CISSP study strategy for the next 3 months
Hello all:
I've been in Infosec for the past 15 years handling technical security, forensics, legal, BCP/DR and vulnerability management. I've been managing staff for about 10 years, recently taking on more of a leadership role so I often view security now through the lens of "management." From looking over the 10 domains, I can say with much confidence that my weakest area is definitely crypto. I do have a network engineering background from many years ago so I would put that as one of my stronger areas next to the ones that I covered above.
I had purchased the materials a few years ago but never was really motivated to get the credentials. It seems that every security position I look at now either has the CISSP as REQUIRED or PREFERRED. While I interview very well and am often a cultural fit for many companies, I have a nagging feeling that not having the credentials is causing some rejections as hiring managers/HR are using it as an objective measurement of your skills, whether that's fair or not - be it as it may, it's the way HR screening is done.
So with that said, I have an aggressive 3 month plan for studying in front of me. I checked the Pearson VUE website and noticed that all of December is open with multiple test sites within 10-20 miles of my area. I am the type of person that tends to work better if there is a mental "deadline" set out there. So I am thinking of just scheduling the test for late December sometime this week.
Daily/Weekly Time Plan:
I plan to dedicate 2 hours a night to studying. After coming home from work, I need to spend time with my kids and plan to sit down at 9 pm and start cracking and run till about 11 pm. Weekends are better since my wife takes the kids out so I can get a solid 4-5 hours of studying/review in. So I'm looking at targeting between 18-20 hours per week. I am curious to hear what other people here with kids did and how they scheduled their studying times.
Study Material:
I've compiled the following list of resources below:
1. CISSP for Dummies - 4th Edition. I plan to start with this as a primer. I want to be able to identify holes in my knowledge quickly.
2. Shon Harris AIO - 6th Edition - Not sure if I should go to this one after Dummies or go to ISC2 CBK (#3)
3. Official Guide to the ISC2 CBK - 3rd Edition. Heard from many this is dry and difficult to get through, especially at 900+ pages, however since many test questions are taken from this book (true), it's necessary. Looking for your thoughts here.
4. CISSP Guide - SYBEX - 6th Edition - Was told this was less verbose than the AIO.
5. CISSP Guide - Eric Conrad - 2nd Edition - Reviewers have stated this is too concise for those that lack extensive experience.
6. CISSP - 11th Hour - I plan to use this mostly for review
7. McGraw Hill CISSP Practice Questions - A fellow CISSP told me that he used this because it most accurately reflected the type of questions he saw on the test. Not sure how true that is since from reading many posts here, lots of contributors have stated that there is no accurate "**** of questions"
8. CCCcure - Subscription - For their testing module to build stamina and timing/pacing myself.
9. I also have a variety of CBT Nuggets and BootCamp type CISSP videos. I plan to switch the videos up with the reading when I am page 272 and just can't go any further.
A little bit about my learning style. I am a visual learner, sitting there reading thousands of pages, well I'm sure I would only retain 1/3 of the material, has more to do with the code/cone of learning than anything else. This is not a memorization test but from what I understand, there are many technical areas that you just need to straight up memorize. I am going to use flashcards for that along with the following two resources:
A. Trottet's heralded study notes
B. Sunflower CISSP notes
I also am going to try to pay close attention and have a fixed bedtime so I can get at least 7 hours of rest per night. Some studying blogs I was reading stated that it is more unproductive to study into the wee hours of the morning since your retention goes way down after a certain point.
Interested to hear from others with regards to how many hours they spent per day and if they felt they had better retention/understanding in the morning or at night.
Looking forward to your hard criticisms and strong opinions as I really need/want to pass this test,
Thx
Comments
papadoc Member Posts: 154
Figured I owed the forums an update and revise my post. My test is coming up this Saturday (March 28th). Yes, I had rescheduled once since I got a position with a new company. Hope to have good news this Saturday.
I did not use the AIO cover to cover. I skim read various chapters. I am going to use it this week for drilling specific areas that I am weak in. Right now, I am doing practice tests and looking over any last minute weak areas and using Sunflower and other PDFs here to review as well.
I plan to take all of the tests in the AIO as well to see where those put me and then re-focus on areas.
I watched all CBT Nugget Videos
Read Conrad Study guide cover to cover
Read Conrad 11th hour cover to cover
Listened to MP3s from Shon/SANS etc.
Been using a combination of Transcender, Elsevier and SkillPort to drill. Will also start taking some more CCure tests as I dabbled with those.
Took all of the quizzes (5 hardest questions x 10 domains) in the Conrad 11th hour, got a 70%.
Been scoring in the 80% using Transcender, took both Conrad/Elsevier tests, got a 70% and 65% (there were some errors and I think because many were focusing on my weak domain, it showed). This is very good, practice tests help to show which areas you may be confident in, but you really don't know the concepts.
One thing I don't suffer from is mental fatigue. This past Saturday, I did two back to back 250 question tests and was fine.
I also took a 250 question test at 9 pm after coming home dead tired and managed to finish it at 12:45 pm. This is what I call the extreme brain boot camp.
I am figuring out where I need to concentrate in the next few days, this is my SWOT charting
Access Control - 83%
Information Security Governance and Risk Management - 86%
Business Continuity and Disaster Recovery Planning - 88%
Software Development Security - 83%
Physical (Environmental) Security - 77%
Telecommunications and Network Security - 77%
Security Architecture & Design- 44% (totally need to work on this area some more)
Cryptography - 93%
Legal, Regulations, Investigations & Compliance - 80%
Security Operations - 80%
astudent Member Posts: 26
I passed the exam last week. You will be fine according to your SWOT charting. I read 11th Hour cover to cover last week and STUDIED the glossary in the Conrad Study Guide the night just before the exam.
papadoc Member Posts: 154
I passed the exam last week. You will be fine according to your SWOT charting. I read 11th Hour cover to cover last week and STUDIED the glossary in the Conrad Study Guide the night just before the exam.
Congrats!
Thanks. How much studying other than that did you do?
Spin Lock Member Posts: 142
I saw in your original post you planned on using the McGraw Hill practice exams, but no mention of them in the update.
If you haven't taken the MH practice tests, I'd strongly recommend taking them, especially if your plan between now and test day is to go back and repeat exams you've already taken. The problem I've found with re-taking practice exams is that I remember the answers, so your results tend to be overly optimistic.
If your weak domain is SAD, definitely take the MH SAD exams. Compared to the other practice exams available, I found the MH exams to be the most challenging.
Best of luck this Saturday!
papadoc Member Posts: 154
I saw in your original post you planned on using the McGraw Hill practice exams, but no mention of them in the update.
If you haven't taken the MH practice tests, I'd strongly recommend taking them, especially if your plan between now and test day is to go back and repeat exams you've already taken. The problem I've found with re-taking practice exams is that I remember the answers, so your results tend to be overly optimistic.
If your weak domain is SAD, definitely take the MH SAD exams. Compared to the other practice exams available, I found the MH exams to be the most challenging.
Best of luck this Saturday!
Spin,
Yes, I started dabbling with those. Let me go through those tonight. Thanks!
astudent Member Posts: 26
Papadoc,
I have studied about 6 months.
You are in good shape. I got 69% on Transcender twice; I intentionally ignored some questions I did not see in Conrad's book. However, I did read the AIO from cover to cover before moving to Conrad's books.
papadoc Member Posts: 154
The Crypto questions on MH seem to be going quite a bit deeper than just "concepts." I need to brush up on this stuff.
Example below:
Spin Lock Member Posts: 142
Yeah, this one got me too. I didn't think I'd have to remember the difference between OFB and CTR. That does sound like it's going too deep. The only argument that it's not going too deep would be that CTR is used in IPSec, and 802.11i - which are mainstream protocols. So maybe the authors felt CTR should get extra attention.
But don't let this question throw you. The author of thread below felt the MH practice exams went too deep compared to the actual exam:
http://www.techexams.net/forums/isc-sscp-cissp/107192-cissp-passed-first-time-1-14-summary-writeup.html
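The OFB-versus-CTR distinction Spin Lock mentions is easiest to keep straight by watching how each mode builds its keystream. This is an added example, not code from the thread or from the MH materials; its block_encrypt is a keyed-hash stand-in for AES (an assumption made so it runs with only the standard library), and the key, IV and plaintexts are constructed sample values.

```python
import hashlib

BLOCK = 16  # 128-bit blocks, matching AES


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher (constructed for this example, NOT AES).

    A keyed hash truncated to one block behaves as a pseudorandom function,
    which is all the two modes need; real code uses AES from a vetted library.
    Note that both modes only ever call the forward (encrypt) direction."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ofb_keystream(key: bytes, iv: bytes, nblocks: int) -> list:
    """OFB: keystream block i is the encryption of keystream block i-1
    (block 0 is the encryption of the IV). Block i cannot be produced
    without first producing 0..i-1, so OFB is inherently sequential."""
    out, prev = [], iv
    for _ in range(nblocks):
        prev = block_encrypt(key, prev)
        out.append(prev)
    return out


def ctr_block(key: bytes, nonce: bytes, i: int) -> bytes:
    """CTR: keystream block i is the encryption of (nonce || counter i).
    Any block is computable on its own, so CTR is parallel and seekable."""
    counter = i.to_bytes(BLOCK - len(nonce), "big")
    return block_encrypt(key, nonce + counter)


def ctr_keystream(key: bytes, nonce: bytes, nblocks: int) -> list:
    return [ctr_block(key, nonce, i) for i in range(nblocks)]


def xor_with_keystream(data: bytes, keystream: list) -> bytes:
    ks = b"".join(keystream)[: len(data)]
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt(mode: str, key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt (or decrypt: XOR with the keystream is its own inverse).
    iv is a 16-byte IV for OFB and an 8-byte nonce for CTR."""
    nblocks = -(-len(plaintext) // BLOCK)  # ceiling division
    if mode == "OFB":
        ks = ofb_keystream(key, iv, nblocks)
    elif mode == "CTR":
        ks = ctr_keystream(key, iv, nblocks)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return xor_with_keystream(plaintext, ks)


def keystream_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """The shared weakness of both modes: two messages encrypted under the
    same key and IV/nonce share a keystream, so ct1 XOR ct2 equals
    pt1 XOR pt2 with no key involved. Never reuse an IV or nonce."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


if __name__ == "__main__":
    key, iv, nonce = b"k" * 16, bytes(range(16)), bytes(8)
    msg = b"same plaintext, two different keystreams"
    print("OFB:", encrypt("OFB", key, iv, msg).hex())
    print("CTR:", encrypt("CTR", key, nonce, msg).hex())
```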
GForce75 Member Posts: 222
Good luck PapaDoc. I know you will own this test or die trying, lol. Let me know how you do!
Doctoral Candidate - BA (33/60hrs) ~ MBA/Project Management ~ BA/Business-IT
mjsinhsv Member Posts: 167
@papadoc
The MH crypto question isn't going very deep.
They do want you to understand the differences between the encryption and coding modules.
I used a study guide located at this link that is very helpful.
The notes are a bit dated but it is great information.
www.oocities.org/gdnl/pguide.doc
papadoc Member Posts: 154
Yeah, this one got me too. I didn't think I'd have to remember the difference between OFB and CTR. That does sound like it's going too deep. The only argument that it's not going too deep would be that CTR is used in IPSec, and 802.11i - which are mainstream protocols. So maybe the authors felt CTR should get extra attention.
But don't let this question throw you. The author of thread below felt the MH practice exams went too deep compared to the actual exam:
http://www.techexams.net/forums/isc-sscp-cissp/107192-cissp-passed-first-time-1-14-summary-writeup.html
Thanks, I read that as well too Spin. Just didn't want to make assumptions. Appreciate you reposting it.
papadoc Member Posts: 154
Good luck PapaDoc. I know you will own this test or die trying, lol. Let me know how you do!
Certainly, you've been a great help to me!
papadoc Member Posts: 154
@papadoc
The MH crypto question isn't going very deep.
They do want you to understand the differences between the encryption and coding modules.
I used a study guide located at this link that is very helpful.
The notes are a bit dated but it is great information.
www.oocities.org/gdnl/pguide.doc
Thanks for the guidance and great guide. Will read through that tonight. I have a few of the other study guides as well, including SunFlower which I am almost done reading. 72 hours and counting.
philz1982 Member Posts: 978
The MH and 11th Hour are what I used. I spent two days doing 11th Hour and two days doing MH ?'s and reading associated SANS articles. With 15 yrs exp you should be able to pass with a few days studying.
Read my blog @ www.buildingautomationmonthly.com
Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
mjsinhsv Member Posts: 167
Welcome Papa.
Final 24-hour tips for ya...
Tip #1.
Get Some rest the day before the test. Go see a movie. Play video games or whatever you do to unwind.
Make sure you get a solid night of sleep and eat a good, healthy breakfast before testing. Being well rested and getting the proper nutrition the day of the exam will serve you much better than pulling an all-night cram-session.
Give yourself plenty of time to get to the testing center. Do a quick review of your notes before you walk in.
TIP #2
Don't Be Intimidated
Some people can take almost any test cold and still pass. Others may have dedicated themselves to studying and learning everything they possibly can for months, and freeze up on test day. Don't let the 250 questions or the six hours intimidate you.
When exam day comes, you either know the information or you don’t. Have faith in yourself that you’ve done all you can to prepare for and pass the CISSP exam and don't pop a blood vessel trying to second-guess yourself.
What one man can do, another man can do. Thousands of us have passed and you can do it too.
Tip #3: Read Carefully
When you first start the exam, you might be excited just to find out you actually understand the questions. The terms used and information covered may seem to be exactly what you’ve prepared for, and you could become a tad cocky or be lulled into a false sense of security.
No matter how familiar the information may seem or how easy the questions sound at first glance, it’s imperative you take a deep breath, slow down just a bit and make sure you read every word of every question to make sure you’re answering the question being asked.
Test writers like to use double-negatives or slide words in to change the meaning of the question. Missing the word "not" in a sentence can be catastrophic.
Tip #4: Watch the Clock
Time management is essential for the CISSP. You have six hours to complete the CISSP exam, which might seem like an eternity to take one test. It’s not.
Do the math: With 250 questions, you have less than 90 seconds per question in that six-hour time span. If you spend five minutes pondering one question, you need to answer three other questions in under 20 seconds to stay on track to finish within the allotted time. And you still have to read each question carefully, as pointed out in the previous tip; keep your eye on the clock as well to make sure you’re making sufficient progress to finish on time.
You should be able to answer many questions in the blink of an eye, so you’ll have some time to spare to dedicate to questions that stump you. However, you aren’t going to suddenly learn information you don’t know if you stare at the question long enough. Give yourself enough time to think about the question and try to remember the answer, but after a couple minutes just pick your favorite answer and mark it for review. The answer may come to you later.
Tip #5: Stretch and Relax
It's difficult enough to think under pressure without adding discomfort. Six hours is a long time to sit in one place. If your mind is too stressed or tense, or you're physically uncomfortable, it's difficult to focus and think straight. I think Pearson Vue went down to the goodwill store and bought the most uncomfortable piece of junk chair they could find for me. The back of the chair pushed against my back so I could not lean back, much less sit up straight... but had to sit hunched over.
For many people, a short break to stand up, stretch and relax will prove invaluable. Stretching your muscles and giving your brain a few seconds of serenity will help you to concentrate on the questions in front of you and think clearly about the answers, rather than focusing on how uncomfortable the chairs are or getting so stressed out that you can't think straight.
I went to my locker and drank a bottle of water while clearing my head by thinking about football. I took two 15 minute breaks and still had plenty of time to finish then review all the questions I had marked.
Good Luck.
papadoc Member Posts: 154
Thank you for taking the time to type that, seriously. Some of the tips I read before, but putting it all together makes sense to me. Definitely plan to relax on this Friday night. I will read through the guide you posted as well. Just last minute refreshers, it's a lot of material and permanence of memory disappears with some of the domains.
philz1982 Member Posts: 978
Just make sure you think life safety, business continuity, cyber security in that order every time you answer a business question. The memorization is easy; it's the thinking like a manager that trips most people up. In the words of my manager, don't go all techie on it.
Read my blog @ www.buildingautomationmonthly.com
Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
papadoc Member Posts: 154
Just make sure you think life safety, business continuity, cyber security in that order every time you answer a business question. The memorization is easy; it's the thinking like a manager that trips most people up. In the words of my manager, don't go all techie on it.
Got it, thank you Phil!
mjsinhsv Member Posts: 167
Philz is spot on... for the test.
Of course, in the real world you would do a risk analysis and then management would make a business-based decision.
The GM scandal: a little math | ERIC POSNER
E Double U Member Posts: 2,239
Just make sure you think life safety, business continuity, cyber security in that order every time you answer a business question.
Great tip! Thanks man!
Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
GForce75 Member Posts: 222
Haha, I was up all night the day before motivated to pass watching the Shon Harris videos and passed. If I went to sleep, tons of info would have gone out of the door. My motivation was to pass and then enjoy watching a movie lol
Doctoral Candidate - BA (33/60hrs) ~ MBA/Project Management ~ BA/Business-IT
papadoc Member Posts: 154
Haha, I was up all night the day before motivated to pass watching the Shon Harris videos and passed. If I went to sleep, tons of info would have gone out of the door. My motivation was to pass and then enjoy watching a movie lol
I feel you. The rest is important though. How did you watch all of Shon's videos in one night?!