There are many activities you can do to earn CPEs, but they basically boil down to 2 categories, passive and active.  Passive, attend some sort of event where you listen and learn.  Active, take a class or attend some sort of training, prepare for a presentation, read an approved security periodical, publish a security article or book, write a book review, or volunteer.

Here’s detailed info from the (ISC)2® CONTINUING PROFESSIONAL EDUCATION (CPE) POLICIES AND GUIDELINES (you may have to login), pages 8-12

Calculating CPE Credits

CPE credits are weighted by activity. Shown below are common categories of activities and the amount of credits you can earn for each. Typically, you will earn one CPE credit for each hour spent engaged in an educational activity. However, some activities are worth more credits due to the depth of study or amount of ongoing commitment involved. In general, CPE credits are not earned for on-the-job activities.

• Attending Educational/Training Courses and Seminars

Educational training course and seminars related to the domains of your credential will qualify for one Group A CPE credit for each hour of attendance. Training courses and seminars that are not domain-related to your credential, qualify as one Group B CPE credit for each hour of  attendance.

• Attending Conferences

One CPE credit for each hour of attendance (or one session). Security conferences qualify as Group A credits. Other educational conferences qualify as Group B credits

• Attending Professional Association Chapter Meeting

One Group A CPE credit for each hour of attendance at a professional association chapter meeting. The qualifying professional association must be related to the domains of your credential.

• Attending Vendor Presentations

One Group A CPE credit for each hour of attendance at a vendor presentation. The presentation must have an educational aspect with regard to the domains of your specific credential. Note: If you are attending a conference which includes vendor presentations, do not enter your CPE credits in the “vendor presentations” category. Instead, you should enter your CPE credits in the “conference” category – and, accordingly, determine your CPE credits by using the method described under “conferences”.

•  Completing a Higher Academic Course

One Continuing Professional Education credit (CPE) is permitted for each hour spent in class, or for online classes. Credit will only be given on passing/completing the course. The course must be related to the domains of your certification to qualify as a Group A credit. Otherwise it may be considered a Group B credit.

• Providing Security Training

Four Group A credits per hour of presentation for the initial preparation training materials. CPE’s may be earned for updating an existing presentation. CPE credits are not earned for time spent presenting the course, lecture, or training. This CPE activity is most relevant for short presentations of a few hours. Examples would include Webinars or Pod Casts.

Credits are not earned for teaching or training courses that are multiple days, weeks, or months in length.

•  Publication of a Security Article or Book

Group A CPE credits for the first publication of an article placed in a journal or magazine. The article must be related to the domains of your credential. The article may be printed or in  lectronic form. The below chart identifies the number of CPE’s that will be earned based on the length of the article.

You are entitled to 40 Group A CPE credits for the initial publication of a book. Reprints or republications do not apply. The book must be related to the domains of your credential. You cannot earn Group B CPE credits within this category.

•  Board Service for a Professional Security Organization

A maximum of 40 CPE credits per year of service on the boards of professional security organizations. Credits will be based on the level of contribution, as determined by the board of the relevant organization. Please maintain a record of your hours of participation for audit purposes. We recommend that you document your service hours by having an officer of your organization sign a statement specifying the hours. You may post your own CPE credits if the organization will not do this for you.

CPE credits will be given for those performing volunteer work on behalf of (ISC)²®, either serving as a board member, committee member, item writing contributor, or other type of approved volunteer activity. (ISC)² will determine the amount of credits earned for such activity and will submit credits on your behalf.

•  Self-Study, Computer-Based Training [CBT], Web Casts, Pod Casts

Members can earn one CPE credit per hour for completing a self-study program, computer-based training, or viewing a Web Cast or Pod Cast. (ISC)2 will allow you to submit no more than the maximum number of CPEs/hours recommended by the self study provider. Please keep your documentation in the event that you are audited. This category may also be used to record credits when there is no other category available to record such credits. This would most often cover any type of research that is done in conjunction with preparation of other activities that are not listed in any of the other categories.

If you have done preparation work to obtain another professional certification, which is not a certification from (ISC)2® and if this other certification is one in which you have increased your knowledge-base, then you are entitled to CPE credits for the preparation or self-study work you did to achieve this other certification. Your preparation or self-study work for the non-(ISC)2 credential must have been completed during the three years of your current (ISC)2 certification cycle. If the non-(ISC)2 credential is related to the domains of your (ISC)2 credential, then you would earn Group A credits. If the other credential is not related to the domains of your (ISC)2 credential, you would earn Group B credits. Your CPE credits associated with another  certification are not for achieving this non-(ISC)2 certification, but, rather, CPE credits are for the time you spent in preparation to obtain the non-(ISC)2 certification.

•  Read Information Security Book / Magazine

Members can earn five (5) CPE credits, limited to one book per year and one authorized magazine subscription per year, for a total of ten (10) CPE credits per year. Please note that beginning June 1, 2011, members will no longer be awarded five (5) CPE credits by simply subscribing to (ISC)2 approved magazines.

• Beginning June 1, 2011, (ISC)2 will ask its members to validate their learning experience for reading a security book or for subscribing to an authorized magazine.

• Reading Security Books – Members upload a brief summary (approx. 150 words) of their learning experience from a security book they read in order to earn CPE credit.

• Subscribing to Security Magazines – Members may receive five (5) CPE credits for subscription to an authorized magazine in one of the following ways:

1. Members upload a brief (approx. 150 words) summary of the learning experience gained from reading any issue of the magazine subscription at (ISC)2 website to claim the CPE credits.

2. Members complete a quiz provided by the magazine publisher, and the publisher will automatically submit five (5) CPE credits to (ISC)2.

If members subscribe to one of the following magazines, the magazine, as an approved CPE credit submitter, will submit the five (5) CPE credits to (ISC)2 if a quiz is madeavailable and successfully completed.

• The (ISC)2 Journal (qualifies as a magazine subscription)

• Information Security Magazine

• InfoSecurityToday Magazine

CPE credits for the above magazine subscriptions, if a quiz is provided by the magazine publisher, will be posted for new subscriptions or renewals. These credits for the successfully passed quiz will be submitted by the magazine publisher and may not be added by the member.

 If members read other information security magazines, they must submit their CPE credits through the (ISC)² website. Members must retain information that could support their CPE claim if they are audited.

•  Read InfoSecurity Professional magazine

Members will not earn five (5) CPE credits for subscribing to the InfoSecurity Professional magazine because it is the (ISC)²’s digital, members only-magazine, which will allow members to earn two (2) CPE credits per issue if they complete and pass the online quiz associated with each issue. Members must submit their credits on the (ISC)² website. Please be sure to retain all certificates for the successful completion of the quiz, as CPE’s will be subject to random audit.

•  Information Security Book Review

One book review per year which is accepted and published on the (ISC)2® Website. Earn five Group A CPE credits. The book must be related to your (ISC)2 credential domain. The review must be at least 500 words and should include a brief description of the book’s contents and an overall evaluation of the entire book and its value to the professional. Please keep in mind that other members will be reading your book review. They may use your book review to determine whether a book is worth purchasing or reading.

Submitter and members should allow up to 3 weeks for (ISC)² to post CPE credits to member records.

•  Government, Public Sector, and other Charitable Organizations Volunteering

You are entitled to one CPE credit for each hour of volunteer work. As documentation of your volunteer efforts, you must retain a signed confirmation on the organization’s letterhead, indicating the number of hours of volunteer work you have performed. This volunteer work must be a domain-related activity and would earn only Group A CPE credits.

Many of the CISSP folks I know attend a week-long security conference and they’re good to go on their A credits from one event.  Most of the time their job pays for traveling, attendance and accommodations.  This takes time and money, but it is an easy and fun way to earn lots of credits at one time.

However, I like cheap and easy (there’s a joke there somewhere).  I will go into more detail in the next posts, but I’ve chosen mostly to attend a few podcasts and seminars.

More Info from (ISC)2:

Group A & B Credits https://www.isc2.org/group-credits.aspx

Calculating CPE Credits https://www.isc2.org/calculating-cpes/default.aspx

CPE Opportunities https://www.isc2.org/cpe-opportunities/default.aspx

My initial take is that gaining the CPEs is pretty easy.  I have 37 under my belt, 24-A & 13-B.  But others say it is a hassle and difficult.  I started out very strong, got busy with work and then gathered a few more towards the end of the year.

What are YOU doing to earn CISSP CPEs?  I look forward to your replies.

provided by

With concern about hackers, tools for remembering so many codes; no more pet names or 123456.

For all its benefits, the Internet can be a hassle when it comes to remembering passwords for email, banking, social networking and shopping.

Many people use just a single password across the Web. That’s a bad idea, say online-security experts.

“Having the same password for everything is like having the same key for your house, your car, your gym locker, your office,” says Michael Barrett, chief information-security officer for online-payments service PayPal, a unit of eBay Inc.

Mr. Barrett has different passwords for his email and Facebook accounts — and that’s just for starters. He has a third password for financial websites he uses, such as for banks and credit cards, and a fourth for major shopping sites such as Amazon.com (Nasdaq: AMZN – News). He created a fifth password for websites he visits infrequently or doesn’t trust, such as blogs and an online store that sells gardening tools.

A spate of recent attacks underscores how hackers are spending more time trying to crack into big databases to obtain passwords, security officials say. In April, for instance, hackers obtained passwords and other information of 77 million users in Sony Corp.’s (NYSE: SNE – News) PlayStation Network, while Google Inc. (Nasdaq: GOOG – News) said this month that hackers broke into its email system and gained passwords of U.S. government officials.

So-called brute force attacks, by which hackers try to guess individual passwords, also appear to be on the rise, Mr. Barrett says.

PayPal says two out of three people use just one or two passwords across all sites, with Web users averaging 25 online accounts. A 2009 survey in the U.K. by security-software company PC Tools found men to be particularly bad offenders, with 47% using just one password, compared with 26% of women.

Another PC Tools survey last year showed that 28% of young Australians from 18 to 38 years old had passwords that were easily guessed, such as a name of a loved one or pet, which criminals can easily find on Facebook or other public sites. Other passwords can be easily guessed, too. Hackers last year posted a list of the most popular passwords of Gawker Media users, including “password,” “123456,” “qwerty,” “letmein” and “baseball.”

“If your password is on that list, please change it,” says Brandon Sterne, security manager at Mozilla Corp., which makes the Firefox browser and other software. Hackers “will take the first 100 passwords on the list and go through the entire user base” of a website to crack a few accounts, he says.

People typically start changing online passwords after they’ve been hacked, says Dave Cole, general manager of PC Tools. However, “after a relatively short time, all but the most paranoid users regress to previous behaviors prior to the security breach,” he says. He and other security experts recommend people change or rotate passwords a few times a year.

To come up with a strong password, some security officials recommend taking a memorable phrase and using the first letter of each word. For example, “to be or not to be, that is the question,” becomes “tbontbtitq.” Others mash an unlikely pair of words together. The longer the password — at least eight characters, experts say — the safer it is.

Once people figure out a phrase for their password, they can make it more complex by replacing letters with special characters or numbers. They can also capitalize, say, the second character of every password for added security. Hence “tbontbtitq” becomes “tB0ntbtitq.”

No matter how good a password is, it is unsafe to use just one. Mr. Barrett recommends following his lead and having strong ones for four different kinds of sites — email, social networks, financial institutions and e-commerce sites — and a fifth for infrequently visited or untrustworthy sites.

Even the strongest passwords, however, are useless if criminals install so-called malware on computers that allow them to track a person’s keystrokes. Security experts say people can avoid this by keeping their antivirus and antispyware software updated and by avoiding downloading files from unknown websites and email senders.

Some security experts recommend slightly modifying passwords within each category of site. Companies such as Microsoft Corp. (Nasdaq: MSFT – News) offer free password-strength checkers, but users shouldn’t rely on them wholly because such strength tests don’t gauge whether a password contains easily found personal information, such as a birthday or a pet’s name.

It’s especially important to have a separate password for an email account, says Mozilla’s Mr. Sterne. Many sites have “Forgot my password” buttons that, when clicked, initiate a password-recovery process by email. Hackers who break into an email account can then intercept those emails and take control of each account registered using that address.

Some websites, such as Google and Facebook, now let people register a phone number along with their account. If a person forgets his passwords, the sites reset the passwords by calling or sending a text message to that person.

Mr. Barrett says people should be able to remember four or five good passwords. If not, they can write them down on a piece of paper and stick it in their wallet, and then throw the cheat sheet away once all the passwords are memorized.

People who still struggle to remember them all can use a password manager. Several, such as LastPass, are free. LastPass prompts users to create a master password and then generates and stores random passwords for different sites. Some security experts warn against using managers that store passwords remotely, but LastPass Chief Executive Joe Siegrist says hackers can’t access the passwords because all data is encrypted.

The worst thing that people can do after creating their different passwords: Put it on a sticky note by their monitor. “That defeats the entire purpose,” says Mr. Sterne.

Heather O’Neill, a 27-year-old tech-company employee in San Francisco, had her Google email account broken into earlier this year. She says she used the same password for several sites, and that it was a weak one.

“I can’t have one password for everything,” she says. “Everything is going to be different.”

Write to Stu Woo at Stu.Woo@wsj.com

Why didn't I take the blue pill?

I took this personality test in high school, the teacher was finishing up his masters or PHD or something and he passed out these self-examination tests to the class.  It focused on how one learns.  I remember answering a question regarding how I learned with one answer then basically getting the same question later on and answering it differently!  I remember thinking, “I have no clue how I learn”.  “Are there different styles or methods?”  I just didn’t know!

Fast forward 20 years, one failed CISSP exam behind me and a year of studying ahead; I had to figure out how I learned, how to study and how to pass a freaking test as I prepared for the CISSP exam 2.0!   The process that I went through to prepare and pass the (second) CISSP exam taught me a lot about how to study, learn and take the hardest exam I have ever taken!

OK, here’s the point:  Identifying how YOU learn and identifying the best study and test methods that work for YOU are vitally important to passing the CISSP exam.

I’m convinced of this:  Understanding how one learns, how to study and how to take a test could be the difference between passing or failing.  Especially those that have failed multiple times and feel like they have studied their asses off and can’t possibly memorize or cram any more security info into their brain, lest it will explode!  Take pause, take an introspective inventory, do some research on learning, studying and test taking and then switch gears.  Think of this as the secret eleventh domain.

I am not going to spend a lot of time talking about how one learns in general, it is just too vast of a topic.  If you read through the rest of this post and simply can’t identify with any of it, then please keep searching and take the time to understand what it is that makes you tick.  Take a few personality tests to see what type of social person you are.  Are you an introvert or extrovert.  This answers the question of if you should study alone or in a group.  If you have some sort of learning disability then you really need to spend some time understanding yourself and how to overcome and be successful.  Talk with experts.  This will help you in all areas of your life.  Do yourself a favor and seek professional educational counseling.  Are you ADD?  Then you have to structure your studying accordingly by eliminating distractions and stick to a more formal plan.

Open Brain, Insert Content

Remember the scene from the sci-fi movie The Matrix when Neo (Keanu Reeves) is learning how to fight?  They plug this cable into his head, they download all these different styles of martial arts, Neo’s eyes are fluttering and all of a sudden his eyes pop open and he says “I know Kung Fu”?  [In my best Chris Farley Impersonation]:  “Yeah that was really awesome”.  Bad news:  That  ONLY happens in the movies!

Book Worms

How do you get the info from the 10 CISSP CBKs into your head, process them into an organized and memorable fashion so that you can regurgitate all that info when it counts on the exam?  I know some folks who can take a book, read it from cover to cover and then KNOW the concepts and understand the subject.  They can turn around and put all of that knowledge into practice.  People who can do this are pretty smart people.  And I can’t begin to relate to these type of people!  If you are one of these people you are probably in pretty good shape.  Use Shon Harris‘ CISSP All-in-One Exam Guide and the Official (ISC)2 Guide to the CISSP CBK.  I started out by myself with Shon Harris’ book.  I read and read, I highlighted, I underlined, I wrote in the book, I tabulated the book with sticky tabs and sticky bookmarks.  Although I could find just about any topic fairly easily I wasn’t getting very deep and although I was learning, I was not memorizing and wasn’t able to regurgitate on any kind of detailed level.  It was a lot of dry reading, I saw the words, but, what did they mean?  And most of all how can I apply the knowledge to different situations?  So I was reading and re-reading which was a waste of time for me.  Reading books are great for some people.  But I needed more.
–(CISSP book resources & practice test info:  http://inchdeepmilewide.wordpress.com/cissp-resources/)

Experience

Some people like to just dig in, start taking stuff apart, or building something and they just learn as they go.  They start by taking the engine all apart for no real good reason but to learn how to put it all back together again.

Most of the time there is only a part or two left over!

They have to touch, they have to feel, they crack the manual now and again when they get stuck but at the end of the day they have a re-built engine in their car and most of the time there is only a part or two left over!  The other HUGE caveat-it took them 5 years to put it all back together.  Gaining experience takes time.  Most people who have extensive technical experience fall into this category.  There’s simply no substitute for time and experience gained, and if you have enough of it, most likely the CISSP exam will be cake for you.  If your background is deep and wide most likely the practice tests will be fairly easy.  If they are not, dig deeper and wider.  Can you turn around and teach it?  That’s the level of knowledge required to pass the CISSP.  If yes you are set, if you fumble a bit, keep going.  Although I have 5 plus years in a network security group, my background is not in building networks or building server systems or managing firewalls and routers.  Even if you can teach the telecom domain in your sleep you may struggle with the more in-depth security concepts.

My co-worker falls into these first two categories.  He can read a book or manual from cover to cover and he can turn around and explain it in technical and deep articulation.  He has been in the technology and telecom industry for 30 plus years and he paid very close attention.  He can program in several languages, not only build a PC but explain how it works in detail, he can re-build a car engine while he explains the history and physics behind every detail.  He is by far the smartest person I know.  He finished the exam in just over 3 hours and he passed his first time out.  The other 99,9% of the population just do not function this way!  There’s hope…keep reading.
–(Practice test info:  http://inchdeepmilewide.wordpress.com/cissp-resources/)

Back to School

Many people are traditional student learners, they can listen to or watch lectures, take quality notes, make study cards, study in groups, create cheat sheets and take practice tests.   Most classrooms fall into this category.  If college was the best learning experience of your life then this is for you!  If this is definitely you skip reading a book from cover to cover and please, don’t bother with an expensive boot camp. Purchase a couple of video (Shon Harris CISSP Video Seminar) and/or audio lectures (Management 414 SANS +S Training Program for the CISSP Certification Exam presented  by Eric Cole or enroll in college classes or a semester worth of classes that focus on CISSP.  If you thrive in a classroom spend the time and money and take a few quality instructor-led courses either in a real classroom or find something outside of your home (like a conference room or library) and create your own personal classroom.  For the most part I used this method.  I took a book with me to a conference room that I would turn into a classroom.  I found a study buddy and we watched a couple of different Shon Harris’ lectures, listened to an audio lecture and paid for online video lectures.  For the most part this worked for me.  If you are a social learner like me, take classes or create a classroom environment with others.
–(CISSP resources & practice test info:  http://inchdeepmilewide.wordpress.com/cissp-resources/)

Note To Self:  Take Better Notes!

Remember taking notes in school?  Of course you do!   Taking notes and studying them solidifies and reinforces what you’ve been hearing and seeing.  There are many different methods of taking notes.  There are outline techniques, term/definition techniques, shorthand, flash cards and the list goes on and on.  If you struggle in this area find a book or a webinar or lecture or a college orientation class or materials that focus on taking notes!  Heck, find a person who can take excellent notes and learn from them.  I have excellent index-style study cards, but I don’t want to merely give them to you because as you make them yourself you are organizing and learning!  And of course the last word on notes is to actually review them, study them.  I took way too many notes that I never looked at after I penned or typed them.  That was just stupid.

How to take a test

Unless you have a photographic memory, very few people have some magical edge when taking tests.  Stick to the basics:

• Spend the night at or near where the exam will be given
• Don’t cram
• Go to bed early-take a Tylenol PM (Benadryl) if you are restless
• Awake at least 2 hours before the exam doors open
• Eat a healthy and hefty breakfast
• Arrive before the doors open, check in find a good seat
• Turn off all noisy electronics, don’t just mute or vibrate, pack the distractions away, forget about them
• Bring Your Registration Letter and ID
• Bring food and drink
• Bring your own #2 pencils and a huge eraser
• Bring meds in case of a headache
• Take notes on the test-mark the questions you don’t know or aren’t sure of (use different markings)
• Circle the answer on the test THEN transfer the answer to your answer sheet
• Read the question carefully and completely
• Read all answers before choosing an answer
• Answer all questions
• First answers are usually right-but mark and review those that were a complete guess
• Take breaks-at least one per 60 to 90 minutes
• Break the test up into sections and when you reach the end reward yourself with a break, go potty, walk around or stretch for a minute or two, relax, consume food and drink, get back to it.
• Pay attention to the time
• Use all 6 hours, if you finish early take a break, review, then review again
• Be one of the last to leave

I think I am pretty good at taking tests in general-mostly because I commit to an answer and move on.  Most of the time if you know it, you know it, and if you don’t you don’t.  Failing the exam the first time simply told me I wasn’t quite prepared enough.

However, some people are worse at taking tests in general than others.  Some people suffer from test anxiety.  Some people psych themselves up for failure or get overly nervous or anxious or just freak out once they get the test in front of them.  From eHow.com, “Relax on the day of the test. Once you’re in the testing room, you can do nothing more to prepare. Worrying when you can do nothing more to improve your chances of scoring high on the test will affect your performance.”  People do weird things like read things into the questions that’s not there or second guess everything.  Although most of these folks know the content and understand the concepts they’ve studied, they are a completely different person as they take the real exam.  They go slower or faster, their minds go blank, they sweat, they have negative conversations with themselves, etc.  If you are one of these people then you HAVE to figure out a way to compensate.  Train your mind to take the exam.  Take lots of practice tests.  Take many long 250 question practice test.  Print out a practice test with the questions and use a Scantron to record the answers-just like the real exam.  Time yourself.  Pace yourself.  Find new questions so you’re not memorizing the question and answer rather than learning the concepts. Take practice tests at a crowded McDonald’s.

Knowledge is Power

Finally, learn from others’ experiences and mistakes and successes.  Walking into the exam my first time and sitting down to take the exam was like ice cold water or a bitchslap to the face-it was incredibly painful, frustrating and shocking.  Read my personal experiences.  Join CISSP forums.  Read security blogs.

The Thrifty CISSP http://thriftycissp.blogspot.com/ is all about getting and keeping the CISSP on a budget.

Thanks for the link back to here, the least I can do is return the favor.

He  also has a fantastic study plan:  http://cisspstudyplan.blogspot.com/ I especially like the 8 steps approach for the exam questions, very nice!  The review of the boot camp is excellent.  The (rated) review of resources is very helpful.  Why couldn’t you have done this a year ago!  YOU [fist raised]!  Nice job!

One thing to note, being in the military or working for the government has its advantages when it comes to CISSP preparation!

Congratulations on passing the exam, thanks for the sites and detailed descriptions.  Much appreciated!

Congratulations! It gives me great pleasure to be the first to address you with the Certified Information Systems Security Professional (CISSP®) designation!

Based upon your examination results, a review of your application and acceptance of your endorsement, the (ISC)2 Board of Directors awarded you with the CISSP designation. By virtue of becoming certified by (ISC)2, you are a member of the (ISC)2 Electorate and have certain voting privileges that are specified in the (ISC)2 Bylaws.

Your ID card and certificate will be shipped to the address above. Please allow four to six weeks for delivery in the United States or six to eight weeks for delivery outside of the United States.

You may use the CISSP from this day forward, subject to the (ISC)2 Logo Guidelines (www.isc2.org/logo-usage) – as long as your certification remains in good standing. Please review the following information carefully to ensure you make the most of your new credential.

Certification cycle
Your CISSP is valid through the end of the three year certification cycle. The three year certification cycle begins on the first day of next month.

You may not claim CPE credits for activities that occurred prior to your certification cycle start-date.

Maintaining Your Credential in “Good Standing”
Each year that you hold the CISSP, you are required to earn 20 Continuing Professional Education (CPE) credits. In order to qualify, the CPE credits must be related to one or more of the CISSP knowledge domains. For more information about CPEs, please refer to the CPE guidelines at www.isc2.org/cpe-policies.

You may not claim CPE credits for activities that occurred prior to the beginning of your certification cycle as noted above.

You are required to pay an Annual Maintenance Fee (AMF) of US$85 at the end of each year that you are certified. (ISC)2 will send you an invoice, via email, approximately 30 days before the due date each year.

Renewing Your Certification
To renew your certification beyond the current certification cycle, you must earn at least 120 CPE credits before the end of the certification cycle. At least 80 of the required credits must be related to one or more of the CISSP knowledge domains. For more information about CPEs, please refer to the CPE guidelines at www.isc2.org/cpe-policies.

At the end of each three-year certification cycle, if you have submitted the required number of CPE credits and paid all AMFs in full, your CISSP will be renewed for another three year certification cycle.

When your requirements are met, our system will automatically renew your certification near the end of the month in which it expires and you will receive a new ID card and certificate bearing the expiration date of your next certification cycle.

Member Benefits
We appreciate the hard work and effort that you put forth to earn your CISSP certification. The CISSP is an important step in your information security career and we are pleased to offer you a wide range of services, including:

• InterSeC – Your professional networking site! Designed for (ISC)2 members, InterSeC is a great tool for finding other information security professionals around the world who share your interests, while facilitating discussion and interaction. To join InterSeC, please visit the member home page (http://members.isc2.org) and click on the InterSeC logo.

• Career Tools – Search for jobs which are posted daily on our Website by individuals, organizations and companies from all over the world. Post multiple, target resumes and track how many times employers have reviewed them. You may also save jobs and set up job alerts. Sign in to the Member Website and click “Career Tools” to access these resources.

• Local Information Security Education Events, hosted worldwide by (ISC)², are live, one-day events and free to members, with a reduced fee for multiple-day events. The knowledge and exposure you’ll gain is well worth the price of admission. For more details, please visit www.isc2.org/events.

• (ISC)2 e-Symposia are free, monthly half-day programs on hot industry topics, from the convenience of your computer at work or home. e-Symposia are an easy way to earn CPEs and stay on top of the latest industry developments. For more details, please log in and visit www.isc2.org/e-symposium.

• Online CISSP Forum – Fostering the exchange of ideas, this forum provides networking amongst other CISSPs worldwide. Sign in to the Member Website and look under “Member Networking” to subscribe.

The (ISC)2 Journal – The Information Security Journal: A Global Perspective is the official bi-monthly journal of (ISC)2. Members pay only US$45 for one year for essential information on managing the security of a modern, evolving enterprise. To subscribe, please go to www.isc2.org/isc2-journal.aspx. To submit articles, please contact journaleditor@isc2.org.

• (ISC)2 Magazine – (ISC)2 provides a free, members-only online publication called InfoSecurity Professional, distributed quarterly. For news on the latest industry topics, current happenings within organizations and CPE opportunities, this is the magazine you’ve been waiting for. To view the latest issue, sign in to the Member Website and look under “Member Resources”.

• Networking Receptions – Held in conjunction with conferences around the world, receptions are complimentary and offer you a great chance to network and exchange ideas with (ISC)2 certified members and (ISC)2 staff.

• SecurityTALK – From one convenient location, you’ll have access to presentations, Podcasts and research reports that come to you, courtesy of information security associations and the vendor community and (ISC)2.

(ISC)2 Member Website Access
All (ISC)2 members have secure access to the (ISC)2 Member Website. The Member Website will allow you to access all of the member benefits described above. This is also where you maintain your personal contact information, pay your AMFs, and view and submit your CPE credits.

In order to access the (ISC)2 Member Website, you should log on to http://members.isc2.org with the primary email address you provided during registration.

Ensure You Receive Important (ISC)2 Emails Regarding Your Certification
(ISC)2 sends invoices and important certification renewal news, in addition to other Official communications, exclusively VIA EMAIL.

It is your responsibility to maintain a valid, working email address on file with (ISC)2 for these purposes. To ensure you receive critical information regarding your credential, please make any necessary changes to your spam filters, ask your ISP to accept emails from the isc2.org domain, or provide (ISC)2 with an email account that has no such restrictions.

Please review your Account Profile to confirm that (ISC)2 has your current contact information. It is your responsibility to keep your Account Profile information up-to-date.

Member Support
If you have any questions about your new credential or need help accessing your account, our member support center is available to assist you by email or telephone.

The member support center is available Monday through Friday 8am – 5pm (Eastern time) at 866-331-ISC2 (4722), option 5 in the USA or 727-785-0189, option 5 outside of the USA. You can also submit your inquiry to membersupport@isc2.org for assistance. Please allow up to three business days for a response to your email.

Again, congratulations on becoming a CISSP! You are now part of an elite network of professionals recognized around the world, an achievement you can be proud of. We’re pleased to have you as a member and look forward to supporting you throughout your certification and career.
Best regards,

On behalf of the (ISC)2 Board of Directors,

Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, SSCP, Chairperson
P.S. Don’t forget to join InterSeC! Please visit the member home page (http://members.isc2.org) and click on the InterSeC logo to join.

My Precious...

Passing the CISSP examination is just the FIRST step in becoming CISSP certified.  From (ISC)2:

The second step in the certification process requires submission of two additional items:

1. A COMPLETED ENDORSEMENT FORM. The endorsement form and instructions are available for download at www.isc2.org/endorsement.aspx. Please make sure you sign and date the APPLICANT AGREEMENT section on page 2.

2. YOUR RESUME/CV. Please provide a copy of your resume/CV along with your Endorsement in one email (Note: your resume/CV should be the same as the copy you give to your endorser).

Please include the following information:

Company name and address for each employer.

Contact name/supervisor and phone number for each position held. If the position was located outside of the United States, please include an email address.

Position held – title with dates (including month and year).

Detailed description of your duties, as they pertain to the domains of the CISSP CBK.For detailed information about the experience requirements, please visit www.isc2.org/cissp-professional-experience.aspx. PLEASE BE AWARE THAT YOUR CERTIFICATION APPLICATION CANNOT PROCEED WITHOUT THESE TWO DOCUMENTS.Please mail, fax or email these items to:(ISC)2 Programs

A few things to note:  I could not find the resume guidelines (the bullet points above) ANYWHERE on the (ISC)2 website.  Let me sum up the above:  Someone who is already CISSP certified is required to review your resume and vow (in writing) that what is on your resume is accurate (most likely putting his CISSP cert on the line if anything is deceptive).  You have to have relevant experience from the 10 CBKs that meets the required amount of time by (ISC)2.  Oh, and yeah, company address and supervisor phone numbers, guess who forgot to do that the first time.

So the real first step is finding someone to endorse you.  I had no problems doing this because I had 4 others on my team that are CISSP certified, including my manager-who endorsed me.

The second step is polishing up your resume and making it look good for the (ISC)2 folks.  I have always had a fascination with resumes and trying different styles and layouts.  I am also adopting a co-worker’s idea to have 4 different resumes:

1. A Biographical Resume
2. A Technical Resume
3. A Project Manager Resume
4. Management Resume

I cleaned up my biographical resume, highlighted the CISSP parts and faxed it along with the endorsement forms (filled out by my endorser and myself).

The third step is for your endorser and yourself to fill out the (ISC)2 paperwork that ethically binds an agreement that all info is true to the best of you knowledge.

As always the last step is to wait a very long time.  I faxed the info to (ISC)2 Jan 13th, they did send me an email that they received the documentation on the 14th-one day later, and that they would review and get back to me.  “…Please allow four weeks for your submission to be reviewed and processed.”  Its been almost 5 weeks and I am still waiting.

Dear Candidate

Congratulations! We are pleased to inform you that you have passed the Certified Information Systems Security Professional (CISSP®) examination – the first step in becoming certified as a CISSP.

The second step in the certification process requires submission of two additional items:

1. A COMPLETED ENDORSEMENT FORM. The endorsement form and instructions are available for download at www.isc2.org/endorsement.aspx. Please make sure you sign and date the APPLICANT AGREEMENT section on page 2.

2. YOUR RESUME/CV. Please provide a copy of your resume/CV along with your Endorsement in one email (Note: your resume/CV should be the same as the copy you give to your endorser).

Please include the following information:

• Company name and address for each employer.
• Contact name/supervisor and phone number for each position held. If the position was located outside of the United States, please include an email address.
• Position held – title with dates (including month and year).
• Detailed description of your duties, as they pertain to the domains of the CISSP CBK.For detailed information about the experience requirements, please visit www.isc2.org/cissp-professional-experience.aspx. PLEASE BE AWARE THAT YOUR CERTIFICATION APPLICATION CANNOT PROCEED WITHOUT THESE TWO DOCUMENTS.Please mail, fax or email these items to:(ISC)2 Programs
  Attn: Endorsements
  33920 US Hwy. 19 N., Suite 205
  Palm Harbor, FL 34684
  USAFax: +1.727.683.0795 or +1.727.786.2989
  Email: programs@isc2.org

  Please allow 2-3 weeks for processing. It is not necessary to call or email us to determine if your documents have arrived prior to that time, as it will slow down the process. Please do not send multiple faxes or emails of your documents unless requested by (ISC)2.

  All examination applications are subject to random audit of experience assertions prior to (ISC)2 issuing a certificate. If we do not select your application for audit, your certification shall be issued upon receipt of both your properly executed Endorsement Form and Resume/CV. If we select your application for audit, we will send you a separate email communication describing fully the process and requirements.

  Shortly after we complete the audit of your Endorsement Form and Resume/CV, if applicable, your certificate will be printed and your membership package will be shipped to the ADDRESS LISTED ABOVE. This package will contain your certificate, ID card, welcome letter, and CISSP lapel pin gift certificate, which you can redeem at the online (ISC)2 Company Store.

  Congratulations again on your successful performance on the CISSP examination! We look forward to receiving your completed Endorsement Form and Resume/CV in order to move forward with the certification process.

  In the meantime, please visit our Website (www.isc2.org) for detailed information about the endorsement and certification process. Should you have any questions regarding the process, feel free to contact us at programs@isc2.org.

  Sincerely,

  (ISC)2

I found out today and I am still in shock.  I was not sure at all that I would pass!  The test was pretty darn hard!  The wait was excruciating.  The results took an abnormally long time.  I guess there were a huge amount of people that took the exam on the same test date as I ( November 6, 2010) and it took a long while to grade.  Six full weeks!  I guess a lot of military personnel and contractors were trying to get certified before the end of the year, so the date became the last one before the end of the year (where one would get the results before the end of the year-although those that took it a week after me received their results before me) and thus was a very popular test date.  I feel that was unacceptable and very unprofessional on the part of (ISC)².

Merry Christmas everyone!  Happy Holidays, Happy (late) Khanukkah, Happy Kwanza.  And a Happy New Year.

Blessings to you all,

I passed!  WOO HOO!

The Garage Door Domain has its ups and downs

It has been about 2 weeks [six weeks now and waiting] since I took the CISSP exam and still I am dreaming all things security.   Literally dreaming, at night while I am trying to get restful sleep. This time I dreamed up an analogy to the whole CISSP preparation and exam that I think can be appreciated and found humorous.

The CISSP exam is like studying for a certification exam on all things related to doors.

Not everyone needs to be certified. If you just merely use doors, most likely you don’t need to be certified. But if you install doors-especially unusual doors, or if you wish to design doors-especially with specific purposes in mind, you may want to prepare and pass the door exam and get door certified.

Certification has advantages. Being door certified will tell the world that you are qualified on all things related to doors-hinges, knobs, the door-y part. Just by having the certification good things can happen to you, you may have more opportunities. The certification could open many new and exciting doors.

Experience is essential. Let’s say you’ve been studying one of the bodies of concentration, the garage door domain. Well, if you have installed a garage door before then you will be able to relate and bring something experiential to the exam. If you install garage doors for a living then you probably will have no problems with this domain. If you design garage doors, their installation and write documentation and are in charge of sales, well then you can consider yourself an expert on the garage door domain and you will have very little problems with this subject on the exam. Your experience will help you with questions regarding spring sizes and radio frequencies. You should memorize sizes and frequencies, but there won’t be any questions related to that on the final exam. The question on the final exam will be something like what is the worst type of garage doors opener to use around bombs. You won’t know the answer 100%, but your experience should help you narrow it down to an educated guess.

Some questions are designed to trick you. You have to immerse yourself into the (ISC)2 world. Let’s say you get a question from the farm door domain.

You have to know what color the barn door is supposed to be on the (ISC)2 farm.

The question is what color should a barn door be? You’ve narrowed the answers to “Red” and “Red & White”. Well, in reality a barn door can be whatever color the farmer wishes it to be, but you have to know what color the barn door is supposed to be on the (ISC)2 farm, er, I mean world. The question also may be negatively worded, like:

The color of barn doors is essential to the function of the entire farm, not just the barn. Which of the following colors is the worst color to use on a barn door:

A.  Red
B.  White
C.  Black
D.  Brown

Of course the answer is brown. However, none of the practice tests will explain why the correct answer is most correct and the others are righter, just that D is the best answer. Shon Harris will have had a 3-minute segment on the color of barn doors which starts out,

“Now, what is a barn door? We’ve talked about that before. The color of barn doors are essential to the function of the entire farm, not just the barn…”

And some smart dude from India submitted the question. If he can get the color right then you should too. Duh. Moron.

Study deep. You may have a clear understanding between the different types of opaque doors used in residential, commercial, industrial and high-security settings both internal and external. You may understand the different types of glass used in internal sliding patio doors, external restaurant drive-thru doors, 1980 computer monitors, the 12-inch by 12 inch glass used in oatmeal factory doors, and the bullet-proof plastic used in jails. You may understand the purpose and the placement of the sticker that states: “THIS DOOR TO REMAIN UNLOCKED DURING BUSINESS HOURS’ and understand the history of why there was no business before the creation of the sticker. But the question on the final exam will be what is the best type of opaque material to use in airplane cockpit sliding doors while flying in areas that are highly populated with penguins. The answer will have to do with cold temperatures, the number of drinks served on a transatlantic flight and how many passengers breath through their nose. However, the answers will reflect this.

I am still waiting for the results of the exam. I feel pretty calm about it. Hopefully I got enough right to pass!

The one thing that preparing for the CISSP exam teaches you is how to second guess EVERYTHING.  Second guess resources, answers, study methods and plans, etc., etc.  I felt like I was much more than 5% more prepared than last time, but the truth is  I still needed to get 65% correct plus at least another 5%!

This time was full of Déjà vu moments…We stayed in a hotel where the CISSP exam was held-even though we live 45 minutes away (just like last time).  It was nice to get away, focus and ensure that we wouldn’t have to worry about traffic, flat tires or hurrying to beat a clock (just like last time).  I had a relaxing dinner, casual studying and I went to bed early (Just like, yeah, last time).  Unlike last time I slept horribly!  Once again the exam conference room was packed-about 40 people-most were there to take the CISSP, but some were there for other (ISC)² exams. I entered with my bag full of chocolate granola bars and a 6-pack of Pepsi and a couple water bottles.  Just like last time!

This time around I knew I had one huge advantage:  I knew what to expect.  Last time I was so shocked at how different and difficult the CISSP exam was verses what I had expected and what I had prepared for.  I felt so shocked and angry last time.  This time around no matter how hard it may be it wouldn’t be shocking and jarring.

Although there has been talk of computerizing the exam,  the test was all paper and a #2 pencil-6 pencils for me actually, all provided.  I was extremely calm throughout the exam.  I was relaxed and focused up until the period of time where the guy next to me had a “clearing his throat” spell for half an hour.  He finally got over it and I was able to re-focus.  I took 4-6 intentional potty breaks, to get away, refocus and stretch.

The questions were, again, just a bit deeper than what I actually had studied.  There were many questions that I knew the answer to before seeing the answers, and a few that I totally guessed on-I knew what they were asking, but  I wasn’t familiar enough with the content and just didn’t know the correct answer.  Most were familiar, I understood what was being asked, but I just didn’t know the correct answer.  It was pretty easy to rule out 2 of the 4 answers and to make an educated guess.  The exam took me 5 full hours.  I spent the last 20 minutes or so reviewing the few questions I was unsure about.  I only changed a couple of answers.

I honestly don’t remember any questions this time around that were negative, none that asked which answer was not right.  I remember many more questions from the exam this time around.  Which is a good transition into expressing that this exam was completely different than last time.  I don’t know how much I should say about the exam itself-confidentiality and cheating and all.  My first post about my exam experience went into much detail.  I hope not too much.

I just hope I picked the right answers and that I got enough correct to pass.  I should know the results within a few weeks.  Let the waiting game begin!  I will let you know.