Took new CISSP test in May 2015

Comments

  • maxermaxer Member Posts: 11
    Sheiko, you are right about answer D, but not because of a potential risk to human life; rather, in the face of a potential risk you have to perform a risk analysis given the threat and provide controls for risk management, and then the controls put in place should preserve human life before everything else. :)
  • Sheiko37 Member Posts: 214
    maxer wrote: »
    I think that ISC2 with the new organization is bringing the certification toward a business managerial security perspective, different from the more technical one that was there before.
    It's always been described as a managerial style exam; a common exam tip is to "think like a manager", and the ISC site describes it as "the ideal credential for those with proven deep technical and managerial competence".
    maxer wrote: »
    I don't think that you will be able to pass the exam anymore just because you learn this or that book or read some fast notes.
    When has this ever been true?
  • abelamorales Member Posts: 54
    Sheiko37,

    You are correct: approach this exam as a manager; however, don't take BrenBrenOK's comments lightly. The post-April 15th exam could be open book and you would still walk out of that exam room saying FML.
    Sheiko37 wrote: »
    It's always been described as a managerial style exam; a common exam tip is to "think like a manager", and the ISC site describes it as "the ideal credential for those with proven deep technical and managerial competence".
    When has this ever been true?
  • brenbrenOK Member Posts: 46
    Sheiko37 wrote: »
    I know we're having fun and that's not meant to be a real question, but the answer would clearly be D imo; the reason is potential loss of life.

    I believe you because (I'm repeating myself) it's exactly like what I've experienced and what we've been told to expect for a long time with the CISSP.

    So you would think that might be the answer, but look at what the answer is again. "Call the weatherman so he can GUARANTEE that the hurricane is really going where it's headed since it's 500 miles out?". Maybe I was too specific about the region of the country where I live, but no weatherman can GUARANTEE any path of a hurricane when it's still 500 miles out. I should have had answers that were equally close enough where it wasn't specific to loss of life. Now is this the best worst answer? Probably. But what if the answers were more like this:
    A. Check the RAM, because backups have been taking too long and you potentially would not have a full backup if the hurricane hit and would lose important sensitive data
    B. Speak with the IRT and find out what they are doing to contain the infected email. The last email infection cost the company a serious amount of money
    C. Speak to the cloud provider to see how quickly data can be moved from the primary site to the cloud
    D. Perform a test on the warm backup site so that no interruptions will occur if the hurricane destroys your primary site.

    Like Corran stated, most of the questions are like this, and they are not specific enough for there to be an "easy" answer of the kind you have been told to expect. I probably took 500 scenario-based practice questions, and it was obvious what the answer was; this time, not so much.
  • brenbrenOK Member Posts: 46
    Sheiko37 wrote: »
    It's always been described as a managerial style exam; a common exam tip is to "think like a manager", and the ISC site describes it as "the ideal credential for those with proven deep technical and managerial competence".
    When has this ever been true?

    It has been true since the test began. Pre-April 15th, you might have gotten at most 35 scenario-based questions, and the other questions were something you could learn from the book, e.g. networking, cryptography, the OSI model, security models for integrity and confidentiality, EAL levels of assurance, very high-level forensics questions, and high-level BCP/COOP and BIA questions. Abelmorales is correct: even with an open book you walk out of there scratching your head. Imagine 200 scenario-based questions now, with each question having very reasonable answers. It will make you rely more on what your professional life experiences have taught you. I'm still thinking I MIGHT have passed, but I really have no idea; I only have about 4 more weeks until I find out.
  • rajeshkalluri Member Posts: 8
    Brenden,
    In one of the posts, you mentioned that you have taken around 500 scenario-based questions before the exam. Is it from CCCure or from some other material?
  • brenbrenOK Member Posts: 46
    rajeshkalluri wrote: »
    Brenden,
    In one of the posts, you mentioned that you have taken around 500 scenario-based questions before the exam. Is it from CCCure or from some other material?

    I took more than 5,000. McGraw Hill has some pretty good questions. Skillset, Shon Harris end-of-domain questions, CBK end-of-domain questions, Eric Conrad free practice exam questions, questions from the Shon Harris CD that comes with her book, CCCure, Transcenders, and Safari Books Online, where you can sign up for a free 10-day subscription and take as many questions as you want. I think there might be over 2,000 there. Good luck.
  • adohen Registered Users Posts: 1
    I just passed the 2015 CISSP yesterday; the result was printed out immediately after my exam. I walked away thinking I had failed. There were about 5 or 6 drag/drop-type questions, which were easy. There were about 30-40 scenario-based questions, where each scenario had like 4-5 questions on it. There was a lot of DR or BCP. Quite a bit on access control (DAC, MAC) and understanding which security model is associated with each policy. That was the toughest for me. The attacks, encryption and network design were all easy for me.

    All in all though, from my knowledge in the field and just common sense, that's how I passed.

    I have to agree mostly with brenbrenOK that most of the study material I used (Boson, CCCURE.training and a Shon Harris book) was not specifically on the test; it was worded differently. I was not expecting the scenario-based questions. I knew about the drag and drop. There was quite a bit more on actual details of attacks and types of attacks, for example "What does a SYN attack try to do?"

    It took me 3.5 hrs to finish. On questions I was not 100% sure of, I used the elimination method, then took the better of the remaining two.

    Good Luck
  • brenbrenOK Member Posts: 46
    Congrats!! It appears to me that they must have changed the test somewhat and added back encryption and network design. I didn't have one question on encryption or network design when I took my test. I'm still waiting for my results.
  • !nf0s3cure Member Posts: 161
    brenbrenok... When you get your result, let the community know. Good post; let this forum help new exam takers know what ISC2 is not telling them about how they will be tested or what to expect. Again, not getting into the 'NDA' side of things, which I believe is just useless (and works like locks that only keep the honest people out while the crooks still get in with ease), but the information here is of great help to new test takers to know the style of testing. A lot of people can attribute their success to forums like this one on various topics, not just exams. Keep up the good work!
  • brenbrenOK Member Posts: 46
    !nf0s3cure wrote: »
    brenbrenok... When you get your result, let the community know. Good post; let this forum help new exam takers know what ISC2 is not telling them about how they will be tested or what to expect. Again, not getting into the 'NDA' side of things, which I believe is just useless (and works like locks that only keep the honest people out while the crooks still get in with ease), but the information here is of great help to new test takers to know the style of testing. A lot of people can attribute their success to forums like this one on various topics, not just exams. Keep up the good work!

    I passed. Waiting these last 6 weeks has been terrible, but I logged in and it says I passed. Haven't heard anything from ISC at all, and I found out Monday.
  • riyan Member Posts: 161
    brenbrenOK wrote: »
    I passed. Waiting these last 6 weeks has been terrible, but I logged in and it says I passed. Haven't heard anything from ISC at all, and I found out Monday.

    Congrats man!!! What else do you need to celebrate?
    Are you expecting an official email from ISC2 then you will start the celebration?
  • Trustedguy Registered Users Posts: 3
    brenbrenOK wrote: »
    How can you know if somebody has passed the test yet when not enough people have taken the test for it to be scored yet? I know 50 CISSPs who have taken the test earlier and who are friends of mine. Where did you imagine my saying I was mad at people who passed the test because I didn't? If you had read any of my earlier posts, I'm mad at myself for not following the strategy when I took the test the first time. I understand auditing and I have done that; auditing is based on known security controls you have in place and how effective those controls are. I audited four of our security plans. Yes, I have audited system and security event logs, network logs, etc. Yes, I know that we will only have post-fact, post-exam-change numbers to go on when such numbers are posted. I can tell you first hand that the test I took was a radical change. I don't have a network-centric background and I never said I did. I know this is a broad security exam; I have broad security knowledge; somehow you are not getting what I'm saying. I'm not hating here. And you're being a condescending... not so nice guy. And I didn't say I failed; I don't know, I might have, I have to wait and see. I'm simply giving my experience after taking the previous test and the new test so close together. If you don't want to believe me then you don't have to. So you lighten up; you don't have first-hand knowledge of what the new test is. I do. After you talk to more people who have taken the new test, then come back and tell me that they didn't tell you it was completely different.

    I went with a group of highly experienced people in late April and we ALL failed. There was nothing in any of the 3 books I studied that was covered in the exam. Something is terribly wrong.
  • brenbrenOK Member Posts: 46
    riyan wrote: »
    Congrats man!!! What else do you need to celebrate?
    Are you expecting an official email from ISC2 then you will start the celebration?

    Oh, I celebrated all right. LOL. Still hurting from Friday night.
  • brenbrenOK Member Posts: 46
    Trustedguy wrote: »
    I went with a group of highly experienced people in late April and we ALL failed. There was nothing in any of the 3 books I studied that was covered in the exam. Something is terribly wrong.

    I agree; that's my experience from the test I took too. That's what I have been on here trying to explain. I'm sure we all took some kind of beta test to see how many questions people got right, and what they were going to add to the new test once scores started coming in. But I'd bet if you took it again, it would be closer to the test that is based on all the books and all the training.
  • cyberguypr Mod Posts: 6,928
    @Trustedguy, which three books did you use?
  • JazzPilot56 Member Posts: 26
    I took the CISSP on 4/11 and passed first time. My study was based on ~120 hours over 3-4 weeks.

    I read the most important Shon Harris chapters (the ones I was weakest on), the Conrad book (cover to cover), and Conrad's 11th Hour (twice). I also took LOTS of test questions from Shon Harris (the enclosed CD), Conrad (free online), CCCure (paid subscription), and Allegis / Skillport (company subscription). I did not take a bootcamp (as this was coming out of my own pocket).

    For the record, I'm not in security (directly), rather I've been a CIO for over 15 years with obvious interest in security. I wouldn't call my security skills a core competency, rather an adjunct to my other responsibilities.

    So here's my secret (with the requisite caveat emptors, and so on and so forth, as your mileage may vary): if what works for me doesn't work for you..., figure out what works for you!

    My trick was to take ISACA's CISM first (in Dec 2014). It is a pretty grueling test that only has a 50% pass rate. However, it provides a framework for understanding security subject matter and the nuances of security questions.

    The CISSP is more technical, but that should come easy to any seasoned security expert. What's most challenging with the CISSP is the 250-question, 6-hour marathon.

    Taking the CISM first is like running a couple of 10Ks before the big one (the CISSP). As mentioned, the CISM has only a 50% pass rate; fortunately I scored in the top 10%. To some degree CISM / CISSP were cumulative. You get the theory and principles from the CISM, expand them with the technical detail in the CISSP, and you should be good.

    Again, this feedback is based upon the PRE-4/15 exam, and your mileage may vary.

    PS - I just took the ISACA CISA last weekend, and am planning on following it up with the PMP, CGEIT, and CEH/EC-Council (assuming I pass each preceding exam).