Destination Reached: CISSP
I am happy to report that I have been awarded the Certified Information Systems Security Professional (CISSP) by the International Information Systems Security Certification Consortium [(ISC)2] [a].
I started pursuing the certification in mid-2009, got serious about studying early this year (2010), took the exam in late April, was notified that I passed and had my background endorsed in May, had to update my resume for an auditor in early June and was awarded the CISSP designation at the end of June.
I felt that this certification was important both professionally and personally.
Professionally, the certification serves as a validation that I have a solid and broad understanding of information systems security. People who have worked with me know that I have been focused on IS security for many years.
Whether performing security-centered code reviews, fixing flawed implementations or teaching designers and developers how to improve the security of their systems, I have been on a mission to mentor and train people to observe effective security practices and principles. I’ve also had operational responsibility for system infrastructures. With that experience I was able to pass GIAC’s GSEC and Red Hat’s RHCE exams several years ago.
Personally, the process of studying and passing the exam allowed me to pursue and attain a non-trivial goal. I am enrolled and taking classes toward my master’s degree, but completing that work will require several more years of part-time attendance. Setting and achieving intermediate goals helps to keep me focused and learning.
If you are wondering what the CISSP is all about, please read on.
The (ISC)2’s CISSP Common Body of Knowledge (CBK) covers 10 security-centric domains. It is this CBK that forms the basis of the CISSP exam. The domains cover a broad array of subject areas including physical security, operations security, cryptography, business continuity, network security and so forth.
The bulk of my experience falls solidly into three of the domains: Application Security; Cryptography; and Telecommunications and Network Security. I have had operational experience in several other domains and there are a few which represent areas well outside any of my professional responsibilities.
I began studying in 2009 by reading the CISSP for Dummies book [b]. I wanted something that would give me a quick overview of the domains and exam process. The book was helpful, though insufficient as my sole source for understanding the breadth and depth of the CBK. One suggestion the book made, which later turned out to be quite wise, was to sign up for the exam in order to force oneself to buckle down and study.
I next read the (ISC)2’s official guide to the CISSP CBK [c]. Although somewhat dry, the book gave me a solid understanding of the knowledge expectations that the (ISC)2 has for someone to pass the exam and represent the profession. I took a long time to finish this book, putting it aside at times to read books on other subjects.
In February of 2010 I finally took the advice from the “For Dummies” book and registered for the exam that was scheduled to take place nearby in April. Now the clock was truly ticking and I wanted to assess where I stood. I knew that I was solid in some domains but likely weak in others.
In order to have access to a broad set of practice exam questions, I purchased Shon Harris’ CISSP exam guide [d]. This book is well written and very approachable. There are lighthearted comments sprinkled throughout the book which help to make the material more engaging. The book also supplies a testing tool with a nice set of practice questions.
After completing the Harris book I took a practice exam and identified my weakest domains (Security Architecture and Design, Physical Security). I applied some focused study around these two areas and took another practice exam, passing with better than 95% across all domains. At that point I felt I was ready, which was good since it was getting close to exam day.
A couple of weeks before the exam I received an email containing my exam admission document. It spelled out the location and process for taking the exam. This information agreed with the background provided in the books I had read. Essentially you don’t need anything beyond the admission document and an acceptable photo ID (such as a driver’s license).
You can usually bring something to drink and eat, since you may be there for up to 6 hours. Where I took the exam, all the test takers were required to put their drinks and snacks at the back of the room and go there to partake.
While taking the test, time flew by for me. I had no idea what time it was when I left since I didn’t have my cell phone with me (electronic devices were not allowed in the exam room). It turned out that I had taken about 3 hours to finish.
Over the next few months I intend to blog about each domain including highlights around material that was new to me as well as information that I already knew and was clearly germane to the CBK.
I am interested in hearing about experiences from others that have taken the exam or are contemplating taking it. Since I have a background in education I’m looking for an opportunity to assist with a study group for prospective CISSP test takers. Perhaps we can get a group started in the Albany/Schenectady area.
[a] Website: ISC2
[b] Book: CISSP for Dummies
[c] Book: Official (ISC)2 Guide to the CISSP CBK
[d] Book: CISSP All-in-One Exam Guide
Tags: (ISC)2, application security, CISSP, data security, education, linkedin, Security