28. Audits with Roger Ison-Haug - Small Business Security - Part 7

in

Roger Ison-Haug is the head of Berigo AS, a Norwegian audit and consulting firm. [https://www.berigo.as/?lang=en] We also consider him a good friend, and he is one of the three people who listen to the show.

International audit/standards organizations mentioned during the episode:

- ISO (the International Organization for Standardization, which is odd, considering how it’s abbreviated) [https://www.iso.org/home.html]: a global standards body that publishes standards for performing just about every kind of human activity possible. Standards discussed on the show include:

-- The 9000 series: The Total Quality standards (sometimes referred to as “Total Quality Management (TQM),” or “Quality Management Systems (QMS),” collectively)

-- The 27000 series: Standards for information security, often referred to as the “Information Security Management System (ISMS),” which is actually the name of one of the standards in that series, 27001

- ISACA (originally the Information Systems Audit and Control Association, but has now legally changed its name to the abbreviation) [isaca.org]: Originally an American standards body that addressed information systems audit and security for manufacturing systems, but has since evolved into an international IT security and management standards body. Famous for:

-- Professional certifications, such as the CISA (certified information systems auditor) and CISM (certified information security manager) [full disclosure: Ben has the CISM certification]

-- Audit and governance standards, particularly the (unfortunately named) COBIT 19 standard (control objectives for information and related technologies)

Encouraging Words About CISSP

in

A former student wrote in yesterday to tell me:

” I passed the exam last Wednesday.  A few observations on my experience:

 

1.  Like others posting their results to LinkedIn recently, my exam cut off at the 100 question mark.  My elapsed time at that point was somewhere between 90 and 100 minutes.

2.  Candidly, the first thought that passed through my mind when the exam cut off was that I failed, because...

3.  A lot (I would estimate 60-70%) of the questions required a good deal of domain knowledge synthesis to answer.  By that, I mean the question wasn't just asking for a fact or straightforward application of domain knowledge.  I got about 50 questions into the exam and considered walking away from the test, I thought I was doing that poorly.  I really thought "OK, those first 25 or so were the 'evaluation' questions for future exams, now the real exam is starting" but the questions didn't change in style after that. 

4,  I really had to slow myself down to make sure I read the questions and answers correctly and thoroughly.  This is probably what saved me from failing, of course, since the result is only pass/fail there's no way to know if the answers I changed after re-reading the question and answer while thinking about every word were the correct choice.

5.  Notwithstanding the "synthesis" comment above, most questions did have 2 fairly obvious wrong or distractor answers.  It was deciding between the remaining two that created the most frustration.

6.  I did use current editions of both the Shon Harris and Mike Chapple texts and practice exams for preparation.  I guess that's why I was a bit surprised at the nature of the questions.  Practice exam questions from both books were for the most part more oriented toward straightforward domain knowledge demonstration.”

Great advice— SLOW DOWN, everybody. And remember that you can’t fail until you’re done. Good luck to you all!

One of the best pieces of advice I have found in a long, long time:

in

Saw this on reddit recently:

“So, to your primary question, during those best 90 minutes of my exam - I passed at 100Q at 90 minutes - this was what I'd written on my dry-erase board and what I focused on:

  • YOU ARE A RISK ADVISOR/CEO – think like one.

  • Do NOT fix things (unless asked to do so, or unless those are the only answer options)

  • Think END GAME

  • Read EACH question 3x and then THINK before responding

This said, during my last two weeks, I did a high-level but comprehensive review of notes from ALL domains, and I particularly focused on making sure I knew and understood processes like RMF, SDLC, IR, BCP/DRP, etc. I took several 100-125 question practice exams during the last 10 days and used feedback from those exams to further hone the things I needed to focus on prior to my exam. Good luck and all the best as you make final preps for your exam!”

https://www.reddit.com/r/cissp/comments/i1eshf/exam_tips/fzx8qth/

TSSOI - Episode 18 - Skynet is Racist

in

Recent CISSP Feedback

in

Pearson VUE test centers have reopened, and candidates for ISC2 certs have now been able to schedule their exams. I’ve been getting sporadic feedback from test-takers; here’s one recent message:

“I took and passed the exam on Saturday. 118 questions in 1:15.

I actually thought it was a little annoying.  A lot of awkwardly worded questions.

It was very little direct technical questions (no TCP ports).  Focused on policy and judgement.  Think  before you act.  You have to have a core of IT knowledge, but the bulk was thinking strategically and not tactically.  I think your course focused on that way more than the other materials.  The cccure tests are pretty good.  The McGraw-Hill material was outdated and a big distractor.  And just knowing that 25 questions don't count, and you have a 25% chance of guessing let me just keep going forward after picking an answer on the weirder questions.”

Good to hear, and great words of caution for those gearing up for the exam. Good luck, everyone!

The Sensuous Sounds Of INFOSEC - Episode 13 - Ryan Skelton

in

This week we talk with INFOSEC professional Ryan Skelton about information security training and awareness programs, tools used in live environments, and how Robin sounds like an NPR interviewer.

The tool mentioned by Ryan during the episode: https://www.knowbe4.com/

The Saturday Night Live sketch Ryan references (and yes, Robin does sound like that!): https://www.youtube.com/watch?v=RoysmfRxPLc