I've waited long enough

[boldin]

Time to hunker down and finally take the CISSP. I've got the big yellow official book already, only to find out today that there's a black 2nd edition out. I use cccure.org for their material. I've also got one other book - can't remember it off hand.

Does anyone have any advice, recommendations, etc.?

I've heard a few rumors about the test, as follows. Can anyone confirm/deny any of these for me?
1. Answer like a manager (from a manager's point of view).
2. The answer will be what ISC2 wants, not necessarily what is best practice or used in the real world.
3. The more general (least specific) answer is usually the right one.

Anything else I should know?

Thanks everyone...

[ShadowPeak.com]

The best way to think of the CISSP material is being 100 miles wide but only an inch deep. You need to know a little about a lot. When I obtained my CISSP in 2001 there weren't any prep guides other than a recommended reading list of 40-50 books published by ISC2. In my opinion it is most important to objectively determine which domains you are weakest in and study up on those areas. It is also important not to wonder how you are doing while taking the exam as you will have absolutely no idea whether or not you passed when you depart the test facility. So try not to waste brain cycles evaluating your own performance, you're going to need every last one of them for the exam.

[northlandboy]

I sat the exam in 2005, then again last year, as I didn't keep up my CPEs while I took over a year off work.

Both times I used Shon Harris' book (different edition each time), along with a few revision notes and practice questions from cccure. That, along with my experience, was all I needed.

I'm not sure I'd really agree with any of those 3 rumours you've heard. People talk a lot of rubbish about it, but I would say just read the books, practice with example questions, then use your knowledge and experience to answer the exam. Don't get too hung up on it.

In the exam, make sure you allocate your time properly, and DON'T WASTE TIME MARKING ANSWERS IN THE BOOK!!! They repeatedly tell you to mark your answers on the sheet, but there's always some numpty that marks the book, then gets in a mad panic in the last 5 minutes.

[belvdr]

Good luck boldin. I took a CISSP Prep Course with GlobalKnowledge and the instructor was very good. Now that I have my CCSE R70 out of the way, I'm aiming for the CISSP in August.

Good luck!

[cciesec2006]

Good luck boldin. I took a CISSP Prep Course with GlobalKnowledge and the instructor was very good. Now that I have my CCSE R70 out of the way, I'm aiming for the CISSP in August.

Good luck!

Belvdr,

I would have a lot of repsect for you if you pass either the CCMA, CCIE or Juniper JNCIP/JNCIE. Those are truly hard exams. No dis-respect to anyone with CISSP but the CISSP certification is completely useless.

It is a ridiculous and stupid exam that even my wife passed the exam after spending about 2 days studying for it. My wife also hold a CCIE Security and she manages about 5 people with CISSP and none of them even know how to run "tcpdump".

I myself also have CISSP as well and it took me about 3 days preparing for the exam. It is a stupid exam. Anyone who put CISSP cert on his/her resume, I will grill them really hard on during the technical interview.

My 2c

[northlandboy]

I know what you're getting at cciesec, but my guess would be that ISC2 doesn't care that those CISSPs don't know how to run tcpdump - they would say that it's not a goal of the exam.

I found plenty of the questions drew on my general experience, not necessarily stuff I had specifically studied for. Given that, it wouldn't surprise me that your wife, an experienced CCIE (is anyone in your family not a CCIE? ;-), was able to pass it.

Regards its worth, often it's just one of those things that you need to do if you're looking for a new job - it's just a way for HR to reduce the pile of CVs. Personally I found some of the study interesting where it covered areas that I don't normally have much exposure to. YMMV

[boldin]

In my case, I must have it before I get promoted - government contractor and all...

So, off to the races...

[belvdr]

Belvdr,

I would have a lot of repsect for you if you pass either the CCMA, CCIE or Juniper JNCIP/JNCIE. Those are truly hard exams. No dis-respect to anyone with CISSP but the CISSP certification is completely useless.

I would like to aim for the CCIE, but to be honest, I'm not in a consultant/services role. I'm an employee for one company so I'm not sure having the CCIE is really beneficial for me (I'm not engineering a lot of solutions). I'd also like to have the CCMA, but it seems nobody knows about it but Check Point.

It is a ridiculous and stupid exam that even my wife passed the exam after spending about 2 days studying for it. My wife also hold a CCIE Security and she manages about 5 people with CISSP and none of them even know how to run "tcpdump".

I myself also have CISSP as well and it took me about 3 days preparing for the exam. It is a stupid exam. Anyone who put CISSP cert on his/her resume, I will grill them really hard on during the technical interview.

My 2c

As northlandboy stated, it's a way to rise above the rest during the initial phases. Additionally, it's not a technical exam; it's aimed more for security managers and the like. They need to see the entire security picture, not just one aspect of it (which is another reason I want it). If someone has only the CISSP, that's one thing, but if they hold other certs, then it makes for a well-rounded individual, just like my B.A. in Business Administration. :)

You might also consider that you and your wife passed it easily because you are experienced in many domains already. Therefore, much of it is review.

[apachepro]

Belvdr,

I would have a lot of repsect for you if you pass either the CCMA, CCIE or Juniper JNCIP/JNCIE. Those are truly hard exams. No dis-respect to anyone with CISSP but the CISSP certification is completely useless.

That's funny, as I can support the opposite ;) So everything is relative and depends on situation. We have had a guy in our Support (Service Provider) with CCIE R&S that was still configuring Outlooks/DSLs/Edimaxes as he didn't fit "CCIE commensurate with experience" . And there was Security department manager (CISSP) that was very technical and earned almost trice as much (even before becoming a manager) .
So dont know about technical knowledge it gives but general impression is that
better job/salary it does provide (CISSP) . Not to say that all sort of auditing-comply market demands CISSP on auditors stff (take PCI e.g.).
About CCMA will have to agree - useless to the individual holding it.

Disclaimer: I hold none of those myself , yet [just bare CCSP,CCSE++]
Cheers

[dbrown3611]

Time to hunker down and finally take the CISSP. I've got the big yellow official book already, only to find out today that there's a black 2nd edition out. I use cccure.org for their material. I've also got one other book - can't remember it off hand.

Does anyone have any advice, recommendations, etc.?

I've heard a few rumors about the test, as follows. Can anyone confirm/deny any of these for me?
1. Answer like a manager (from a manager's point of view).
2. The answer will be what ISC2 wants, not necessarily what is best practice or used in the real world.
3. The more general (least specific) answer is usually the right one.

Anything else I should know?

Thanks everyone...

I received an email from SANS today regarding CISSP online instruction. It may be of interest if you have the funds available. See here for the details: SANS vLive! - MGT414 - Eric Conrad

They also have a bonus offer........
*BONUS OFFER!
We are excited to announce that any student who registers for MGT414 and enters promo code AUTHOR will receive an autographed copy of Eric's brand new book, "CISSP(R) Study Guide," when it is published by Syngress this summer. It will be a great supplement to your SANS course materials!
CISSP Study Guide

Kind regards,
dbrown

[boldin]

I've found that (ISC)^2 has released a second edition of the big yellow book, now affectionately known as the big black book.

Here's the Amazon link to it. A cursory review tells me it is a much easier read and seemingly more relevant/focused than the last book. It also seems a bit smaller (not much). The Transcender practice exam comes with it, but only like 100 or so questions. Not a bad deal around $45 for the "official" study guide and software - compare that with Check Point's courseware and that's a several hundred dollar savings.

Yes, I know it's not an apples to apples comparison.

[boldin]

Has anyone seen cccure.org's free quizzes? I went there last night after using their free engine for months and now it looks like they want to limit me to 25 question quizzes and a total of 30 quizzes before they start charging me money. Is this a new policy of theirs? I didn't see any reference to it on the site before last night when it all of a sudden asked me to provide a separate login for the quiz site, which was never required before.

Thanks...

[belvdr]

I had never seen that before either. For one reason or another, the CISSP seems to be taking the path of the MCSE in the late 90s. Everybody and their brother were scrambling to take it. It became more of a buzzword than a valid test of knowledge. I'm not sure I'm going to take it now.

[boldin]

I've noticed the same thing. Many of the CISSPs that I know are undeserving (or at least seemingly so) in that they are good test-takers but lack real-world knowledge. Don't get me wrong, I'm not saying all CISSPs fit this category, just some of the folks I've seen recently.

In my position, I can't get promoted without the CISSP or one of the other DoD 8570 equivalents, so I'm stuck with the one that is most commonplace and most widely accepted - the CISSP - just for practical reasons...

Thanks,

[boldin]

I've confirmed it - the cccure.org testing engine is now $39.99 US for 6 months. Otherwise, you get 40 quizzes, limited to 25 questions each.

This started literally the night that I was going to start using the quizzes. I'm scheduled to take the exam on August 15th and now I've got to pay money for something that has been free forever - 'til now. I log on to the site, setup my first quiz, then it stopped responding. The site went down, came up 10 minutes later and now it's a pay service.

Great timing!

Anyone have any suggestions for practice tests to help me gauge my progress as I study? I don't care if I have to pay for it. I've got an email off to Clement to see if there's a good reason why it went pay instead of free...

[RayPesek]

For whatever it's worth, back in 2002 when I took the test I found the cccure.org quizzes were the most help.

Ray

[boldin]

I've heard the same thing from every CISSP I know.

For what it's worth, Clement responded to my email and upgraded me to a paid account for free until I take the test on 15AUG10.

Just be sure to tell folks, if you recommend the site, that it's now a pay site. But from what I've gathered it's still the best source of information I've seen.

[boldin]

Wish me luck! I'm off to take the test first thing in the morning. Hopefully there'll be one more CISSP in the world by the time I'm done (or at least my test is graded).

Thanks for the support everyone. I'll pass along anything I can about the test once I get out of there (and back from the bar).

[boldin]

Ok, all I can say is study, study and then study some more. Use multiple sources: books, study guides, practice exams, etc.

Every version is seemingly different, but know the common criteria, architecture models, hashing algorithms and know how different connection and encryption schemes work and what they are primarily used for.

You have to know things well enough to describe the "most" or "least" relevant answer - even though they aren't necessarily completely correct.

Very tough - I feel like I failed miserably. But, from what I hear, that's a good sign...

[boldin]

It was a good sign. I passed the test - just found out today.

Now for the endorsement process.