IT Security Blog

Your source for information security news and views.

Brian Edmiston


5 Key Items to Target When Searching for CISSP Training

Posted by Brian Edmiston
on Friday, 20 July 2012
in Uncategorized

The Certified Information Systems Security Professional (CISSP) certification continues to be THE widely recognized credential for broad information security expertise. The certification requires that the student obtain a wide range of security knowledge, making passing scores on the exam challenging, regardless of the level of security experience the individual has. The fact that the exam has recently gone on-line does not make it any less challenging.

If you are the type of individual that prefers instructor-led training over alternate methods of learning, then you need to consider the following items when searching for a good training partner. We have heard many stories of students that have paid for training programs that just have not worked for them. This isn’t necessarily due to a poor training program, but rather the training style or option was not suitable for the way they learn.

There are, however, a few items we believe you should look for when exploring instructor-led training options:

1. Ensure the learning meets your learning needs.
The course needs to provide a solid foundation of security knowledge mapped to the domains of the Common Body of Knowledge (referred to as the CBK). Make sure that the course has relevant, updated materials. Find out what book is being used and whether or not the instructor includes custom content. Find out what the custom content consists of and whether or not it meets your needs. Some providers offer a pre-training program as well that will definitely help to prepare you for the upcoming classes. Be sure to take advantage of any additional materials being offered but ensure they are updated frequently.

2. Validate instructor credentials.
Instructors need to be able to adequately instruct on all of the security domains. Make sure he/she is an expert in all the security domains. Check certification credentials, obviously, but also find out how long they have been teaching and/or where they have worked in the past and gained their knowledge.

3. Evaluate the supplementary study materials.
With the amount of information you will need to cover for the CISSP, you will need to review the material you have learned. Make sure that the training provides you with supplementary review materials and strategies on how to study so that you can answer the exam questions more effectively. The exam content can be tricky, and understanding the types of questions asked and how to study in order to prepare is key. The exam can be quite subjective in nature, and you will need to understand how to determine the best answer out of four equally good answers.

4. Make sure mentoring and practice exams are part of the course.
Make sure that the course includes plenty of practice opportunities. Instructors should be able to provide you with additional practice test questions and/or mentor you through some of the questions and provide tips and tricks, so you get a feel for the type of questions and how to answer them effectively.

5. Choose a company that stands behind their guarantee.
Figure out what kind of guarantee it is and for how long the guarantee is actually valid. Depending upon the training provider, a guarantee is not necessarily going to get you your money back, but if the training provider stands behind their guarantee, they will provide you with the ability to take the class again and will go beyond that to provide you with mentorship and additional materials to ensure your success.


CISSP Online Exam Format: Pro & Con

Posted by Brian Edmiston
on Wednesday, 20 June 2012
in Uncategorized

A lot of attention has been given to the new computer-based testing (CBT) exam format for CISSP® certification. This may be merited. There is an ongoing debate about the integrity of the exam itself when delivered in such an environment and the possible repercussions to the quality of the credential itself.

The concern over whether or not this delivery method could make it difficult to control fraud is of primary importance. Is it possible that someone other than the actual candidate could take the exam? What methods are being used to prevent this?

Also, can the questions be compromised so the students can prepare for the exam without mastering all of the core subject matter?

Questions such as these abound when moving to an electronic exam format, but the suppliers of online testing systems indicate that they have thought of ways to bring safeguards to the table. In fact, PearsonVUE pioneered using biometric identification for test taker authentication over ten years ago, and in recent years deployed Fujitsu’s PalmSecure biometric identification technology to over 500 PearsonVUE test facilities worldwide. More recently they introduced one-to-many (1:N) matching to provide an enhanced layer of fraud prevention, utilizing the SensoBrain distributed biometric acceleration technology which compares each test taker’s biometrics to those of everyone else in a client’s testing program, ensuring that any potential fraudulent testing based on impersonation can be proactively eliminated before it occurs.

While the move to a CBT format will obviously be a huge cost-saving measure for most test-takers, who historically have had to travel some distance to take these exams, there are increasing concerns about brain dumping, causing potential brand erosion of the “elite” certification. While some argue that (ISC)² has done an excellent job against brain dumps to date by retiring their questions quickly, others believe that taking the exam from a paper to an online format will degrade its value and relegate it to the level of other lower-level security certs.

What are your thoughts on the pros/cons of the change in delivery for the CISSP exam?

Download our most recent IT Security Briefing (An IP3 White Paper): A Face-Lift for CISSP Exams - June 2012
