By: Charles Owen-Jackson
August 13, 2020
CISSP Roles and Responsibilities
What are the roles and responsibilities of a CISSP?
Implementing security programs as a certified information system security professional
Cybersecurity leadership roles are increasingly relying on people with both technical and managerial skills and experience. It’s also a highly regulated sector that demands a thorough knowledge of all the key domains of information security. In today’s enterprise environment, cybersecurity leadership roles are highly prized and generously compensated. Furthermore, thousands of new jobs requesting a CISSP certification open up every day in the US alone.
What is a CISSP certification?
The Certified Information Systems Security Professional (CISSP) is an independent certification granted by the globally recognized (ISC)2. Those who have earned the certification include both seasoned employees and independent consultants. To qualify for the exam, candidates must demonstrate at least five years of security-related work experience across at least two of the eight domains of the CISSP Common Body of Knowledge (CBK), explained below.
#1. Security and risk management (15%)
Security and risk management is the biggest domain, comprising about 15% of the exam. This domain provides a comprehensive overview of information systems management.
- Confidentiality, integrity, and availability of information.
- Security governance principles and alignment with business strategy.
- Regulatory compliance requirements, including privacy and licensing.
- Professional and organizational code of ethics.
- Development, implementation, and enforcement of security policies and guidelines.
- Business continuity (BC) planning.
- Threat modeling concepts and methodologies.
- Risk management for supply chains.
- Establishment of security awareness training programs.
#2. Asset security (10%)
The asset security domain covers the protection of data-bearing assets like servers, cloud-hosted resources, and mobile devices. It also covers the classification of data and the organizational roles involved in its protection.
- Classification of data and data-bearing assets.
- Ownership of systems and data for defining roles and accountability.
- Protecting privacy per the demands of regulatory compliance.
- Asset retention and secure IT asset disposal (SITAD).
- Data security controls and protection methods.
- Establishment of asset-handling rules and regulations.
#3. Security architecture and engineering (13%)
This domain provides a fundamental background on many of the core concepts of information security. It covers all the major computing architecture categories.
- Implementation of secure design principles in computer engineering.
- Selection of controls based upon information security requirements.
- Understanding the security capabilities of different information systems.
- Assessing and mitigating vulnerabilities across different architectures and systems.
- Application of cryptographic controls.
- Incorporation of security principles and controls in facility and site design.
#4. Communication and network security (14%)
One of the larger domains, communication and network security has a broad scope covering the protection of enterprise networks, including remote working and cloud environments.
- Implementation of secure design principles in networking architectures.
- Security of network components, such as NAC devices and CDNs.
- Security of wireless networks and systems.
- Security of communication channels, such as remote access and virtual networks.
- Application and management of communication and authentication protocols.
#5. Identity and access management (IAM) (13%)
IAM is a set of business and security processes governing the application of digital identities and auditable access control to information systems.
- Physical and logical access to information, systems, devices, and facilities.
- Identity management and authentication for people, services, and devices.
- Integration of access controls in third-party cloud, federated, and on-premises services.
- Implementation of access controls, such as rule-based and role-based access control.
- Management of the identity and access provisioning lifecycle.
#6. Security assessment and testing
In information security, the only constant is change, hence the need for ongoing assessment and testing. This involves regularly screening systems for potential risks and vulnerabilities.
- Design and validation of internal, external, and third-party auditing strategies and tests.
- Security control testing, such as penetration testing and vulnerability assessments.
- Collection of technical and administrative security process information.
- Analysis of test results and report generation.
#7. Security operations (SecOps) (12%)
Every enterprise needs a security operations center (SOC) framework. A SOC oversees the application and monitoring of security policies and controls and ensures they are up to date.
- Incident investigation procedures and techniques.
- Investigation types and requirements according to industry standards and regulations.
- Application of logging and monitoring activities and intrusion detection and prevention.
- Secure provisioning and inventorying of resources.
- Application of detective and preventive security measures.
- Backup and disaster recovery strategies and business continuity planning.
#8. Software development security (10%)
All software and systems must be secure by design, meaning that security controls shouldn’t merely be tacked on later. This domain governs the role of security in software development.
- Integration of security controls throughout the software development lifecycle (SDLC).
- Identification and application of security controls in development environments.
- Assessment of software development security controls.
- Definition and application of secure coding standards and guidelines.
How to get a CISSP certification
Provided the candidate meets the experience requirements to enter a CISSP certification exam, they will need to pass with a score of at least 700/1000. The training itself takes around 20 hours and will teach students the technical and administrative skills necessary to prepare for the exam. Before students take the exam, it’s also a good idea for them to participate in virtual practice labs. The exam itself takes around six hours and consists of 250 questions.
Certifications are valid for three years, after which certificate holders will need to re-establish their status. Most CISSPs do this by earning continuing professional education (CPE) credits, which qualify them for recertification without completing the exam again. Security professionals can earn CPE credits through various means, such as attending educational courses and seminars. It’s also important to note that, like information security itself, CISSP is constantly evolving.
Acquiring and maintaining a CISSP certification might seem like a grueling process, but, as an internationally recognized standard, it presents a clear path into a highly lucrative career. In the US, certified professionals can expect to earn around $136,000 per year. The job market is also wide open around the world, with upwards of two million available positions. Once someone has acquired a certification, their skills and knowledge will be in enormously high demand.
Cybrary helps people advance their careers with tailor-made training programs designed to accommodate different styles of learning. Take the next step toward becoming a cybersecurity engineer now with the CISSP course.