CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 282: CISSP Rapid Review (Domain 5)
Ready to master the critical domain of Identity and Access Management for your CISSP exam? This comprehensive rapid review demystifies Domain 5, which accounts for 13% of all exam questions—knowledge you absolutely cannot skip.
Dive deep into the fundamentals as we explore controlling physical and logical access to assets—from information systems to facilities. Discover how properly implemented controls protect your most sensitive data through classification, encryption, and permissions. As one cybersecurity veteran wisely notes, "It's all about the data," and this episode equips you with the frameworks to protect it.
The podcast meticulously unpacks identity management implementation, breaking down authentication types, session management, and credential systems. You'll grasp the differences between single-factor and multi-factor authentication and understand why accountability through proper logging and auditing is non-negotiable in today's security landscape.
We explore deployment models that fit various organizational needs—from on-premise solutions offering complete control to cloud-based options providing scalability, along with the increasingly popular hybrid approach. The episode clarifies authorization mechanisms including role-based access control (RBAC), rule-based access control, mandatory access controls (MAC), and discretionary access controls (DAC)—essential knowledge for implementing proper security boundaries.
Particularly valuable is our breakdown of authentication systems and protocols—OAuth, OpenID Connect, SAML, Kerberos, RADIUS, and TACACS+—demystifying their purposes and applications in real-world scenarios. Whether you're a seasoned security professional or preparing for your certification, this episode delivers the practical knowledge you need.
Ready to accelerate your CISSP journey? Visit CISSPcybertraining.com for free resources including podcasts, study plans, and 360 practice questions—plus premium content with over 50 hours of focused training. This episode isn't just exam prep; it's a masterclass in identity and access management principles you'll apply throughout your cybersecurity career.
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go.
Speaker 2:Hey, I'm Shon Gerber with CISSP Cyber Training and this is CISSP Rapid Review Exam Prep for Domain 5, Identity and Access Management. If you're new to this, this is the CISSP Rapid Review for the Domain 5, and we have all eight domains on CISSP Cyber Training. So if you are wanting to get that quick last minute review before you go take your CISSP exam, this is a great tool for that. And this is domain five to kind of go over what you should expect to see in the domain five aspects. So let's roll into what we're going to talk about today. So domain five, as you can see in this chart, basically covers 13% of the questions you will get for the CISSP will be covered in domain five. So, as we talked about before, this is a pretty even split amongst all the questions and you really can't just say, well, I'm going to skip domain, let's say two, because there's not that many questions. You really can't do that, but it's a well-defined list of questions that you will run into. Now you can get all of this at CISSP Cyber Training. You have weekly resources that are all available to you that are like over 250 episodes of podcasts that are there. I have a three to five month study plan that's available to you and there's a 360 study questions as well as various stuff on my blog and my YouTube channel. That's all the free resources that are available to you and I continue to add more ongoing each and every week. As it relates to the paid resources, there's over 50 hours covering all the CISSP content, 1500 plus CISSP questions. There's audio and video content, there's deep dive topics and mentorship. All of that's available to you at CISSP Cyber Training. So, again, that's the paid resources. But it's pretty amazing, guys. I mean, realistically, this is all the information you need to study and get ready for the CISSP exam. So if you go through this information and you take it to account, you will pass this exam.
You really truly will. So, bottom line, go to CISSP Cyber Training and check it out. Okay, let's move on to domain five. All right, so this is Domain 5.1, Control Physical and Logical Access to Assets. So we're going to start off.
Speaker 2:We're talking about information systems and devices. Now, information this is implementing the controls to ensure that only authorized individuals or processes can read, modify or delete sensitive information or data. This is what is important around the information pieces of this, and this is achieved through data classification, encryption and permissions that are set up specifically on files, databases and the applications themselves. The bottom line is the information is extremely important, and a friend of mine told me this a long time ago. It's all about the data and you really want to have good controls in place allowing these authorized people to read, modify or delete the sensitive data. If you don't have these controls in place, it opens you up to a substantial amount of risk to your organization, and this again is done through classification, encryption and permission settings. Now, systems these are managing who can log into, execute commands on or configure these systems specifically, and this involves operating system level controls, application level access and network access specifically. So these are the systems.
Speaker 2:Now we're talking about the devices. This is controlling the physical access right. These are the locked offices, the device encryption all these are these physical devices that are set up specifically and the logical access to operate these systems or managing the interfaces that are tied to them. This applies to workstations, mobile phones, servers and network equipment. So you get your information, your data, then you have the systems that are. Everything is kind of tied to. This is the application level stuff and then you have your specific devices themselves, which is your workstation servers and your network equipment.
Speaker 2:So now we're going to talk about facilities. This is implementing physical security measures to restrict entry into locations that contain or house the information systems that you're currently working with. This could include fences, guards, locks, access cards, biometrics, surveillance cameras, etc. So this is what controls the physical access to these facilities and you need to understand how these all work together and how they all tie together. How are guards involved? How are access cards? How are biometrics? Are they good, do they work, do they not work, and so forth. Applications: this is managing the user authentication and authorization within the application itself, and this is how is it taken care of and managed, and this defines the functions, users, what they can perform and what data they can view or modify based on their specific role. Now we talk about the fact that the application is an important part. It's probably one of the most crucial parts of this, but they all work together as a kind of a triad, because if you don't have the physical aspects taken care of from the facilities getting in, if you don't have the operating systems taken care of, if you don't have the applications taken care of. All of these things build upon themselves, so any one of them can lead to and create more problems and challenges to you and your organization.
Speaker 2:Domain 5.2, Manage Identification and Authentication of People, Devices and Services. So identity management implementation. So this is the framework. IDM is a framework for managing digital identities through their entire life cycle. And when we talk about a life cycle, what does that mean? It's a big word that people go. You have a life cycle for this. No, it's how things are created and they go to the end of the beginning to when they actually go and terminated and are basically erased. The point of it is that you want to have a beginning and the ending thought out from the beginning through to the end. This includes processes for provisioning, deprovisioning, modifying user accounts and their attributes that are associated with it, and again, this can be very daunting and I recommend, as you're going through this as a security professional, you need to consider.
Speaker 2:What step do I want to do first? Look at this as a journey. This is not something you can do overnight. You need to really understand the lay of the land and then start in your life cycle journey around managing identifications. Now you have single and multi-factor authentication. Single factor is authenticating with one piece of evidence, i.e., just a password. Multi-factor authentication is with two or more distinct types of evidence. Something you know, something you have, that's your MFA. An MFA will significantly enhance security by requiring multiple forms of verification. Now, is the MFA perfect? No, and especially when you consider texting as an MFA option, it is not perfect, but having multiple different ways to authenticate you is an important factor and in the CISSP, you're going to have to understand what are some of the different multi-factor options that you have.
Speaker 2:Accountability ensuring that actions are performed by an individual or entity can be uniquely traced back to them, and this is where, specifically, you have your applications, your different types of units that you're using, the different systems you're using. They need to be able to have identifiably back to you. One example that would be a challenge is if you have a username that is shared amongst all many people and there is not a unique password for each individual username. That's another one that could be. That really limits your accountability. And this is achieved through strong authentication, unique user IDs and a comprehensive logging and auditing system. Now, again, we talk about this. This is very broad and this is very generic, but you want to make sure that you have. What you have in place is the beginning phases of this. From the point that you start this process, you have an auditing process in place, you have a logging process in place and then, at the end of all of it, you have the ability to kind of provide these metrics and this data for your senior leaders and for yourself to understand what you're actually trying to measure.
Speaker 2:Now, session management this is the process of securely managing a user's interactive session with the application or system. This includes session ID generation, secure transmissions, expiration and the invalidation to prevent session hijacking or replay attacks. You have to have the plan to be able to do this, to control the sessions of your employees and of the systems that are working on. If you have a service accounts and so forth, you need to have a way to generate or to basically limit the ability for these devices to be able to use these sessions.
Speaker 2:Now registration, proofing and establishment of identities this is registration. It's the initial process where the user provides information to create an identity. You have to begin this process right. When you log in and you go to a company, they give you a registration process, by which you then would actually become part of the company and you will have your username and identity, username password and so forth. Proofing this is where you verify the authenticity of the identity presenting during the registration. Again, government ID cards, background checks, things that provide that, you provide that prove who you are Social security cards, birth certificates, etc. The establishment this is the creation of a digital identity within their system. After successful registration and proofing has completed. This is the establishment of the identity and, again, these are really important that you have a good process in place to do this. Now, there's gonna be plenty of accounts that you have within your company that won't have an identity that tied to them, but you want to have, at least with your users, a good path and a good plan for this specifically. So, again, when the CISSP is going to talk about this, they're going to be asking you what is registration? What is establishment? Are you connected with how that works? They're going to give you a scenario on how this would potentially happen and then you, in turn, would go and say is this true, is it not? How would I understand the establishment of my identity and access management process within my company?
Speaker 2:Federated Identity Management, FIM. This allows users to authenticate once with a trusted identity provider, IDP, and then access multiple service providers without re-authenticating. So your company may have an IDP and this is where they would federate that information of your identity to multiple other service providers, and this all you have to do is authenticate one time, and this enables cross-domain identity sharing and management and it does allow for a much more seamless and better user experience for your people. Credential management systems: these securely store, manage and distribute user credentials, i.e., passwords, keys, tokens, anything like that is being stored and then distributed through a credential management system. This includes features for password vaulting, automated password rotation, just-in-time credential access. A good example of this is CyberArk. They have a really good process in place for this as well, and I don't think CyberArk got bought by somebody recently for gazillions of dollars, so very, very good company.
Speaker 2:A user authentication process that allows users to log in with a single ID and password to gain access to multiple related but independent software systems. This is SSO and this is basically. You'll see this in a lot of different places with just your one single ID and that password and allows you access in. Google is a good example of that. You log into Google, it can gain you access to various other areas because it's a service provider and it passes those federated credentials throughout the entire cycle. This enhances user convenience and it can improve security by reducing password sprawl or password reuse. A lot of people reuse passwords on a routine basis.
Speaker 2:Just-in-time access this is a security principle where access privileges are granted only when needed for the shortest possible duration. This is a really good thing. Now, just-in-time access can be very, very secure. It also can be very complicated and can break things. So you have to have a good plan of how you want to deal with just-in-time access. It minimizes the window of opportunity for attackers to exploit the standing privileges that are there, and then particularly for privileged accounts. And one thing is potentially like just passing the hash. This would be mitigated with. You wouldn't have pass the hash issues, because it's just provided for the information that you have for that moment and then it goes away for any other access. So just-in-time access is a really good thing you can put within your organization if you have the ability to do so.
Speaker 2:Domain 5.3, integrate identity as a third-party service. So we have the on-premise of the IAM deployment model. This is where identity and access management infrastructure and the services are hosted and managed entirely within the organization's own data centers. This provides full control over systems, but requires significant capital expenditures and operational overhead. So when you're dealing with IAM, deploying it within your own organization, it does work really really well, but it is extremely expensive. So a lot of times smaller companies will just go with a service provider to help them with that, such as they'll use Google or they'll use some other authentication mechanism to provide this. But if you want to put it within your own company, you would need the infrastructure and the services behind it, along with the people that understand how to deploy it. But it does allow full control over the data and the systems, but it is a significant capital expenditure and operational overhead.
Speaker 2:Cloud IAM deployment model this is where identity and access management services are provided by a third-party cloud provider. This is identity as a service. So they have it in the cloud and you're using their model. You don't have it on prem. You're not using necessarily Google. I mean, you are kind of using Google because it's acting as this, but let's just say that you have a cloud provider. You have ping in the cloud. That is their model. Then there's a third-party cloud provider that's providing this identity as well. This offers scalability, reduced infrastructure costs and often integrates easily with other cloud applications. Amazon has the ability to do that. You can use Amazon's products as well. So there's that process that's set in place.
Speaker 2:Hybrid: this is where it combines on-premises and cloud IAM solutions, often synchronizing identities between two environments. So this is where you work between both the cloud and the on-prem solutions, and it's common for organizations with existing on-prem infrastructure that are migrating to cloud or using multiple cloud services. So you have your on-prem, your cloud and your hybrid. Domain 5.4. So this is implementing and managing authorization mechanisms. So we're going to get into role-based access and the different types of that, and then rule-based access as well. So, role-based access: this is where access permissions are grouped into roles, i.e., like an analyst, a manager, administrator, air quotes God. Yeah, you're not going to put that, that would be a bad idea, but they're different, grouped into different roles. The users are assigned these roles and these roles are assigned permissions to the various resources. Again, this is a great process, but it does take management and it does take the ability for you to have a good coordinated plan around doing so. It simplifies the management into large organizations by abstracting permissions from individual users. So, again, very good process works really really well, but it does take something to implement.
Speaker 2:That's RBAC. Rule-based access controls: this is where access is granted or denied based on a set of predefined rules and/or conditions that you may have in place. The rules are often based on attributes of the user's resources or environment and basically an example would be allowing access to financial data only from internal IP addresses during business hours. So you can see the big difference. Right, your analyst has access to these specific systems, which is very granular. Then now you have a little bit not so granular aspect to it. Now, rule-based access controls can be very useful, especially if you're not dealing with individual user accounts. If you're just dealing, maybe, with a service account, you may want to put definitely want to put in a rule-based access controls, depending upon what data you're actually using. Now you also have to understand, based on risk, you may not be able to put rule-based access controls everywhere, and the same with RBAC, you may not be able to do that. So therefore, you need to understand the overall risk to your organization and then put these different types of controls in place based on the risk to your company.
Speaker 2:Mandatory access controls MAC this is access decisions are enforced by a central authority, basically an operating system or of the kernel, and it's based on the security labels assigned to the subjects and the objects. Users cannot override these controls and they're usually used for high security environments such as the military or the government. These are mandatory access controls that are in place. It will deal a lot. An example with potentially is around multi-level security systems, such as secret, top secret, confidential. That's where mandatory access controls do come into play. They are enforced by a central authority. So, as an example, at the central, if I'm dealing with a security systems computer like top secret, secret type of systems, I do not have the authority to make any changes on those. Those are all changes. All the controls are pushed down from a central authority, a central management system.
Speaker 2:Discretionary access controls these are the owner of the resource or object can grant or revoke access permissions to other users or, your quote, subjects at their own discretion. It's common in many commercial operating systems and the applications that are associated with it. So you're allowing individuals, the owner of that data, to grant or revoke the permissions. The downside of DAC is that people just don't pay attention to it and they just grant access to everyone. That's a problem, right? So you have to have a real good thought process out of what you're going to allow individuals to have access, to allow them to use discretionary access controls. So, as an example, a user can create a file and then decide who can read, write or execute that file. So discretionary access controls again, they play a part in this entire process. But you need to be very control on these different types of controls. Uh, and rather than most companies just say, well, you know what, we're just going to use discretionary access controls everywhere and you can take care of it, your data, you work through it. It's a bad idea, really bad idea. So having a good plan in place is imperative.
Speaker 2:Attribute-based access controls, these are ABAC. Access is granted or denied based on the evaluation of attributes associated with the subject, the object, the action and the environment. So, again, that's based on this situation of the overall attribute. You may find these are highly flexible and dynamic and they allow for very granular access decisions based on complex conditions. So, as an example of this, you would allow any user with the air quotes manager role or from marketing and from the marketing department to approve the expense reports if the amount is less than $500. So there's very granular controls that you have put in place based on the attribute that you're coming up with. These are good. But I'm just going to be very transparent. They can be extremely challenging to try to negotiate when things don't work well. You may put them in place, they work great for a while, but then you may be not like me, but I forget what I did yesterday and then all of a sudden something breaks and now you're trying to remember why did I do this? So attribute-based can be a bit of a challenge.
Speaker 2:Risk-based access controls: these are access decisions are made dynamically based on real-time assessment of the risk associated with an access attempt. Now it considers factors like user behavior, device posture, location and time of day, the sensitivity of the resource being accessed as well. So an example would be a user's attempting to log in from an unusual location and might be prompted for additional MFA type or authentication aspects to gain access to the information, or maybe denied access entirely. So these are really good. Again, they don't fit every need, but if you have a very global company, you're going to want to consider some level of risk-based access controls, and understanding the behaviors, the device posture and the location of the day is really, really important. Now, can this be spoofed? Yes, can it cause issues where it says, especially if your network is maybe the VPNing in, does it give you wrong type of information? Yes, that can happen. But again, you have to decide the risk that you're trying to associate or trying to protect against and then determine is this an important part of your company? So, again, risk-based controls are important and I highly recommend them, but you do need to have a really good understanding of the data and the systems that are critical within your company.
Speaker 2:Domain 5.5, manage the identity and access provisioning lifecycle. So, account access review. This is the users, the systems and the service. You regularly review users, systems and service accounts to verify that the assigned access privileges remain appropriate. This is you going in and checking the accounts on a routine basis. You identify and remove dormant, unauthorized and ones with excessive permissions. You should be doing this on an annual basis. You may do this more than that, depending upon the systems and the data that's being controlled. But you should at least look at this on an annual basis. The first time you do it, if you're just coming into an organization, it may get very painful, but if you do it annually, it is a very quick and easy process.
Speaker 2:Provisioning and deprovisioning: this is the on and off boarding and transfers. This is provisioning, basically is granting access to new users or systems based on their defined roles and needs. So you're onboarding an employee. This is where you'd be provisioning them something, granting them access to it. Deprovisioning is you're revoking all access privileges when the user leaves an organization or the system is decommissioned. That's what they call offboarding. Some people just say exiting, so you could do the one, but the bottom line is you need to have something in place for provisioning and deprovisioning. Now you also need to consider transfers. This is where someone moves within a company and modifying the access rights promptly when the user changes roles or the department. Transfers are a huge thing and that's where we talk about, in CISSP Cyber Training, credential creep. You will get a lot of credential creep where people will gain access to something they should not have access to because they moved to a new role and then they didn't lose the access they used to have and they keep that access, and that's bad. So seen it happen time and time and time again. So credential creep is a real problem.
Speaker 2:Role definitions: this is where people are assigned to new roles. You clearly define and document the specific permissions associated with each role within the access control model. So roles are defined, you understand those permissions tied to those roles and each one is understood and well-defined within your organization. It ensures that when individuals are assigned new roles, their access is updated to reflect only permissions required for that new role. There's some great tools out there that can help you with that, and it's automated tools, but they have to be more or less kind of integrated into your HR system. They are awesome, but they're very painful if you're trying to bolt them on after the fact. SailPoint, I think, is one that does a really good job, but you do have to have a good plan in place to work with these guys. If you can bring them in at the beginning, that's awesome. The problem is they're very expensive and so a lot of times they get avoided till the end and then, when there's a problem, then they're brought in.
Speaker 2:Privilege escalation: this is where you're managing your service accounts using the use of sudo, like in Unix systems, which is supervisor do something along those lines. I can't remember. Yeah, supervisor do or super user do. Those are the pieces where you're allowing elevated privileges to be using. You should minimize its use. Obviously you don't want your domain level privileges to be used on a routine basis. Those should only be in case of emergency break glass kinds of things. The process these are the process by which users or attackers will gain access to privileges more than they're initially authorized. So they will use this. They will migrate from one place to the next place. The next place to try to gain access to increased user accounts and therefore and they will not necessarily use our accounts could be just any account to escalate the privileges they have. Management practices include using managed service accounts, strictly controlling and auditing the use of tools like sudo or similar commands, and minimizing the standing administrative privileges. So this is an important part to watch out for privilege escalation within your company. I highly recommend that if you're a large organization, you consider doing a red team to your company in certain areas that you feel are your highest risk. It will go a long ways in making sure that you have the proper protections in place for your data.
Speaker 2:Domain 5.6, Implement Authentication Systems. So OpenID Connect, OIDC, and OAuth, open authorization. For the CISSP, you're going to have to know each of these and understand how they're being used. OAuth is an open standard for delegated authorization. It allows users to grant a third-party application limited access to their resources or other services. A good example of this would be the photo app accessing Google's photos without basically sharing your credentials. That's the goal, right. So it allows you another service. It doesn't share your credentials, but it gives you delegated authorization to do so.
Speaker 2:OIDC is an authentication layer built on top of OAuth 2.0. So OIDC and OAuth do work together. You can have OAuth separate from OIDC, but OIDC needs to have OAuth 2.0. It allows clients to verify the identity of the end user based on the authentication performed by the authorization server, as well as to obtain basic profile information about the end user. So again, it adds a little bit more granularity on top of OAuth and it gives you with the user and the identity of that individual.
Speaker 2:Security Assertion Markup Language, or SAML. This is an XML-based open standard for exchanging authentication and authorization data between the IDP, which we talked about as the identification provider and the service provider. So when you have the IDP and the SP, this is where SAML comes into play and it will help exchange authentication and authorization information. It's primarily used for federated authentication, such as single sign-on. You'll see SAML in some of the questions that may come up, so you need to kind of understand how would SAML be integrated with your IDP and your SP, just to make sure, as they're asking this question, you truly understand what they're asking for. So this is done in web-based environments and allows users to log in once and access multiple applications.
Speaker 2:Kerberos. It's a network authentication protocol that uses secret key crypto and it provides strong authentication for client/server applications by providing their identity to each other across non-secure network connections. It relies on trusted third parties, such as a key distribution center, and it also issues tickets for authentication. It's common in Active Directory environments, so Kerberos has been around a long time and it is used a lot, especially with your AD environments. So you need to understand the use of crypto. Kerberos is not going away, so you need to really, truly understand how Kerberos works within your environment and how it could work within an Active Directory environment.
Speaker 2:Remote Authentication Dial-In User Service, RADIUS. Yeah, as you notice, people don't say Remote Authentication Dial-In User Service a lot. You'll hear them say RADIUS a lot, but not those big, big words. No, they don't say that. And then you have TACACS. I actually did a podcast out there on RADIUS and TACACS specifically. That was done. This was a good one to kind of go back to and it'll help you specifically around this. But TACACS is your Terminal Access Control, Access Control Systems Plus. Yeah, lots of big words. It's very confusing. But just remember RADIUS and TACACS Plus.
Speaker 2:RADIUS is a widely used networking protocol that provides centralized authentication and authorization and accounting (so they call it AAA, right?) and management for users connecting to the network service. So it's basically, it's widely used for any sort of networking protocol and it provides a centralized management for users connecting to the network service. RADIUS, it's a widely used networking protocol that provides centralized management for users connecting to a network service. You'll get this centralized authentication, authorization and accounting, which is AAA. This is what is used specifically for that and it's often used for network access, such as in Wi-Fi or VPNs. You'll get that in a lot of small networks. Well, not even small networks. You'll get them in large networks as well, but the use of RADIUS is widely used.
Speaker 2:TACACS is a Cisco proprietary protocol that provides AAA, which we talked about: authentication, authorization and accounting services. It separates authentication and authorization and accounting into distinct processes, not just one. It also offers a much more granular product than RADIUS, particularly for device administration. So you'll see RADIUS and TACACS. I've seen RADIUS is used in a lot of older type systems, definitely a lot of older systems, and then they've migrated to a TACACS type system. You may get them both in your environment. In the enterprise I was in, I had RADIUS and I had TACACS that were both working together in the same enterprise. So you're going to see them in a lot of different places. But you just need to understand what is the difference between the two. RADIUS is focused on authentication, authorization and accounting, right, and it deals with Wi-Fi and VPNs. TACACS is, this basically just gives you more granular access to the same types of contact that RADIUS would give you.
Speaker 2:Thank you again for joining me on Rapid Review Domain 5. I just wanted to do a shout-out again: CISSP Cyber Training. Head on over to get my free resources that are out there. I've got podcasts, I've got study plans, I've got study questions. There's tons of stuff that's available specifically for you at CISSP Cyber Training to help you pass the CISSP exam. There's also paid resources. I have over 50 hours of content that's focused specifically around the CISSP. I got over 1,500 CISSP questions. I have curated audio and video content, mentorship. All of that stuff is available specifically for you at CISSP Cyber Training, whether it's free or it's paid. There's all kinds of stuff that's available. Just go check it out: CISSPCyberTraining.com.
Speaker 2:Okay, thank you all for joining me today and have a wonderful day, and we'll catch you on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.