And A Weight Is Lifted Off My Shoulders…

I just got the following email:

Congratulations! We are pleased to inform you that you have passed the Certified Information Systems Security Professional (CISSP®) examination – the first step in becoming certified as a CISSP.

Now to get endorsed (which should be easy, given my experience), and to get my exam fee reimbursed.

And It’s All Over But The Waiting

I’m back home from the CISSP exam. A few observations (and no, I won’t give you the exam questions — ethics rules forbid that… however, the one way hash of the correct answers, if you can reverse it, is “SECURITY·TRANSCENDS·TECHNOLOGY·(ISC)²”):

  • The Millennium Biltmore, while beautiful upstairs… is ugly downstairs. The exam was held in the “Regency Room”, a low-ceiling ballroom industrially decorated, with fluorescent lighting and restrooms that looked like they hadn’t been cleaned in 3 weeks. Yes, I reported the restrooms to hotel management. (To quote one description of the room: “The Regency Room is below the Biltmore Bowl with nearly 17,000 square feet of exhibit space near the hotel’s loading dock. The Regency Room is carpeted wall-to-wall and brightly lit with fluorescent lighting. A staircase and elevator connect the Regency Room to the Biltmore Bowl.”)
  • I have no idea how I did. Out of 250 questions, I was unsure of my answers on about 73 of them. You need 70% to pass, which nominally would be no more than 75 wrong… but 25 questions are test questions and aren’t scored, and the other questions are weighted, so I have no idea how I actually did.
  • There were some subjects I was surprised to see on the exam, perhaps because they were newish (VoIP, global privacy laws) and not in the mainstream books. But then again, there is a lag: the test lags behind the current technology as the CBK catches up, and then the published books lag behind the test due to publishing deadlines.
  • I did see more Common Criteria on the exam than the books lead you to believe (which is a good thing). However, I’m pretty sure I could write better questions.
  • A number of questions had problems of poor writing, which led to ambiguities, making the questions harder to answer than they should have been. They really need to scrub the questions to make them unambiguous. Just like with Kerckhoffs’ Law, there’s no need to obfuscate the question — make it clear and let people demonstrate their knowledge. Perhaps once I pass I’ll volunteer to help them write better questions.
  • I don’t know how Warren Pearce (a long-time “grey beard” in the field) does it — he predicted who the proctor would be.
  • I got done with the test in about 4.5 hours. Actually (and the proctor saw this and commented on it to me when I turned in the test), I got done in 3 hours, ate my sandwich, and then went over the test again making sure I had filled in the bubbles correctly, agreed with my answers, and calculating how many answers I was unsure about.
  • I’ll note that a high percentage of the “unsure” questions were either (a) badly written questions that I wasn’t sure I interpreted right, or (b) questions about areas that weren’t in any of the books or study tools I had. I think I did OK on those areas I studied.

Overall, I don’t begrudge the process. I learned things I didn’t know, and think I understand some of the government documents I have to read and interpret better. That’s a good thing, in my book.


Last Day of Study

Today is the last day before the CISSP exam. Today I’m going through the Total Tester that came with the Shon Harris book, taking my time with the questions and developing my way of thinking about examining the multiple-choice answers. Note that the exam tomorrow is 250 multiple-choice questions, and we have six hours.

  • Domain 1: Security Management and Practice. 95% correct. 104 questions/65 minutes (including interruptions): 0.625 minutes/question. 250 questions = 2.6 hours.
  • Domain 2: Access Control. 92% correct. 123 questions/64 minutes (including interruptions): 0.52 minutes/question. 250 questions = 2.16 hours.
  • Domain 3: Security Models and Architectures. 98% correct. 86 questions/26 minutes (including interruptions): 0.302 minutes/question. 250 questions = 1.26 hours.
  • Domain 4: Physical Security. 98% correct. 87 questions/26 minutes (including interruptions): 0.298 minutes/question. 250 questions = 1.25 hours.
  • Domain 5: Telecom & Networking. 89% correct. 113 questions/54 minutes (including interruptions): 0.477 minutes/question. 250 questions = 1.99 hours.
  • Domain 6: Cryptography. 94% correct. 130 questions/43 minutes: 0.33 minutes/question. 250 questions = 1.38 hours.
  • Domain 7: Business Continuity Planning. 91% correct. 67 questions/26 minutes (including interruptions): 0.388 minutes/question. 250 questions = 1.61 hours.
  • Domain 8: Law and Ethics. 95% correct. 83 questions/31 minutes (including interruptions): 0.373 minutes/question. 250 questions = 1.55 hours.
  • Domain 9: Applications and Systems. 93% correct. 95 questions/36 minutes (including interruptions): 0.378 minutes/question. 250 questions = 1.57 hours. My big problem here is that I keep putting things in the wrong phase of the software development lifecycle: I’m “off by one”.
  • Domain 10: Operations Security. 91% correct. 69 questions/25 minutes: 0.362 minutes/question. 250 questions = 1.51 hours.

Some overall observations. I seem to be well over the 70% that the test requires to pass, although my worst subject (not surprisingly) is networks. It looks like I should be done with the test in about 2 hours, but I’ll actually try to take things slower to ensure I make fewer errors. I’ve also noticed that I really need to carefully read all answers before making my selection. This may be less of a problem on the paper test.


CISSP on the Brain

Now I know the exam is getting to me:

  • I just figured it out: they give us all the answer when we take the test. Now, if I can just figure out how to reverse the one way hash of “DIXONTICONDEROGA#2”.
  • (ISC)² ethics prevent those who took the test from telling folks what the questions were (we all know the answers: A, B, C, or D). So here’s what I think happens: You go in the room to take the test. They close the doors. Then they tell you that you pass just for putting your name on the test form, and we’re going to watch a movie for three hours. Of course, the ethics rules prevent you from telling anyone this. So, here’s what you tell them if they ask…
  • Of course, since the rules prevent those who took the test from telling what the questions are, they also prevent those who took the test from confirming that a question on those sample tests isn’t a real question. So I think some number of those questions are the real questions, and they just can’t tell us.

One more day of study to go…


Six Days…

Another study day. Mostly physical security (bollards, electrical systems, HVAC, fire extinguishers, etc.), but some BCP/DRP, Information Risk Management, Networks, Operations Security and Cryptography thrown in. Tomorrow is work… and more study in the evening, and the rest of the week.


Just Keep Shovin’ It In

Next week, at this time, I will have been done with the CISSP exam for at least an hour. This means this week is “crunch” week. I’ve been spending all day studying, reviewing, and quizzing myself (most of today has been cryptography, with periodic inclusion of the other domains I’ve reviewed: Business Continuity Planning, Risk Management, Telecommunications and Networking, and Operations Security). This is tiring work, combined with the fact that something (quite likely stress) has me feeling less than 100%.

As for tomorrow: Alas, more of the same. Ditto for Tuesday. Ditto for Wednesday. Ditto for Thursday. Ditto for Friday. That’s right — I’m planning to take four vacation days to study for this.

I will be so glad when this exam is over… and I’ve hopefully passed.