Passed CISSP on 31st October 2015
I have been a silent visitor of this forum. This forum proved to be key to my inspiration in clearing CISSP on the 1st try.
I have 4 years of IS audit experience with the CISA designation and 4 years of InfoSec experience.
Although I started collecting various CISSP study material last year, due to workload, family and lack of motivation I didn't study until last month.
Study material used:
NO BOOKS** (being honest)
Cybrary videos (only Crypto, Telco, Security Engineering, Operations Security; watched twice)
Sunflower notes
cccure quiz (reviewed 1500 out of 1800+)
I also took the cccure learning subscription but didn't use it much.
I have working experience in BCM, access control, IS risk management, governance, vulnerability management and penetration testing. I gained confidence solving the cccure quiz in these domains, so I moved on to the other domains. I took only 2 weeks to prepare, and at some point I even wanted to reschedule, but going through forum members' success stories gave me inspiration and I didn't reschedule.
The exam was tough. I came across some questions (10-15) where I had no clue what they were talking about, and some very easy questions (20-25) which I could answer without even reading the full question. Now comes the hard part: most of the questions made me think deeply and apply concepts from multiple domains. When I was able to apply the concept it was easy to get the right answer, and I was confident about the answer. Reading the answer choices first and applying the elimination technique works well. I took 2 breaks and finished answering all questions in 4.5 hours. I flagged 48 questions for review. I even changed some of the flagged questions.
Exam advice:
Like others, I also found the exam risk and governance focused. Technical coverage was wide, not deep. You may face a completely different exam scenario than mine, but I think some topics are worth focusing on. As an InfoSec professional you will need them at your work.
Know the content of an IS policy, AUP, DLP, and the difference between policy, procedure, standard and benchmark. Elements of InfoSec, i.e. people, process and technology. Focus on people, as making them aware will save you from a lot of trouble. Management buy-in: management is ultimately responsible/accountable for IS (provided Board of Directors is not an option). Risk should be mitigated based on cost benefit. In your professional life you may need to make decisions using quantitative analysis, so be well prepared in ALE and in making mitigation decisions based on calculation. Know well about CIA; you will probably apply other concepts together with CIA, e.g. PKI. All controls. IS risk management, each and every step. I got quite a few questions from risk management.
Each and every step in BCP, and the purpose of each step, e.g. BIA: to document criticality and dependency. DR.
Familiarize yourself with social engineering (the MOST successful technique), ID theft, dumpster diving, piggybacking etc.
Reading through the forum I became scared about cloud computing, which was good for me, and I went through the following:
https://cloudsecurityalliance.org/group/top-threats/
You don't need to go very deep; it is just good-to-know stuff. I got nothing very technical or tough from cloud. IaaS, PaaS, data remanence, cross-border issues, SLAs, things to consider if you want to take a cloud service, data breaches etc. may be good-to-know info. CISSP is for IS professionals of all industries, so they may not expect us to be the CISO of a cloud provider. Not to fear.
Fire fighting (human life comes first), physical security, deterrent controls, fence height, lighting, security guards etc. are worth knowing.
Knowing the steps in incident and problem management, change management, vulnerability management, security testing and 3rd party security assessment is very useful in your professional life. Think as a manager, not a technical person. I think in any organization senior management gives value to the findings (in non-technical terms) of the security tester/3rd party assessor. And no matter what the finding is, mitigation/patching etc. should always follow a formal process (change management) as applicable. Before any change, proper testing, a roll-back plan, documentation and management accreditation should be in place.
Cryptography was one of my weak areas. I focused on common terms and watched the Cybrary video twice. I felt it was enough.
Telecom is the area I spent most of my preparation time on. I felt I over-prepared, although there were many questions from telco. Focus should be on the OSI model, common protocols, vulnerabilities, attacks (L3, L4 of OSI), authentication protocols, WiFi security, SSL/TLS, PAP, CHAP, PPP, DMZ, IDS, IPS, VPN, proxy, ARP, the task of each OSI layer, network media and devices etc.; all are worth knowing.
Other key terms could be data security (PCI DSS may help, again not very deep, just basics), web app security (OWASP Top 10, basics again), SQL injection, XSS/CSRF etc.
Finally, the Sunflower notes are awesome. Go through them as many times as possible.
Best of luck
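The quantitative cost/benefit arithmetic the post tells you to be ready for (SLE, ARO, ALE, and choosing a mitigation by calculation), written out as an added example. This is not code from the original post or from any source it cites; the asset value, exposure factors, ARO and control costs are constructed figures for illustration, and the control names are hypothetical.

```python
# Added example (not from the original post): the quantitative risk formulas
# behind an ALE-based mitigation decision.
#
#   SLE = asset value * exposure factor          (loss from one occurrence)
#   ALE = SLE * ARO                              (expected loss per year)
#   net value of a safeguard = (ALE before - ALE after) - annual safeguard cost
#
# A safeguard is only worth buying on a pure cost/benefit basis when its net
# value is positive; otherwise the rational choice is to accept (or transfer)
# the risk rather than over-spend on the control.

# Constructed figures for one asset: a revenue-generating web server.
ASSET_VALUE = 1_000_000      # replacement value plus lost business, in dollars
EXPOSURE_FACTOR = 0.30       # fraction of the asset lost in one compromise
ARO = 0.20                   # annualized rate of occurrence: once every 5 years

# Hypothetical safeguards.  Each states what the risk figures would look like
# after deployment and what the control costs per year (licence + operation).
SAFEGUARDS = [
    {"name": "WAF",           "exposure_factor": 0.10, "aro": 0.20, "annual_cost": 15_000},
    {"name": "Patch program", "exposure_factor": 0.30, "aro": 0.05, "annual_cost": 18_000},
    {"name": "Hot site",      "exposure_factor": 0.05, "aro": 0.20, "annual_cost": 60_000},
]


def sle(asset_value, exposure_factor):
    """Single Loss Expectancy: value lost in a single occurrence."""
    return asset_value * exposure_factor


def ale(single_loss_expectancy, aro):
    """Annualized Loss Expectancy: expected loss per year."""
    return single_loss_expectancy * aro


def safeguard_net_value(ale_before, ale_after, annual_cost):
    """Annual value of a control to the organization.

    Positive: the risk reduction outweighs what the control costs.
    Negative: the control costs more than the loss it prevents.
    """
    return (ale_before - ale_after) - annual_cost


def rank_safeguards(asset_value, exposure_factor, aro, safeguards):
    """Return the safeguards with their ALE-after and net value, best first."""
    ale_before = ale(sle(asset_value, exposure_factor), aro)
    scored = []
    for control in safeguards:
        ale_after = ale(sle(asset_value, control["exposure_factor"]), control["aro"])
        scored.append({
            "name": control["name"],
            "ale_before": ale_before,
            "ale_after": ale_after,
            "net_value": safeguard_net_value(ale_before, ale_after, control["annual_cost"]),
        })
    return sorted(scored, key=lambda row: row["net_value"], reverse=True)


def recommend(asset_value, exposure_factor, aro, safeguards):
    """Name of the best safeguard, or 'accept risk' if none pays for itself."""
    ranked = rank_safeguards(asset_value, exposure_factor, aro, safeguards)
    if not ranked or ranked[0]["net_value"] <= 0:
        return "accept risk"
    return ranked[0]["name"]


if __name__ == "__main__":
    for row in rank_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO, SAFEGUARDS):
        print(f"{row['name']:14s} ALE before ${row['ale_before']:>9,.0f}  "
              f"ALE after ${row['ale_after']:>9,.0f}  net value ${row['net_value']:>9,.0f}")
    print("Recommendation:", recommend(ASSET_VALUE, EXPOSURE_FACTOR, ARO, SAFEGUARDS))
```

Note how the "Hot site" control removes the most risk yet comes out negative: the exam (and a CFO) want the net figure, not the raw reduction in ALE, which is why the elimination technique the post mentions works well on these questions.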
Comments
-
clarkincnet Member Posts: 256
Congrats! Thanks so much for the post!
Give a hacker an exploit, and they will have access for a day, BUT teach them to phish, and they will have access for the rest of their lives!
Have: CISSP, CISM, CRISC, CGEIT, ITIL-F
-
Mike7 Member Posts: 1,107
Congrats!
Good to see an exam review from an auditor's perspective. Thanks!
-
rony1234 Member Posts: 27
Congratulations on passing the exam. I agree with the comment about the Sunflower notes, they helped me too during the last 2 days of revision.
-
Robicus Member Posts: 144
Congratulations, and great write-up! For some reason I love when people conquer this without books. I realize people have varying learning styles but this coincides with my opinion that AIO is way more than what's needed.
What's Next? eLearnSecurity's eCIR
MSISE, CISSP, GSE (#202), GSEC, GCIA, GCIH, GPEN, GMON, GCFE, GCCC, GCPM, eJPT, AWS CCP
-
TechGuru80 Member Posts: 1,539
Congratulations, and great write-up! For some reason I love when people conquer this without books. I realize people have varying learning styles but this coincides with my opinion that AIO is way more than what's needed.
-
TheFORCE Member Posts: 2,297
Hi, can anyone tell me where those Sunflower notes are? Please...
-
Search on Google and you will find it. Sunflower pdf