2/8/11

CISSP Obtained

It's been awhile since I've connected with this blog, I figure I should update it a bit. After roughly 8 months of study I tested and obtained CISSP certification. I view the certification as a rigorous process that covers many different facets of security. In my IT circle of friends I'm commonly asked about the exam's difficulty as well as what advice I could give for anyone interested in taking the test. I offer the below tips that I've collected both of my own experience and helpful advice from others. This will be a little more advanced than my previous postings, so I apologize if this goes over some people's heads. Stay tuned, I plan on getting back into the swing of things with regular security updates.

The Exam:

The single most important thing when taking this test is to be prepared. One of the first things I set out to do was figure out what made the exam tick, so here are the basic stats:

You are given six hours to complete the test, and I clocked in at roughly four with my brain feeling scrambled.
The test consists of 250 questions; 25 are used for research and won't be graded.
At the time I took the test, it was a pencil and paper test. You were not able to take the exam via a computer like most tech certs, so make sure you are accustomed to the old Scantron/test book formula.
Six hours is a long time, but you are allowed supervised breaks.
The test will be proctored so there will be a person in front of you most of the time and possibly people walking around answering questions and monitoring.

Tips: Make use of breaks. After I went through the test book the first time I was feeling a little nervous and antsy. I took a restroom break and it dramatically put me at ease. Within a few minutes my head was clear and ready to focus.

Eat a decent breakfast and try to get some sleep the night before. This is easier said than done when you are nervous about whether or not you've studied enough. The more rest you get and the better your breakfast is, the better charged your batteries will be on test day.

Bring a snack. Although I didn't end up eating the one that I brought, it was nice to have it there just in case. If you are feeling run down and ready to bash your head on the table in frustration, it's a good excuse to leave the test for a few minutes and refocus.

Network with people prior to test start. Chances are you'll be early and surrounded by equally nervous/excited people; use this time to meet others, find out what they do for a living, and share some of your study methods. Networking is huge in IT security, and oftentimes more important than the cert itself!

Bring three or four sharpened pencils and a large eraser, as well as a pencil sharpener. Likely you will be given pencils to take the exam; as one fellow said as they were passing them out, "This is the most expensive pencil I've ever bought!" But just in case, it's good to be prepared. I went through two sharpened pencils while taking the exam. By the time you are done marking the test book and Scantron you might go through as many as three. The psychological impact here is that you've taken care of all the ancillary worries and are freed up completely to focus on the test. Don't forget your forms of ID and exam forms as well.

How to prepare for the exam:

This section is a bit subjective. We are all different learners, and what worked for me may not work for anyone else. I logged about eight months' worth of study time. Others bragged they prepared for less than a few weeks. Don't let the length of prep time discourage you. Since this test is pricey, it's better to err on the side of caution. It's possible I could have passed with only four months of study. Given the test schedules in my area, I made good use of the time between when I scheduled and test day.

I recommend the following books:

Shon Harris' CISSP All-In-One
The Official ISC2 Guide to the CISSP CBK (2nd edition at the time of this writing)

Go with the most current versions of the books that you can. I read them cover to cover, and if you need a cure for insomnia look no further...

I can't recommend one book over the other, as I felt that both overlapped in some areas but also worked together to fill in gaps. It's a small investment when you consider the price of the exam.

I didn't attend any bootcamps, nor did I do any video training. Both were out of my price range, as I personally funded my exam and self-study. If you have the cash to front for video courses, I'd say go for it. It can't hurt anything besides your pocketbook. I've used CBT Nuggets for Cisco training and was quite pleased with how their system was set up. I can't vouch specifically for their CISSP videos, but they do a good job. I've been told that Shon Harris' videos are well done as well.

My personal feeling is to avoid bootcamps for this particular exam. There is just far too much material to cover to cram it all into a few days. I have heard people touting success after doing self-study and then using a bootcamp as a refresher shortly before taking the exam. So if you are dead set on one, it works as a good complement. Just don't use it as your only course of study.

Know the domains! No matter which method of study you use, learn the domains like you've learned the OSI Networking model. It's so important I'm going to list them below.

Access Control
Application Development Security
Business Continuity and Disaster Recovery
Cryptography
Information Security Governance and Risk Management
Legal, Regulations, Investigation, and Compliance
Operations Security
Physical (Environmental) Security
Security Architecture and Design
Telecommunications and Network Security

Once you are armed with the CBK (Common Body of Knowledge) domains and have read through the above books, you can start to speed up your study methods.

Hit up http://www.cccure.org/ and invest in their practice tests. I was lucky, as back when I studied their practice test engine was free. It's a decent set-up, with test questions written by the community to test your understanding of the CBK. This isn't an "actual test" engine; that would invalidate your certificate. Their forums are fantastic for answering questions and are a wealth of knowledge in and of themselves.

The practice tests are set up so you can pick which domains and how many questions you want. The important aspect is that they break down your correct/incorrect answers within each domain. Weak in Operations Security? Hit the books and study a little more, then take a new test to see how much you've improved.

Be mentally prepared for the wait:

After you take the test, do you think the worst is behind you? Unlike computer-based exams, there's a wait period of up to three months for you to get your results back. If I remember correctly, it took them six weeks to email me my test results. The wait is brutal: do you study in case you failed? Do you relax since you were so stressed out over the ordeal? Did they lose my answer sheet? The wait was the worst for me, and I found myself checking my email constantly. Don't be me. Try your best to forget it, and enjoy the results.

Nothing beats that moment when you read the email that says you have passed. I'll probably remember it the rest of my life, and strangely it had a much more emotional effect on me than getting my Master's.

But you're not done yet:

The next part can be difficult or easy depending on whether you know a CISSP. You now must find a CISSP to vouch for you, review your resume, and validate that you have had five years' worth of full-time security experience in two of the ten domains. Chances are if you've been in the industry for five years this won't be a problem. If you don't have five years, you can still qualify as an Associate of ISC2 until you reach the five-year mark. The entire process is pretty painless, but it will take a few more weeks before you can send off for your certification.

Good luck everyone, it's a long but worthwhile journey!