Re: CISSP Examination Practices ?

["Yousef Syed" <yousef.syed () gmail com>]

I'm thinking more about the approach that is needed to pass the exam -
not necessarily whom the exam is for.
The guy that asked the initial question was worried about the exam. So
i was just telling him what worked for me. He's already been on a
course and already has extensive Security experience (as you'd expect
for someone planning to take the exam). However, I know MANY security
professionals that are great with security issues at the techy level.
Hence my emphasis on the management aspects being necessary for
passing the exam.

I don't want to split hairs, however, the instructor that taught us
the CISSP course made a point of telling us that it was a Management
focused exam. That doesn't mean it is an ITIL or PRINCE style exam.
But rather that it has a management focus as opposed to a technical
focus - if it had a technical focus, I doubt there'd be many CISSPs
out there with the required depth of knowledge in all the 10 Security
Domains.
And to return once again to the original question, approaching the
paper from the management perspective (despite my extensive
techy/developer background) served me well.

ys


On 04/02/2008, David Harley <david.a.harley () gmail com> wrote:
> > It was a  generallization.
>
> Exactly my point. And that's why it's misleading.
>
> > The CISSP is a maagement exam.
>
> I disagree. It's a broad-rather-than-deep security certification for
> information security professionals, which is often particularly suitable for
> managers in the security field, but it's also perfectly suitable for someone
> with specialist expertise who wants/needs to prove they have a reasonable
> amount of knowledge in the other domains. It's certainly not a management
> exam in the same way that an ITIL qualification is, for instance.
>
> > If you focus on learning all the technical matters of each of
> > the domains (though commendable and useful) would not
> > necessarily mean you'll ace the exam.
>
> There, I agree. In fact, I wouldn't regard every CISSP question I've ever
> seen as technically correct, though (ISC)2 do go to some lengths to make
> their questions as good as possible.
>
> > When answering many of
> > the questions, you need to put a manager's "hat" on and that
> > means you have to weigh things up on a budgetary basis, or
> > policy basis, or HR/Legal/compliance basis, or Employee
> > safety basis; as well as weighing up the more technical
> > security pros and cons.
>
> You can't go very deep technically on a multi-choice question. I think you
> seriously overestimate the degree to which these are "different" to security
> knowledge as it's measured by (ISC)2.
>
> If you're saying that security professionals who qualify for CISSP may see
> things differently to freelance vulnerability researchers, for example, I
> won't disagree, but I don't think the exam particularly reflects that. It's
> not what I'd call a management exam, and I've taken a few of those.
>
> > I hope that helps clarify the matter.
>
> Likewise.
>
> --
> David Harley CISSP :)


-- 
Yousef Syed
CISSP

http://www.linkedin.com/in/musashi