Recommended CISSP Books




CISSP for Dummies

Lawrence C. Miller (Author), Peter H. Gregory (Author),

Taking into account the extremely weak book "Solaris Security" by the second author, I was pleasantly surprised. The book is very practical and is definitely a useful "exam-cram" book.

Excellent reference, October 16, 2002
Reviewer: A reader from Ohio

Everyone knows that the CISSP exam is not for dummies, but don't let the title of this book put you off.

It was great as a review/final cram before I took the exam. I think it would make an excellent first read, too. I studied using The CISSP Prep Guide and an online study group and then bought this book on the recommendation of someone in my study group. There is a chapter for each of the ten domains. There are no frills here, but the coverage is accurate, balanced, and matched pretty closely what I found on the exam. I particularly appreciated the study tools on the CD-ROM. The flash cards were pure genius. I was able to download them to my Palm, and I quizzed myself in the car all the way to the testing location. I definitely got my money's worth out of this book and highly recommend it to others sitting or considering sitting for the CISSP exam.

CISSP All-in-One Exam Guide

Shon Harris

The author is a CISSP instructor and it's clear that she lacks practical experience in many areas of the exam. That was noticed by several reviewers here and should be taken into account.

But as an instructor and a member of the "CISSP gang" she probably knows quite a lot about the exam kitchen, and there are several reviews here which claim that the book was the only one they used to pass the exam.

CD-ROM exam questions are sometimes pathetic, with some as close to nonsense as one can get and many questionable "right" answers presented. But CISSP is a very immature exam and people claim that it is improving.

The English, from both a grammatical and style perspective, is very poor. This book is simply one of the worst written technical books I have ever read.

The superfluous content should be reviewed and placed in an appendix.

The facts should be accurate and reflected by accurate exam questions.

This final point is the most worrying. As an IT professional with extensive experience in certain areas, I was able to recognise when something was incorrect, in those areas. However, the CISSP covers the full spectrum of security from IT security to classical security and the laws pertaining to them. How am I to know the specifications of a PIDAS? In these areas one needs to be able to trust the book and I found myself not able to do that.

It is worth buying as a resource for passing the exam, but you would need to have other sources (Krutz & SRV are probably complementary). The problem in this area is there are too few books providing the information that is really needed and to the level required, without additional non-relevant text.

***The questions on the CD are extremely useful and around the level of the questions on the real exam.

**** Do them several times until you get an idea of the tricky style of questions asked. The real exam questions are designed to lure you into a wrong answer and the CD questions help you get used to that.

5 out of 5 stars If you want to pass the test read this book, January 2, 2003
Reviewer: Michael R Scanlon from North Andover, MA United States

No kidding. I have a networking background of 20 years, but I would have failed the test if I hadn't reviewed this book. I spent 6 hours/day, for 6 days, studying this book and taking the exam questions at the end of each chapter. I also recommend buzzing around the web for searches on test-taking strategies for the CISSP. Other than that I would contradict other reviewers and say that in addition to a good networking background (general knowledge of security wouldn't hurt either) this book is all you need. And yes, I did pass the test!!

2 out of 5 stars Good, contains errors, reads easily, December 11, 2002
Reviewer: Martin Pivetta from Bonn, Germany

This is a book I very much enjoyed reading. The content is not always correct or complete, but I guess that is a problem that is found in most "all-in-one" books. While reading this book I very often got distracted by the way the author got me involved in examples that take away the attention from the important information. The chapter about Cryptography is not complete.

I do not believe it is possible to pass the CISSP exam with just this book. It is a pity that there is no motivation with the solutions for the test questions. The solutions sections consist of a list of letters. If a question is troubling, this approach doesn't help.

Overall, this is a nice book. But it should not be the only reference you read on the subject.

2 out of 5 stars Author lacks understanding, too much fluff, a casual read, November 19, 2002
Reviewer: kevster75 from FL, United States

I purchased and read this book based on recommendations from others in the posting community here on Amazon.[com]. My good first impression of the book was quickly muddled when I realized the lack of understanding expressed in many of the subject areas presented in the book. A book with a [high] price tag should be written by an expert! As I read this book by Harris, I kept getting the impression that she simply copied and pasted information from the Web into her publishing application and left credit for her references in the sidebar. Look to the Wiley book for a text written by true experts in the field. The amount of typos and grammatical errors in the book also exceeds the acceptable level for a book in this price range. Also, (and this shouldn't influence your decision to buy this book) it is HIGHLY annoying to read a book that has all third person references expressed as "her" and "she." Harris should leave her political agenda aside when writing a book on any other subject.

3 out of 5 stars Editor? What's an editor?, November 9, 2002

Reviewer: A reader from Dobbstown, Malaysia

No, I am not referring to vi or emacs. I am referring to the human being who, nominally, is there to guide the author. Well, not in this case. The CISSP certification is a professional certification (that's what the 'P' stands for, folks). Unfortunately, the author seems to think that writing in an excessively colloquial, familiar, and almost "slangy" style is just what is needed to help her readers stay awake thru this kilopage tome.

Admittedly, the CISSP exam is a mile wide and an inch deep, so one cannot fault the author for the depth (none) with which things are treated.

HOWEVER, the cutesy way the book is written, with cheesy jokes to "help you remember" the material borders on the insulting for anyone who isn't looking to just cram for the exam, get the "cert", and move on.

For readers who actually do have infosec experience, and who are looking for a review guide, this book works well enough, but you have to read it defensively -- the style is actually an obstacle to readability, which is why the editor needs a clue. Also - there are typos and grammatical errors that a book at this price point should NOT have.

On the plus side, it is trivial to resell the puppy once it has served its purpose -- mine was gone three hours after I got home from the exam -- and the practice questions actually are somewhat helpful.

In a nutshell -- grind your teeth thru the style and the sloppiness, augment the practice stuff with the Boson practice questions (for example), and this book might be worth keeping long enough to help you remember what you read in other vastly better books covering any of the 10 domains.

3 out of 5 stars NOT A GOOD EXAM PREP TOOL, October 9, 2002
Reviewer: A reader from Dallas, TX

I agree with the other reviewer who said there was too much fluff in here. I had already bought many of the recommended texts listed by ISC2. What I needed was focused preparation materials that took me through, approximately, what I could expect to find on the exam. What I got here was a rather poor rehash of the dozens of better written, classic, professional texts that have been written by others. I even found topics on the exam that were definitely NOT addressed by this book. Bigger is not always better.

5 out of 5 stars Took the CISSP exam 9/31/02 and PASSED., September 1, 2002

Reviewer: A reader from St. Louis, MO USA

The CISSP All-in-One Exam Guide was the best of the half-dozen sources that I used. I'd rate it a must-have if you want to take the exam. I also used The CISSP Prep Guide but switched to Shon's book halfway through.

The CISSP exam is immature; that is, many of the questions appear convoluted for the sake of being obtuse. I doubt seriously if your score on this exam correlates to your true ability. That said, it is a necessary benchmark of a very broad subject. And having talked to people taking the test for second time, I'm told the test is improving. That's about all I can say about the test; you have to sign in blood not to discuss it once you take it. Most people walk out having no idea if they did well; my peers were no exception.

I took the course that Shon teaches at the Intense School (see for a link and useful study materials). It is a great course and a terrific value. Everything is taken care of in the course cost (hotel, food, snacks - and they don't skimp). Shon is an excellent and patient instructor with an in-depth understanding. Her pointers on the test were worth about 15 extra questions right; possibly the difference between passing and not for many of us. But the course is not for the meek. It is 8:30 to 6:30 for 6 days, followed by the exam. By the 3rd day most of us (including kids 15 years younger than me) were feeling beat -- only 500 pages and halfway thru the course material. But everyone I talked with thought that it was well worth it.

The only criticism of Shon's book is that her sample test questions were far easier than the actual test. She admits it; her questions are to help you know if you understand the material. If her questions were like the test, everyone would think she couldn't write a decent test question (and they would be right!). But her material is dead-on.

I should have studied operational security more than I did. There was far less on cryptography - the hardest subject - than I expected. With over 20 years' experience in 9 of the 10 domains, the exam wasn't a cakewalk. But Shon's CISSP All-in-One Exam Guide did make me much more confident about passing the exam.

I have no financial or other interest in the Intense School or Shon's book. I'm just a very satisfied customer (and hopefully a CISSP now!).

Update: Got my CISSP and so did everyone in my 4-person study clique - including one person who was sure that she wouldn't pass because she didn't have a strong security background. So the Intense School course was a big gain for her.

3 out of 5 stars Good, but not comprehensive, August 27, 2002

Reviewer: beamthis from Croton-on-Hudson, NY USA

There is some great content in this book and it definitely gives you an understanding of the basics in the 10 Domains. It, by no means, is enough to be able to pass the exam.

After having taken the exam, you realize that you are recalling a great deal of information not included in this particular book.

It is a good cornerstone to your study collection, but is not detailed enough.

This book is also tougher reading than the CISSP Prep Guide, but I feel it helped more (having gone through both).

3 out of 5 stars Could be better ..., August 19, 2002
Reviewer: Chris Taylor from USA

The book was a fairly easy read, but lacked some crucial content. This was apparent when taking the actual exam. I encountered numerous questions that were not addressed in this book. Overall, this title could be used as a sole source, but I would recommend finding at least one more good reference to use. The included CD of sample questions was rather worthless.

4 out of 5 stars The best could be better, easily, July 24, 2002

Reviewer: A reader from Reston, Va USA

This book, along with the CISSP Exam Prep Guide by Krutz and Vines, provided me a great deal of insight into the 10 domains of computer security and it was instrumental in assisting me to pass the CISSP exam on the first try.

No book alone can inform a candidate to the level of familiarity with this topic needed to pass this very broadly scoped exam. But, this book helped me put my 20+ years of IS experience into perspective from the point of view of the ten domains of computer security. It helped provide the context and framework for organizing and thinking about the issues, helped to sort-out and standardize my terminology, informed me in some areas where I was weak and provided pointers to additional resources to supplement my understanding.

This book was helpful in spite of considerable shortcomings, including errors of fact, errors in logic, and an appalling number of typographical errors that must reflect a rush to publish and a lack of interest in quality control. Errors of fact included erroneous definitions of important terms, e.g., MTTR - improperly defined as the mean time between repairs rather than the mean time to repair. Some sample questions at the chapter ends included duplicate answers, and offered wrong answers as correct ones. While this occurred infrequently, it shouldn't happen at all. Without prior knowledge, the reader wouldn't know what was true and what was in error. The book was laced with exasperatingly trite examples that distracted from the theme development in the chapters. Moreover, many of the book's sections were far too wordy and could have been distilled or provided as an appendix for those who are interested in the tutorial material, e.g., over 150 pages on the telecom and security domain alone.

The sample test S/W included informative questions, but was unwieldy, error-filled and did not permit the user to suspend the exercise until later nor did it provide for printing the Q&A's in any useful way.

All in all I believe the book was a considerable help to me. If you can get by the multiplicity of errors and deal with the frustrating sample test software, it could be a helpful tool in preparing for the CISSP exam.

2 out of 5 stars can you say typo?, July 22, 2002
Reviewer: kayvon Sadeghi from Fremont, CA United States

This one is a poorly written book with lots of typos. Things that could have been easily caught by a spell/grammar checker. I "cannot not" believe that someone proofread this book and did not find something wrong with "that0" book. :-)
The material is also confusing at times. I don't mean to be picky but I saw some recursive definitions. For one thing, headers could have been numbered and that would have solved a lot of confusion. And, oh a lot of grammatical mistakes.
On the positive front, it does have web site references at the end of each section. That seems to be very useful.
I would not recommend this edition of the book. Maybe, the next revision would be better.

2 out of 5 stars A (probably) good book badly in need of editing, June 27, 2002

Reviewer: Richard Stack from Golf, IL USA

I seem to be in the minority here, but I found this book very disappointing, primarily because it apparently never was edited at all. It contains literally (I mean literally) hundreds of typos, grammatical errors, poorly organized sections, and awkwardly worded phrases. The content may be good, but I find the lack of care in assembling this book insulting. The result appears to have been created by hastily transcribing dictated material and taking it directly to press.

The "dictation" style requires careful use of headings to guide the reader/learner through the hierarchy of presentation. Intelligent heading use is largely absent, e.g., in a section starting on pg. 266, (A Few Threats to Security Models and Architectures), Covert Channels, Countermeasures, Back Doors, Countermeasures, Timing Issues, Countermeasures, Buffer Overflows, and Countermeasures are all presented at the same heading level. It is clear that the countermeasure item should be subsidiary to the threat preceding it in each case. (This is an easy example to see and correct, but others are more obscure).

The conversational but awkward wording, e.g., "A covert storage channel is when a process writes data to..." can be repaired easily by someone with minimal experience.

Disagreements in number between verb and subject are too numerous to mention.

I don't mean to sound like an English teacher (I'm not), but I think shoddy work should not be rewarded. McGraw-Hill Osborne can do (and has done) better. We should encourage them to spend more time in preparing an expensive book by buying the competition.

Although the examples were presented from one section, I have in fact read three-quarters of the book. I just happened to be in chapter 5 when my frustration peaked.

1 out of 5 stars Is English Shon Harris' mother tongue? More than 110 errors!, June 22, 2002

Reviewer: Mark Fyvie from Zurich, Switzerland

First some basics before I get down to the things that really tick me off.

1. Check the ISC2 blueprint for the exam, and then check the contents or index pages of this book. You will see that there are a LOT of things which this book does not cover. It is certainly not an "all in one" study guide.

2. The pages are padded out with large text and absolutely pathetic clip art. If you think you are getting 800 or so pages of good reference material, think again.

3. The author is obviously not well versed in some of the domains she covers, it seems as though she has just paraphrased a lot of material from other sources. Many sections contain technical errors, or demonstrate small points which show that she didn't know the subject she was writing about as well as she should have.

But what really bugged me the most was the absolutely poor quality control which permitted this book to be published with so many (110+) errors! I complained to the publisher who said that they had contracted out the proof reading (presumably to the local zoo).

What amazes me even more is the number of reviews here that praise the book for being well written! My advice is as follows:

If your reading experience is limited to the sport pages of your local tabloid paper, buy this book, it is perfect for you.

Or, if you prefer to read the more serious parts of a broadsheet paper, don't buy this book, it will irritate you. Buy Krutz's book instead. It also doesn't cover everything you need, but at least you won't feel the need to correct it as one might when reading a school child's essay.

In conclusion: This book isn't cheap, I think that if someone pays top dollar for a technical book they should expect that the author knows the difference between terms such as "regimen" and "regime", or that NAT doesn't run at layer 7, or that ARP is not a layer 1 protocol (just check the diagram on page 48 for an example). To summarise in one word: shameful.

The CISSP Prep Guide

The CISSP exam covers multiple fields of security, and those of you who work in a technical field will see how lacking the authors are there.

4 out of 5 stars Tear out chapter 3, and you have a useful CISSP study guide, December 9, 2001

Reviewer: Richard Bejtlich from Texas, USA

I am a senior engineer for network security operations. I read "The CISSP Prep Guide" (TCPG) as a study aid for the CISSP exam, which I completed yesterday.

CISSP candidates are not allowed to discuss the contents of the test, but I can comment on the quality of TCPG's text. If you tear out chapter 3 (Telecommunications and Network Security), the remaining content is informative and applicable. If you rely on chapter 3 to learn about network security, you'll be sorely disappointed.

By performing network security monitoring, I am intimately familiar with defensive tools and tactics, and adequately informed of offensive operations. I observe network defense and offense on a daily basis.

Unfortunately, chapter 3 of TCPG demonstrates almost no understanding of these important concepts. The authors do not correctly explain network attacks. ("Ping of death" is the most common buffer overflow?) Their firewall deployment strategies are wrong, and their examples of "protocols" at each OSI layer are false. (Since when is SQL a session layer protocol?)

The authors should have consulted someone with real knowledge of network security before publishing this poor material.

Thankfully, beyond chapter 3, the majority of the book is helpful and reliable. The authors cover each domain of the Common Body of Knowledge, and present information in a humorless but well-organized manner. TCPG introduced me to management concepts I hadn't formally studied elsewhere, such as risk management, risk assessment, business continuity planning, and disaster recovery planning. TCPG also offered helpful quizzes at the end of each chapter. The appendices, covering the RAINBOW series, HIPAA, NSA assessments, and the Common Criteria, were also enlightening.

5 out of 5 stars Great all around CISSP Prep Guide, August 12, 2002

Reviewer: oishi_ushi from Albany, NY United States

I purchased two books - this book and the Shon Harris book - and I thought this book was very detailed, more organized, and overall a better preparation for the exam than the Shon Harris book. There were a lot of things in the Shon Harris book that were not explained, that I only understood after reading the Ten Domains of Computer Security. The examples in The CISSP Prep Guide were relevant and supportive of all the information that was tested on the CISSP.

Overall - between the two books - I highly recommend the CISSP Prep Guide. It is an all-inclusive guide to the information that you need to know when taking the CISSP. It wasn't confusing; it was more organized and well thought out compared to the Shon Harris book.

4 out of 5 stars Well presented, but not deep, May 10, 2002

Reviewer: Wilfred Wong from Hong Kong

This book gives a good introduction to anyone interested in security-related work. It covers most aspects of information security, and covers all areas of the CISSP exam. This book gives you good knowledge but it seems it cannot help you practice securing your system, as this book does not give you good technical knowledge of implementing security on systems. You must have many other reference books for specific topics if you want to have in-depth knowledge of security.

In short, it's a good book for one seeking basic and general knowledge of information security, but don't expect you can find in-depth information inside.

3 out of 5 stars Worth reading but watch the errors, April 1, 2002
Reviewer: Samuel C. Adams from Tampa FL

I recently took and passed the CISSP exam. My two main study guides were this book and the Information Security Management Handbook. I also used the CISSP Exam Cram. The main benefit of this book is that it gave some background on topics that are useful to know for the exam and exposed me to areas I was unfamiliar with. Note, the above info is all I can say in relation to the exam; the rest of the review just contains general opinions about the book. One good thing about this book is that it has lots of definitions. The glossary is good and the index is great.

I particularly enjoyed chapter 10. Chapters 4 and 8 were pretty good too.

The reason I'm giving this book 3 stars is that it has some glaring failures.

It's not a good place to learn about forensics, risk management, computer crime law or technical aspects of computer network security. Chapter 3 in particular is littered with errors.

Perhaps the most offensive is the description of a buffer overflow on page 76. It's listed under denial of service attacks and a "Ping of Death" is described as typical. Check out Aleph One's "Smashing the Stack for Fun and Profit" (Phrack 49...) or the definition in Hacking Exposed for the real scoop.

2 out of 5 stars Good material, poorly presented, November 13, 2001

Reviewer: Alan from Atlanta

This book is apparently right on target in terms of content. However, it is in serious need of a good editor. I estimate it is taking me twice as long to read and understand the text because of poor grammar and ambiguities. For example, on pages 5-6, under the heading "Information Classification Objectives":

".. it is obvious that information classification has a higher, enterprise-level benefit. Information can have an impact on a business globally, not just on the business unit or operations levels. Its primary purpose is to enhance confidentiality, integrity, and availability..."

Ok, after reading that a couple of times, it is clear that "Its primary purpose" refers back to "information classification" in the first sentence, not to "Information" in the immediately preceding sentence. But it certainly would be easier to read if you didn't have to decipher things like this on every page.

Also, in the Introduction, page xiv, it says about the test, "No acronyms are used without being explained". Yet, in the sample questions at the end of chapter 1, there are half a dozen or more questions that in essence are testing your knowledge of certain acronyms. So, do I need to memorize the acronyms or not?

I'm grateful that a text is available designed to focus my preparation for the test. It is probably the best available, but it just needs more work.

Secured Computing, A CISSP Study Guide (Trafford Publishing)

Table of Contents

Preface vii
Overview of CISSP and the Exam vii
How to Use This Book viii
The Study Plan viii
Test Day Tips ix

Chapter One
Domain 1 - Access Control Systems and Methodology
Definitions 3
Access Control Layers 4
Types of Access Control 5
Access Control Techniques 7
Access Control Administration 9
Data Owner, Custodian, and User Responsibilities 9
Access Control Models 10
Identification and Authentication Techniques 13
Access Controls Methodologies and Implementations 17
Monitoring 19
Test Your Knowledge 24

Chapter Two
Domain 2 - Telecommunications & Network Security
Definitions 31
ISO/OSI Model 31
Communications and Network Security 33
Protocols 37
Identification and Authentication 46
Data Communications 48
Network Components 53
Network Availability 54
Test Your Knowledge 59

Chapter Three
Domain 3 - Security Management Practices
Definitions 66
Security Management Concepts and Principles 67
Change/Control Management 68
Data Classification Schemes 69
Employment Policies and Practices 72
Policies, Standards, Guidelines, and Procedures 74
Risk Management 75
Roles and Responsibilities 83
Security Awareness 84
Security Management Planning 85
Test Your Knowledge 87

Chapter Four
Domain 4 - Applications & Systems Development
Definitions 93
Application Issues 93
Local/Non Distributed Environment 98
Data Information Storage 102
Knowledge Based Systems 103
System Development Controls 107
Test Your Knowledge 113

Chapter Five
Domain 5 - Cryptography
Definitions 117
Uses of Cryptography 118
Cryptographic Concepts, Methodologies, and Practices 120
Types of Encryption Systems 126
Public Key Infrastructure 136
Application and Network Based Protocols 140
Methods of Attack 142
Test Your Knowledge 144

Chapter Six
Domain 6 - Security Architecture and Models
Definitions 149
Principles of Common Computer and Network Architecture and Design 149
Principles of Common Security Models, Architectures, and Evaluation Criteria 153
NSA/NCSC Rainbow Series 158
Objects and Subjects 165
Common Flaws in Security Architecture 166
Test Your Knowledge 169

Chapter Seven
Domain 7 - Operations Security
Definitions 173
Administrative Management 174
Computer Operations Concepts 175
Test Your Knowledge 179

Chapter Eight
Domain 8 - Business Continuity Planning and Disaster Recovery
Definitions 184
Business Continuity Planning 185
Disaster Recovery Planning 187
Recovery Planning Development 188
Test Your Knowledge 193

Chapter Nine
Domain 9 - Laws, Investigations, and Ethics
Definitions 201
Types of Laws 201
U.S. Laws 203
International Computer Crime Related Laws 205
Investigations 206
Types of Computer Crime 211
Incident Handling/Response 212
Ethics 213
ISC2 Code of Ethics 213

Chapter Ten
Domain 10 - Physical Security
Definitions 221
Administrative and Physical Controls 221
Elements of Physical Security 226
Facility Requirements 226
Noise 228
Fire Access and Controls 229
Physical Access Controls 230
Technical Controls 231
Environment/Life Safety 231
Test Your Knowledge 233

Chapter Eleven
Methods of Attacks
Definitions 239
Other Attacks 241

CISSP Practice Exam 245
Bibliography 257
Recommended Study Aids 258
Glossary Terms 259

Copyright 1996-2004 by Dr. Nikolai Bezroukov

Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SNDP or any other organization the author may be associated with.

We do not warrant the correctness of the information provided or its fitness for any purpose.

This document is an industrial compilation created for educational purposes only and is placed under the copyright of the Open Content License(OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Please read, understand, acknowledge, and abide by this license before copying, translating, quoting, or distributing this document. was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. 

Last modified: March 12, 2019