My CISSP Experience

Richard R, CISSP, FITSP-M, PMP, MBA, Security+, Network+, Project+
Last Revised: August 2015

Purpose

While many candidates briefly share their experiences in becoming a CISSP, there are not as many who share their complete story.  I have thoroughly documented my experience in an effort to share my experience with others who are hoping to obtain the CISSP certification.  I welcome feedback and questions which will help me improve this memoir as a resource for those who are working towards the CISSP certification. To ask a question or provide feedback, please contact me by email at cissp at avitria dot com - I'm always happy to answer questions from other candidates who are working toward their CISSP certification. I also do one-on-one mentoring for the CISSP and other certifications. Connect with me on LinkedIn if you'd like to establish a mentoring relationship.

If you enjoy this memoir, you might also appreciate my thoughts on how to Become (and stay) a CISSP on a Budget or how to go from CISSP to PMP certification.

 

*Note - I prepared for and passed the CISSP exam before it was available in computer-based test (CBT) format. While the test experience itself is somewhat different, the methods to prepare for and accomplish the test are essentially the same, except you don't have to practice filling in tiny bubbles!


First My Background

I’ve been an IT professional since late 1998 and have spent time supporting a variety of industries including telecommunications, higher education, non-profit, commercial managed services and defense contracting. The list of job titles include GIS Analyst, Systems Administrator, Network Administrator, IT Support Director, IT Manager and most recently, Information Assurance Manager.  As part of these positions, I have worked extensively with enterprise architecture including Windows, UNIX and Linux systems.


Heading in the Right Direction

When I started my current job as Information Assurance Manager, my supervisor asked me what training I wanted to take and what certifications I felt would be helpful in performing my job duties.  I stated that I wanted to obtain the CompTIA Security+ and ultimately the ISC(2) CISSP certification.  In March, 2010, I took a one week Security+ course from Computer Minds (http://computerminds.com/). This firm occasionally holds courses in the area and they had a competitive price which included the exam on the last day of the course.  The opportunity to dedicate a single week to the Security+ was exactly what I needed since I routinely have a number of major of distractions that emanate from home.  I sailed through the course and was able to score a pretty solid 875 out of 900 on the exam.  I felt that I now had a sufficient foundation so I started working on my study plan for the CISSP.


Building the Right Study Plan for Me

Since I’ve always been one to have a plan laid out in front of me, I started working thoroughly reviewing the CISSP-related materials on http://www.cccure.org/. This helped me understand a few important concepts of the study plan which include:


There is no magic pill for this certification! People learn in all sorts of ways and a successful study plan depends greatly on your study habits and learning style.


There are a lot of resources out there! Some resources are worthwhile and some are not so it’s important to separate the wheat from the chaff.


Preparing for the exam is as important as the exam itself! Remember, if ye are prepared, ye shall not fear.


Study Habits and Learning Style

I designed a study plan that relied on computer based training (CBT) resources, videos, books, practice questions and ultimately a review seminar before the exam at the end of my journey to CISSP certification. I found that my best bang-for-the-buck in preparing for the exam was CBT training and videos.  I’m not a big fan of reading and some of the CISSP source material and guides are downright dry if not impossible to read.  I find that visual and auditory learning works better for me and allows me to internalize it and map the teachings back to experience already in my mind.  This learning style was reflected in my study plan, and I cover this further on in my materials review.


The Wheat and the Chaff

When it came down to it, I was surprised at what materials I found to be useful and what I found to be utterly worthless in my studies.  I found that some materials that others considered to be a holy grail were a waste of time for me.  I’ll cover these disparities in my materials review.


Be a Good Boy Scout and “Be Prepared”

Yes, I am an Eagle Scout.  Did that help me prepare?  I don’t know.  But what did help me prepare for the exam was my bell curve shape approach to my study plan.  I started slowly with high-level materials and covered the entire breadth of the CISSP Common Body of Knowledge (CBK). Upon establishing a solid familiarity with the CBK domains and the concepts thereof I transitioned to materials that scraped a bit deeper into the concepts and discussed the more technical aspects of specific technologies, methodologies and processes.  Ultimately I reached the apex of my study plan, a point at which I was studying several hours each day.  I was taking hundreds of practice questions, watching detailed videos and researching weak areas in some of the resource materials and guide books.  Once that apex was reached and I felt I was about to start leaking CBK material from my ears, I backed off and started reading some of what I considered to be the “light reading” of the CBK concepts to help round off the corners and relax and let the content work on a long soak.


Putting All the Pieces Together

Early on, my supervisor had given me the option of which review seminar to attend, so I scoured the http://www.cccure.org/ forums and solicited feedback from a variety of folks who had attended various courses.  The feedback varied significantly, ranging from “it made all the difference in my success” to “I knew more about IT security than the yo-yo instructor”.  I ultimately selected Training Camp.com after receiving excellent reviews and encouraging correspondence from past attendees, including a few who worked in the same branch of the DoD as myself.  I booked a course for late November in Minneapolis and continued my studies.


Warning! Travel Plans…and Turbulence Ahead!

Study plan execution was humming along nicely and I was in the final weeks before heading to Minneapolis but I was anxious because Training Camp had not given me the hotel information so I could make arrangements for airport transportation. I wasn't renting a car since I was there to study - nothing else. 


Then, just a week before the session I got the news – the session was canceled owing to not enough registered attendees!  They gave me the option of moving to Bushkill, PA or Atlanta, GA during the same week, or I could slide to any other session that worked for me. I had to then settle on Atlanta, GA since I had already made all the arrangements to be away that week and that location would be least expensive to travel to.  I responded and told them that I would go with Atlanta, GA and made my travel changes.  No sooner had I changed my arrangements than I received another email  saying the Minneapolis session was back on.  Although frustrated by having to change flights again I was more than happy to switch back. The idea of the cold weather attracted me since it meant fewer distractions and I find a walk in the cold can help me relax.


Leaving On a Jet Plane

On November 28th I packed up my stuff and hopped on a plane for the quick flight to Minneapolis.  On the flight I entertained myself by reading some more.  As soon as I hit the ground I called the hotel (La Quinta Inn & Suites Bloomington West) and the shuttle pulled into the ground transportation just as I walked out onto the platform on a temperate 40 degree day. I had called ahead that morning and asked for an upgraded room in a quiet area of the hotel.  Management was accommodating of my request and gave me a nice efficiency room with a great view of the Minneapolis skyline. I made a quick trip to a local store to pick up some some groceries and returned just after dark. I then settled down and prepared for the start of the seminar by reading through what I considered my weaker areas.


Fire Hose On?  Check.

After a solid night of sleep I awoke early then went downstairs to check in with the front desk to find out where the seminar was being held.  I found the room and dropped my books off and grabbed a quick breakfast.  I found that maintaining a routine came in handy throughout the week, especially in the dietary realm. The seminar started promptly with our instructor introducing himself as Rob Slade (http://en.wikipedia.org/wiki/Robert_Slade), an industry expert, longtime ISC(2) member and course instructor.  I cannot say enough good things about him, but my experience was very similar to every other person who discussed their ISC(2) instructor as being very intelligent, experienced, and helpful.  Of the eleven people in my seminar, five were Training Camp attendees who received the extra evening sessions and Saturday session.


After that point the week turned into a blur.  Rather than attempt to break down every day I will simply give a rundown of one day was like, because from Monday through Friday each day was similar in structure with only the content changing.


The Daily Grind

We covered the CBK domains in the following clusters, with one domain in the morning and then another in the afternoon:


Monday: Access Control, Information Security Governance and Risk Management

Tuesday: Physical Security, Cryptography

Wednesday: Application Security, Security Architecture and Design

Thursday: Business Continuity Planning and Disaster Recovery Planning, Telecommunications and Network Security, Operations Security

Friday:   Legal, Regulations, Compliance and Investigations


0645 – Get out of bed, check email, turn on some music and take a shower.

0730 – Head downstairs, drop off study materials in the classroom and get breakfast while watching SportsCenter

0800 – Class starts promptly with review questions from the domains covered the day before; questions are done in group format and answers are reviewed along the way.

0900 – Death-by-PowerPoint through first domain of the day, with breaks every hour. Snacks and drinks are provided in the classroom.

1130 – Catered lunch provided in hotel restaurant; meals were EXCELLENT and varied each day between chicken parmesan, pasta bar, baked potato bar, pulled beef BBQ and more.

1230 – More death-by-PowerPoint coverage of the domains mixed in with comedic banter as we became increasingly more exhausted.

1430 – Afternoon snack break – again the hotel did a great job of mixing up snacks each day with chips & dip, cookies, popcorn etc. along with a selection of sodas.

1700 – ISC(2) seminar attendees end their day and head out, leaving only the Training Camp folks.  At this point the Training Camp attendees completed the practice quizzes in the seminar manual and then reviewed the answers with the instructor, covering any weak areas and discussing the answers.  During this portion of the day there were many heated conversations about the finer aspects of the CBK and the nuances of the ISC(2) approach to test design.

1900 – Class ends for the day for Training Camp attendees. We generally went our own way and most folks ordered delivery for dinner or ate food in their rooms.  I purchased enough dinner food to last me through the week so I generally returned to my room and stayed there for the night.

2000 – Review of CBK material – Each night I reviewed the seminar manual of the domains we covered that day, and those that would be covered the next day.  I felt that this routine helped with retention and prepped my brain for the concepts I’d hear the next day.  It also gave me a chance to make note of any concepts I was not clear on.

2300 – Lights Out.  A few days I had problems getting settled down and took some medication to help fall asleep.  I tried to maintain as much of a routine as possible throughout the week so as to not get my mind and body out of an established pattern.


This pattern repeated itself for five days.  I can confidently say that it was the most intense educational experience of my life.  The intensity is due largely to the fact that our instructor was truly an expert and was able to thoroughly dissect concepts and help us understand the details behind some of the concepts. To those who are not prepared ahead of time with a base knowledge of the CBK and the various domains, the seminar and related content can be instantly overwhelming and provide an unequaled mental pounding that would be tough to overcome in time to be prepared for the exam on Sunday.


Friday afternoon we took the official 125 question practice test provided to us.  I had not looked at it prior to sitting down for it. I blew through it in about 75 minutes – an average of .6 minutes (36 seconds) per question – which fell exactly in line with my practice quizzes.  I’m traditionally a fast test taker if I know the content well and fortunately this was no exception.  I felt good about it but felt that I had room for improvement.  After grading it I noted which domains I hadn’t done as well in. I had scored an 88 percent on the practice test and my instructor was very positive about my grade, stating that I ought to just “go upstairs and sleep until Sunday”.  According to my instructor’s experience, test scores are clustered tightly around 70 percent on the official practice tests. I’m not the type that can pull up before the finish line and walk across, so I had no intention of skipping the review session Saturday morning.


We had collectively decided to do a full review of the CBK domains Saturday morning, so that morning started out like the other mornings.  The instructor blew through the more basic sections of the presentation and we slowed down on focused on some of the more complicated concepts, including the ever-present Cryptography section.  We stopped for lunch and then broke for the day.  We said goodbye to the instructor and he wished us the best on the exam and encouraged us to relax for the rest of the day.


Relax?  I Can Do That!

By mid-day Saturday I was about as confident as I was ever going to be about the results of my study plan and the review seminar.  I knew at this point that there was nothing more I could do to prepare myself and that I needed to go blow off some steam and relax for the day.  Being in Minneapolis I knew where I needed to go… to the Mall of America of course! Just a short shuttle ride later I was wandering the halls of this metropolis of consumerism.  I found the movie theater and for the first time in my life I watched a movie… alone.  It was a new and exciting experience that really helped me relax.  After the movie I gave my wife a call and told her what I was up to, the first thing she said to me was “have you ridden the roller-coasters yet?... Well don’t call me back until you do.” At her urging I bit the bullet and rode all three of the roller-coasters in the mall with just enough time to spare to get back outside and wait for the shuttle.  I then capped of the night by eating dinner at one of my favorite burger joints, came back to the hotel and packed up most of my stuff, and then collapsed into bed around 2330 hrs.


Into The Fray

After my usual breakfast I wandered back to the classroom where the exam was going to be administered.  To my delight all three of the proctors were already there and setting up signs and getting the room prepared.  Only the five of us from the Training Camp group were sitting the exam, so the instruction and preparation phase went pretty quickly.  I had my pencils, a bottle of water and some granola bars in case I got the munchies.  At 0900 sharp we flipped open our exam booklets and I was off like a shot. The next 2.5 hours are largely forgotten to me.  I simply pounded through the questions using this process:


1.    Read the question, twice

2.    Note any significant wording (ie. NOT, MOST, LEAST, EXCEPT, etc.)

3.    Look for obviously wrong answers

4.    Eliminate any additional answers using the proper approach

5.    Make sure the selected answer answers the question being asked

6.    Reword the question to ensure the answer fits

7.    Mark the answer on the Scantron form

8.    Rinse and repeat


Just as I expected, I was moving along at a relatively fast pace.  For the vast majority of questions I was easily able to eliminate two answers and then use logic to determine the correct remaining answer.  In only one case I remember making a complete and total guess due to not having ever heard of the concept/technology that was referenced in the question.  In a handful of instances it was a guess between two answers, but that was by far the minority.


After 125 questions I stopped and took a quick break to walk to the bathroom, stretch my legs and eat a granola bar to keep my energy up.  I sat back down and cruised through the rest of the exam, finishing in exactly 2.5 hours.  I reviewed my answer card to ensure that I had not miss-aligned any answers or incorrectly filled any bubbles and proceeded to turn in my exam.


And The Wait Begins

I left the exam room feeling confident.  If I had not passed, then I was going to be totally shocked and I would not know what I could have done to be better prepared.  I called my wife and other family members and shared the good news and then sat down with my box lunch the hotel had arranged for and watched some football to mellow my nerves.  A few hours later I was at the airport and by 2000 hrs that evening I was back at home with my wife and the kids.


To keep myself busy over the next few weeks I had decided to pursue my FITSP-M certification so I worked on that after I got back home and having been working towards it as a distractor while I waited for my results.  I also got more involved in the http://www.cccure.org/ forums and mailing list as I could finally provide authoritative information on the preparation and exam experience, having now ran the gauntlet.


So How Did I Do?

On January 7th 2010 I received the official notification that I had passed the exam. On January 10th I submitted my endorsement paperwork which was filled out by a co-worker of mine who works with me on various C&A activities. That evening I received the acknowledgment email stating that they had received my paperwork and that it was in the queue for validation.  After an initial four week wait I received the unhappy news on February 14th that I had been selected for auditing!  I quickly responded with the requested information and after three more grueling weeks I received official confirmation of CISSP status on March 4th 2011.  In the meantime I kept myself busy by successfully sitting for my Network+ and Project+ exams and I also obtained my FITSP-M certification from the Federal IT Security Institute as well as my PMP certification from PMI.


In Summary

Overall it took me nine months of studying to arrive at the day of the exam.  As I stated before I used a bell-curve approach to my studying, which peaked about 6 weeks before my actual exam.  The last month before my seminar I read some high-level materials but by that point many of the concepts had become solidified in my mind so I did my best to maintain a good level of situational awareness and float into the seminar ready to knock out any weak areas.  The Training Camp/ISC(2) review seminar was the kill shot I needed and it gave me ultimate confidence in my ability to pass this exam and function as a certified expert in information systems security.


Materials Review

Leading up to the seminar I used a number of resources which I’ve listed and rated below.  My ratings and insights are purely my own objective opinions and there will probably be some who do not agree with my feelings towards some of the materials which are often considered the gold standard in exam preparation.


(ISC)2 (TM) CISSP (R) Prep Version 2 CBT Course  - https://www.vte.cert.org/  - 8/10

I completed this as the first step in my study plan. This resource is available to all .mil and .gov email account holders, including active-duty or civil servants as well as contractors.  The course is 27 hours of pre-recorded lecture sessions which are accompanied by a number of high-quality labs and quizzes.  For those who benefit from a more interactive learning experience this is a good substitute for live training if you’re on a budget.  I gave this resource an eight out of ten because I felt that too much of the training focused on the Telecommunications section – but this fact may benefit someone with a weaker background in this domain.


CBT Nuggets CISSP CBT Videos - http://www.cbtnuggets.com/ - 7/10

These videos followed the VTE course in my study plan.  Many have complained that these are too fast-paced, but I enjoyed them and found them to be a perfect tempo for me as anything slower becomes boring for me and then I have a hard time staying on task. I found the level of detail to be good, going into more depth than the VTE course, but not too deep. The domains are covered in a series of 30 videos totaling 16 hours of study time. I gave these 7 out of 10 because it’s a good continuation that goes into more detail, but at times there is a tendency to get off-topic.


Shon Harris CISSP Video Mentor DVD - http://www.amazon.com/CISSP-Video-Mentor-Shon-Harris/dp/0789740303 - 7/10

I used this video after completing the CBT Nuggets videos and found it to be a good summarization and reinforcement of the concepts covered by it.  It is not a full course, but contains a few CBT videos of Shon Harris and a few of her compadres presenting specific topics including Cryptography, the OSI model, IPSEC, and wireless networking.  Unless you’re struggling with one of these specific areas, this DVD will be of no worth.  I would have given this resource more than 7 out of 10 if Shon had let her co-workers do more of the videos – I found hers to be dry and full of indifference.  The ones done by her counterparts were much more enjoyable and educational, especially the video covering the OSI model.


Shon Harris CISSP Video Seminar (2007 Edition) - http://www.amazon.com/Shon-Harris-CISSP-Video-Seminar/dp/B000VAUVRG - 2/10

My disclaimer on this resource is that I did not watch many of them, as I found them to be that painful to sit through.  Shon’s voice is like nails on a chalkboard to me and I could not stand her presentation skills.  34 hours of lectures full of “umm” and “uhh” is not worth the steep price for these videos, in my opinion. I would suggest that you gain access to a system like VTE if at all possible.  If you’re stuck on a concept and don’t have to pay for these then they *might* be worth your time.   Two out of ten is all I could muster up for this resource.  Some folks worship Shon Harris’ study materials, but that flavor of Kool-Aid just doesn’t suit me.


The CISSP Prep Guide: Mastering the Ten Domains of Computer Security - http://www.amazon.com/CISSP-Prep-Guide-Mastering-Computer/dp/0471413569/ref=sr_1_1?ie=UTF8&qid=1293121297&sr=8-1  8/10

I’ve made many friends during my CISSP journey and one of them who was following a very similar path to me highly suggested this book.  I was skeptical because it was one of the first books published as a CISSP prep guide.  I picked up a copy for a few bucks used and took it with me on a trip to Arizona, leaving me with plenty of time in the airport and on the plane to read through it.  I finished the entire book over the course of a weekend and was impressed with the layout, delivery and depth of content.  Having now completed the review seminar I can say this book was most on-par with the level of detail required when learning the CBK.  A potential reason for this was explained to me by my instructor – apparently Ron Krutz used to be affiliated with ISC(2) and my instructors opinion was that the book was essentially a re-formatted copy of the seminar manual from the early days of the CISSP certification.  This book is one of my top-three materials for the exam, and thus the high score of eight out of ten.


CISSP For Dummies (3rd Edition) - http://www.amazon.com/CISSP-Dummies-Lawrence-C-Miller/dp/0470537914/ref=sr_1_1?s=books&ie=UTF8&qid=1293121964&sr=1-1  - 7/10

This book was my final ramp-up to the review seminar.  I read most of it the week before my seminar and finished it up on the flight to Minneapolis.  It’s relatively high-level, but does a good job of covering all of the necessary “core concepts” from the various domains.  It also talks extensively about how to become a CISSP, how to prepare for the exam, and other security industry information. This would probably be a good book for someone just getting started or looking to review or brush-up on their knowledge.  I gave it seven out of ten because it is a solid resource as a high-level go-to book for understanding the basics of a specific concept, explained with graphics and charts. It is not however, a complete guide and should not be used as such.


CISSP All-in-One Exam Guide (5th Edition) - http://www.amazon.com/CISSP-All-One-Guide-Fifth/dp/0071602178/ref=sr_1_1?ie=UTF8&s=books&qid=1293122390&sr=1-1  4/10

The Shon Harris Kool-Aid strikes again.  After reading through portions of this book (commonly known as the AIO) I could not understand why people were so enthralled with this book.  Even further, I could not comprehend the fact that people actually read this from cover to cover.  It’s a good book, but to me it was merely a reference to go to when another source did not adequately cover or explain a detailed concept.  I feel that this book gets too far down in the weeds – and while this approach may help teach concepts I can see how it would lead to increased anxiety in those preparing for the exam.  I found the practice questions from it were either too detailed in nature or designed to trick the test-taker with trivial content.  My opinion was shared by many of the others in my seminar and we were very close to having a book burning with these overgrown paperweights.  If this book works for you, all the better – but as for me and my study plan, this one sat gathering dust except when I needed it briefly.  I could have easily not used it at all and been just fine. I think four out of ten might even be a bit generous.


Official (ISC)2 Guide to the CISSP CBK (2nd Edition) - http://www.amazon.com/Official-Guide-CISSP-Second-Press/dp/1439809593/ref=sr_1_1?ie=UTF8&s=books&qid=1293122900&sr=1-1  7/10

So you can’t argue with the official word of ISC(2), right?  Commonly known as the OIG, this book makes no pretenses, it is thick, it is heavy, and it is devoid of any entertainment value, and has only minimal graphics and charts.  I used this book as nothing but a reference, and it did that very well. My biggest gripe is that they really skimped on the index and there is no glossary – resolve those issues and it would be a far more useful reference book.  Similar to the AIO, it gets way down in the weeds, but it does so with the express intent of providing meaningful technical explanation of the concept or technology being covered. This book was the second in my “Study Triad” and contained the second-best practice questions of any book I read, behind the next book in my list. A seven out of ten puts this book in its spot as a reliable producer, but nothing flashy.


The Official (ISC)2 CISSP CBK Review Seminar Student Handbook (9th Edition) - http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=CBK+Review+Seminar&x=0&y=0  9/10

This was by far the most useful written resource of my study plan.  Whether you attend an official seminar or not, this book combines visual references with text that covers material at a level deeper than the CISSP Prep Guide or Dummies book, but not as detailed as the OIG or AIO. At the price you can find online for a used copy, this book is a solid investment that can be virtually guaranteed to provide results.  It doubles as easy reading material and an excellent reference source, with a much better index than the OIG and although the practice questions are about the best you can find, they are not quite to the high standards of the actual exam. Remember that since only attendees of the official review seminars receive this book, used copies are not plentiful and you may have to settle for a previous edition, but when you can find it using sites like Amazon, eBay or Froogle, pricing is generally very reasonable (generally under $10). Since the CBK material has not changed significantly, only minor differences can be found between versions - I compared the 9th (2010) edition to the older 5th (2005) edition and did not find any glaring differences. Be advised the "current" edition is the 10th edition. My rating of nine out of ten shows my confidence in this resource.


Training Camp ISC(2) CISSP Review Seminar Manual (The Blue Book)  Not Available Online  5/10

This is the booklet you receive as a Training Camp attendee.  It’s nothing fancy, just a bound booklet of powerpoint slides, worksheets and a study guide. If you’ve done a lot of research on test-taking tips for the CISSP Exam, have hands-on, real-world experience and a copy of the “CISSP aide memoire” discussed below, then this book has little to offer you. Some of the attendees used the worksheets to test their comprehension, but I found them to be overly basic and not really helpful for my learning style. I gave it five out of ten because the slides on testing philosophy and techniques are solid gold, but nothing new if you’ve poked around the http://www.cccure.org/ forums at all.  The rest of it may or may not be worthless depending on the individual.


CCCure Quizzer - https://www.freepracticetests.org/  8/10

Don’t let the URL fool you – the site is not entirely free.  A limited number of quizzes and questions are available to “free” account holders – to get the most from this resource (and to support http://cccure.org) you should either A) pay the subscription or B) help Clement by providing questions and/or corrections to existing content (so Clement will upgrade you to a paid account at no cost) and benefit from the unlimited quizzes and full test bank offered here.  This resource is widely believed to be the best resource and many post-passing CISSPs have no qualms about shouting this fact from the hilltops (or in the forums).   In the course of my studies I took almost 150 quizzes covering nearly 4,000 questions.  My overall average score topped out at 74.9% but by the end I was averaging well over 85% on the quizzes.  If I could make one suggestion to Clement on this resource it would be to add custom reporting to the results so I could build stats on my own (i.e. my best domains and average score on the past X number of quizzes) and if that feature was in fact added, my rating would shoot up from the assigned eight out of ten to a high nine.  The biggest drawback of these questions is that A) The become repetitive (this can be overcome by using the “show only unanswered questions” option) and B) there are quite a number of spelling/grammar errors – but this serves as an excellent way to “give back” to Clement by sending him corrections.  When an answer is answered incorrectly an explanation is generally provided along with a listing of the source content for the question – this “source” listing is also a good way to see a wide variety of the CBK source materials.  I don’t consider this resource a part of my “study triad” because it’s not a physical resource but it played a large part in preparing me for the real exam and teaching me my weak areas.


Secondary Resources

These were resources I looked at to some extent, but were not primary sources in my study plan. I’m not scoring these, just offering some insight into their usefulness.


CISSP Exam Introduction and Overview - http://www.cccure.org/downloads-cat92.html

One of the first things I did after getting serious about preparing my study plan was watching this flash-based tutorial.  Clement does an excellent job of providing a basic overview to those who may be trying to understand what the CISSP certification is all about, and how to become certified.  Certainly a must-watch tutorial.


CISSP Aide Memoire - http://home.cogeco.ca/~ericallaire/index.htm

Considered a favorite last-minute study aid, many CISSPs stated to me that this was the last thing they looked at before the exam.  It is well written and thorough.  I read through it near the mid-point of my study plan and used it to identify weak areas I had not adequately covered.  It’s not a holy grail, and will not helping anyone trying to “cram” at the last minute, but a valuable resource to any student of the CISSP CBK.


CISSP Summary v1.1 - http://www.xs4all.nl/~mfrank66/CISSP/CISSP%20Summary%20V1.1.pdf

This could be considered a close cousin of the aide memoire, in that it presents as much information as possible in a small package.  It’s more professionally laid out with a cleaner look, and certainly has more pages if printed in original form.  To save space I printed two pages per sheet.  It’s a solid reference that is a bit easier for the brain to absorb thanks to a more aesthetic layout.


SearchSecurity.com CISSP Essentials Security School - http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1330306_mem1,00.html

Speaking of cousins, this collection seems to be a compressed version of the Shon Harris DVDs.  They’re useful for reviewing the core concepts of the domains and the price is right (free).  I watched them and found them to be somewhat useful, but no better than the DVDs if Shon’s voice grates on your nerves.


Veridion CBT CISSP Tutorials - http://www.cccure.org/link-172.html

Speaking of death-by-PowerPoint, these tutorials are each roughly 90 minutes of pure computer-narrated concept inundation.  If you’re looking to reinforce concepts without the incessant rambling of Shon Harris, this is the place to go.  Direct and to the point, I’d put these just under the VTE course in terms of quality.


PrepLogic CISSP Mega Guide - http://www.preplogic.com/products/mega-guides/mega-guides-details.aspx?eid=139

I didn’t really look at this one much but PrepLogic was running a sale on these and I picked it up for one dollar.  It cost me more to print it out and hole-punch it and put it in a binder than for the material itself.  I liked it as a high-level review, but others have stated that it contains serious errors.  I tended to not focus on finding errors in specific resources since I was pulling information from so many places that all the good overruled the bad in the end anyways.


NIST IR 7298 Glossary of Key Information Security Terms - http://csrc.nist.gov/publications/nistir/ir7298-rev1/nistir-7298-revision1.pdf

Just released as revision one, this document is a thorough reference document which provides definitions and source references for many information security terms. An excellent resource to help track down the NIST docs which reference specific technologies and techniques.


Handbook of Information Security Management 1st Edition -

While you *could* purchase this book to carry around with you, you can also read the entire text online at the link above.  My seminar instructor told our class that this series of books comprises a large amount of the CBK.  After reading through both this edition and the fourth edition I feel that if you read something in the OIG and need further clarification, this is the place to go.  An excellent reference resource.



The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage -

http://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1416507787/ref=sr_1_1?s=books&ie=UTF8&qid=1297132996&sr=1-1

A classic book written by Cliff Stoll, who in the mid eighties was involved in tracking down hacker Markus Hess.  While this is not truly a study guide, it is an excellent resource which contains numerous examples of the application (and lack thereof) of various concepts surrounding information security and digital forensics.  This book would be a great way to relax after a long day of studying and identify the same concepts you're reviewing in study guides.


CCCure.org CISSP Forums - http://www.cccure.org/modules.php?name=Forums&file=index&c=2

While this isn’t a physical resource, it is a valuable source of all kinds of information from those who have obtained their CISSP certification or are in the process of doing so.  Especially helpful posts include the following:


    Mnemonics/Tips/Study Aids - http://www.cccure.org/ftopict-2968.html

    All About the OSI Model - http://www.cccure.org/ftopict-3245.html

    Most Important Domains - http://www.cccure.org/ftopict-6556.html

    Question Analysis Tips - http://www.cccure.org/ftopict-7854.html


These posts include some of the most crucial information needed for the exam, and are a sampling of the countless helpful posts and forum members that are willing to assist others in obtaining the knowledge required for certification.


Special Thank-Yous

First and foremost I thank my wife for her support in this endeavor.  During the months leading up to my exam I was taking 12 credit hours of classes for my degree and those studies along with the CISSP studies were far more than I should have tried to handle. Without her support and understanding I would not have been able to achieve this milestone.


Additionally I thank my parents and my brother who were supportive and confident in my ability to conquer this beast.  


Lastly, I wish to thank Rob Slade for his superb guidance and instruction, Clement Dupuis for running cccure.org, as well as cccure.org forum users "Independence-Day" and "ShaneWhite" who shared their experiences with me as I developed and progressed through my study plan.