CISM - not impressed
I'm sitting through a boot camp for CISM. I plan to test tomorrow and the overall theme I'm getting from the database, instructor, and others is that questions are purposefully obtuse.
CISM feels more like a reading comprehension test than actually learning anything security related (beyond what I already know and possess).
It's not a terrible course and I can see how someone could gain knowledge from it, but I'm not overly impressed at all.
Am I off?
Comments
While I agree that some questions could have been simplified and it looks like they were designed specifically using various inverse logic with many "NOT"s, I believe that the main idea is somewhat different -- it is to teach you to notice slight differences between the similar concepts.
To give you an example, here's a question of this type. You do an investigation in a typical enterprise and you learn that the remote workforce who aren't on VPN cannot use Kerberos for authentication, which breaks some application functionality. Your options:
a) publish Kerberos AS/TGS to the Internet
b) force always-on VPN because Kerberos isn't secure over the Internet
c) publish it as in a), but configure it to use mandatory pre-authentication, as without it it's not safe
d) make sure that the users log on with Kerberos at least once while on-premises so they can cache a TGT, which can be used when they are offline to log on to their application.
It can be argued that all answers except maybe one are technically correct. And the majority of people would choose b, for two reasons: 1) it's a common practice to not publish Kerberos and force the remote workforce onto VPN and 2) ADDS is by far the most popular Kerberos implementation and it is officially recommended by Microsoft not to publish it.
Seems plausible, but this would be a wrong answer. First, Kerberos isn't ADDS. We don't know all the reasons why Microsoft advises against publishing ADDS services, but most likely they have to do with publishing RPC and SMB, which are required for ADDS to function. But when people hear "Kerberos" they almost automatically assume Active Directory. Wrong. Second, Kerberos was specifically designed to function in insecure, untrusted networks and there are no issues with publishing it to the Internet if the application relies on it. But many people don't know that because it's not a common industry practice.
As you can see this question is specifically designed to collide the common and well-known notion that isn't true with a less known but true notion. Is it tricky and obscure? Sure. Was it designed to be obtuse on purpose? Not really.
I have many other examples like that covering various areas, not necessarily technical. People, for the sake of simplicity, just like to assume things; these assumptions lead to incorrect and damaging decisions in some scenarios, and these questions are designed to teach you not to assume things.
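The comment above turns on what "mandatory pre-authentication" actually buys you in the Kerberos AS exchange. The following is an added example (not code from the thread or from any real Kerberos implementation): a toy KDC in Python that models the AS-REQ/AS-REP exchange and shows why a KDC that enforces pre-authentication refuses to hand out key-encrypted material to a caller who has not first proven knowledge of the client key. The realm, principal names, passwords, the `ToyKDC` class and the `toy_encrypt`/`toy_decrypt` helpers are all assumptions constructed for this demonstration; the "encryption" is an HMAC-based stand-in, not a real Kerberos etype.

```python
import hashlib
import hmac
import json
import secrets
import time


def derive_key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string-to-key (real AES etypes use PBKDF2 per RFC 3962).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated encryption: HMAC-derived keystream plus an HMAC tag. Demo only.
    nonce = secrets.token_bytes(16)
    keystream, counter = b"", 0
    while len(keystream) < len(plaintext):
        keystream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    keystream, counter = b"", 0
    while len(keystream) < len(ct):
        keystream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(c ^ k for c, k in zip(ct, keystream))


class ToyKDC:
    """Hypothetical AS (Authentication Service) that can enforce pre-authentication."""

    PREAUTH_REQUIRED = "KDC_ERR_PREAUTH_REQUIRED"
    PREAUTH_FAILED = "KDC_ERR_PREAUTH_FAILED"
    UNKNOWN = "KDC_ERR_C_PRINCIPAL_UNKNOWN"

    def __init__(self, realm: str, principals: dict, require_preauth: bool = True, skew: int = 300):
        self.realm = realm
        self.keys = {name: derive_key(pw, realm + name) for name, pw in principals.items()}
        self.tgs_key = secrets.token_bytes(32)  # key that protects issued TGTs
        self.require_preauth = require_preauth
        self.skew = skew

    def as_exchange(self, request: dict) -> dict:
        name = request.get("cname")
        if name not in self.keys:
            return {"error": self.UNKNOWN}
        client_key = self.keys[name]
        if self.require_preauth:
            # The caller must prove knowledge of the client key (encrypted timestamp)
            # before the KDC releases anything encrypted under that key.
            if "padata" not in request:
                return {"error": self.PREAUTH_REQUIRED}
            try:
                ts = json.loads(toy_decrypt(client_key, request["padata"]))
            except ValueError:
                return {"error": self.PREAUTH_FAILED}
            if abs(time.time() - ts["timestamp"]) > self.skew:
                return {"error": self.PREAUTH_FAILED}
        session_key = secrets.token_bytes(32).hex()
        endtime = time.time() + 8 * 3600
        tgt = toy_encrypt(self.tgs_key, json.dumps({"cname": name, "sk": session_key, "end": endtime}).encode())
        enc_part = toy_encrypt(client_key, json.dumps({"sk": session_key, "end": endtime}).encode())
        return {"ticket": tgt, "enc_part": enc_part}


def client_as_request(kdc: ToyKDC, name: str, password: str, with_preauth: bool = True):
    """Returns (error, session_key). error is None on success."""
    key = derive_key(password, kdc.realm + name)
    req = {"cname": name}
    if with_preauth:
        req["padata"] = toy_encrypt(key, json.dumps({"timestamp": time.time()}).encode())
    reply = kdc.as_exchange(req)
    if "error" in reply:
        return reply["error"], None
    try:
        enc = json.loads(toy_decrypt(key, reply["enc_part"]))
    except ValueError:
        # Without pre-auth the KDC answered anyway; only the real key can open the reply.
        return "CLIENT_DECRYPT_FAILED", None
    return None, enc["sk"]


if __name__ == "__main__":
    kdc = ToyKDC("EXAMPLE.TEST", {"alice": "correct horse battery"})  # constructed realm and principal
    print(client_as_request(kdc, "alice", "correct horse battery", with_preauth=False)[0])
    print(client_as_request(kdc, "alice", "correct horse battery")[0])
    print(client_as_request(kdc, "alice", "wrong password")[0])
```

The contrast between `require_preauth=True` and `require_preauth=False` is the whole point of option c) in the comment: a KDC that does not require pre-authentication returns `enc_part` (encrypted under the client's long-term key) to any caller who names the principal, whereas a KDC that enforces it answers `KDC_ERR_PREAUTH_REQUIRED` or `KDC_ERR_PREAUTH_FAILED` until the caller demonstrates the key first, which is what makes exposing the AS to an untrusted network reasonable in the first place.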
I'm sure I'll pass the exam, but I hope I have the opportunity to interact with ISACA about my concerns.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
I will start the CISA QA DB. Any other advice?
I took a one-week boot camp from Trainingcamp.com and spent the extra money to get the official ISACA Q/A database.
That may or may not be true, but there is no argument that having a CISSP can open doors for you and many security jobs desire candidates who have it. The same can be said about CISM, with a good security background you may not have gained much of an increase in knowledge while preparing for the exam, but it is a cert that is reasonably marketable.
So, congrats and well done! That is on my to-do list.
CISSP | CISM | CISA | CASP | SSCP | Sec+ | Net+ | A+