Tuesday, January 7, 2014

Passing the Certified Information Systems Security Professional (CISSP) exam.

Wishing all my readers, friends and acquaintances, A VERY HAPPY & PROSPEROUS 2014!

During my middle and high school years, I used to bicycle every day to class, passing in front of a military base. One bold sign there always caught my attention. It said,

THE MORE YOU SWEAT IN PEACE, THE LESS YOU BLEED IN WAR.

This caption is very appropriate for preparing and passing the Certified Information Systems Security Professional (CISSP) exam. The outcome of the exam is directly proportional to the effort & strategy you put into it.

Every aspirant has their own baseline knowledge, preparation methodology, "Me time" and/or "We time" to prepare for the exam. Of the ten domains that constitute the CISSP curriculum, I was well-versed in four, had intermediate knowledge in another three and basic knowledge in the remaining. Unfortunately for me, the ones in which I had the least knowledge were the toughest ones in the CISSP curriculum. They were Cryptography and Application Security. So getting out of my comfort zone and attacking that information gap head-on was my first task.

My sincere advice to all CISSP aspirants - 

  1. Don't underestimate the difficulty of the exam. But equally important, don't underestimate your own capability to prepare for the exam and pass it. Don't let the preparation and the test itself overwhelm you.
  2. Reading, understanding and explaining the material to yourself in words not used in the books (as if you were teaching someone else, or the mirror!) will help you get a good grasp of what you have learned and what is still not clear.
  3. This is a long-drawn race, ranging from 2 to 6 months, depending on your background, available time and capability. There are no quick fixes, instant gratification or short-cuts.
To make this reading informative and interesting, I have listed the remaining tasks as bullet points in their sequential order. They are as follows:
  1. Reviewed the contents of the curriculum listed on (ISC)2 site, clearly defining what I had to do to pass this exam. I did this 4 months in advance.
  2. Joined the Houston chapter of the Information Systems Security Association (ISSA), which was getting ready to conduct a group study for aspirants of the CISSP certification.
  3. ISSA conducted 13 classes in Fall 2013 aimed at preparing us CISSP aspirants. Ten of the classes each focused on one domain and were taught by experts in that domain; the remaining 3 classes covered exam preparation strategies and the like.
  4. My main sources of study material were as follows. Reviewing them over and over again helped me solidify my knowledge base on what I already knew and thoroughly understand what I didn't:
    • Shon Harris' CISSP All-in-One 6th edition.
    • Shon Harris' CISSP Exam Simulator - The audio podcasts were highly beneficial during my daily 3 hour commute to and from work.
    • Wikipedia.
    • TechTarget.
    • Google - I always searched for material on terms I came across, to get another person's perspective.
  5. To set the goal to study and pass the CISSP exam, I scheduled it nearly 3 months in advance, paying the exam fee of $599.00. The threat of losing that money if I didn't pass was incentive enough for me to prepare and take the exam seriously. I also scheduled my exam date one month after the last group-study class to assimilate all that I learnt in the classes and on my own.
  6. To thoroughly experience the test, I practiced using the following test simulators:
    • Total Tester - This was in the CD that came with the Shon Harris book. This has 1,000+ sample questions in all the domains.
    • CCCure Quizzer - I paid $49.95 to get access to 1,000+ questions in all the domains.
    • CISSP Exam Practice - I paid $59.00 to get access to 1,000+ questions in all the domains.
  7. What initially seemed like "I got it" by simply reading, seemed to prove otherwise when I took the mock tests.
  8. My calculation was - Between what I know from professional experience, what I learn from Shon Harris' materials, group study and these 3,000+ sample questions, I should be able to pass the CISSP exam in the first attempt. So I began preparing in real earnest from the first group study class, with the exam date firmly set in my mind.
  9. Every group study class was scheduled for Tuesday night. Each week, one domain was covered. My groundwork for each Tuesday's class was three-fold:
    • From Sunday morning to Tuesday evening before the class, I performed a short-study using the Shon Harris material relating to the domain that was going to be taught in the upcoming Tuesday night class.
    • From Wednesday morning through Saturday afternoon, I continued to study in detail on the same domain taught the previous Tuesday.
    • On Saturday night, I took 3 mock exams of 50 questions each on the domain just learnt and from the 3 sample question sources listed above.
    • From Sunday morning, I repeated the above 3 steps.
  10. As I read the material, heard the podcasts and attempted mock questions, I made notes in Microsoft Word on information from each domain that I didn't grasp. These notes helped me focus on my weak points and work to convert them to matter I became fully conversant with.
  11. After the last group study class, I increased the number of mock questions I took, from 150 per week to 300 and ultimately 750 questions per day in the last week. CCCure has the option to choose only questions that I incorrectly answered previously, as the basis for the next mock exam. All the exam tools provided clear descriptions on the answers and I studied them with rapt attention. I initially answered my mock questions at the rate of 90 seconds per quiz and ended up answering in 20 seconds. This strenuous preparation helped me develop high levels of concentration, fast responses and the ability to answer tough quizzes for 10 hours per day.
  12. On the evening before the exam, I stopped studying by 6:00 PM and went to bed by 8:00 PM for a lengthy 9 hour sleep. That sleep helped me go to the exam the next day, fully rested, fresh and relaxed.
The following bullet points highlight my observations and experiences on the day of the exam, which I intentionally chose to split from the above:
  1. A quiet (no radio, podcast or music) drive to the exam venue brought me there 30 minutes prior to the scheduled time.
  2. While there was an anxiety factor, my hard work over the past 3-4 months and results of mock exams had instilled a good degree of self-confidence that I was ready for any type of questions. The anxiety factor helped me stay alert and focused throughout the exam.
  3. What surprised me about the exam was the sheer number of situation questions, where at least 2 answers seemed like they were correct. I initially felt that I wasn't mentally prepared to deal with that many; but my good foundation solidified since the start of the first class, carried me through.
  4. When doing the previously mentioned tests from CCCure, Total Tester and CISSP Exam Practice, I could easily & quickly tell from which domain almost every question was. Not so quickly & confidently in the exam.
  5. There were many questions that didn't seem to be from the CISSP curriculum and I was not sure if I guessed them correctly. I didn't let that hurt my confidence, believing that they were the 25 beta questions, which are put in there on purpose by the examination board.
  6. I read every question and every possible answer, word to word. When 2 of 4 answers seemed to be correct, I leveraged what I had learned and proper reasoning to select the most accurate answer.
  7. Time is a very important factor in this exam. I kept an eye on the time, to cruise along at a steady pace. I didn't do that initially and took 1 hour to complete the first 30 questions. Then I started using the "Flag" to mark questions to be revisited later. That brought me on track.
  8. Short breaks are essential in this 6 hour exam. I took short breaks of no more than 5 minutes to get away, enough to relax my mind. I took 2 breaks, each time after completing 100 questions.
  9. As much as I teach my kids to "double-check" after every test, I just didn't have the time or the mental energy to go through all 250 questions. So I only double-checked those questions which I had flagged before, since those were the ones whose answers I wasn't 100% confident of.
  10. My very frequent 50-, 100- and 250-question practice exams meant that my brain wasn't fried by the end of the actual exam.
After finally electronically submitting my exam, there were 3 minutes of uncertainty and anxiety, since I would know if I passed or failed only at the triage and not on the computer screen where I took my exam. My heart beat like crazy when I saw I passed. I read it over & over again just to be sure. I even read it out to my wife just to be double-sure. I then sat in the car for 5 minutes just to calm down before starting the drive back home.

My hard work, smart preparation strategy, razor-sharp focus on the end goal, re-prioritizing my life for these 3-4 months, all helped me achieve my objective of passing the CISSP exam before Christmas 2013.

I wish all the very best to those determined to pass this exam in the Spring, Summer or Fall of 2014 or beyond. You, I and everyone hell-bent on passing most certainly will.

BEST OF LUCK!

- Mukund Hukeri.