CRISC Certification – Is it worth obtaining?

I recently received information from ISACA about their new CRISC certification (Certified in Risk and Information Systems Control). Based on the CRISC grandfathering provisions I am eligible for consideration, so I am evaluating whether it would be useful to sign up at this time. Information security professionals have a mixed view of grandfathering: certification vendors use it to quickly build an established (and paying) community, but many see it as a cheap way of obtaining a certification without completing the study materials and exam. Before I get to my decision, I want to review some of the key questions around the CRISC and my decision process.

Who is the CRISC meant for?

The newly created CRISC certification targets business and information security professionals who specialize in the end-to-end risk management process (risk identification, assessment, evaluation, and remediation). In addition, there is a focus on the design, implementation, and monitoring of internal controls to manage these business and system risks.

Who can be grandfathered into the CRISC?

Information security and risk management professionals with at least 8 years of IT or business risk mitigation experience, including a minimum of 6 years of cumulative work experience across all 5 of the CRISC domains and a minimum of 3 years of cumulative work experience in CRISC risk domains 1 through 3.

What are the CRISC risk domains?

Here are the breakdowns of the CRISC domains by weighted percentage.

  • Domain 1 – Risk Identification, Assessment & Evaluation – 31%
  • Domain 2 – Risk Response – 17%
  • Domain 3 – Risk Monitoring – 17%
  • Domain 4 – Information Systems Control Design & Implementation – 17%
  • Domain 5 – IS Control Monitoring & Maintenance – 18%

* Per ISACA website details

When does the CRISC grandfathering deadline end?

You must decide whether to pursue the CRISC via the grandfathering program within a month: the currently announced deadline is June 30th, 2011.

What is the cost of the CRISC?

The ISACA member rate for CRISC is $595 and the non-member rate is $725. The annual recertification fee is $40 for ISACA members and $85 for non-members.

What are the CRISC CPE requirements?

The requirements are identical to those of the CISA: 120 CPE hours per three-year cycle, with an annual minimum of 20.

Should I accept grandfathering status for the CRISC certification?

Since I am not philosophically opposed to the concept of grandfathering for qualified professionals, I gave adequate consideration to whether I should apply for the CRISC designation. After some careful career consideration I decided it was not a needed activity for me to complete at this point, even though I would qualify. It is uncertain how much traction the CRISC will gain in the industry, since more established credentials like the CISSP and CISA are already considered the dominant certifications. There is potentially room for another one, but I would likely consider a SANS offering before pursuing the CRISC.


Pass the CISSP Exam – Successful CISSPs explain their approach

The CISSP exam is one of the most difficult information security exams to pass due to the broad base of subject domains tested. Maggie Harper is our second information security professional to be interviewed to lend a hand in this series designed to help you pass the CISSP exam. After all, what better way is there to supplement your formal study plan than to hear from those who have been in the trenches and passed the exam themselves?

Maggie, what were your reasons for pursuing the CISSP certification?

I pursued the certification because I feel that the information security field is an ever growing and expanding field, and the CISSP would help me with the transition from technical/engineering PM into a network security type role.

Did your employer at the time encourage you to take the CISSP exam?

No, I decided to pursue it on my own.

What study method/materials did you use to prepare for the CISSP exam?

A co-worker named Curtis Levinson helped me tremendously in understanding not just the fundamentals contained within the 10 domains, but the origin and evolution of those fundamentals as applicable in both today’s environment and emerging technologies. I also used the Wiley study guide and took the time to quiz other CISSPs. A million practice tests, scenarios and questions helped too.

It is nice to see that your co-worker played such an important mentoring role. What CISSP subject domains did you need to spend the most time studying in detail?

Crypto still gets me to this day, even after passing the exam ; )

How did your CISSP exam approach compare to my published CISSP Exam Strategy?

Great strategy you outline! I’m a one time through and then come back and hit what I felt would take too much time to noodle through. Only had two of those though.

How confident were you that you passed post exam?

Not at all. The exam was hard, no doubt about it. Of those I spoke with that walked out confident they passed, they didn’t.

I guess humility was the order of the day there. I wonder if there is some kind of correlation between overconfidence and a lower success rate. Have you found the CISSP CPE requirements tough to meet?

Not really, there are a lot of different avenues for CPEs.

Any final tips you have for CISSP candidates that we have not previously discussed?

Talk to as many certified people as you can. But don’t take their experience as your own. There are different versions of the test and you can easily make the mistake of focusing on the wrong areas. Ask a lot of questions! Even if people look at you like you’ve suddenly sprouted another head, ask!

Maggie made effective use of her network and inquisitive nature to conquer the CISSP exam. Thanks again for lending your time to help the CISSPs of tomorrow to pass the exam.

Be sure to check out the first CISSP Exam Interview if you missed it.


Pass the CISSP Exam – CISSP exam tips that work

The CISSP exam is one of the most difficult information security exams to pass due to the broad base of subject domains tested. Just the thought of the CISSP exam can make even ace test takers nervous about how the allotted six hours will unfold. Information security professional Andrew McNicol has graciously agreed to be the first interview for what will be a repeating series designed to help you pass the CISSP exam. After all, what better way is there to supplement your formal study plan than to hear from those who have been in the trenches and passed the exam themselves?

Andrew, what were your reasons for deciding to pursue the CISSP certification?

My primary reason for seeking the CISSP was to gain certification to advance my career in the information security field.

Did your employer at the time encourage you to take the CISSP exam?

It wasn’t required, but yes, they really liked that I achieved it. Achieving the CISSP along with my work performance led to a promotion quickly after I got the CISSP.

It is good to hear that your employer recognized the value of the CISSP and rewarded your efforts. What study method/materials did you use to prepare for the CISSP exam?

I used the following materials to prepare over a 2 month period:

  • PrepLogic course (practice test was good, but the video course left a lot of holes)
  • Carnegie Mellon CERT video course (practice exam – very useful)
  • All-in-One Exam Guide, 5th edition, by Shon Harris
  • 11th Hour study guide by Eric Conrad (very good)
  • 40% of Shon Harris’s video course
  • CCCure.org practice exams (took a handful of the free questions)

What CISSP subject domains did you need to spend the most time studying in detail?

My focus areas were Cryptography, and Application Security because my experience was weakest in these areas.

How did your CISSP exam approach compare to my published CISSP Exam Strategy?

My strategy was very similar. The exam took me 5 hours and 30 minutes to complete. I went through the exam 3 times in the booklet before transferring the answers to the scan-tron and reviewing one final time. I paced myself and took small breaks every 50 questions, or as needed. I was clear to underline words in the question that I thought were important to allow them to stand out. I certainly marked my book up, and only answered questions I knew and marked ones I had to think about for another run through the exam.

How confident were you that you passed post exam?

I was confident at first….very confident, but as the days passed (21 total to get results) I became less and less confident and nearly signed up again to take it.

Not to break the suspense, but obviously you passed, since I am interviewing you about your success with the exam. I am curious: what is your plan for acquiring the needed CPEs to stay certified?

I do a lot of SANS training so it should not be a problem to meet the CPE requirement for the CISSP.

One final question for you Andrew. Any special tips you have for CISSP candidates that we have not previously discussed?

The key to achieving CISSP success is to set goals for daily study time. I suggest reading a brief summary of the CISSP domains to get an idea of the CISSP scope (Eric Conrad’s 11th Hour study guide is a great source). Once you have a better idea of the test’s scope you should identify the 2, 3, 5, X domains you feel you will need to put forth more study time on. Then I suggest spending 1-2 weeks for each domain, making very good notes/note cards throughout that week for you to look back on.

The one issue with the CISSP is that because the test is so large you won’t truly feel prepared…once you push 1 domain into your head you tend to forget some small details about another domain. This is where I suggest you use mnemonics to help you remember some very small details that will help you in the stressful situation of the test (again, Eric Conrad’s book and the chapter summaries in Shon Harris’s book are a good source).

Once it comes time for the actual exam prepare for the worst — be sure you actually practice taking 300-500 questions at once! I say up to 500 because on the actual exam the questions tend to be paragraph style and practice questions for CISSP tend to be shorter quick 1 line questions in my experience. When you sit for the exam you should accept that you gave it your best shot and will have no problem taking the exam again if needed (helps with nerves).

While you take the exam, if you read a question that doesn’t make sense feel free to mark it and move on….don’t get too worried if you feel you are marking a lot of questions, because I know I did. I would mark the question and maybe place a mark near the 2 potential “right” answers. Then continue to go through the test; once you have finished, take a break, get a snack, and go through again, starting to tackle some of your marked questions. With the marked questions you should have a conversation with yourself asking “What is this question trying to ask? What is the scope of this question?” and then look at the answers, because you will find that oftentimes 2 answers are correct, but 1 answer is more correct based on the wording of the question (tricky!).

I think confidence will go a long way with this exam, and confidence can be achieved by understanding it’s okay to fail it your first time around. Hopefully the tips I have provided will help your readers reach their goal of passing the CISSP on their first go.

Thanks again to Andrew for the high quality interview and great tips to enable CISSP exam success.


Information Security Training Introduction

Information Security is one of the hottest fields in the IT industry, offering opportunities for career advancement and interesting work that encourages lifelong learning. The Information Security field is also less prone to being outsourced than many other IT functions, due to the sensitivity of the role and governmental regulations such as ITAR, making it a more stable career choice.

Information Security jobs cover the spectrum from entirely technical roles to managerial roles that interact with executives at the highest level of the company. This variability in job requirements allows you to participate in the information security industry on either track: a technical track if you prefer to be hands on with the technology, or a managerial track if you prefer to set strategic direction.

Information Security Training is a key component of your growth as either a technical or managerial professional in the industry. Information Security is a fast changing field, and regular training is an important way to keep up with industry changes. Information Security training is also instrumental in supporting goals to gain industry certifications, increasing your knowledge and maximizing your earning potential.
