In a previous entry, I described the 10 domains of knowledge that a Super-Star Security Engineer (SSSE) would need to have. In this post, I'm going to lay out the basics of the first domain.
This one's a bit of a no-brainer, actually. While I'm not a huge fan of the CISSP certification, my problem with it isn't the education that you get in studying for the CISSP. The biggest issue with the CISSP itself is the way that ISC2 bills the certification: on the official certification page, they call the certification the "Gold Standard" for "Top Information Security Professionals". (The problem is, no multiple-choice test can truly function as a gold standard for excellence. Minimal competence, perhaps, but not excellence. But that's another blog entry.)
I think the CISSP is actually a great starting point for an information security education - the grounding in basic concepts that you get from studying how information security works is a foundational one. In many ways, the CISSP books provide an entry-level information security education - call it "InfoSec 101". The set of knowledge required for mastery of this domain is covered by the CISSP CBK domains:
Access Control
Application Security
Business Continuity and Disaster Recovery Planning
Cryptography
Information Security and Risk Management
Legal, Regulations, Compliance and Investigations
Operations Security
Physical (Environmental) Security
Security Architecture and Design
Telecommunications and Network Security
Required Reading for this Domain
The CISSP "Gold Book" - This was the book that I originally used to study for the CISSP, and it provided the best all-around description of the material (without trying too hard to be focused on the test). It's a great all-around reference for information security concepts at a high level... exactly what you need for an initiation into the concepts.
An Introduction to FAIR - FAIR is absolutely the most comprehensive, intuitive and easy to learn method of risk analysis that I have seen to this point. It describes the basic concepts of information security risk, and should be required reading when trying to become an SSSE.
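To show what the FAIR way of thinking about risk actually looks like in practice, here is an added example (my own illustration, not code from the post or from the FAIR book). It follows the decomposition FAIR uses - risk as loss event frequency times loss magnitude, with loss event frequency broken into threat event frequency and vulnerability - and runs a small Monte Carlo simulation over calibrated ranges instead of single-point guesses. The scenario, the ranges, and all the names (`Range`, `Scenario`, `assess`, `PORTAL_CREDENTIAL_STUFFING`) are constructed for illustration; the triangular distribution stands in for the PERT distributions that FAIR tooling typically uses.

```python
"""FAIR-style risk estimate with a small Monte Carlo simulation.

Added example (not from the post or the FAIR book). It follows the FAIR
decomposition:

    Risk (as annualized loss) = Loss Event Frequency (LEF) x Loss Magnitude (LM)
    LEF           = Threat Event Frequency (TEF) x Vulnerability
    Vulnerability = P(threat capability > control strength)

Every input is a calibrated range (minimum, most likely, maximum), not a single
number. The scenario and ranges below are constructed for illustration only.
"""
import random
from dataclasses import dataclass
from statistics import mean, median, quantiles


@dataclass(frozen=True)
class Range:
    """A calibrated estimate: low, most likely, and high value."""
    low: float
    likely: float
    high: float

    def __post_init__(self):
        if not self.low <= self.likely <= self.high:
            raise ValueError(f"bad range {self}")

    def sample(self, rng: random.Random) -> float:
        # Triangular is a cheap stand-in for the PERT distributions FAIR tools use.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef_per_year: Range        # how often a threat agent acts against the asset
    threat_capability: Range   # percentile 0-100: skill and resources of the agent
    control_strength: Range    # percentile 0-100: what the controls resist
    loss_per_event: Range      # currency units lost per loss event


def vulnerability(scenario: Scenario, seed: int = 1, trials: int = 10_000) -> float:
    """P(threat capability exceeds control strength), estimated by sampling."""
    rng = random.Random(seed)
    hits = sum(
        scenario.threat_capability.sample(rng) > scenario.control_strength.sample(rng)
        for _ in range(trials)
    )
    return hits / trials


def simulate_annual_loss(scenario: Scenario, seed: int = 1, years: int = 10_000) -> list[float]:
    """One simulated annual loss figure per simulated year.

    Simplification: each year's threat events all face the same sampled control
    strength, so the year's LEF is either the sampled TEF or zero. A fuller model
    would draw an integer event count (e.g. Poisson) and test each event.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        tef = scenario.tef_per_year.sample(rng)
        vulnerable = scenario.threat_capability.sample(rng) > scenario.control_strength.sample(rng)
        lef = tef if vulnerable else 0.0
        losses.append(lef * scenario.loss_per_event.sample(rng))
    return losses


def summarize(losses: list[float]) -> dict[str, float]:
    """Annualized loss expectancy plus the percentiles a decision maker asks for."""
    deciles = quantiles(losses, n=10)   # 9 cut points: p10 .. p90
    return {
        "ale": mean(losses),            # annualized loss expectancy
        "p50": median(losses),
        "p90": deciles[-1],             # a "bad year"
        "max": max(losses),             # worst simulated year
    }


def assess(scenario: Scenario, seed: int = 1) -> dict[str, float]:
    """Full FAIR-style estimate for one scenario, keyed by statistic."""
    result = summarize(simulate_annual_loss(scenario, seed))
    result["vulnerability"] = vulnerability(scenario, seed)
    return result


# Constructed scenario (illustrative numbers, not real data):
# credential stuffing against a customer-facing web portal.
PORTAL_CREDENTIAL_STUFFING = Scenario(
    name="credential stuffing against customer portal",
    tef_per_year=Range(2, 6, 12),
    threat_capability=Range(30, 55, 80),
    control_strength=Range(40, 60, 85),
    loss_per_event=Range(5_000, 25_000, 150_000),
)


if __name__ == "__main__":
    print(PORTAL_CREDENTIAL_STUFFING.name)
    for key, value in assess(PORTAL_CREDENTIAL_STUFFING).items():
        print(f"{key:>14}: {value:,.2f}")
```

The point of the exercise is the output shape rather than the exact numbers: instead of "medium risk", you get an expected annual loss with a p90 and a worst case, and you can re-run it with the control strength range raised to see how much a proposed control actually moves the loss distribution.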
Supplemental Reading for this Domain
Network Security Bible - A great all-around reference book that can be used to supplement the material in this domain and many of the others. Contains wide coverage of a lot of topics.
Enterprise Risk Management - This book is one that I discovered earlier this year, and while it's a bit arcane, it covers risk management from a true enterprise perspective. It comes from the perspective of financial risk management, so it has a slightly different approach than most of the traditional information security books. I loved this one, but knew I was really on to something when I saw the book on Scott Blake's shelf when I interviewed with him recently - this is an important picture of risk from the executive perspective.