Path to the ISSEP

redzredz Member Posts: 265 ■■■□□□□□□□
Well, I've finally bitten the bullet and decided to tie down and study for the Information Systems Security Engineering Professional (ISSEP) concentration of the CISSP. I have yet to schedule the exam, but am very tentatively planning for mid-September, pending how comfortable I feel with the material. I may bump it up to the end of this month.

I'm using the ISSEP CBK (With care, of course - It is a bit dated) and InfoSec Institute mentored-online training with their offline study materials.

I would be interested in hearing other people's experiences with this exam, positive or negative. Specifically, I'd like to hear any domains of difficulty, any tips, et cetera.

I will update this thread as I get closer to the test, hopefully it will end up as a resource that others who want to pursue this certification can use in the future.

Comments

  • DarxtarDarxtar Member Posts: 30 ■□□□□□□□□□
    I took it a couple of years ago. It was a challenging test. It’s been said the pass rate is 30%. I don’t know about that but most people who sat the test with me failed. Could have been just the group I was in though.

    Study:

    Acquisition Lifecycle-Milestones
    Protection Needs Elicitation
    SSE Process (know this in detail or don’t waste your money on the test)
    IPP/IMP
    C & A process (including for non-military systems- 800-37)
    Risk Assessment
    DODAF
    Project Management
    Software development models
    Major Instructions and what they address

    I assume you work for the DOD. There is also some training on Skillport, it is dated but the SSE information is valid and helpful.


    I guess you could say my experience was positive...I passed. But it was a painful test, 5 questions in I was wondering why I was subjecting myself to it.

    Good Luck.
    Ph.D. in Information Systems Security
  • redzredz Member Posts: 265 ■■■□□□□□□□
    Sadly, I no longer work for the DoD... However, I do hugely appreciate your response, especially with focal areas for the exam (and the fact that it looks like you made an account just to reply to me). The only items I feel really strong enough in right now are C&A (800-37 & DIACAP, not so much NIACAP) and Risk Assessment. I have quite a bit of experience in the rest, but don't know that I have ISSEP-depth knowledge at this point.
  • redzredz Member Posts: 265 ■■■□□□□□□□
    After absolutely pounding Domain 4 of the ISSEP for the past 3 weeks, I felt comfortable enough to schedule my exam. It is scheduled for the afternoon of September 9.

    I've begun work on Domain 1, and feel fully comfortable in my ability to learn and be able to apply the information from domains 1-3 by then.

    I've at least read, in their entirety, every regulation from the ISSEP CIB. One thing specifically that has helped me was doing write-ups on the big ones (Privacy Act, ECPA, GLBA, CCA, HIPAA, etc) and their impact and applicability to the SSE process.

    I will update as I begin to use other study materials/methods and get closer to this exam.
  • acidhorseacidhorse Member Posts: 7 ■□□□□□□□□□
    I'd like to know how the studying goes and the outcome of your exam. I'm scheduled to take the exam on the 11th. As a contractor, I thankfully have access to www.fedvte-fsi.gov, a virtual training environment that has instructor-led video on an assortment of IT certifications, including the ISSEP. I'm taking Darxtar's recommendation and focusing on those topics.
  • redzredz Member Posts: 265 ■■■□□□□□□□
    Acid,

    Good luck tomorrow. Seriously. Nothing I did prepared me appropriately for that.

    My study method:
    Watch sections of the InfoSec Institute video library each night for ~1-2 hours, read for 1-2 more. I did this for about 5 weeks. I took Thursday-Monday off work, and took the exam that Monday evening.

    Each day I drilled a domain for upwards of 14 hours, and purchased six more months of the CCCURE Quizzer for their ISSEP question bank, doing about 100 questions from the domain of study each day.

    My test was yesterday at 4pm. I woke up around 10, and just did questions until 2. Then I showered, ate, and left for the exam.

    If the CISSP is "hard", this test is "holy %^&$".

    Materials:
    InfoSec Institute Training: Do not waste the money. I regret doing so, because it came straight out of my pocket. Everything is brushed over, there isn't the level of depth you need to pass. It's not even close.
    ISSEP CBK: This is why I passed, the reading. I'm not even good at retaining what I read, but as dated as it was, this book carried me.
    CCCURE Quizzer: The questions on here aren't at the depth of the ISSEP at all, which was disappointing. It gave me a great confidence boost going in getting 90-100% on 150 question practice tests, though. If you have it, use it. In fact, I'd recommend it either way.

    Everything that made the CISSP hard (strangely phrased questions, buried meanings, listing 3-4 correct answers to questions), the ISSEP amplified at least twofold, coupled with the knowledge being at a more extreme depth.

    I honestly don't think I could pass it again if I sat down right now with the same 150 questions. This is one not to let lapse.
  • acidhorseacidhorse Member Posts: 7 ■□□□□□□□□□
    Redz, you're not helping at all....:) I've been going over the virtual training that I have access to over and over and over again. Plus I did read through the ISSEP CBK but that was extremely tough to get through. I'll try out the quizzer but tomorrow is the day. Crossing my fingers..... Any last hints or recommendations?
  • redzredz Member Posts: 265 ■■■□□□□□□□
    I assume you have DoD specific ISSE experience - USE IT. When you get a scenario question, think about that scenario in terms of a full-lifecycle DoD project you were an ISSE on and who performed what functions and how and when it was done. There is a ton of 'best judgement' stuff.

    The CCCURE Quizzer is only ~$50, I would honestly drop what you're doing and do 100 question tests over each domain in the ISSEP mode. They aren't that similar to the real exam, but they will grind some useful information home that you may have otherwise missed.

    The last thing you do before you take the test - go through IATF again. Trust me on that.

    Know your laws and regs.

    Apparently (ISC)2 realizes they're all easily accessible from csrc.nist.gov, so knowing which NIST number is which document is way less important than understanding the content of the documents. Understand the content of every referenced document in the CIB at a "broad strokes" level - at a minimum.
  • acidhorseacidhorse Member Posts: 7 ■□□□□□□□□□
    Thanks Redz, that's what I was looking for. I have been doing IA (ISSO/ISSM type stuff) for a DoD contractor for 3 years which consists of DIACAP type workflows in addition to what closely relates to the SDLC/RMF. Basically standing up an Information System all the way to sanitization/disposal. This also includes DoD security regulations that are applied to the IS. We are in the process of going full-blown RMF but it hasn't gained much steam lately.

    So when you say "best judgement" I feel this is the CISSP concept all over again, which is fine.

    I'll see how much I can squeeze in for the CCCURE Quizzer but I don't have much time left. I'll go over the IATF one last time. I did get to the point of actually knowing what NIST number applies to what, but as you said, it's better to know what's actually in it. I believe the virtual training environment I did provided some great information without going too far into the weeds. It did provide the "broad strokes" type level and I was able to retain much of the information. The ISSEP CBK book was tough, really tough.

    Last but not least, I wouldn't consider the CISSP a "hard" exam. The problem I had was the length of the exam. At question 200 I was about to call it a day (obviously I wasn't, but you know what I mean). Thanks for the "inside" info Redz. My exam is at 8am tomorrow morning. With a good breakfast and 3 cups of coffee in by that time, I should be ready. I'll let you know how it goes. Again, thanks.....
  • redzredz Member Posts: 265 ■■■□□□□□□□
    Come back as soon as you're done, let me know how it goes!

    It sounds like you have the related experience to draw from - definitely use that.
  • acidhorseacidhorse Member Posts: 7 ■□□□□□□□□□
    Will do! Congratulations by the way! Hope to be part of the "crew" tomorrow.
  • DarxtarDarxtar Member Posts: 30 ■□□□□□□□□□
    Congrats to redz on the pass. Seems like they have migrated to an online test. In 2011 it was still paper based and took a month to get the results. At about the 3 week mark I had convinced myself I had probably failed and started studying again. It was a relief to get the pass email!

    Acidhorse, when I took the test they asked several questions which described a process or activity and asked which relevant NIST or instruction number covered it, so actually knowing the main ones was important. And I will say it again, in 2011 you had to know the SSE process in detail or you were wasting your money on the exam. Since Engineering is the focus of the cert I would expect nothing to have changed. Good luck tomorrow!
    Ph.D. in Information Systems Security
  • DarxtarDarxtar Member Posts: 30 ■□□□□□□□□□
    I took the training on Skillport and on CERTVTE which is now FEDVTE. Both were dated even in 2011, focusing on DITSCAP.
    Ph.D. in Information Systems Security
  • redzredz Member Posts: 265 ■■■□□□□□□□
    I saw one number, and it was a pretty basic one... I also didn't see a single DITSCAP question... It's probably a massive question bank, though... Or the test changed rather dramatically when they went to computer based testing last year.

    (and yeah, thank god for that, because waiting four weeks on an email from ISC2 would have driven me mad)

    EDIT: Oh, I read bad. Sorry Darx, I got your point.
  • DarxtarDarxtar Member Posts: 30 ■□□□□□□□□□
    The test did not have any DITSCAP, but the training did. As I said, as far as C & A the training available on Skillport, CERTVTE, and Hanche's book, was dated.
    Ph.D. in Information Systems Security
  • LarryDaManLarryDaMan Member Posts: 797
    Congrats on the pass! I have heard the exam is challenging.

    Outside of DoD, are employers recognizing or looking for this concentration anywhere? I've considered it, but I feel like I'll just have to explain to everyone what it means.
  • redzredz Member Posts: 265 ■■■□□□□□□□
    I don't really see job postings for it. I figured I would just, you know, get it for fun...

    ...fun.

    I want to go back to working with the DoD primarily, though, I just have to find a remote position where I can do so.

    EDIT: Acid, did you pass? It's a 3 hour test you should have finished by now! Unless you're in a different time zone. I guess I didn't think about that.
  • DarxtarDarxtar Member Posts: 30 ■□□□□□□□□□
    I work for the DoD, the cert is pretty much an expectation of the group I work in. I would think that anyone working with government (Federal) ISs would find the cert valuable, but outside of that another concentration might be more known/useful.
    Ph.D. in Information Systems Security
  • acidhorseacidhorse Member Posts: 7 ■□□□□□□□□□
    Hello all.....Redz, just got back and yes I'm on the Pacific time zone. It's a very challenging test and well, I didn't make it. Both of you guys were spot on as to what to expect. I even recognized a CISSP question in there as well. I'm going right back into it and focus on the top two domains I did the worst on. But Darxtar is right, know the SSE inside, out, and sideways because the bulk of it was there.
  • redzredz Member Posts: 265 ■■■□□□□□□□
    Well, I think it has a silly low pass rate. You'll get it though, stick with it!
  • DarxtarDarxtar Member Posts: 30 ■□□□□□□□□□
    Too bad, but according to everything I have ever heard the test has a high bar as it was developed for and with the NSA. With first hand knowledge of what is currently on it I would study and go right back ASAP for another shot while the information is fresh.
    Ph.D. in Information Systems Security
  • acidhorseacidhorse Member Posts: 7 ■□□□□□□□□□
    Thanks Darxtar. As of this moment my nose is back into that book and I plan on re-taking it ASAP. I did remember several of the questions and was able to find them in the book, almost word for word which was strange. In any case, I'll give it another shot and let you know how it goes. Thanks again.
  • acidhorseacidhorse Member Posts: 7 ■□□□□□□□□□
    Took the test again yesterday and passed. It was a long 6 months. I know others probably studied in half the time, but it was a little challenging for me with having a 2 and 3 year old climbing all over me. I'm obviously glad that's over with but I'm also glad that this cert may open some doors at my job or any other defense industry position. Thanks again for all the help fellas!
  • DarxtarDarxtar Member Posts: 30 ■□□□□□□□□□
    Congrats, welcome to the club.
    Ph.D. in Information Systems Security
  • dijital1dijital1 Member Posts: 64 ■■□□□□□□□□
    acidhorse wrote:
    Took the test again yesterday and passed. It was a long 6 months. I know others probably studied in half the time, but it was a little challenging for me with having a 2 and 3 year old climbing all over me. I'm obviously glad that's over with but I'm also glad that this cert may open some doors at my job or any other defense industry position. Thanks again for all the help fellas!


    Grats mate