Review - CISSP Exam Guide Fourth Edition - Chapters 4-5
Synopsis: It's the first time I decided that I had to cut a book into parts to actually read it! Yes, I took the biggest knife I had at home and cut the book into 5 parts.
The second part of the book is an even bigger disappointment than the first one. I read chapters 4 to 5, which amount to about 250 pages.
Chapter four is a very vague description of access control methods in the organization. It is a ton of fluff with very little real, concrete information.
Chapter five is about security architecture, but I am very confused by the selection of topics within. The author jumps between access control, memory chip types, read-only devices, memory management, stacks, CPUs, security models and so on.
From a very high-level, no-details-at-all nonsense book it suddenly becomes an introduction to operating systems. All of a sudden you feel like you are in your third year of college again.
I am not saying it's a bad thing, but I really feel the book has no good structure and contains huge amounts of useless words. CISSP is considered to be an exam for security professionals. You need at least 5 years in IT security to even take the exam. So if you can't even take the exam as a noob, why would you need to read all these basics? Is it not a bit too low on detail and too basic?
Chapters again are too long. Paragraphs drag on forever even though they have one sentence of real meaning. Examples and explanations are simplistic, and the anecdotes are just an insult to the reader's intelligence.
The funny thing is how the authors try to explain away criticism of the overly high-level nonsense: "Based on author's experience, most technical people have a negative visceral reaction to models like this. They feel it's too much work, that it's a lot of fluff, is not directly relevant, and so on. … This is because they are technology focused and they do not understand all the other components of security, which are just as (or more) important than technology".
Yes, I think it is irrelevant; yes, it is fluff; and yes, it is 'and so on' ;-)
Why do IT people despise models, methods, processes and other junk? Because they are not stupid and they can see the difference between knowledge and fluff. Most technology people come from math, physics or electronics backgrounds. They are used to strict thinking: theory, proof, solution.
Of course you need procedures, backup plans, failure scenarios, risk assessments, projections, audits, policies etc., etc. What you do not need is a bunch of people with shiny job titles trying to earn money off you. What you do not need is people who may not really understand many of the things they are talking about.
So far my respect for the CISSP exam and the book's authors is decreasing fast.
To summarize, these chapters are just poor.
Partial Book Score: 4/10