In a related thread on CPE questions, Ben @Ben_Malisow and Steve @Steve-Wilme asked about supporting evidence for having watched podcasts and webinars. I have been successfully logging both for many years, and do not recall any being audited for cause, only by random selection.
For evidence, I routinely include the URL for the event in my description, and a sentence about something in the 'cast that was not described on the web page. If I can download slides, I send the title slide and one or two others in PDF as my uploaded evidence. If no slide download was possible, I try to get a screen grab of the title slide and use that for upload. If the event required pre-registration, I print the acceptance e-mail as PDF and send that as evidence, too.
Documentation as evidence is pretty easy when you look for available tools.
Good advice. I just know myself-- trying to recall a specific nugget of wisdom I gleaned from a podcast I listened to eight months ago, after listening to episodes weekly, is gonna be tough.
Okay, I'll be honest: at my age, remembering something from a show I listened to eight minutes ago will be rough.
Take a couple of obvious screenshots at the beginning, middle and perhaps one at the end. At least one screenshot should have the webinar title. Questions asked by the audience are also helpful in proving you didn't just log in, snap a screenshot and ignore the rest.
Like any other argument that requires proof, you need to build your evidence to be credible. You want to be taken as a credible security person? Provide good proof without going over the top about proving so.
I'm not positive, but I suspect it would be difficult to take screencaps of my iPod, and downright dangerous to do so while driving, riding my motorcycle, or working out (my preferred locations/situations for listening to podcasts).
I sure would like to be a credible security person, though. Someday, perhaps.
I'm still going to put it off until the last couple weeks of the year. Because it's just not practical to do it any other way...especially when what you're describing is a multi-step, unpaid level of effort for something I'm paying for each year. That's untenable and goofy for professionals who might have a half-dozen certs from various industry bodies, and have to enter credits for each one-- of course we're going to pick one day at the end of the year to do this job all at once.
I am not a certifying entity, and an idea just occurred to me: why can't certifiers make a portal that launches and tracks podcasts from other feeds? Or create plugins for browsers/players that track media plays based on user choice? If FB and LinkedIn and Twitter can have that little button for their platform on every media content site, why can't certifying bodies?
Somebody make this app and reap the financial rewards from lazy, certified people like me. I think it already exists for doctors and lawyers, who also must maintain professional currency, but don't want extra work. As a matter of fact, I know it exists, and it existed more than 10 years ago, even before smartphones were ubiquitous. Why am I still manually entering this stuff?
why can't certifiers make a portal that launches and tracks podcasts from other feeds?
(ISC)² has such a portal, located here. May not be as comprehensive as one may like, but hey, it does get them a 2 on the CMM scale. The only time one needs to manually enter anything (barring system hiccups) is when not shopping from the company store.
(ISC)² is willing to accept auto-submissions from third-party CPE sources. If you have a favorite podcast source, we would all appreciate your reaching out to them to see if you could get them to play ball.
...pick one day at the end of the year to do this job all at once.
It is fortunate that the CPE evidentiary standard is quite low. James Comey taught us that the primary benefit of time-stamped contemporaneous notes is to dispute the claim that "you made that all up at the last moment", which is the biggest risk of (intentional) procrastination. Odds are you will not need that defense.
Okay, cool: my current favorite INFOSEC-related podcast is my own. I'd be glad to play ball, if it will work with my hosting service; drop me some code or whatnot, and I'll install a button or whatever so that ISC2 members can click on the site and get their CPEs for listening. I think that would delight everyone.
As far as the ease-of-use preference for the ISC2 feeds, getting all CPEs from a sole source, especially when that source is the certifying body itself, kind of smacks of kissing your sister.
What some might call procrastination, I call "effective time management"-- stopping whatever I'm doing in order to log in to the ISC2 CPE portal (which I can only do from certain browsers/OSs/devices) to annotate I just did something to earn a CPE credit is not only intrusive, it ruins the flow of the day, and effectively takes more time than batch uploading/entry, which is much more efficient. And this bears repeating: documenting I've consumed a CPE is still probably dangerous while driving/exercising and multitasking.
Again, were it a one-click solution, that'd be grand. And as I mentioned, I'm pretty sure other professions have this licked (as a paid model; and I'd gladly shell out an annual fee for sake of convenience, from a third-party provider that collects, collates, and categorizes content from heterogeneous sources and makes them instantly-reported upon digestion). I'm kind of surprised one of our partners (like maybe Acclaim or somebody) doesn't already have this à la carte.
I'm also not sure anyone should look to Comey as a model of anything desirable.
Sorry to come across as such a complainer/malcontent. But let's boil this down to its essence: having a centralized, tabulated collection of activity entries probably doesn't serve the purpose, if the purpose is "make sure members are staying current in the profession, so that our industry/cert is considered trustworthy/admirable." We could, potentially, just give every member the instructions, have them track their own CPEs in whatever format is easiest for them (spreadsheets, word processing docs, databases, whatever), then force them to deliver in standard format when audited...and increase the frequency and number of audits. I'd be down for that, for sure. Treat them as trusted adults, able to follow instructions and manage their own data, but verify for sake of public/professional perception.
I'm going to guess that's not allowed by ANSI or the other standards bodies.
In lieu of that: someone go make the app! We'll all buy it! Are you hearing this conversation, Young Coders With Extra Time During Quarantine?
Submitting CPEs on somebody else's behalf has come up twice recently in this community. It appears that @KaityEagle is your person for getting this started. Heck, if you reported CPEs, you might even be able to convince (ISC)² to add a link to your blog on their CPE Opportunities page. Might just turn into a win for everyone.
Nobody has suggested that filing the CPE is the only way to create evidence. Creating a contemporaneous record can be as simple as saying "Siri, email myself. For the record, I just listened to Ben's one-hour podcast which counts for a risk-management CPE". Boom, you have a timestamp in your email box and evidence as to when the CPE was earned. And, it probably would help out when you get around to entering the data at year-end. If you consider Siri distracted driving, I postulate that paying attention to a podcast in the first place also would be distracting.
It is the legal analysis that provides the lesson in Comey's case, not the offense/allegation itself.
Score! I will reach out to Kaity posthaste, and see if we can't all benefit from the arrangement.
And you make a very good point about using note-taking tech to annotate in the moment. I'd have to agree that self-mailing would be useful for year-end assembly.
All well said-- I'm going to pass this advice along to students when we get to the portion of classes about "maintaining your credentials." Thanks, and have a great weekend!