r/isc2

▲ 2 r/isc2

ISC2 takes steps to further alienate candidates & members

Went to visit ISC2 Communities this morning, and came across this banner at the top of the page:

"This ISC2 Community will be decommissioned as of May 29, 2026. Please join your peers and connect with your chapter at blahblahblah link"

Yes, ISC2 has let this resource languish and wither on the vine until the point of death for some time (in its continued attempt to provide world-class customer service to not only AMF-paying members but also those who seek to obtain one of their certifications), but it was perhaps one of the few "official" outlets people had to inquire about various topics from other members (not all of us are on reddit).

Based on anecdotal stories from others, many local chapters are a waste of oxygen. No doubt this new web site will be a complete failure based on ISC2's track record.

As I stated in another post... an organization in decline.

reddit.com
u/mikedn02908 — 18 hours ago
▲ 6 r/isc2

In how much time did you complete your exam?

As the title says, just curious to hear about others for context: I did mine in 57 mins

u/alive_nerd — 1 day ago
▲ 0 r/isc2

Can someone help me to register for the free CC exam?

For some reason, the free exam or voucher doesn't show up for me. I know I must be doing something wrong, but I have no idea how to access it.

u/I-want-chocolate — 1 day ago
▲ 0 r/isc2

How do I study for ISC2 CC

I already registered for the exam, but I need help studying because I do not know how the test will work, which subjects will be on it, and which websites or tools to use for studying for the ISC2 CC. Please give me some suggestions so I can pass it the first time.

u/SnooDonuts4675 — 3 days ago
▲ 0 r/isc2

Having massive issues with ISC2

So I wanted to share my experience and see if anyone else has dealt with anything like this because at this point I’m honestly just shaking my head.

I became an ISC2 member, logged in, started studying, scheduled my exam, felt motivated… then went to sleep.

The next morning I woke up and was greeted with this:

“Error 403 – Forbidden. The requested URL was rejected.”

(Tried to attach screenshot but ISC2 won’t allow.)

That was two months ago.

Two. Months.

I couldn’t use the study materials from ISC2 to see how ‘they’ want the answers.

No matter what I tried, I kept getting blocked out. Different browsers, devices, clearing cache, different networks… same result. So I basically said forget it and ended up using my own study materials and figuring things out myself.

Then things somehow got weirder…

At one point I logged in and somehow parts of my account appeared to be showing information that wasn’t mine. Seeing someone else’s info tied to my account in a cybersecurity organization gave me one of those “uhhh… guys?” moments.

Then came Pearson Vue.

I have taken exams before. I literally just passed my PMP, so I’m not new to stressful testing environments.

This was hands down the worst testing experience I’ve ever had.

The woman running check-in seemed completely overwhelmed and was visibly frustrated. She was yelling, flustered, and I lost roughly 20 minutes of testing time during check-in chaos.

At one point I had to calmly say:

“Can I simply go get another form of ID like I mentioned 30 minutes ago so you can calm down?”

Not exactly the pre-exam mindset you want before a cybersecurity certification.

The whole thing felt like a disaster.

Long story short: I have a diploma in cybersecurity, I’ve put in the work, and after all of this I’ve decided to move on.

I’m sticking with SANS, CompTIA, and Security+ paths moving forward.

Maybe ISC2 works great for others. I’m not saying nobody should pursue it. But at my age there are just too many shenanigans for me to keep fighting systems, portals, and chaos.

I’d rather spend my energy learning than troubleshooting access issues and playing emotional support for a testing center employee.

Also… I literally just passed PMP. I’ve used up my lifetime allotment of exam stress for a minute 😜

Has anyone else had experiences like this?

u/Phan_Of_Phish — 3 days ago
▲ 11 r/isc2

48H ALERT - 20 May deadline to claim free CC exam voucher draws near

If you are interested in having the opportunity to sit this cert for free, act now.

ISC2 has also advised that all exams under this initiative must be scheduled and sat by the end of this calendar year, so if you have already claimed a voucher, but are yet to book your exam, get on it.

All latest information here: https://www.isc2.org/landing/1mcc#One-Million-Free-Certified-in-Cybersecurity-Concluding

u/tookthecissp1 — 4 days ago
▲ 6 r/isc2

Am I ready?

I have compiled the advice here on Reddit on what to review for the ISC2 CC exam.

  1. Udemy Paulo Carreira
    - I scored 95-98 on each exam
    - I answered everything first, then took notes on my weaknesses, and was satisfied when I scored in the 95-98 range on my second try.

  2. Watched LinkedIn Mike Chapple
    - Took notes on the terms and processes, esp. on network security

  3. LinkedIn Practice Exam 1-4 for ISC2 CC
    - Same as with the Udemy Paulo Carreira course: I answered everything on the first try, then checked which parts confused me
    - Took notes of my mistakes and things that confused me
    - Tried a second time; I got scores of 94-98 on each exam

I’m still wondering whether I should watch Prabh Nair’s video, since my exam is still a week away. What do you guys think?

u/Relative-Animal-753 — 5 days ago
▲ 1 r/isc2

Wanted to know about this certification

Hello everyone. As this certification is free for now, I want to give it a try, so can anyone tell me how this exam is conducted? I'm from India, so will it be online or offline? If online, will it be proctored?

And any exam tips on how to prepare?

u/Sure_Discipline_135 — 5 days ago
▲ 4 r/isc2

Should I schedule my CC exam before 20/5 to get it for free?

Or is it enough that I started the training?

u/ash-781 — 5 days ago
▲ 8 r/isc2+1 crossposts

ISC2’s Certification Maintenance Charges A Scam?

Doesn’t it look like a scam to pay annual maintenance charges to ISC2 for any certs you do?

u/CrazyTech8 — 8 days ago
▲ 23 r/isc2

Passed CC @ 100 questions

I finally did it! I passed the CC exam today on my second attempt, and honestly, the relief is huge.

I’ve been on this journey since late November. I took my first shot back in February 2026 and didn't make it, but I didn't let that stop me.

Today, I took the exam. The exam ended at 100 questions and took me about 98 minutes. I was actually surprised when it ended right at 100!

I had been studying from the following study resources: Official ISC2 Free Training, Mike Chapple’s LinkedIn Learning course and Paulo Carreira’s Udemy practice tests. However, ChatGPT and Gemini helped me a lot too.

My biggest takeaway: The wording is no joke. It was much trickier than I expected. My best advice is to read EVERY answer and read the full question twice before clicking. There were several times I almost fell for a trap because I didn't read carefully enough.

I honestly wasn't 100% sure I had passed when I hit submit, but I'm so glad the hard work paid off. Good luck to everyone currently studying!

u/Fun_Alternative7122 — 7 days ago
▲ 3 r/isc2

How much $ do you spend to get 40 CE credits annually?

I've been in IT about 24 years, cloud engineering for 8 of them. I'm thinking of pivoting into security and looking at the CISSP. I have two CISSPs that'll endorse me and I'm told my previous jobs dealt with enough infosec to qualify for the 5 year requirement. I've also got the MS Certified Cybersecurity Architect cert (SC-100).

The issue is that my company won't pay for the CISSP or CE courses. It's a bit pricey to stare down $1000 for the exam + Peace of Mind, $135 membership fee, and now the cost of CE courses. Webinars look like they only count for 1 CE credit, and not all of them seem to carry it.

How much do you all spend either out of pocket or expensed to meet 40 CE credits per year? If I'm looking at doing all this on my own dime, and still have to figure out how to redo my entire resume to focus on any security-related projects and such, I want to at least get an accurate idea of actual costs.

u/MohnJaddenPowers — 10 days ago
▲ 7 r/isc2

ISC2 Certificates

Hi, now that I've done my CISSP, I'm looking at doing some of the ISC2 certificates (e.g. AI security certificate and Essentials of cloud certificate). What are people's experiences like of these? Additionally they apparently have an assessment at the end you need to pass - How hard are these? I'm just wondering if they're like CISSP where you have to flat out spend hours studying or if they're a little more casual. Cheers.

u/deadly_uk — 10 days ago
▲ 6 r/isc2

ISSAP self-study recommendations?

"Provisionally" passed the ISSMP this afternoon, updated at the bottom of THIS POST.

Recommendations from folks on ISSAP self-study materials?

CBK for this cert is no longer on the references list, only a single NIST document on there too (which I already read for the ISSMP.) Would prefer not to spend $2k to buy all the other textbooks on the references list, or waste another $500 on the useless "self-paced training" from ISC2 (although I suppose if there are no other viable options I'll have to just deal with it so I can get the eTextBook).

Employer is willing to foot the bill for another training class over the summer. Anyone have experience with TrainingCamp and their ISSEP course? Reviews are mixed (shitty ones but they're old, newer ones seem better). Their 4-day ISSEP course is in late July.

Would be nice to squeeze the ISSAP in between now and then.

u/mikedn02908 — 9 days ago
▲ 5 r/isc2

Review of the ISC2 ISSMP "Self-Paced" Training, Part Deux.

I wanted to do a follow-up on my review of the self-paced ISC2 ISSMP training. Part one was here. https://www.reddit.com/r/isc2/comments/1sykc2k/

First I want to revisit a couple of "Test Your Knowledge" questions I mentioned at the end of Part one.

I found the reference in the text to the "Order of Documents". ISC2 defines this differently from ISACA. (Again, using under Fair Use Doctrine for reviews), ISACA's documentation provides a document hierarchy where guidelines appear at the bottom, while in the ISSMP training material the "pyramid" is reversed.

https://imgur.com/a/VzMtBZU

The textbox indicates "guidelines... can be used to shape and inform policies and procedures, and have to accomplish compliance with standards."

Well, using that logic, guidelines should appear below policies on the arrow, shouldn't they? I mean, if they're below procedures because they can "shape and inform" procedures, shouldn't they likewise be below policies, since they can "shape and inform" them as well? Instead, they are nestled between procedures and standards.

The ISC2 logic is simply illogical. Granted, guidelines, being optional (compared to policies/standards/procedures, which are mandatory), are in a sense the "odd man out" in the hierarchy. However, that's where the answer comes from, and why I got it wrong.

On the second question I got wrong, in response to the FIPS question, I found the reference while reading the eTextBook:

"Often in the performance of a risk assessment, impact categories are used to identify the potential results of the occurrence of a threat event. These were derived from the original Federal Information Processing Standard (FIPS) related to risk management. Destruction [...] Modification [...] Disclosure [...] Denial of Service [...]"

The closest to this in modern FIPS documents I found was in FIPS 200, which, under the definition of a threat, states: "THREAT: Any circumstance or event with the potential to adversely impact organizational operations [...] via unauthorized access, destruction, disclosure, modification of information, and/or denial of service."

Doing further research, it seems FIPS 31, published in June 1974, is the original FIPS document dealing with risk assessment. In that document, it states (page 5): "Estimate potential losses to the ADP facility and its users from (1) physical destruction or theft of physical assets; (2) loss or destruction of data and program files; (3) theft of information; (4) theft of indirect assets; and (5) delay or prevention of computer processing."

So, the "test your knowledge" question is just shit. There is no such thing as a "FIPS impact category" based on current day FIPS documents, but instead the question is something "derived" from a long-obsoleted FIPS artifact related to risk management half a century old.

It is esoteric shit like this that really pisses me off about ISC2. I wasn't even in double-digits age-wise when FIPS 31 was published and I'm effin old.

So, that's that...

</rant>

On to the eTextBook. I'm not going to rehash my complaints about the Vitalsource application ISC2 has opted to use, I think people know where I stand with that software. But, it's what we have to work with, so we live with it, even if we don't like it.

The eTextBook is pretty decent, but again, nowhere near enough to pass the exam IMO. It is more like a high-level executive summary of salient concepts with some in-depth discussion from an executive decision-making perspective. Much of the discussion around the concepts is pretty common sense when you read it.

I think I mentioned before how the eTextbook is laid out is pretty simple. For each domain, you have a variable number of pages: Domain overview/intro page, domain objectives page, one page for each of the subdomains (e.g. 1.1, 1.2, etc.) which appear on the exam outline, followed by review, quiz, terms/definitions, key takeaways and footnotes pages. Repeat this for each domain. Then at the end of the eTextBook are pre-assessment questions for each of the 6 domains.

Each page is of variable length, like a web page can be. If you're on an exam outline item which has a lot of sub-elements (e.g. 1.1.1, 1.1.2... 1.1.9), that "page" can be really, really, reaaaaaaaaaaly loooooooooong. A few of the pages were never ending it seemed. The material can be, and IS, very dry in places. There are almost no diagrams or pictures/etc to break things up or to support the presentation of the material in a visual sense. Most of the pages are simply paragraphs and paragraphs of text, with an occasional 'test your knowledge' item thrown in. Unlike some of my other eTextbooks, there were virtually no case studies (only 1.3 and 1.5 had a couple each) and there were no "In the News" side-bars to draw comparisons on the topical material to 'current' events at all.

I wouldn't say there was much in the eTextbook that imparted anything new knowledge-wise. Conceptually I would say all the material was covered in my other certifications, CISSP, CGRC and CSSLP being the most relevant (for overall knowledge about certain processes like incident response/threat modeling/etc, risk assessment, and SDLC/supply chain risk management, respectively.) I can definitely see how this exam was originally a "CISSP concentration" for someone to take as opposed to taking, say, the CGRC and CSSLP.

To answer another question I raised in Part 1, about the percentage of eTextBook coverage in the "adaptive training"... The answer is No, the adaptive training does not cover all the material in the eTextBook. There is a tremendous amount in the eTextBook compared to the interactive training. And yes, what you read on the training slides is pretty much verbatim from the eTextBook, although clearly formatted differently.

As an example, there were about 45 content "slides" for Domain 1 I had to work through (not counting the "test your knowledge" question slides) as part of the interactive training. Since the VitalSource program allows you to copy text, to get a basis of comparison I decided to copy all the text from the subdomains 1.1 through 1.10 from the VitalSource program into Microsoft Word. Now, this feature in VitalSource will just allow you to copy the text -- not the images. What I ended up with after copying the text was a 167-page Word document with standard 1" margins. And those 167 pages didn't include any of the graphics/charts/etc. Had those been in there too, I have no doubt the document would have exceeded 200 pages in length. There's no way there was 200 pages of material on those 45 slides I worked through. (And no, I didn't save the Word document and violate the copyright, it was purely an academic exercise only to provide a comparative statistic.)

All in all, I would say if the eTextBook were a normal PDF, it would probably be somewhere in the order of 600 pages in length. That would put it up there with other various self-study material in terms of overall content length (for example, without getting off my ass to walk over to the bookshelf to look, I seem to recall the CCSP CBK is ~350 pages, the CSSLP CBK ~750 pages and I think the Destination CISSP book is ~500 pages.)

I'm not sure what else I can say about the eTextBook. I guess that about covers it.

In retrospect, the interactive training portion of the self-paced training solution is an outright joke. Anyone who thinks they are going to buy the interactive training and go through the slides to achieve "proficiency" and then go to take and expect to pass the exam is in for a rude awakening.

So far to prep for this exam, I've read the eTextBook, done the interactive training, read NIST SP 800 -34, -40, -55v1, -55v2, -61r3, -84, -115, -128, -150 (keep in mind I read -18, -30, -37, -39, -53, -53A, -53B, -60 and FIPS 199 and 200 for my CGRC), and the ISACA CISM study guide. I've watched Kelly Handerhan's Cybrary CISM course and a Pearson NIST CSF 2.0 course on LinkedIn Learning, and I still don't feel ready for the exam this week.

Next two days I'm going back through the CBK again and will re-review the CISM study guide then call it a wrap. I'm saving the "Q&A" eBook included with the training for my re-take should I (probably based on how I feel at the moment) need it. As most of you know most question pools out there for these certs are total crap. I get 1 pass out of a question pool due to my recognition/retrieval cue memory processing so I do not want to waste it unnecessarily as I wouldn't have anything the next time around.

[Final update, 5/12 21:00]

So after the significant investment of time reading all the various texts, I "provisionally" passed this afternoon in 80 minutes.

My exam was scheduled for 5pm. This morning after the kids got off to school I did a final skim (2.5 hrs) through the decade-old CBK, had lunch during a Zoom meeting and took a nap until 2. Since I didn't want to deal with driving to the test center during rush hour, I drove down to Warwick when I got up and sat at a nearby Starbucks with my tablet, laptop and notebook to do final review. Mainly I went through my notes of things I had to go back and review to get clarification on. Things like PMBOK concepts, PERT charts that I haven't seen since college decades ago, etc. I also took time to read through the eTextBook contingency planning.

In the end it was probably unnecessary, but I didn't really have anything else to do today.

Got to the test center at 4:30, was seated for the test about 4:45. There was a glitch with the system when I went into the exam room where my name wasn't on the list of exams. The proctor had to leave the room and go do something to fix it. I was out of the building by 6:15. Of course the proctor always puts the paper face down on the table but the paper is so transparent you can see through it; I didn't see a domain list, so I knew I had passed.

Taking the exam didn't feel horrible. The questions were not difficult, even though I started the exam with a SOC question I had to use the READ strategy to get down to 2 answers and then flip a coin. Many of them were longer than your typical ISC2 CISSP scenario questions. I got the usual mix of simple definition-style questions (e.g. doing X is an example of which risk treatment) and the longer scenario questions. Not every question was a managerial question. Many had 4 technical answers. A lot of questions were process questions, what to do FIRST, what comes NEXT, etc. A lot of the questions I could answer from my other certs (CISSP, CSSLP and CGRC).

From a "managerial" perspective, I'd say it was about the same as the CISSP. I didn't feel like I was in the C-Suite getting grilled by the Board of Directors. My MBA and MSA didn't come into play at all on the exam (in terms of thinking from that perspective). I didn't get a single question that involved math. I did get a measurable number of questions that were "managerial" from the perspective of, say, why would you do X? and the answers were from an organizational/business unit perspective rather than from an IT department perspective.

Many of the questions were really vague. For example I got a couple of questions on EULAs where none of the answers felt right because I said to myself "well it depends on how the EULA is worded" so I had to make an educated guess. Who TF can understand a EULA anyway? Ever try reading one? You have to be a Supreme Court justice to understand them.

Ending the exam, I felt the result could have gone either way. Didn't feel like I bombed it because the running total of confident/not confident answers I had in my head was ahead on the confident side. But enough to get me over 700? Wouldn't have been surprised if I got a domain list of NEAR PROFICIENCY indicators. Figured it was close, but not as close as my CGRC though. That one was really vague in places and I was surprised by the result.

Did the self-paced training help? Probably. The CBK is severely out of date with the exam outline. The NIST documents are very pertinent but not enough by themselves (they do not cover all the domains, but for the domains they do cover, they're all you really need.) The ISACA CISM manual probably didn't hurt either but it also has a different focus than the ISSMP exam objectives, but I would definitely recommend it to people studying for the exam to supplement other items. The eTextBook certainly doesn't stand by itself, but as part of a larger whole probably wrapped it all together. I think the actual interactive portion of the self-paced training was overall useless when it came to my studying.

If someone wanted a study plan that didn't involve the eTextBook, I would say use the CISM manual for Domains 1 and part of 4 and 6. NIST documents for 2, 3, and 5. That would likely cover most of the material and you'd have to supplement from a couple of other sources to fill in the gaps in the exam objectives. Doing the CSSLP and CGRC wouldn't hurt you either.

Too bad ISC2 doesn't sell the eTextBook as a stand-alone product. That I would have purchased.

Other than the "sample questions" in the eTextBook and on the interactive learning portal, I didn't do a single sample question.

u/mikedn02908 — 11 days ago