Monday, February 12, 2007

My CISSP Ordeal


Over the past few months I have been studying for the CISSP exam. CISSP stands for Certified Information Systems Security Professional and is considered one of the standard measures of information security knowledge. I considered waiting until I found out whether I passed before writing about this, but I felt that if I didn't pass, this would come off as sour grapes, and that would not be my intention. The CISSP is a 250-question multiple-choice test (as a kicker, 50 don't count; they are experiments, but they don't tell you which ones they are) that you have 6 hours to take. When I first learned of this I figured that if you prepare enough, 6 hours would be more than enough time, and it is, but not like I thought. I also heard of the test's legendary difficulty and stories of an eighty percent failure rate on the first try. One friend of mine figured that it should rank up there with bar exams and medical board exams in stature. I believed that it was difficult; I don't know about comparing it to the bar or medical boards, as I have not been close to either process. The test is also described as being a mile wide and an inch deep: you are tested on ten areas of knowledge that are loosely related (Access Control, Telecommunications Security, Security Management, Physical Security, Law and Ethics, Operations Security, Application Security, Cryptography, Security Architecture, Disaster Recovery Planning). I have to say it is every bit as difficult as promised.

I spent 4 months preparing for this exam. The first three months were light; I spent time reading preparation texts in between getting married, the honeymoon, Thanksgiving, and Christmas. In the last month I spent time taking practice quizzes (cccure.org) to assess what areas I needed to reinforce. That final week I took the week off from work to study; I also called in sub-goalies for my hockey team. One of my colleagues who took the test a couple of years ago told me that if you score 80% or better consistently on the cccure quizzes, you are in good shape, and in the last week I was scoring in the 75-85% range on all the quizzes I was taking. I was nervous, but I felt that I did a fair amount of preparation.

Test day, February 3rd in Reston, VA, came, and I was actually taking this test that I had put off for 3 years or so. The test is one of those choose-the-most-correct-answer types of things, and I knew I was in trouble in the first 12 questions, as I put question marks next to 8 of the first twelve questions (that is my way of saying I answered as best I can, but come back if there is time, because I am not as sure as I would like to be). Most of the questions I could get down to two possible choices, but I was hard pressed to get into IC2's (testing organization) head and discern from the question or the answers what was the most correct answer; in my head I could make a case for either. Over the span of the entire test I marked 68 questions to revisit, and that number could have been greater. It took me an hour to go through the first 50 questions (it took 2.5 hours to take a 250-question quiz), and 3.5 hours to go through the first pass of 250 questions. Then it took me almost an hour to fill in the dots on the answer sheet and to double-check the accuracy. Then it took me till the 5 hour and 25 minute mark to revisit the 68 questions I had flagged. I didn't come up with a reason to change more than 5-8 of them, but I still felt that I was doing myself a disservice in my second-guessing, so I stopped at that moment and handed in my test. One of the proctors asked me how it was and I told him it was probably one of the worst experiences in my life.

It has been 9 days since, and I am waiting for notification as to whether I passed or not. The CISSP lives up to its reputation as a difficult test, and I hope I pass, if for no other reason than to not have to take it again.

1 comment:

Anonymous said...

so did you pass? how long between taking the test & getting notified? I'm on day 13 and waiting - I heard that if I passed I would have heard by now...