oy... Takes a peek and rambles on

So my employers forced my arm to re-take the CISM exam this June. I took it back in Dec 2008 and failed by 2 points or something measly like that. After snoozing through that bootcamp, running through the exam in about 1hr and 30 minutes... I was notified I failed. Arrogance? Not really. I don't care for paper pusher exams (no offense to CISSP's or other CISM's).

Anyhow... This time around, I'm actually going to study.

I have no more technical exams right now that I want to focus on. Maybe the OPST soon who knows... With that said... How are others studying? (I may have asked this before). Take two: How are others who potentially have ADHD studying. I tend to get sleepy reading about content I don't care about. For example, I'm happy reading Shellcoders Handbook, Advanced Windows Debugging but when I pick up anything related to management I seriously get sleepy. Its boring

Any hints? Tips?

Find more posts tagged with

Comments

Paul Boz

You have to break up the management certs with the technical ones or you'll burn out as you have. I couldn't imagine slamming the CISSP, CISA, or CISM at the same time. I'm going to have to crank down on the CISSP material for the September new orleans test date and I'm really not looking forward to that at all.

JDMurray

sexion8 wrote: »

I tend to get sleepy reading about content I don't care about. For example, I'm happy reading Shellcoders Handbook, Advanced Windows Debugging but when I pick up anything related to management I seriously get sleepy. Its boring

Any hints? Tips?

How did anyone make it through college classes in boring subjects? You created a study plan based on the class syllabus (exam objectives), scheduled study time in a place that forces you to study (at the library or in in a study group), had a TODO list of the items you would study at each study session, used different types of study aides (books, lectures, videos, short articles, Web site forums, practice exams), and focused on the material by high-lighting text and taking copious and detailed notes, as if you were writing a paper on the material.

Specifically for cert exams, you should schedule the exam 4-6 weeks out and don't allow yourself to reschedule. This should (hopefully) instill a sense of panic in you that forces you to forsake other activities in favor of studying. The final two weeks before the exam you should be studying only from your notes, as they will contain the distilled essence of what you have been studying.

GAngel

Read over the domains that relate to cism from this pdf then go study from your material. Read over the domains again. Write the exam.

home.cogeco.ca/.../CISSP%20aide%20memoire%20(e)%20v4.pdf

If you pass save yourself the trouble and schedule cissp for as soon as possible. Unless you want to start studying from scratch again.

Paul when i wrote cissp I found about 10% of the answers were directly related to gpen and ceh so you'll have a leg up for the exam. Plus the biggest section to study from is telecom and net security which you're far more of an expert in than I am. And if andrew manages to pass i'll be so dis-appointed if you fail.

subl1m1nal

sexion8 wrote: »

Take two: How are others who potentially have ADHD studying. I tend to get sleepy reading about content I don't care about. For example, I'm happy reading Shellcoders Handbook, Advanced Windows Debugging but when I pick up anything related to management I seriously get sleepy. Its boring

Any hints? Tips?

I have the same problem. I'm going over AD again for 70-648 exam. I get sleepy reading over the boring stuff. I usually use caffeine and take breaks. Since I already know most of the material, I'm looking at the exam objectives and focusing my attention on those.

If you get tired of reading, try taking a practice test or doing some labs.

Ye Gum Noki

Sexion8, if you were as smart as you seem to think you are, you wouldn't really need to ask advice from a bunch of paper pusher exam takers... and PASSERS. Just get the official guide and question bank and read them... try to retain the information this time. Shouldn't be too hard for a red hot techie like you.

Good luck,

Mr. Ye

sexion8

Ye Gum Noki wrote: »

Sexion8, if you were as smart as you seem to think you are, you wouldn't really need to ask advice from a bunch of paper pusher exam takers... and PASSERS. Just get the official guide and question bank and read them... try to retain the information this time. Shouldn't be too hard for a red hot techie like you.

Good luck,

Mr. Ye

Sorry Mr. Ye, I figured I'd ask those who actually don't get bored with reading. I tend to be a hands on person I feel it makes more sense to learn it (hands on) instead of theorizing and or relying on books. I certainly didn't mean to rattle your cage. The fact of the matter is, I get annoyed at books when their concepts are often outdated - sort of like the entire NIST line of documents. Sure those documents make sense - at that point in time and to that company where the document was written however, they (NIST docs) tend to be so far out of touch with reality it's sad to see that too many "managers" rely on these as "i noes security... I can accurately yelp the NIST numbah!" For me it's akin to trying to accept something that is wrong at times for the sake of appeasing the masses and not offending those who get offended when you call them "out of touch with reality". Sorry I suffer from toro[1]skata[2]phobia[3]... I can't help it

Sure, I've went through the question bank on ISACA's CISM for the past three years and the core focus - even though its called a security exam - is on business - not security. It's like the recent RSA study... The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf)." I get annoyed and easily deterred from focusing on books which teach: "money money money" wherein they're labeled: "Securing an Infrastructure - How to Become A Red Hot Certified Paper Pusher While Ignoring Reality and Security"

Sorry if I annoyed you Mr. Ye I will make sure it won't happen again

[1] translation - toro translate | Spanish dictionary
[2] Urban Dictionary: skata
[3] Phobia - Wikipedia, the free encyclopedia

JDMurray

AHEM

Please don't start tossing any flames back and forth in my forums, please.

PM your flames to each other all you want.

sexion8

Paul Boz wrote: »

You have to break up the management certs with the technical ones or you'll burn out as you have. I couldn't imagine slamming the CISSP, CISA, or CISM at the same time.

When I failed in December, I had attended a bootcamp for the CISM in VA but during the bootcamp I was actually doing some teleworking and instead of focusing like I should have, I wasted time like an idiot. Again, call it arrogance or a lack of caring for the CISM, I should have read the content and studied.

A big gripe was and is ISACA's methodology which is visible in some of their answers and explanations. For a certification to be labeled "Security Manager" I feel it imbues "Business Management of Security Systems" as almost all questions focused on the following: Business, Business, Business... Security.

Understandable that security needs to conform to business models but security isn't a "money maker" so any analysis (quantitative or qualitative) to me is theoretical. How does one in a logical (not theoretical) fashion interpret a financial gain from having security in place (without using fuzzy math/metrics). By the lack of compromises? Lack of attempted compromises? Visibly detected (alerts, etc.) and stopped breaches? Its definitely a hard pill to swallow when dealing with some of the content.

Paul Boz

Rather than trying to make a case for how security costs are justified through terms like "money maker" just make the case for what it would cost in case of a breach. Also make a case for regulatory compliance requirements. It is far easier to say "we HAVE to do this" versus "we SHOULD do this."

earweed

Paul Boz wrote: »

Rather than trying to make a case for how security costs are justified through terms like "money maker" just make the case for what it would cost in case of a breach. Also make a case for regulatory compliance requirements. It is far easier to say "we HAVE to do this" versus "we SHOULD do this."

+1 This is how the business and the tech side of things should look at security.

JDMurray

At the very pinnacle of the InfoSec pyramid is the domain of Risk Management. All security is justified based on the presence of risk. If there were no risks (i.e., threats), there would be no need for security. The justification of adding security by creating/modifying business processes comes from cost-benefit analysis. If you are will to accept a certain level of risk, there is no need to spend money to mitigate it. If the level of potential risk is unacceptable (i.e., the quantity of losses and probability of loss occurring are too great), then money must be spent to implement controls to mitigate the risks to an acceptable level.

This is the type of thinking that CISM people do every day.