Passed: CISSP and Tips

dc403dc403
Just passed CISSP today. This forum has been good motivation, reading and seeing general feedback on the exam. I'd like to pass on my insight, materials used, etc. No, I did not watch videos; no, I didn't sit listening to audio.

Primary source:
Microsoft CISSP Training Kit - ISBN - 0735657823 <-- read through over a period of a month (between work, etc). Gives enough technical examples and explanation on how CISSP concepts could be applied in the 'real world' and also gives explanations on what you really do as a security practitioner vs. the ISC2 way.

Secondary source:
11th Hour CISSP: 2nd Edition - ISBN - 0124171427 <-- Reviewed within the week of exam.

Official Exam Sim:
Boson Exam Simulator for CISSP <-- used Lightscreen to take screenshots of all 3 practice exams; reviewed any questions that I got right but wasn't 100% sure why, and the ones I got wrong. Good explanations on why. Draws from Sybex, Eric Conrad, Official ISC2 book, and Microsoft, so questions are very accurate with no omissions or errors that I found.

Review source:
The combined notes PDF in this thread; very good review for the 'day of'. Fairly up to date, without outdated verbiage from the Sunflower:

Opinions on other sources:
AIO Shon Harris 6th edition - Best used as something for a Type A fire extinguisher to put out - Read to the 2nd chapter and wanted to call a suicide hotline. Awful humor: made for people who shouldn't even be taking the CISSP (unless you just want to be CISSP-Associate)
ISC2 Official Guide (3rd Edition) - ...and I thought Shon Harris was bad - Read to the 1st chapter and donated it to Goodwill. The paper is too thin, poor explanations.

Exam Simulator Thoughts:
Total Tester - 5/10 - Terrible explanations of what you got right or wrong and why
McGraw Hill - 3/10 - Unfair questions that rely too much on the blind order of processes
Boson Exam Sim - 8/10 - Good all around; has questions from a bunch of sources; questions were, in my opinion, harder than the exam from a deep memory dive.
Microsoft Simulator - 5/10 - Good for reinforcing technical concepts. Too technical; doesn't have enough breadth in the questions

Guidance on the exam:
1. Like everyone else says, focus on mastering the concepts. Be able to recite out loud why you got something wrong to help you memorize the CISSP way.
2. Slow down and read and RE-read the question AND answers before making a selection; as everyone else says-- try to eliminate two to narrow it down. Also, USE the calculator they give you electronically on the exam so you don't fumble it in your head.
3. Graphic-specific questions - They actually seemed easier to me than regular exam questions, as they seemed to focus on "technical" aspects of items. These weren't on my exam, but good example equivalents would be: flow of asymmetric crypto, RAID arrays, firewall segmentation, etc.
4. If you're not 90% or more confident in your answer selection, or don't know why you've selected something, flag it and go back to it later; sometimes running through the entire exam and then going back will jog your memory based on prior questions.
5. The exam is NOT adaptive like GIAC exams. As much as you might think it, it doesn't sit there trying to "pick" on you if you thought you missed a question with more questions from the same domain. It's a set of well spread-out questions over a variety of domains. Don't panic.
6. Think about what the question is asking you from the fundamental concepts of that domain. Which part is it concerned with: CIA, preventive, integrity, etc.? When you see a bolded word in caps, repeat it to yourself and look for surrounding clues in the question. E.g., if there are words about privacy, then focus on that. They WILL put distractions IN your questions. If it's a long-ass scenario question with lots of detail, read over it and then look at the main question and answer choices. Then go back and pick out the information you need.
7. Also, nothing new: if in doubt because you have some really messed-up answer choices, pick the one that is most concerned with management principles, doing the right thing, human safety, etc. Think about how frameworks relate to standards, policies to programs, and how InfoSec programs relate to business, etc.

General tips for doing well in studies or on the exam:
1. Get your ass in shape, or at minimum do some form of physical activity, whether it be push-ups, sit-ups, or cardio.
2. Take a multivitamin before going in and be well hydrated.
3. Hydrate with water and don't eat anything messed up before the exam.
4. Get a good night's rest, not just before the exam but in the days leading up to it.

Guidance as you take your practice exams:
1. Keep "CISSP" in your head daily. Some of you need video/audio; I personally needed to run through 25-50 practice questions within 2-3 weeks of my exam from my non-primary
2. Turn off your correct/score bar when doing a 250-question exam. Take note of all your right and wrong answers via screenshot or some other method to track your progress. Review them. You should do a full 250 questions once a week leading up to the exam.
3. You can certainly use multiple exam engine sources, but you should master one first before switching.

Thoughts about the CISSP vs Other Certs (Yes, I hold all of them active):
CISSP - Concepts halfway decent; nice thoughts in theory. I personally enjoyed learning a little more about the theories behind crypto and regulations. No, it won't give you any tactical or 'hands-on' skills. It's for HR purposes, really. I think ISC2 needs to cut down the number of questions and focus more, rather than make everyone memorize a whole bunch of theories only to lose it real fast later. But then again, the CISSP has been one of the oldest certs for a bunch of old incompetence everywhere, so why change it now.
CEH v8 - From a practicality standpoint, the value of the CISSP compared to CEH is far better. CEH teaches you a bunch of Windows point-and-click kiddie tools. The CISSP concepts and theories you learn are still way better than anything CEH has to offer.
ECSA v8 - Semi-stolen material from the ISC2 CISSP theory regarding technical defense
L|PT v8 - You actually can practice a little of the technical items 'hands-on' in a virtualized lab that the CISSP talks about in its telecom and netsec domain.
GCIA: Learn your packets, regex, bpf's, and snort real well here
GCIH: Puts into practice what you 'sort of' learned in the CISSP as far as incident response
GCFA: CISSP talked about binary backups; you actually do it the real way, without using cheater tools like EnCase
GPPA (Former GCFW): Firewalls, proxies, etc. All those concepts are applied in much better detail

My advice for people: If you want to go technical and your memory sucks (like mine), go with SANS and you'll master the good foundations of actual InfoSec practice. If you're an entry-level person, your memory is alright, and/or you want to go into management, go get your CISSP (or CISSP Associate) first. From an HR and promotion standpoint, I will say CISSP is where it's at. From an international recognition standpoint, places around the world still want you to have your CISSP and CEH.
