CISSP is a managerial certification which requires at least 5 years of hands-on experience in 2 of the 8 domains of security. It is one of the elite certifications, the knowledge and practical application of which is highly sought after. Candidates sitting for managerial positions have an upper hand if they hold CISSP. The exam is not as simple since it tests the candidate’s knowledge of the concepts as well as his/her ability in practical application.
After shadowing much of the CISSP interviews, the inference is that the knowledge is testable and not just conforming to the books. The interview is not that tough if you know the concepts.
The interview process goes something like this:
Vacancy in the department reported by the team.
Job description preparation: CISSP as an added advantage.
HR shortlists the candidates, CISSP will be another tick in the box for HR at least.
You land the interview
Strong core conceptual knowledge
Problem management skills- since some will not have a black and white answer.
Result and feedback
The content of the exam was previously split into 10 domains, which is now reduced to 8 as per the new pattern. Nothing has been removed, it has just been shifted to other domains. All domains are important and testable; but, from an interview perspective, there are a few that cannot be left out:
Communications and network security
Security risk management and mitigation
Asset and Access management
The knowledge of these areas, as well as the practical application, is testable in the interview. Do not miss out on brushing up the concepts from these domains, if you are sitting for the interview.
Discover more about The CISSP® Certification – Building Next Generation Information Security Experts
The interview process is majorly split into four phases as explained below:
A formal introduction followed by some basic questions about the present organization, etc. The session will also cover some very basic questions like what is a risk, what is an incident, standard processes, and frameworks, recent news related to the subject, etc. This is done to ensure two things: basic knowledge testing and setting up the momentum for the interview. Ace this session to make a positive impression.
This part will have direct questions that will test the CISSP knowledge. This part will confirm that you actually have retained the knowledge. Any goof ups here can result in the interview reaching unexpected discussions. Be sure about what you say, and be aware that “I don’t know” is an answer that can be used once or twice.
Now your experience will speak in this phase. What have you done in these years and how have you applied the CISSP knowledge. Projects handled by you, challenges faced and how they were mitigated, etc. If the resume is not magnified, this should not be a tough nut to crack.
Sometimes senior management will have a round; nothing to worry, it is mostly a discussion round which will help the management in the candidate’s selection. If you have made it till here, you are likely to get selected.
Below is a short summary of questions that can be asked in a CISSP interview. These questions are in random order and will just provide you an overview of the frequently asked interview questions.
The question is general in nature, but the answer can determine your interest in the field. If you do not continue to improve, the CISSP certification will expire as it requires credit points to remain valid after 3 years. You may plan to join short courses, attend conferences or plan to undergo a CISSP concentration course.
Audit trails can help organizations in multiple ways. They ensure that the organization remains compliant to various standards. Many standards; e.g. PCI-DSS, have a requirement that audit trails need to be maintained for a specified period of time. They help in the investigation process, in case there is an incident which calls for backtracking of events. Audit trails can be referred to get the details of the events that can be later arranged with respect to the timestamp and get the conclusion.
The type of fire extinguishers on the floor depends on the industry and the type of work done on the floor. If the fire is expected to involve wood, paper, etc., then type A (water) should be present. If the fire is from oils and flammable liquids then type B (foam) should be used. If a fire occurs from flammable gases then type C should be used. If the fire is expected to be in some place like the server room; where saving other equipment is required, type D should be used. (This question is just to check your knowledge and not what is required on that floor, that can only be told post floor assessment)
An organization should not be dependent on tools fully. Tools are often used for two things- one is to perform a task that cannot be performed manually; e.g. antivirus. The second is to complete a time-dependent task on time; e.g. firewall. The third reason why we need a tool is to speed the tasks. The team should ensure that they have enough understanding of the tools and how they work. Now, if a tool fails we can determine what might have gone wrong. Enough dependency on the tools can be dangerous and alternative methods or back up plans must be in place. If the third party is involved then proper maintenance and audits can be done. Both hardware and software hygiene must be maintained for proper functioning.
A VPN service can be used by the employees. VPN stands for virtual private network and helps users to set up a tunnel to the office network over an untrusted network. This does not eliminate the need for other security devices like firewalls and access controls. A VPN service must have two-factor authentication to enhance the security architecture.
If we talk on a high level then the architecture has 3 zones- untrusted zone; i.e., the internet, trusted zone; i.e., Office network and DMZ (demilitarized zone). A few standard architectures are: Bastion host, where the host is connected to the internet but has a firewall in between. The second is a screened subnet. A special zone called DMZ is present here; all public services are hosted here and can be accessed by both trusted and untrusted networks. The third and most expensive topology is dual firewall architecture, in this architecture, all three zones have firewalls in between. The untrusted network can access the DMZ with a firewall in between. The trusted network can access the DMZ with another firewall in between. This ensures that, there is another layer in between for the attackers to penetrate if the services of the DMZ get compromised.
There can be multiple ways in which the offices can be connected. One way is to connect using 10 T1 connections running from different sites to the headquarters. The second way can be to have MPLS connections between the offices. The optimal way is to use MPLS instead of T1 lines because the use of T1 will require 10 different T1 handling circuits at the headquarters, whereas this is not required in case of MPLS.
A phishing attack is a social engineering attack in which the users are tricked to reveal sensitive information by clicking on malicious email links or attachments. This attack is used to spread malwares and compromise the networks as well.
Proper monitoring of the logs to ensure that there is no trace of unauthorized access. Servers can be configured to generate alerts for successful and unsuccessful login attempts. Proper monitoring will ensure that the unauthorized access gets detected and response measures are taken on time.
The Internet is the untrusted part of the network and cannot be opened like a freeway. Blocking the internet is a solution but that will hamper the work as most organisations will require internet for their work. The internet should be restricted as per the company policies. Some websites can have restricted access; i.e., blocking the upload functionality to prevent data leakage. Monitoring of the internet logs can be done to ensure that the internet is used under the limits and not for personal benefits; e.g. downloading movies, etc.
From an organisational point of view; there are two types of firewalls, a network firewall and a web application firewall. A network firewall can provide protection against layer 3 attacks; whereas, a web application can filter the layer 7 traffic and protect against web application attacks.
Data can be classified depending on the sensitivity of the document. Data can be labelled public, confidential, secret and top secret; or in ways that the organisation may think is appropriate. The document labels can then be used to decide how that can be handled, and who can access them. Data classification is necessary for determining who has access to what and how the critical data is accessed, protected and destroyed.
BCP stands for Business Continuity Planning and DR stands for Disaster Recovery. BCP is like an overarched umbrella which ensures that the critical business services are maintained in case of a disaster. DR on the other hand is IT focussed and ensures that the IT related critical services are protected. BCP has other plans under it like COOP, migration plans, etc.
A hot site is up and running at all times just like the primary site. A hot site can even serve as a load balancer. A warm site not up and running but is configured in a way that it can be started in little time. The services need to be started, and it is then good to go.
They both have their own pros and cons. Symmetric encryption is faster but key exchange is an issue with this. Asymmetric encryption is safe but not suitable for communication due to its slower encryption and decryption rates. Modern day communication systems rely on hybrid encryption that uses both symmetric and asymmetric encryption techniques. Asymmetric encryption is used to share the keys and then the communication is continued with symmetric encryption.
Recovery point objective is the maximum time for which the data will be lost and RTO is the maximum time duration the business can survive without the services in case of a disaster/incident.
An organisation must have an incident management policy, which will define what has to be done in case of an incident. The cycle for managing an incident can be: Prepare, Detect, Analyse, contain, eradicate, recover and manage. The responsibilities have to be clearly defined for who will be accountable for what. (An example of an incident can be described here to display the practical understanding of an incident response procedure. The example can be a Ransomware attack on an organisation)
Access management can be implemented on the discretion of the senior management but that leads to access leakages as employees leave, get promoted or move to a different role in an organisation. Access can be either rule based or role based: Rule based access will ensure that the rules will be applied to all irrespective of the designation, roles, seniority, etc. Role based access will ensure that the access is granted on the basis of a role in the organisation. A senior manager may have access to files which may not be accessed by the other members of the team. This will ensure that the access is not leaked.
The answer is again left to the discretion of the candidate. The candidate can answer this on the basis of the roles they have played in the previous organisations or something new that they want to try. The management will be keen to listen to the fresh thoughts you have and what you can add on to what they already have.
This is just to ensure that the candidate is aware of the ISC2 code of conduct as that is a must to pass the CISSP. Cramming the questions will not get you through.
We have discussed the things that are expected from a CISSP certified candidate in an interview, now we discuss how to achieve that. First thing is to ensure that you have all the prerequisites; if you do not have the experience, you can still opt for the CISSP and in this case you will be granted an associate of CISSP. You can either prepare yourself or go for an instructor-led training program. Self-training will be more time consuming and may not be sufficient at times. Instructor-led training is more structured and will focus on the key areas that you may have missed otherwise.