CISSP All-in-One Exam Guide, Second Edition (All-in-One)

No book alone can inform a candidate to the level of familiarity with this topic needed to pass this very broadly scoped exam. But, this book helped me put my 20+ years of IS experience into perspective from the point of view of the ten domains of computer security. It helped provide the context and framework for organizing and thinking about the issues, helped to sort-out and standardize my terminology, informed me in some areas where I was weak and provided pointers to additional resources to supplement my understanding.

This book was helpful in spite of considerable shortcomings, including errors of fact, errors in logic, and an appalling number of typographical errors that must reflect a rush to publish and a lack of interest in quality control. Errors of fact included erroneous definitions of important terms, e.g., MTTR - improperly defined as the mean time between repairs rather than the mean time to repair. Some sample questions at the chapter ends included duplicate answers, and offered wrong answers as correct ones. While this occurred infrequently, it shouldn't happen at all. Without prior knowledge, the reader wouldn't know what was true and what was in error. The book was laced with exasperatingly trite examples that distracted from the theme development in the chapters. Moreover, many of the book's sections were far too wordy and could have been distilled or provided as an appendix for those who are interested in the tutorial material, e.g., over 150 pages on the telecom and security domain alone.

The sample test S/W included informative questions, but was unwieldy, error-filled and did not permit the user to suspend the exercise until later nor did it provide for printing the Q&A's in any useful way.

All in all I believe the book was a considerable help to me. If you can get by the multiplicity of errors and deal with the frustrating sample test software, it could be a helpful tool in preparing for the CISSP exam.

Rating:
Summary: can you say typo?
Review: this one is a poorly written book with lots of typos. Things that could have been easily caught by a spell/grammer checker. I "cannot not" believe that some one proof read this book and did not find something wrong with "that0" book. :-)
The material is also confusing at times. I don't mean to be picky but I saw some recursive definitions. For one thing, headers could have been numbered and that would have solved a lot of confusion. And, oh a lot of grammatical mistakes.
On the positive front, it does have web site references at the end of each section. That seems to be very useful.
I would not recommend this edition of the book. Maybe, the next revision would be better.

Rating:
Summary: OK, but too much fluff
Review: I thought the author did a good job of breaking down the material, but I felt that there was too much "extra" that was added in just to sell a larger book. For example, do I really need pictures of a tornado, a person showing a graph, and other silly things that really dont serve any purpose? With all the information that you need to pass this test, the last thing you need is to have your time wasted.

Again, the material is good, but dont use this book to cram with right before the test, you'll find that you're wasting your time.

Rating:
Summary: A (probably) good book badly in need of editing
Review: I seem to be in the minority here, but I found this book very disappointing, primarily because it apparently never was edited at all. It contains literally (I mean literally) hundreds of typos, grammatical errors, poorly organized sections, and awkwardly worded phrases. The content may be good, but I find the lack of care in assembling this book insulting. The result appears to have been created by hastily transcribing dictated material and taking it directly to press.

The "dictation" style requires careful use of headings to guide the reader/learner through the hierarchy of presentation. Intelligent heading use is largely absent, e.g., in a section starting on pg. 266, (A Few Threats to Security Models and Architectures), Covert Channels, Countermeasures, Back Doors, Countermeasures, Timing Issues, Countermeasures, Buffer Overflows, and Countermeasures are all presented at the same heading level. It is clear that the countermeasure item should be subsidiary to the threat preceeding it in each case. (This is an easy example to see and correct, but others are more obscure).

The conversational but awkward wording, e.g., "A covert storage channel is when a process writes data to..." can be repaired easily by someone with minimal experience.

Disagreements in number between verb and subject are too numerous to mention.

I don't mean to sound like an English teacher (I'm not), but I think shoddy work should not be rewarded. McGraw-Hill Osbourne can do (and has done) better. We should encourage them to spend more time in preparing an expensive book by buying the competition.

Although the examples were presented from one section, I have in fact read three-quarters of the book. I just happened to be in chapter 5 when my frustration peaked.

Rating:
Summary: Great Book To Get You Prepared For The Exam
Review: I picked this book up a couple of weeks prior to the exam, because I was frustrated with some of the materials that I had borrowed from peers or found on various websites. I started reading the book by skipping around through the chapters and focusing on the areas that I was weakest in first. This book is very well written and enables anyone to ramp up their base level of knowledge in any of the 10 domains. I immediately felt more confident that I had a grasp on the material because of the way it was presented to me. I took the exam last Saturday so I'm still awaiting my score, but I'm confident that I passed and I think that this book contributed tremendously.

Rating:
Summary: Is English Shon Harris' mother tounge? More than 110 errors!
Review: First some basics before I get down to the things that really tick me off.

1. Check the ISC2 blueprint for the exam, and then check the contents or index pages of this book. You will see that there are a LOT of things which this book does not cover. It is certainly not an "all in one" study guide.

2. The pages are padded out with large text and absolutely pathetic clip art. If you think you are getting 800 or so pages of good reference material, think again.

3. The author is obviously not well versed in some of the domains she covers, it seems as though she has just paraphrased a lot of material from other sources. Many sections contain technical errors, or demonstrate small points which show that she didn't know the subject she was writing about as well as she should have.

But what really bugged me the most was the absolutely poor quality control which permitted this book to be published with so many (110+) errors! I complained to the publisher who said that they had contracted out the proof reading (presumably to the local zoo).

What amazes me even more is the number of reviews here that praise the book for being well written! My advice is as follows:

If your reading experience is limited to the sport pages of your local tabloid paper, buy this book, it is perfect for you.

Or, if you prefer to read the more serious parts of a broadsheet paper, don't buy this book, it will irritate you. Buy Krutz's book instead. It also doesn't cover everything you need, but at least you won't feel the need to correct it as one might when reading a school child's essay.

In conclusion: This book isn't cheap, I think that if someone pays top dollar for a technical book they should expect that the author knows the difference between terms such as "regimen" and "regime", or that NAT doesn't run at layer 7, or that ARP is not a layer 1 protocol (just check the diagram on page 48 for an example). To summarise in one word: shameful.

Rating:
Summary: Good references.
Review: To understand the goal of this book you need to reference the ISC2 website to discover the outline of the exam this is supposed to be preparing you for. When you do and make comparisons of the syllabus with the contents, you soon realise that this book is NOT a one stop prep guide.

That said most of the material is covered in some detail. Ms Harris could very easily have reduced the explanations and should have placed the very American focused material to an appendix. The ISC2 is an international consortium and, as such, explicitly does not reference a situation or law unique or heavily biased to one country, even if that country is America.

I can well imagine that for an American based person, even after the examination, this work will continue to be a useful resource. The usage of online references is very helpful and helps elucidate the areas that Ms Harris clearly does not fully understand.

So what is not so good?

The English, from both a grammatical and style perspective, is very poor. This book is simply one of the worst written technical books I have ever read.

The superfluous content should be reviewed and placed in an appendix.

The facts should be accurate and reflected by accurate exam questions.

This final point is the most worrying. As an IT professional with extensive experience in certain areas, I was able to recognise when something was incorrect, in those areas. However, the CISSP covers the full spectrum of security from IT security to classical security and the laws pertaining to them. How am I to know the specifications of a PIDAS? In these areas one needs to be able to trust the book and I found myself not able to do that.

It is worth buying as a resource for passing the exam, but you would need to have other sources (Krutz & SRV are probably complimentary). The problem in this area is there are too few books providing the information that is really needed and to the level required, without additional non-relevant text.

***The quesitons on the CD are extremely useful and around the level of the questions on the real exam. **** Do them several times until you get an idea of the tricky style of questions asked. The real exam questions are designed to lure you into a wrong answer and the CD questions help you get used to that.

Rating:
Summary: Not studying this book for the CISSP is a mistake!
Review: Earlier this year, I submitted a review stating that this book is excellent if you are studying for the SSCP (the other cert offered by ISC2), because I passed that exam using Harris' book in part. I passed the CISSP on Sept. 28, 2002, and I studied Harris' work carefully prior to that test as well, in addition to the thin, orange volume by Krutz and the rest.

Once again, Harris' work has my hearty recommendation. It is an excellent resource for the following reasons:
* Despite what some of the other reviews say, the book is *very* well written. Harris' writing is lucid, and she provides a strong conceptual foundation for the test. The other book (by Krutz, et al.) is also useful, but for review purposes mostly. Harris does a better job providing complete information about security concepts.
* The "Quick Tips" at the end of each chapter are invaluable. STUDY THEM.

Rating:
Summary: Excellent book - extremely well written
Review: I've been reading a lot of security books lately. I sat for my CISSP this week. This book was without a doubt the best CISSP book and one of the best technical books I've read in a long time. Although the material is dense and diverse, the author handles complex information with grace, style, and intelligence. As a writer as well as a security professional, I was very pleased to have technical information presented in a manner that was both logical and interesting.

If you're getting ready for the CISSP - get this book. Even if you're not planning on getting your CISSP, this is an excellent book just to have around to learn more about security issues.

Rating:
Summary: The Basic Book Needed for the CISSP Exam
Review: An excellent text for preparing for the exam and expanding your knowledge of the issues within the ten domains that it covers. It is thorough, well organized, easy to read, and offers simple explanations of technical issues. The sample questions and exercises are good, although the actual exam questions may be more complex. Support your study with Krutz and Vines's "CISSP Prep Guide", which covers the few gaps in this book and offers a bit more detail on some issues, but buy this book first.