(ISC)² Community

The 10th annual  (ISC)² Security Congress  will take place as a virtual conference in recognition of the health concerns and many corporate travel restrictions this year associated with the COVID-19 pandemic. The renowned three-day conference, focused on industry discussion and continuing education for security professionals of all levels, will be held online from November 16-18. Read more  for information on early bird pricing.   We hope to "see" you there!        

Attention (ISC) 2 Members,   Some new and recertifying members, who recently received their membership kit, will be receiving a reprint of their certificate in the near future. We encountered a technical issue during a recent fulfillment order which led to a printing error. Please be assured that all other information contained on the paper certificate and digital version of the membership certificate is correct.   If, for any reason, the corrected certificate needs to be updated, please contact (ISC) 2 Member Support at membersupport@isc2.org.   We apologize for any inconvenience and thank you for your membership.  

Hello everyone,   I have my CISSP exam scheduled for the end of the month using the new CAT format (fully aware of that so not too concerned - fatal last words I know!).  However I was wondering, based on the experiences of those who have passed, what the best and most accurate practice exams are?   I have used: 1) Questions that came with the Official CISSP Study guide Book 2) Questions that came with an online course I bought (uCertify based on the above book with more questions added) 3) Pocket prep CISSP iPhone App 4) CISSP Practice Questions iPhone App   I have searched the forum here but could not find a definitive list.   Thanks in advance   David 

Looking for feedback on the advantages and disadvantages of VPN split tunneling. What are the security risks in using a split tunnel and how do they weigh against resource usage on the concentrator especially in high bandwidth consumption applications like video and streaming. Found the comments regarding IPV6 in the post below very interesting, thanks.   https://community.isc2.org/t5/Industry-News/Remote-Access-VPN/m-p/4527#M478  

Before asking a question in the forum on what counts as a CPE, whether a specific activity can count as CPE, or how many you need, PLEASE read the February April 2020 edition of the CPE Handbook to start your effort. We all need to know the information in the handbook to maintain our certifications.   If you still need help for your question, start a new thread in Member Support (not a reply to this one), use an informative Subject that will let staff and members know your problem, and cite the section or paragraph in the handbook that is confusing you. [Edited 4/6/2020 to add this paragraph]   If you are unsure what documents you need support a CPE submission, either initially or in audit, check the handbook first. If you do not see clear guidance there, then ask yourself what you would accept if you were performing a due process audit of someone else's claim for that activity or event.  [Edited 4/18/2020 to add this paragraph]   (Obviously, problems with the CPE reporting site do not fall under the handbook.)   Thanks to William @denbesten and Diana @dcontesti for spotting the announcement from Kaity @KaityEagle in the middle of another thread, and thanks to Kaity for pointing out the new edition there.   Kaity, please pin this new thread to the top of the Member Support.   <Rant> If a certified security professional is unable or unwilling to read the handbook to manage a career in the field, I question that individual's ability to understand and use the many technical and regulatory documents we all must use to do our jobs. Translation: Asking here before reading the rules makes me question whether I would recommend or hire that person.<Rant OFF>   Craig

Content previously posted to (ISC)² Blog.  SSCP VS. CISSP EXAMS: HOW ARE THEY DIFFERENT? You’re considering a cybersecurity certification and the   SSCP   and   CISSP   are both on your list. After comparing the material, you’re thinking there’s a good bit of overlap between the two. But is there, really? And if you sit for one exam would you be able to sit for the other without   additional study   or preparation? These are excellent questions.   In fact, we hear them a lot. And the reality is, there ARE commonalities, which is true for most things in the field. However, these two certifications are wholly different and were developed from two distinct perspectives. In many ways, the CISSP certification holder would find the SSCP exam more difficult, as it’s focused on technical application. Although considered “entry level,” the SSCP is designed for the technical practitioner. It covers how to incorporate, build, design and apply security to technology. Alternatively, the CISSP was designed with leaders in mind. It emphasizes how to build a program and apply concepts of security to the business. Also, the frame of reference for each certification is poles apart. SSCP tends to focus on technical application, and CISSP on the business alignment of that application. Another important point to consider is depth and breadth: SSCP has more depth; CISSP has more breadth. (ISC) 2   members who hold both credentials say   each opens doors and benefits them professionally. Many pursue the SSCP first as they work toward getting managerial experience needed to obtain the CISSP. To qualify for the SSCP, candidates must have at least a year of cumulative, paid, full-time work experience in one of the seven domains. For the CISSP, candidates must have at least five years of cumulative, paid, full-time work experience in two of the certification’s eight domains. Domains SSCP Domains    CISSP Domains Access Controls         Security Risk Management Security Operations and Administration Asset Security Risk Identification, Monitoring and Analysis Security Architecture and Engineering Incident Response and Recovery Communication and Network Security Cryptography Identity and Access Management Network and Communications Security Security Assessment and Testing Systems and Application Security Security Operations   Software Development Security Exam Comparison Certification   SSCP CISSP Number of Items 125 100-150 Maximum Time Allowed 3 hours 3 hours Passing Score (out of 100) 700 700 Available Formats English, Japanese, Brazilian Portuguese English, French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese, Korean* *Format also available to accommodate visual impairment. For a deeper dive into each certification, download the latest (ISC)²   Ultimate Guides to the SSCP   or   CISSP. For a quick knowledge check, take the (ISC)²   Practice Quizzes on CISSP   or   SSCP.

Content previously posted to (ISC)² Blog.  SO YOU HAVE DECIDED TO BECOME CYBER SECURITY CERTIFIED, NOW WHAT? By Tony Vizza, CISSP, CCSP, Director for Cyber Security Advocacy - APAC at (ISC)²   If you are reading this article, it is likely that you have made a conscious decision to do so. Congratulations on taking this step in furthering your career, skills and knowledge. You have made the decision to demonstrate to the wider world your hard-gained experience, knowledge and skills in cybersecurity and to prove to yourself that you have what it takes to become certified. The most recognised and most valuable cyber security certifications in the world today are (ISC)² certifications. However, becoming (ISC)² certified is not easy, nor is it meant to be. The certifications are prized and valued by employers across the globe precisely because they take hard work, dedication and perseverance to achieve. Becoming certified means that obstacles need to be overcome. Experience needs to be gained; knowledge needs to be acquired, processed and stored; commitments need to be made and endorsement needs to be sought. The famous American pioneer aviation pilot Amelia Earhart once said that “the most difficult thing is the decision to act, the rest is merely tenacity”. Starting the Journey: Work Experience. Before starting your study preparations, you should begin by considering the experience requirements for the certification that you are seeking to achieve. As (ISC)² certifications are ANSI/ISO/IEC 17024 accredited, it is necessary to demonstrate an appropriate level of paid and relevant work experience depending on what certification you are seeking to achieve. The work experience requirements for each certification are as follows: If you do not have the pre-requisite experience levels yet, never fear. Upon passing the exam, you are able to gain the Associate of (ISC)2 designation, awarded to candidates who pass the certification exam but are unable to demonstrate the work experience. This also allows the candidate to become a fully certified once they demonstrate the necessary work experience. Studying for the Exam: Using the Technique that Works for You While gaining experience is the most time-consuming aspect of becoming certified, the most challenging aspect of certification will be the study requirements needed to ensure you have achieved a level of knowledge that is appropriate in order to attempt the exam. There are numerous ways to train for the exam and different methods will suit different personality types. The most popular types of training techniques are: Classroom-based Training:This is live training performed in a physical classroom by an (ISC)² authorised instructor. Students are supplied with a physical handbook and courseware and obtain access to flashcards and instructor support. Classroom-based training is open to anyone. Private On-Site Training:Similar to classroom-based training, this is live training performed in a physical classroom by an (ISC)² authorised instructor. Students are supplied with a physical handbook and courseware and obtain access to flashcards and instructor support. Typically, Private training is organised for multiple (usually ten or more) team members of one organisation.  Online Instructor-Led:Once again, similar to classroom-based training, this is online training performed in an online classroom by an (ISC)² authorised instructor. Students are supplied with an electronic handbook and courseware and obtain access to flashcards and instructor support. The benefit to this form of training is that it can be performed from anywhere with an internet connection. Online Self-Paced: this innovative way of studying offers you access to instructional videos that are created by (ISC)² to help you understand course concepts. Students are also supplied with an electronic handbook and courseware and obtain access to flashcards. This form of training allows you ultimate flexibility – study when and where it suits you! Important Training and Study Considerations When deciding on which approach is best for you, you should be mindful of a number of considerations when deciding the appropriate method of study. Always use (ISC)² accredited and official training providers. All (ISC)² certifications are regularly updated. The Common Body of Knowledge (CBK) for each certification is continually updated with new and relevant content. In order to ensure that what you are learning is current, up to date and relevant to the certification that you are choosing to achieve, always ensure that you are using official (ISC)² accredited training providers. Official (ISC)² training is always delivered by an (ISC)² Authorised Instructor who is certified to teach the certification. Authorised instructors use proven training techniques that help you understand the course content, focusing on real-world learning activities to help you apply the content to practical situations. There are three accredited and official training provider classifications: (ISC)2 Official Training Providers   uses official (ISC)² courseware developed directly by (ISC)² and delivered by an official training provider that has achieved an intense training and authorisation process with (ISC)2 to teach the content. Instructors are verified security experts. (ISC)2 Direct   uses official courseware that is developed directly by (ISC)² and is delivered directly by (ISC)². (ISC)2 Approved Training Providers   use their own courseware, reviewed and approved by (ISC)² to ensure that you receive relevant and up-to-date content. Instructors are verified security experts. A full list of official and authorised training providers can be found at www.isc2.org. Unauthorised Training Providers: Use Them at Your Own Peril (ISC)2 certifications are regarded as the gold standard of cyber security certifications and are popular around the world. Because of their ensuring popularity, a number of unauthorised training organisations have sprung up offering CISSP “preparation” courses to candidates. Candidates can be induced by the cheaper cost of these unauthorised courses and by so-called “exam pass guarantees” that are claimed by the unauthorised providers. Candidates can often be duped into thinking that these unauthorised providers are legitimate, through clever use of (ISC)² trademarks when mentioning specific certifications to avoid legal ramifications. Some unauthorised training providers, in fact, will even request Pearson Vue login details from candidates in order to issue an “exam voucher”. Every day, (ISC)² receives complaints from candidates who have paid for training provided by an unauthorised training provider. The vast majority of complaints relate to: out-of-date course content the lack of training experience by the unauthorised instructor failing the exam because the content taught did not reflect the actual exam concerns relating to not receiving what the candidate paid for. An additional issue for the candidate is that many governments around the world do not offer consumer protections on education and training courses. In most cases, the candidate is left without any legal recourse should they have been “duped”.  The time-honoured axiom that “you get what you pay for” is particularly true for training. If you are in any doubt, please contact (ISC)² directly for clarification. Out of Date, Poorly Delivered Content Using unauthorised training providers places your ability to attain an (ISC)² certification at some degree of risk. As trends in cybersecurity evolve, the official (ISC)² certification CBK and courseware will change to reflect this. These changes are then reflected in the official training materials that are provided by (ISC)² and its authorised training providers. Unauthorised training providers do not have access to the official certification CBK. As such, they lack the ability to train you using the most accurate, current and relevant content. In addition, unauthorised training providers are not answerable to (ISC)² for content they teach, and very often, (ISC)² receive complaints from students who use an unauthorised training provider to claim that the content they were taught was “old” and irrelevant. The Quality of the Instructor Many unauthorised training providers employ instructors who are not adequately trained to teach the course content. (ISC)² authorised training providers employ certified (ISC)² members who hold the certification that they teach. These instructors must complete a rigorous instructor onboarding process and need to demonstrate at least five years of training and teaching experience. In fact, the average instructor holds between 15-20 years of real-world security experience. So-called “Pass Rate Guarantees” (ISC)2 do not publish or disclose exam pass rates. (ISC)², nor its authorised training providers, will ever claim an examination pass rate guarantee on their training courses. It is misleading and disingenuous for any organisation to publish an exam pass rate for students taking their courses. Examination Vouchers and Pearson Vue Only (ISC)² authorised training providers are able to issue you with a certification exam voucher. Authorised training providers will   never   ask you for your Pearson Vue testing site login details. In fact, providing your Pearson Vue login details to any entity places you at risk of violating the (ISC)² Non-Disclosure Agreement, potentially placing your ability to take the certification exam at risk and possibly even jeopardising your certification.  (ISC)2 Audits and Supervises Authorised Training Providers Authorised Training Providers must undergo a rigorous initial onboarding program, including instructor accreditation, as well as regular audits by (ISC)² to ensure that the training delivered by them meets the high standards expected by (ISC)² and offers candidates the best possible learning outcomes and experience. Feedback is always sought from candidates at the conclusion of each training session. In the unlikely event that a candidate has an adverse experience with an Authorised Training Provider, (ISC)² can advise and assist the candidate rectify the situation. These safeguards simply do not exist with unauthorised training providers. Using Official (ISC)2 Study Materials Training seminars are an invaluable way of learning the core concepts associated with the certification that you are seeking to attain. In addition to formal training, it is imperative that to maximise your chances of successfully passing the certification exam, you undergo a period of study and revision to prepare for the exams. Study aids are a crucial component of successful study and revision. In doing so, it is highly recommended that you use official and up-to-date (ISC)² study materials to revise for your certification. There are a number of official study materials available depending on the certification that you are aiming to achieve: Official (ISC)² Study Guides drill down into each Certification Domain area in detail and ensure that you have in-depth knowledge of the subject matter. Official Study Guides include tips, scenarios, notes and exam essentials that you need to know to help you pass the exam. Each chapter will typically include written lab questions as well as review questions. Official (ISC)² Guide to the CBK provides a comprehensive study of the domains of your chosen certification. The CBK is the most complete and comprehensive reference guide available and features illustrates examples and practice exercises to demonstrate concepts and real-life scenarios. Official (ISC)² Practice Tests   provide you with hundreds of unique practice questions covering all domains of the certification you have chosen and provides answers will full explanations to help you understand the reasoning and approach for each. Testing your level of understanding before undertaking the Certification exam is essential and the Official (ISC)² Practice Tests guide ensures that you are ready for the big day. (ISC)² Approved Dummies Guides offer you a friendly and accessible handbook to help you study. All certification domains are covered. The guide offers expert advice and key information to help you pass the exam and you will get tips on setting up study plans, exam day times and gain access to an online test bank of questions. Official (ISC)² Flash Cards   allow you to study for your chosen certification anytime, anywhere. Flash cards are a unique and interactive way of testing your knowledge of industry terms while providing you with immediate feedback on how you have performed. Why using unofficial study materials can be an unwise choice There is a plethora of unofficial study material available. While there is no doubt that much of it is of reasonable quality, only by using current and official (ISC)² study material will you ensure that you have access to the appropriate and up-to-date information, explained in a manner that helps you maximise your chances of passing the certification exam. Official (ISC)² study materials are updated regularly to ensure that they most accurately reflect the certification domain areas, and as such, the corresponding examination. It is always recommended that you use official (ISC)² study materials.  Support and Mentorship: Where to Turn to For Help Deciding to undertake a certification and subsequently completing training and study can be a daunting and time-consuming prospect. It is always important to remember that the certification road has been walked my many before you. In fact, (ISC)² has over 138,000 members across the world. Always remember that there is support available to you during these challenging times to help you achieve your certification. (ISC)² Chapters and Affiliated Partner Bodies There are (ISC)² Chapters located in cities all across the globe. These chapters are made up of (ISC)² certified members. A significant part of the Chapters core duties is to assist non-credential holders to become certified through mentorship, support, assistance and knowledge. A list of (ISC)²s chapters can be found on the (ISC)² website. In addition, a number of affiliated bodies and associations work closely with (ISC)² to promote cyber security as a vocation. These include   PISA in Hong Kong and AISA in Australia. (ISC)² Online Community There is a vibrant and active community of both (ISC)2 members and cyber security enthusiasts that regularly contribute to the (ISC)² Online Community, available at   https://community.isc2.org. The Community is an invaluable resource for those looking for assistance trying to understand difficult certification concepts, have questions related to certification or have questions they would like assistance with. How Much Study Do You Need? This is a good question and there are varying opinions on how much study is the right amount of study. The only certainty is that it is absolutely essential that you revise and study prior to attempting the exam. The level of detail covered in each certification is extensive and regular revision and study will place you in an advantageous position when attempting the exam. Some candidates feel that once they have undertaken the certification training, they should be ready to sit the exam. This perception is an unwise one. The certification training courses are held over a number of successive days. As such, it is practically impossible for the human brain to absorb all of this information instantaneously. A period of revision is essential in order to maximise the potential to pass the certification exam. As noted earlier, the certification and exams assume that you have attained practical, hands-on experience spanning a significant period of time. As such, study and revision will be far more successful if you have the prerequisite experience than if you have limited or no experience in the certification you are seeking to attain. You should revise and study insofar as you feel confident that you understand the subject matter well enough to attain a passing score. If you don’t feel confident that you will succeed in the exam, it is advised that you keep studying, revising and attempting practice questions until you are confident that you understand the subject matter intricately. Booking the Examination Once you are ready to book the exam, this must be booked through the (ISC)² portal at Pearson Vue (www.pearsonvue.com/isc2). You will need your Pearson Vue login details. If you do not have these details, you will be able to register on the Pearson Vue website. Once you have logged in, you will be required to select the certification that you would like to sit the examination for. You will then choose a testing centre convenient to attend, then book a time at the testing centre to present for the exam. Following this, you will need to pay for the exam, or, if you have been supplied with an Examination Voucher provided to you by the Authorised Training Provider, enter the details. Once a time and location has been confirmed, you will receive a confirmation email with the examination details included. The Examination Experience It is recommended that you arrive at the testing centre ten minutes early so you can familiarise yourself with the location and be at ease. You will need to sign in at reception and a photograph will be taken of you. Following this, all of your belongings must be placed in a locker that will be provided to you. You will need to lock all items including telephones, watches, backpacks, hats, food and bottles of drink. You will be unable to access the locker for the duration of the examination. You are unable to bring food and water into the examination room.  It is advised that as part of your preparations before the exam that you have a meal prior to the examination so that you are not hungry or thirsty during the exam. This will also assist you in your mental preparations for the examination, after all, who wants to sit a lengthy exam on an empty stomach! All (ISC)² examinations are fully proctored. You will be monitored during the exam by Pearson Vue staff and you will be recorded via video. A note on cheating Cheating in the examination is not tolerated. (ISC)² does not tolerate any form of cheating and instances of cheating are severely punished. Persons found cheating can and have been banned from becoming an (ISC)² member for life. The Examination Result Upon completion of the examination, you will be advised by a Pearson Vue staff member whether you have provisionally passed the examination of if you have failed the examination. If you have been notified that you have provisionally passed the examination, congratulations! This indicates that you have achieved a passing grade in your certification examination. Scores are not issued to those who provisionally pass. Scores are then sent to (ISC)² and the next stage of the certification process, submitting a statement of experience, endorsement by an (ISC)²member and agreeing to adhere to the (ISC)² Code of Ethics, begins. If you have been notified that you have failed the examination, keep your head up high. (ISC)² examinations are difficult. This is why the certification is so prized and valued. It can seem disappointing to you at this time, but you will bounce back. You will revise again, take more practice questions and in time, your tenacity   will see you succeed. In Conclusion Undertaking an (ISC)²certification will open countless doors for you and your career. It is one of the most rewarding professional accomplishments that you can experience, and it will prove to you and the wider world that you truly are an experienced, valuable and certified cyber security professional. It is hard work, but it will be worth all of it in the end.