The CISSP Certification Experience
by, 01-20-2009 at 05:37 PM
This is a recounting of my experience in acquiring the (ISC)² CISSP (Certified Information System Security Professional) certification. Originally, I intended not to write a review of my CISSP exam experience. I had already passed the SSCP exam in April 2008 and written about that experience in my blog article, “The SSCP Certification Experience.” Because I intended to take the CISSP exam in the same location and from the same training vendor as the SSCP, I assumed my CISSP experience would be 99% identical; how wrong that assumption turned out to be.
From SSCP to CISSP
I initially intended to take the CISSP exam only a few months after passing the SSCP exam in April 2008. I feel that studying for and passing the SSCP exam is an excellent preparation for the CISSP exam, but only if the CISSP exam is taken within two to three months following the SSCP. If you wait too long, the knowledge and motivation you found while studying for the SSCP begins to fade. Unfortunately, due to the demands of work and life, I just couldn't find the time to begin immediately studying for the CISSP.
In June 2008, I received notification from the (ISC)² of my full SSCP certification. Inspired, I picked up my CISSP books once again. I decided to schedule my CISSP exam for sometime in the Winter of 2008 in Orange County, CA. October seemed too close and December seemed too far, so November 16, 2008 it was. This would allow me extra time in case things got busy at work and temporarily interrupted my studies.
You can't schedule change
Twenty-one days before the scheduled exam date, I received the standard email from the (ISC)² indicating that I was indeed registered for the CISSP exam, and that I was confirmed to take it at the same location where I took my SSCP exam. This location is only about a 15 minute drive from my house, and having already been through the SSCP experience, I thought that for my CISSP everything would occur exactly the same.
A few days later, I unexpectedly received another email from the (ISC)² informing me that my scheduled CISSP exam had been canceled at that location. The reason given was a lack of enrollment for the exam. I was quite upset by this and momentarily livid. Considering how common it is for people to complain that CISSP exams are given only a few times a year and in too few locations, I could not see how any (ISC)² exams scheduled in the high-tech area of Orange County, California could possibly suffer from a lack of enrollment.
It turns out that some of the (ISC)² exams are hosted by training companies that give a CISSP training seminar a few days prior to administering the exam. It is not unusual for attendees to spend four or five long days in a hotel meeting room studying the CISSP CBK material and taking the exam on the last day. Any candidate can take an (ISC)² exam without also taking the training seminar, but if the training seminar is canceled (say, for lack of enrollment), the (ISC)² exams being given by that training company at that location will be canceled too.
To be fair, the (ISC)² is quite generous in giving any exam candidate in this situation up to one year to reschedule their exam. Given this allowance, any candidate who feels very unprepared for the exam as their exam date approaches may actually pray to have their exam canceled so that they will have more time to study. This wasn't my case, however.
Like an athlete training for a specific competition, I was mentally locked-in on November 16th as the date I would need to be at my intellectual best for the CISSP exam. Now I felt stunned as I considered how my preparations—and my desire to get the exam over with—would need to change.
Sucking it up and moving on
My only option was to reschedule for the next exam session in Southern California. In December 2008, there were just two—one of which was with the same training company that canceled their November exam date. My only other choice was on December 20th in downtown Los Angeles. It was a much farther drive than the Orange County location, but as this exam was being sponsored by the (ISC)² itself, I had confidence that it would not be canceled.
Given an extra 35 days to study for my CISSP exam you might think that I made the most of it—well, I didn't. The rescheduling threw me for such a loop that I actually took some time off from my daily studies. I needed to reevaluate the domain topics that I should be studying more, which meant hitting the books again and writing more notes. I had been looking forward to getting on with other projects starting on November 17th, not digging even deeper into the CISSP CBK.
If this wasn't enough, about three weeks later the company that I worked for as a software and security research engineer unexpectedly went out of business. It's quite a shock to go from planning your work schedule months ahead to being unemployed the week of Thanksgiving. Suddenly, studying for an exam seemed very insignificant when compared to the need of finding another way to pay my mortgage.
My New CISSP Exam Venue
I ended up taking my CISSP exam at the Millennium Biltmore Hotel in downtown Los Angeles. For those future (ISC)² exam candidates that may also be journeying to the same location, I'll go into some details about this venue.
The Millennium Biltmore Hotel is located at the corner of 5th and Grand in a very downtown part of Los Angeles. This means blocks and blocks of many very tall buildings laced with one way, no left turn, and no U-turn streets. Miss your turn and, depending on the time of day, it could take you five or ten minutes to get back to the same place for another try. Drivers and pedestrians are often very unforgiving and discourteous, and there are occasionally people wandering the streets who certainly seem to be detached from humanity—if not reality. If you have never driven in downtown Los Angeles, don't let the morning of your CISSP exam be the first time.
Also, don't plan on parking at the Biltmore. It's valet parking only at $40/day, not including the customary tip. I didn't try parking there, as the valet lot was full anyway. Instead, behind the hotel on Olive Street is Pershing Square, where there is a very large, secure, and inexpensive parking garage. Park on the second level and take the escalator up to Olive Street. If you are early for the exam and need to kill some time (or study your notes), there is a small Starbucks on the other end of the block at 6th and Grand that's an easy walk from the garage and to the hotel.
When you arrive at the hotel, walk in through the valet parking area and to the front doors. Ask the concierge where the security exams are being given (mine was in the Heisenbergen Room). You should find the tables and chairs all set up and the proctors in attendance. Have a seat and wait for the sign-in to begin. Don't get too comfortable, as seating is assigned as people are signed in for the exam. In the meantime, make sure you have the print-out of your email admission letter and your photo ID handy. One or two more trips to the bathroom prior to starting your six-hour exam are advisable as well.
Taking the CISSP Exam
The exam begins with the reading of the exam rules and the distribution of the exam materials (exam book, Scantron answer sheet, two #2 pencils), and writing some information on the books and sheet. The rules include details like: writing in the exam book is allowed, food is not allowed at the tables (liquids were OK), any dictionaries to be used must be translation only without definitions and be approved by the proctors, and people must sign in and out to use the bathroom with only one person leaving at a time. Pretty much the same as with my previous (ISC)² exam.
We started a little before 9AM. I decided to begin the exam by looking at one or two items from each page of the exam book, reading just the questions and not the answers. This skimming gave me a good feel for the content of the exam items and the styles in which they were written. I obviously can't go into any details about the CISSP exam items themselves, but I will say they are well-crafted, often complex, and certainly more of a challenge than those on my SSCP exam.
Rather than work from the beginning to the end of the exam book, I started somewhere in the middle, working on 10 to 20 questions, and then skipping elsewhere. I decided to do the more difficult items early in the exam while my brain was still fresh. This worked out well, and not having the restriction of answering the items in a specific order made it seem as if I had more command of the exam than it had of me.
Being able to mark in the exam book was an absolute necessity to me. Circling important words and phrases, crossing-out distracters and unacceptable answers, and indicating my answer choices made my exam book look like a hand-written musical score (OK, nowhere near that pretty). I occasionally needed to draw a chart or do a little arithmetic, and seeing as how no scratch paper is given, the book is the place to do it.
However, my skipping about did make things a little more difficult when it came to marking my answer sheet. I had to skim through the entire book several times to find all my unanswered questions, and be careful to stay synchronized when marking my answer sheet. I don't recommend my random-access method unless you are very thorough and meticulous.
I finished answering all of the exam items in 4.5 hours and spent another 30 minutes in total marking my answer sheet.
After the Exam
After finishing the CISSP exam, it is quite common for people to leave the exam room feeling mentally drained, frustrated, and in despair. So many questions, so many decisions, and so many items containing unfamiliar topics and with multiple answers that all seem correct. And never feeling as though you have successfully crossed that pass/fail line. It's no wonder that so many people finish the CISSP exam with the feeling that they have failed.
Rather unexpectedly, after completing my CISSP exam and leaving the testing room, I felt really good. I had an enjoyable time taking the exam and, instead of feeling mentally exhausted, I felt energized and just relieved it was over. There wasn't any topic on my exam with which I was not at least somewhat familiar, and I didn't encounter anything unexpected. Although I was not sure that I passed, I did have that same cautiously optimistic feeling that I had after finishing my SSCP exam.
I exited the hotel at 2PM and felt the cool, December, Los Angeles air. My car was waiting for me in the garage; parking cost me $6.60. I blasted Aerosmith on my car's CD player as I drove the Southern California freeways home on a beautiful Saturday afternoon. Yeah, at that moment I felt pretty darn good.
Waiting for the Exam Results
Many CISSP candidates are in mental pain immediately after taking the exam. But that's nothing compared to the emotional suffering many experience while waiting for their CISSP exam results. You've got this bad feeling about your performance on the exam, and you now have only to wait for the confirmation of your worst fear–you've failed the exam and you must do it all over again.
Obsessing on receiving the “passed or failed” email from the (ISC)² is a common after-exam malady. Notification can come anywhere from one to four weeks after the exam date. People sometimes feel great anxiety from the possibility of not passing the exam, having to resume their CISSP CBK studies, and having to spend another chunk of their hard-earned money to take the exam again (employers usually don't pay for failed cert exams). Obsessively checking your email every few minutes for many days or weeks is a common symptom of this behavior (be sure to check your junk mail and spam folders too).
For me, I honestly didn't care if I passed. I was so sick of spending most of 2008 studying the SSCP and CISSP CBK material that I desperately wanted a break from it and to do something else. The common advice is to immediately re-study the domains of the CISSP CBK on which you scored your worst (as indicated on the exam results email from the (ISC)²), and retake the exam as soon as possible while the information is still fresh in your mind.
I had put off too many projects in favor of studying for the CISSP exam, and I couldn't make immediately retaking the exam a priority. In fact, because of my (un)employment situation, I knew that I would not be able to retake the CISSP exam until later in 2009. So pass or fail, I would not be picking up my CISSP books again for quite a while, simply to get on with my other projects.
On the morning of Friday, January 9, 2009, I received an email with my exam results. Because my exam date was so close to the Winter holidays, I assumed that my results would probably not arrive for a month or more. But in just under three weeks the (ISC)² notified me that I HAD PASSED THE CISSP EXAM!
But wait, I wasn't yet finished!
Getting an Endorsement
Yes, endorsement. Unlike most other IT certifications, passing the exam does not automatically award you the full certification. Endorsement from a member of the (ISC)² is required to become fully CISSP-certified (the same is true for the SSCP, CSSLP, and CAP certifications too). The endorsing member must have an (ISC)² certification and be in good standing. Your endorser should also be familiar with your work history, as s/he will be vouching for the experience that qualifies you for the full CISSP certification.
The endorser for my SSCP was the CSO of the company that I formerly worked for, which now no longer exists. He is a very busy guy and it was difficult enough to get a hold of him when we worked in the same building. To make matters worse, he lives hundreds of miles from me and it was unlikely I'd ever just bump into him on the street. Fortunately, with the miracles of email, scanners, and PDF and TIFF files, I made contact and he came through with both his endorsement and congratulations.
I immediately faxed my signed and completed endorsement form and resume to the (ISC)², just a few days after the notification of my pass. The wait for official confirmation would be somewhat difficult for me, as I was anxious to get that special acronym onto my resume and out to prospective employers.
I received email notification from the (ISC)² on January 20, 2009 that I was now fully CISSP-certified, just 31 days after taking the exam. (It might have been one day sooner had it not been for MLK Day.) With a quick revision to my resume, both President Obama and I had something to celebrate on that day.
In my second installment, The CISSP Certification Experience: My Study Plan, I'll give details of my study plan, my recommendations of study materials and resources, and some tips for taking the CISSP exam itself. I know that's what you were hoping to find in this article.