And It’s All Over But The Waiting

I’m back home from the CISSP exam. A few observations (and no, I won’t give you the exam questions — ethics rules forbid that… however, the one-way hash of the correct answers, if you can reverse it, is “SECURITY·TRANSCENDS·TECHNOLOGY·(ISC)²”):

  • The Millennium Biltmore, while beautiful upstairs… is ugly downstairs. The exam was held in the “Regency Room”, a low-ceiling ballroom industrially decorated, with fluorescent lighting and restrooms that looked like they hadn’t been cleaned in 3 weeks. Yes, I reported the restrooms to hotel management. (To quote one description of the room: “The Regency Room is below the Biltmore Bowl with nearly 17,000 square feet of exhibit space near the hotel’s loading dock. The Regency Room is carpeted wall-to-wall and brightly lit with fluorescent lighting. A staircase and elevator connect the Regency room to the Biltmore Bowl.”)
  • I have no idea how I did. Out of 250 questions, I was unsure of my answers on about 73 of them. You need 70% to pass, which nominally would be no more than 75 wrong… but 25 questions are test questions and aren’t scored, and the other questions are weighted, so I have no idea how I actually did.
  • There were some subjects I was surprised to see on the exam, perhaps because they were newish (VOIP, global Privacy laws) and not in the mainstream books. But then again, there is a lag: the test lags behind the current technology as the CBK catches up, and then the published books lag behind the test due to publishing deadlines.
  • I did see more Common Criteria on the exam than the books lead you to believe (which is a good thing). However, I’m pretty sure I could write better questions.
  • A number of questions had problems of poor writing, which led to ambiguities, making the questions harder to answer than they should have been. They really need to scrub the questions to make them unambiguous. Just like with Kerckhoffs’s Law, there’s no need to obfuscate the question — make it clear and let people demonstrate their knowledge. Perhaps once I pass I’ll volunteer to help them write better questions.
  • I don’t know how Warren Pearce (a long-time “grey beard” in the field) does it — he predicted who the proctor would be.
  • I got done with the test in about 4.5 hours. Actually (and the proctor saw this and commented on it to me when I turned in the test), I got done in 3 hours, ate my sandwich, and then went over the test again making sure I had filled in the bubbles correctly, agreed with my answers, and calculating how many answers I was unsure about.
  • I’ll note that a high percentage of the “unsure” questions were either (a) badly written questions that I wasn’t sure I interpreted right, or (b) questions about areas that weren’t in any of the books or study tools I had. I think I did OK on those areas I studied.

Overall, I don’t begrudge the process. I learned things I didn’t know, and think I understand some of the government documents I have to read and interpret better. That’s a good thing, in my book.
