Just sat for CISSP Exam to Become an Associate in Cincinnati

Schluep Member Posts: 346
Hello Everyone,

I have been an avid silent reader on these boards for a little less than a month. I have not made my introduction yet as I have been busy studying for the CISSP exam. I owe a lot of thanks to everyone on this board (even though I have not gotten my results yet) because it was here that I found recommendations for study materials/tips by reading a lot of threads here. While I learned a lot from individual posts of people that passed, I owe a special thanks to JDMurray and Keatron who I can almost predict their responses at this point after reading so many of their helpful posts specifically in the (ISC)2 part. Now is my chance to try and start giving back some while moving on toward other certifications. I also of course owe a huge thanks to Webmaster for providing this excellent resource. My next exam should have some technotes available that I will definitely put to use.

I saw very few people sitting to become an Associate of (ISC)2 so I thought I would post about why I made such a decision by using the CISSP exam. I have spent the last few years doing Database and/or GIS work, though primarily working as a DBA. After a while it started to get monotonous and I was looking for something that would challenge me a bit more. I did some light programming and improving the database processes, but for the most part it was standard DBA functionality. None of my experience was specific to information security so it does not count toward the time required to be a CISSP. After deciding to switch to InfoSec I wanted to start off with a very broad view of the many areas involved to see specifically what type of tasks I would be most interested in. For this reason I decided to sit for the CISSP exam since it seems to be the most broad based out of the certifications. I decided on August 9th, 2007 that I would begin studying for the CISSP exam after reading about the many certifications on these boards with the plan of becoming an Associate of (ISC)2 and then ultimately a CISSP. I booked the exam for September 15th, 2007 in Cincinnati, OH. If I didn't set a date I was concerned that I wouldn't stay focused enough so I immediately set a date to work toward.

After reading these boards I picked up the Shon Harris All-in-One, ExamCram2, and the Official (ISC)2 guide to the CISSP CBK. I also registered on www.CCCure.org. I had a lot of health challenges in the past and attended very little grade school or high school after 6th grade but performed the work at home so I was very used to self study and greatly prefer it to anything classroom based. I also read about some of the various laws and ethical organizations as well as looked at a number of NIST documents.

I started off first reading the Shon Harris AIO. I found it to be very informative and easy to read. It seemed to approach it from the view of someone having knowledge about each of the domains. I found this to be the most helpful of the three books I picked up as it was easy to read and had a nice flow to it. After finishing the AIO I took a few days to do a lot of reading about CBK questions on the CCCure.org forums and to go through the ExamCram2 book. I did not find the ExamCram2 book to be very helpful as most of the topics were not covered in any level of depth and even for an overview many topics' important aspects seemed to be left out entirely. If I had to do my study plan again the only thing I would change would be to replace this book with a different one or do more practice quizzes later with that time. After this period I read the OIG from front to back. The information was good and I was very glad I picked it up in addition to the AIO, but it is a much harder read because it does not flow very well at all. It is very accurate for the exam and covers a lot of information, but the organization is what I had a bit of an issue with. I would highly recommend it though as there are a number of topics it covered not even mentioned in the AIO (although maybe since I had version 3 of AIO which was older than the 2006 OIG).

Without doing any additional memorization and just after the straight reading of these books I took the practice quizzes on www.CCCure.org and only scored a 62%. I wrote down all of the areas I had trouble with and reviewed the answers. I then pulled out my AIO and started studying up some more. Straight reading of the book did not allow me to remember the differences between things like TCSEC B2 and B3 or the key length of various encryption algorithms. I did some of this straight memorization for just one day and scored a 76% the next day which was a huge improvement in just one day of study. I then studied up some more and did the practice questions on the CD that came with the AIO. I scored an 84% overall with a 76% in my weakest domain and a 91% in my strongest.

It was now Thursday night before the exam I was to take on Saturday, September 15th, 2007 in Cincinnati. I have a 5 hour drive from Cincinnati to Pittsburgh so I made an audio recording of myself discussing my weakest areas with the AIO as a reference for some of the charts and things I needed to memorize (such as TCSEC levels again). I listened to it on repeat for my entire 5 hour drive out on Friday (took off work for a travel day). I arrived in Cincinnati and immediately hit the exercise facilities in my hotel after the long trip. I booked my stay in the same hotel where the exam was being held so I would have no issues finding it in the morning. While exercising I needed to give my mind a rest so I did not bring my mp3 player that I had prepared with the same audio I used for my car ride. After exercising I studied up some more while eating at the restaurant in the hotel and after my meal. I laid down at 10:30 but couldn't fall asleep until midnight with my mind still spinning information around in my head.

I woke up at 6:00 a.m. to be ready for the exam at 8:00 a.m. I showered and then put on some Rocky music (Gonna Fly Now and Eye of the Tiger were both on repeat until I left my room to check out of the hotel). I thought it was more important to mentally prepare for success than to try and study anymore as I felt I had a very good grasp of the material at this point and could engage in intelligent conversation on any of the 10 domains. I signed in at 7:50 a.m. for the exam and it ended up being a packed room. I would estimate at least 40 or 50 people were taking the exam. It may have had something to do with the experience requirement change being two weeks off, but I never expected that many. They were primarily sitting for the CISSP with one for SSCP and one for the Engineering Concentration (can't remember the letters).

I started taking the exam and quickly realized that I was prepared much more on a technical level than what was likely needed for the exam. I was concerned about time going into the exam but finished it just as the 3 hour mark was being called. I spent 10 or 15 minutes starting to check over my answers and then decided it would be best not to second guess myself and handed in the exam. After reading many of the descriptions here and on CCCure I expected the exam to be more difficult than it actually was. I cannot know for sure if I passed or not since I don't know how the questions are weighted or which ones were the 25 that didn't count, but I felt that I was adequately prepared for the exam and really do feel confident that I passed it. I will post results once I get them and am really hoping for a pass so I can save the $500.00 plus travel expenses needed to take it again.

I should be posting here much more often now that I am past this exam. I plan to take the Security+ next as it can be used to reduce the amount of experience I need for the CISSP by one year and also can be put toward some other certifications. I do not feel this one will be a difficult one to study for as much of it seems to be covered under the CISSP though it will likely be more technical in nature.

EDIT: Corrected date typographical error


  • ajs1976 Member Posts: 1,945
    Was the exam offered anywhere closer than Cincinnati?

    2020 Goals: 0 of 2 courses complete, 0 of 2 exams complete
  • Schluep Member Posts: 346
    I believe there was one in Pittsburgh in August just a few days after I decided I would plan to take the exam so I was not prepared to sit for it at that time.

    There was one per month at a training camp I did not plan to attend that is about 3.5 hours away. There was one in Virginia that was about 45 minutes further away than Cincinnati and more unfamiliar territory for me. There was one in Philadelphia on October 13th, 2007, but Philadelphia is about the same distance as Cincinnati from my location though I would be travelling on a more expensive toll road to get there in that same time.

    Other than that there is nothing scheduled here in Pittsburgh at this time. Had I started planning this a month earlier that August one in Pittsburgh would have been great. Cincinnati was definitely the best option for me so I don't know when the next one would even be held in Pittsburgh.
  • keatron Security Tinkerer Member Posts: 1,213
    There's often an exam offered at Bushkill PA. How far is that from you?
  • ajs1976 Member Posts: 1,945
    Keatron - I think Bushkill is the one that was 3.5 hours away.

    Schluep - I didn't know it had been offered in Pittsburgh. I will have to watch the schedule more closely.
  • Schluep Member Posts: 346
    Bushkill is North of Philadelphia. I actually thought it was more to the West than it is. That is the one I thought was about 3.5 hours away. After checking a map it is actually more like 5.5 hours from me which is farther than Cincinnati. That one is also usually tied in with a training camp that I didn't plan to attend so I was looking for a Hotel or Convention Center type location.

    I am definitely glad I made the trip to Cincinnati for it. Looking at the site again now I don't see any scheduled in Pittsburgh clear through the rest of the year (and some of the other locations are registered through until December).

    ajs - I am not sure how long it was up on the site. I only noticed it when I first started getting ready to take the exam. Keatron may know more about how much advance notice is usually given. It may have been a case where there was a lot of interest in Pittsburgh so they set one up without as much advance notice. Since I wasn't looking for it over any period of time I can't say how long it was up.
  • ajs1976 Member Posts: 1,945
    I don't check the (ISC)2 site that often. It will be awhile before I even consider studying for the CISSP. I would like to get through at least the Security+ and one of the Windows 2003 security exams before even considering it.

    Let me know how being an Associate of (ISC)2 impacts the job situation around town. Most of the ads I have read for security positions want a BS in a computer related field, the CISSP or CISM, and specific types of experience.
  • keatron Security Tinkerer Member Posts: 1,213
    You hit it right on. There are many times where a training company or for that matter, a company might have 10 or 12 people ready to take the exam. In these cases, an exam will usually be scheduled just for that group, and then anyone else who wants to jump in can. It's a good idea to send an email to [email protected] as many of these types of last minute exam dates are not even posted on the website.
  • securinate Member Posts: 16
    Good luck, I've just started my long journey to becoming a CISSP as well. Took the summer off so now it's time to get back into the swing of things. Let us know when you find out!
  • Schluep Member Posts: 346
    I received the official notice from (ISC)2 this morning that I passed the CISSP exam as expected and am now officially an Associate of (ISC)2 (until I gather the necessary work experience). There isn't anything I can add to my thoughts and impressions on the exam outlined above other than that my study plan clearly was a successful one for me at least.

    That plan was developed largely off of comments I read on these boards going back quite a long time so I owe a large thanks to all who posted on these forums, and especially to Webmaster for providing such an excellent resource.

    I might schedule Security+ for this Saturday but am not sure yet. I am testing a lot of different penetration techniques right now and am not sure which certification to focus on next. C|EH is one I might take a look at. I will post a follow-up where I decide for sure where to next.
  • sprkymrk Member Posts: 4,884
    Congrats on the pass!
    All things are possible, only believe.
  • JDMurray MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ Linux+ PenTest+ Security+ Surf City, USA Admin Posts: 12,715 Admin
    Congratulations! Passing the CISSP exam is a heck of an accomplishment! After that experience you'll be laughing while you are taking the Security+ exam.
  • snadam Member Posts: 2,234
    Congrats on the pass. I have a good friend of mine who sat the CISSP on Saturday. He was studying like a mad-man, so I can imagine you went through a similar ordeal. If you can pass this exam, then Sec+ should not be any issue to pass.
    **** ARE FOR CHUMPS! Don't be a chump! Validate your material with certguard.com search engine

    :study: Current 2015 Goals: JNCIP-SEC JNCIS-ENT CCNA-Security
  • SRTMCSE Member Posts: 249
    Schluep wrote:
    Bushkill is North of Philadelphia. I actually thought it was more to the West than it is. That is the one I thought was about 3.5 hours away. After checking a map it is actually more like 5.5 hours from me which is farther than Cincinnati. That one is also usually tied in with a training camp that I didn't plan to attend so I was looking for a Hotel or Convention Center type location.

    The Bushkill site is about 2 hours north of Philly, I actually worked for The Training Camp at the Bushkill location. Excellent instructors and location.
  • ajs1976 Member Posts: 1,945
    congrats on the pass.
  • Schluep Member Posts: 346
    Thanks everyone.

    I decided to pass on sitting for Security+ at this time. After reading through half of the Sybex book I picked up and all of the technotes I haven't seen anything new so wouldn't expect it to be a challenge at all if I needed to pick it up for some reason in the future. Might as well save the $250 and put it towards something more useful.

    Before embarking on another certification path I need to polish up my penetration testing skills quite a bit. My next goal is to learn how to use many of the existing tools and how they work. I also plan to become familiar making script modifications to existing tools and make sure I am comfortable writing some of my own if needed. The C|EH exam looks like it would be a good one for me but I do not meet the necessary work experience requirement. I also plan to sit in with a group of Security Consultants for some hands on experience and to learn more in a practical environment. They mentioned in their FAQ they would consider waiving the experience requirement. Does anyone know what usually constitutes their waiving of this requirement? I would prefer not to spend a lot of money on a class to bypass the need for this requirement when I plan to learn everything necessary through personal study and practical application (I learn much better that way than in a classroom).
  • Webmaster Admin Posts: 10,292 Admin
    Congratulations!
    Schluep wrote:
    They mentioned in their FAQ they would consider waiving the experience requirement. Does anyone know what usually constitutes their waiving of this requirement?
    Based on some previous/older members we had/have, the requirements for the CEH are a lot less strict than for the CISSP. Although it obviously needs to be relevant experience, it can be experience gained in other job roles than just 'full time infosec experience' the CISSP requires. If I remember correctly, taking the official course will also make the requirements more relaxed. I think Keatron can fill you in in more detail, but you can also contact EC-council directly. The fact that you passed the CISSP exam will probably have some weight too.

    Security+ is a good one to start with, as a guideline for the basics, and is also a nice one to add to the list for sys and network admins for example. I.o.w. I think there's nothing wrong with 'skipping' it, especially when you already passed the CISSP. And it doesn't have that much value on a resume especially for InfoSec jobs that require InfoSec skills.

    Again, welcome on board, and keep those good posts coming :D
  • Schluep Member Posts: 346
    Thanks Webmaster. I'll read through some of the posts in the EC-Council section and see what I can find based on the experience others had with the work experience requirement. My only experience so far specific to Security has been some small side jobs I have taken on.

    Even if the requirement is lighter than for CISSP I doubt any of my DBA experience will count since it wasn't specifically from a Security perspective, though security of the data was certainly an aspect of being a DBA. Maybe I am incorrect in assuming that this experience does not qualify for C|EH. I will post a bit of what I have been working on the past few years and see what everyone thinks.

    There is a very high degree of data confidentiality, integrity, and availability that must be maintained. I worked with databases of geo-spatial data to provide protection for underground utility lines in 7 different states within the US. Certainly that information requires a high degree of confidentiality since you wouldn't want a terrorist knowing the convergence points of major gas pipelines for use in an attack or where the electrical/fiber mainlines run in order to cut power or communication to a target area. Integrity is also crucial because the worst case scenario of a corrupted record could mean loss of life, and the best case scenario is property damage and a financial hit through necessary repairs and loss of utility service to excavators. State Law in most of the states we were involved in required the Call Centers utilizing this data to be operational 24/7 for emergency excavation that needs to take place, so availability of the data obviously had to be ensured as well. My title never had anything to do with security and my primary functions were performing the processing for these database updates, exchanging data with the owners of these underground facilities, ensuring compliance with various State laws and regulations, and ensuring the accuracy of the data prior to implementation of the updated databases. I also wrote a few macros and programs to make this processing more efficient and edited existing ones to improve performance.

    I would not expect this experience to qualify for the C|EH since I was not hired for a security position and none of it seems to be related to the topics covered in the C|EH exam. After looking over their website and seeing the recommended training outline of a 5 day course I definitely could not make such a time commitment during those times specified to waive the experience requirement through training. Unless there are other acceptable training options that idea is definitely out for the time being. I still have to do some more research in this regard and realize that ultimately I will need to contact EC-Council.
  • JDMurray MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ Linux+ PenTest+ Security+ Surf City, USA Admin Posts: 12,715 Admin
    You might want to reconsider Security+ if you will be looking for DoD work. The DoD Directive 8570.1 establishes the certifications that the DoD wants its people in managerial and technical positions to have. The baseline cert combo seems to be A+/Network+/Security+ with CISSP. Sprkymrk can talk more about this. Also, never pay retail price for a cert exam when there are discount vouchers available for it.
    Schluep wrote:
    I still have to do some more research in this regard and realize that ultimately I will need to contact EC-Council.
    The email address Keatron is always dropping of the guy to contact at EC-Council is [email protected].
  • Schluep Member Posts: 346
    Thanks JDMurray. I love my Country very much and would gladly serve in that capacity, however it is not so much my focus any more at this time. I feel that I need a lot more experience with various different systems and how they operate in order to secure them properly. I am doing some things on the side with a local consulting firm that I know through some shadowing and some hands on practical training while still doing the DBA work for the protection of the underground facilities. My immediate goal is to phase out of database and start doing the Security Consulting full time over the next few months as I think it will provide the greatest learning experience. Long term I plan without a doubt to own my own business, preferably InfoSec related. I cannot run such a business without the practical and technical experience necessary however, so I need to take things one step at a time. I own a few other small businesses that are largely at a point where they require minimal effort from me personally.

    I am not ruling out Security+ entirely, but don't see the need to sit for it at this point especially with how basic it is. I didn't feel the CISSP exam was too difficult, and taking a quick look through the technotes and the Sybex book makes Security+ seem even easier. After realizing this I feel confident that I could be prepared to take Security+ within a week maximum if the need ever arose to have this certification and I would probably sit for it at that time. The same would be true for Network+. I have done a lot of work with hardware and desktop repair including a number of side-jobs I performed designing customer computers for people so I feel A+ would easily be in reach as well after a quick read through a book to memorize the different numbers and theories that go along with the technical aspect that I am familiar with. I think I would be better served practicing my skills Saturday morning than sitting for one of these exams at this point. The same is true of focusing on improving my penetration testing skills this week instead of reading through the rest of the Sybex Security+ book to ensure there are no surprises.

    Thanks for posting that link regarding the discount vouchers. I do see it in blue on the side of this site now that I look at it. Your post gave legitimacy to something I was concerned about when seeing similar sites. I was concerned I would pay nearly full price (but a little less with something extra included in most cases) and end up with a fake voucher that would not allow me to sit for the exam after driving over. Much like the people that pay scalpers $3,000 for Super Bowl tickets on game night and then can't get in.

    I'll wait to see what Keatron says before I contact them since he has the most experience in that area with his training that he does. If I can qualify to sit for the C|EH without taking a class it will definitely be the next certification that I go for.
  • Schluep Member Posts: 346
    I read through every single post in the EC-Council (back to 2003) forums now and as most of you stated the experience requirements are much lighter than that of the CISSP. I guess I didn't pay as much attention to the word related in "security related experience". Though it is certainly not "Direct Security Experience" that is required for CISSP, perhaps it could at least count for something toward the C|EH along with mentioning that I am an Associate of (ISC)2 after passing the CISSP exam. I saw a few posts by Keatron stating that Security+ helps as well. I will e-mail [email protected], explain my situation, and see if I would be permitted to sit for the exam. If needed I could always pick up Security+ to be able to sit for C|EH if I decide it is something I really want to do. I saw one thread where someone was a Software Developer and that qualified for the C|EH experience since his code shouldn't contain vulnerabilities, so perhaps maintaining a secure database would qualify as well.

    I have already been working with many of the pen testing tools on my own (and still have a lot more playing around with them and various OS's to do). I also need to modify some of them and write some of my own scripts to make sure I will be able to adapt. I plan to do this regardless of whether or not I can sit for the certification, but it would be nice to verify my familiarity with them and have a certification to put by my name for it.

    Thanks again for all of the help everyone. Had I not mentioned C|EH in this existing thread I had then I probably would have incorrectly assumed that I did not qualify and not even pursued it further for another two years.