How Do You Know if Your Experience Is Good for Cissp

The Certified Information Systems Security Professional (CISSP) is a very well regarded qualification from (ISC)2 ("ISC squared") that, importantly, seems to hold its value.  I attended a six-day intensive training course for the CISSP run by a company called Firebrand, and was privileged to have my costs paid by my employer thanks to some funding made available by the Local Government Association.  This was a residential course and, given the pandemic times we live in, I made a point of checking the venue was "covid secure" before I travelled.

What do you mean "holds its value"?

Qualifications can see their value drop over time, the same way that a car's value depreciates.  In the case of technology qualifications it can be as simple as the information from the qualification being largely no longer used, for example a Windows NT4 MCSE [1].  The CISSP teaches processes and methodologies, rather than literally how to accomplish a specific task, and so doesn't devalue in the same way.

I can say that I've seen old CISSP exam style questions that did test you on how to perform a specific task and that did have me concerned.  During a practice test I saw a question about the pop-up blocker in Internet Explorer, a browser I've not used in anger since IE6.  Fortunately that seems to be gone now.

OK, but what is the CISSP?

There are eight domains in the CISSP certification that you must show proficiency in, listed below.  It should be noted the CISSP is a management qualification and not a technical one, so while there are technical elements you're not taught how to build a secure system but are shown how to design one.  That sentence probably worked better in my head but hopefully it makes sense.

Importantly, the CISSP teaches you that the security team is there to facilitate the needs of the business, not to hinder the business.  Sadly IT and security teams are often considered blockers to business goals and I've certainly had to adjust from saying "no" to "yes, but I recommend you do it like this".

The domains are:

  1. Security and risk management
  2. Asset security
  3. Security architecture and engineering
  4. Communication and network security
  5. Identity and access management (IAM)
  6. Security assessment and testing
  7. Security operations
  8. Software development security

Pre-study

While not mandated by Firebrand I took it upon myself to do some pre-course study.  As a subscriber to Pluralsight I'd found a good CISSP course path by Kevin Henry so I spent some time watching those videos.  I was a passenger for some long car journeys so was able to use the time studying rather than watching the world go by at 70 miles per hour.

I'd also been studying for Cisco's Certified Cisco Network Associate (CCNA) which helped with domain 4 (communication and network security) and worked as a network & security engineer in my previous role.  Courses as part of my Master's degree also helped with a number of the domains and I have lectured in some of them too, so I was feeling reasonably confident.  Quite by chance I'd proofread a book on DevSecOps at the end of August[2] which helped with domain 8 (software development security).

Arriving on the Sunday night I attended the opening lesson where we were handed our books and stationery[3] before cracking straight on with domain 1 (security and risk management).  After that, lessons started at 08:00 and finished at 18:30 with one hour for lunch.  Don't be fooled by what looks like a nine-and-a-half hour day though; the expectation is that you study further in the evening.  Revising the previous domain, or two, is certainly recommended.

Progress during the course itself was swift, so for those that don't work in security you may want to opt for either a lot of pre-course study or avoiding an intensive course.  There wasn't a lot of time to go back over material during lessons but the tutor did make himself available in the classroom each evening to help with that.

Preparation material

As part of the course we were each given the official (ISC)2 student guide, a behemoth of a tome at over 750 pages.  It's a weighty volume, as demonstrated to my daughter by dropping it on the floor when I got home - it made a reassuring thud.

The green and white front cover of the Official (ISC)2 Student Guide.

Also provided were some revision questions, the first set of which we were actually asked to do before we properly started the course on the Monday.  I was pleased to score in the 60% range.

The exam

From the experience of past colleagues I knew the exam was likely to be tough, but fortunately it's changed since they sat the paper.  The exam used to be six hours long and included time for you to go back and review your answers.  That's no longer the case for people doing the exam in English[4] as the exam is now adaptive.

An adaptive exam is one that changes the questions based on your previous answers.  For example, if you answer a question on domain 3 incorrectly your next question on that domain will be easier.  Conversely if you answer correctly your next question in that domain will be harder.  As a result you cannot go back.  This caught me out once (that I know of) when I clicked submit and then realised I'd picked the wrong option.

It's widely said that you'll feel like you're failing during the exam and I definitely fitted into that bracket.  You sit a minimum of 100 questions and a maximum of 150, and 25% of the questions you answer won't count (they're beta questions for future exams).  Your exam will finish when you either have enough points to show you're good in each domain, run out of questions, run out of time (3 hours) or the software determines that you cannot pass with the questions remaining.  I finished dead on 100 questions and assumed I'd failed, only to be told I'd passed.  Moreover, I'd passed in 75 questions as 25 of them wouldn't have counted.  Happy days :) .

Isn't the CISSP American?

(ISC)2 is an American organisation but the CISSP has very much diversified to encompass more than just American law.  European topics such as GDPR are covered in the syllabus, for example.

Working through some practice papers courtesy of the CISSP Official (ISC)2 Practice Tests (available on Amazon) there were a lot of practice questions on US law but this didn't seem to be the case for the actual exam I sat.

Exam tips

Obviously I can't discuss the questions in detail, I'm bound by a non-disclosure agreement and the (ISC)2 code of ethics, but some tips I can share:

  • You definitely need experience of working in the field - the book alone is unlikely to pass you
  • It's worth knowing about some laws (e.g. Sarbanes-Oxley Act (US) and the GDPR (Europe)) and the difference between trade secrets, patents and copyright
  • Don't argue with the question[5], it may not be what you'd do in practice but you need to follow the (ISC)2 scenario
  • If the question asks what's the first thing you'd do, the answer could be to assess the situation (a tip from our tutor)

Endorsement & annual maintenance

Once you've passed the exam you're not certified until you've completed the endorsement process.  A requirement is that you have a minimum of 5 years paid work experience in at least two of the CISSP domains.  As part of the endorsement process you have to pay an annual maintenance fee of $125 (about £96 at the time I paid) and you'll then hear if your certification has been approved, at which point you'd become a member of (ISC)2.

Each year you have to gain 40 points of continued professional education (CPE) which can include attending events, online training or writing professional blog posts.  I'm hoping some of my posts on this blog will count (technical ones, not ones about my pen collection!).  If you've not amassed the right number of CPEs over three years (120) you'll need to resit the exam.

Conclusion

I certainly enjoyed getting my teeth into the course although it was definitely hard work.  In theory the CISSP will stand me in good stead for future jobs and the certification tends to command a higher salary in England (no bad thing) but I doubt I'll see a change in my wages at work.  I've certainly had to change some of my thinking away from being in "the team that says no" to "the team that helps them be safe for themselves" - a useful lesson in itself I feel.


Banner image: Part of the official (ISC)2 CISSP student guide.

[1] Microsoft retired the NT4 exams in 2000.

[2] I'll release details on that once it's published, but for now I'm under a non-disclosure agreement.

[3] Regular readers will have correctly guessed I took my own fountain pens and paper with me.

[4] For speakers of other languages the exam is still "linear" meaning you have a maximum of six hours.

[5] A tip from my non-CISSP boss, because he knows what I'm like!


Source: https://blog.jonsdocs.org.uk/2020/10/11/my-cissp-experience/
