Welcome to cissp CISSP training Certified Information Systems Security Professional
Five Things ISC2 can do to improve the CISSP certification
Posted by boss on Monday, 10 November 2008 @ 21:14:35 EST (390 reads)
Topic ISC2 Org

cdupuis writes "

Today there was a good question asked on linkedin at:

http://www.linkedin.com/answers?viewQuestion=&questionID=358240&askerID=23753864&trk=advq&goback=.hom.mid_836787175

The question from James McGovern was:

What are five things that ISC2 needs to do in order to improve the credibility of the CISSP credential?

CISSP is viewed as an introductory credential that covers the surface of the ten domains. What do you think ISC2 should do to make CISSP even better?

Fees?
Transparency?
Depth?
Others?

I felt compelled to provide an answer to the question. Unfortunately the LinkedIn comment system does not allow for more than 4000 characters, which was not enough for my reply. So see my full comment below:

Good day James,

This is really a great question that should have been asked by ISC2 of their members and other people who are not members a VERY LONG time ago. However, I am not dreaming.

ISC2 has been and still is unable to communicate efficiently. One day they are a member organization and the next day they are not. This communication problem is not something new; it has been reported on many occasions and by many people in the past. However, things do not seem to improve much over the years. We will see what 2009 has in store for us.

Here are a few things that ISC2 can do to make themselves more transparent and to improve the image of the CISSP certification:

1.  START ACTING LIKE A CERTIFICATION BODY

The relation between ISC2 (the non-profit side) and their training arm is dubious at best and as close as you can get to a conflict of interest without getting into one. When any certification body becomes a training entity, often that entity will lose its focus on what is most important, which is the certification itself.

Instead of having their sales people talk trash about other people's training offers, they should start publishing a clear and transparent process on how a training institution can become a recognized training institution under ISC2's approval process. The recognition should not be based on the fact that they are using the ISC2 courseware and sharing profit with ISC2, but on a fair evaluation of the training material and an evaluation to see how it matches the exam objectives and how well it is presented and delivered.

Unfortunately this does not exist and this is why it makes me sad that their sales people are talking trash about other companies' training material when they know nothing about their courseware and the delivery of the material. I am talking from a very recent experience that happened to me here. I challenge any of the salesmen at ISC2 to get out of their cubicle and sit in my class; then they can judge me and my training. Until then it does not reflect very well on them: if the only way you can sell seats in your classes is by talking trash about others, your courseware must be in dire need of updates.

EXAM AVAILABILITY

More transparency has to exist on that side as well. It is often VERY HARD if not IMPOSSIBLE to get an exam scheduled for the students that a training institution has in its classrooms, even if the adequate number of students is there to justify running such an exam, even if there are plenty of proctors that can supervise it for free. It does not make sense to face such a rebuttal.

Denying or making access to the exam hard this way only affects the students and the certification as a whole. It is time to stop playing games. Why is it possible for ISC2 to deliver exams when they are combined with their own training classes but not when it is a third-party training class? It does not make sense and I cannot see a fair reason as to why some people are getting denied access to the exam.

Lately I have received dozens of messages from people in places such as India where exams are not regularly conducted, telling me that the upcoming exams are sold out and they must wait until next year to attempt the exam. This is not what I call customer service.

If the number of registrations and the demand justify having a second exam room for the exam, then so be it. Any other business that acted this way would lose its customers, and this is what will happen if ISC2 does not start looking after its customers better. They are the sole choice today but that could change very quickly in the near future.

THE FAMOUS COMMON BODY OF KNOWLEDGE


I have grown sick and tired over the years of hearing about the unseen CBK. Everyone refers to it but nobody has ever seen the official version of it published as a document by ISC2.

The current candidate information bulletin is totally useless as a tool to prepare for this exam. Why can't I get a good guide from ISC2 that will tell the student how to prepare for this exam, what the exam objectives are that they will be tested against, and to what depth they will be tested? The student needs to know the details of each domain, not a few high-level bullets as presented in the candidate bulletin.

It is time that ISC2 started offering copies of the CBK to anyone who wishes to get a copy, for free as a PDF file. DHS has just released their EBK and they are doing the right thing. A secret CBK has no value as far as I am concerned.

The DHS CBK will be updated every two years. How many changes have you seen on the CISSP CBK in the past six years?

NOBODY should have to register and then be harassed by the sales people in order to get a copy of the CBK. The CBK has to be publicly available to all in its entirety. WHY do you need to force people to register for a document that should be PUBLIC anyway? Collecting only the email address would be more than enough if you wish to let them know about updates.

I agree with keeping the master copy on the ISC2 site but it should not require registration. The only reason that registration is used at this moment is to pass the info to their sales people, which allows them to talk trash about others as being UNOFFICIAL training. Considering there is no way to get someone's courseware authorized, why are they using such tactics? CompTIA will certify courseware from other training entities and they have a well-documented process to do so. Why is ISC2 not doing the same thing? Thinking only they can produce quality courseware for the CBK is futile at best.

In summary the CBK is in dire need of an update. It is time to get the OLD and OUTDATED topics that NOBODY uses today out and make room for some relevant and up-to-date content. There is so much happening in security every year that doing updates only every 3 to 4 years is not enough.

CPE

The acronym CPE has become synonymous with Continuous Payment Econosystem

CPE should not mean $$$$

CPE activities should be offered to the members as a benefit and not as money-making activities. Why can't we get online and live seminars for FREE? Why can't I get a conference of great quality for FREE? If Defcon, OWASP, and many other organizations that are MEMBER ORIENTED can do it, WHY can't ISC2 do the same?

If our organization had no money in the bank I would understand, but with many millions in the bank it is time that some of this money was spent for the benefit of the members, as it was gathered for the most part from the members. A couple of years ago there was over 15 million in the bank. Today that number might even be higher. What for...

I need 20 CPE per year! WOW, what a challenge! Half of those can be obtained by subscribing to security magazines. Does this really prove my continuous education? Most likely not.

The WHOLE CPE system has to be revised to add value to it, to show that the CPEs submitted are in fact related to being a CISSP. Such a system would be very complex and would require human intervention; a random audit once in a while is not enough to keep the CPE as a valid gauge of one's professional development.

WHAT METRIC DO THEY USE TO GAUGE SUCCESS

Over and over again I hear officials brag about having reached 50K members, 60K members, and even more today. What does this number prove if we as a group don't impact the security community and influence it?

Gauging success by the total number of people who have received their certification over the past 12 months is certainly NOT a valid metric. If I remember correctly this is how many of the well-respected and valued certifications out there have lost their value.

You need to show more than numbers. You need to be looked at as leaders and as a community that is playing a very active role in all facets of security.

I am still waiting for an official at ISC2 to come out with some other metrics and the ability to demonstrate the impact that ISC2 has on the security community overall. What is the support that ISC2 has provided to their membership over the past 12 months? How have they helped "JOE the security guy" in his daily job after he became certified?

Start giving me significant metrics.

MAINTENANCE FEES

When I first got certified over ten years ago the maintenance fees were $85 USD back then. I could understand that with 12 CISSPs in Canada it was necessary to charge that much money to keep the site up and running, to give me access to the web submission form for my CPEs, etc... etc...

However, today we have over 60,000 members and I do not understand why I still have to pay the same price.

Normally supply and demand will drive prices down. Does ISC2 need to collect more than 5 million dollars in maintenance fees every year to give me that service today?

The certification world is the ONLY place where I have seen prices that never get affected by supply and demand. It is the only place where I have seen prices go up as there was more demand. Exams that used to be $250 are now over $500. WHY?

Considering the exams are being run by volunteers, and considering the production cost per person for the exam greatly decreases as the number of exams offered increases, I fail to understand WHY it costs so much.

If an organization were really concerned about the common good and improving security overall, they would also make every effort to ensure the certification path is accessible and affordable.

There is no need to pay that much for a certification. If at least people were still getting a nice wood-mounted plaque with their certificate on it, that would justify some of the cost. However, the opposite happened: we are being charged more for less as the volume increases.

I must be in the wrong line of business....

CLEMENT WHY ARE YOU MAD?

First let me tell you that I am not mad at all; I am writing this with an ironic smile on my face. I am simply very disappointed to see how much energy is wasted on futility versus being used for us, the members, as a priority.

Will the points above change in the near future? I doubt it.

I think a new organization will see the light before we can turn the current organization around.

I know I am an idealist with my sharing-for-free ideas, but there are still people out there who REALLY believe in helping others, and they also believe in doing it openly without money being their main objective.

Best regards to all

Thanks for reading my rant

Take care

Clement

P.S.  PLEASE CLICK HERE OR ON THE comments LINK BELOW TO LET US KNOW YOUR OPINION AS WELL

 

"



The Academy Video Update
Posted by boss on Monday, 10 November 2008 @ 14:11:06 EST (146 reads)
Topic Training News

Anonymous writes "

Seven new videos for you this week. We start off with the conclusion to the popular video series 'Writing effective Snort rules,' and continue with the demonstration of backup and restore tools for Check Point. Disk mirroring for Nokia and the installation of McAfee HIPS in a stand-alone environment wrap things up for this video update.

Don't forget about our Hackers for Charity campaign. The Academy will donate $1 to Hackers for Charity for every user that registers for a free account on www.theacademy.ca. Please forward this message to anybody interested in The Academy so that a substantial donation can be made this month. Thanks!

I would like to welcome Jay Zorzi to the list of contributors. Jay has assisted with video creation over the last few months and his contribution is much appreciated. We look forward to working with him.

New videos:
Enabling disk mirroring on a Nokia IP Security device
Backing up Check Point with upgrade_export
Restoring Check Point with upgrade_import
Stand-alone McAfee HIPS Installation
Writing effective Snort rules IV
Writing effective Snort rules V
Writing effective Snort rules VI

Thank you all for your on-going support and recommendations.

Peter Giannoulis
The Academy
www.theacademy.ca

This update has been brought to you by Check Point Software Technologies, Sourcefire, Peer1 and OSSEC.

"



Beware of Testking, Actualtests, and the like
Posted by boss on Friday, 07 November 2008 @ 15:54:14 EST (326 reads)
Topic Training News

Anonymous writes "

Good day to all,

Over the past year I have been receiving many emails from people who unfortunately were attracted by very catchy publicity and promises of a guaranteed pass, and they decided to buy some of the online study guides, such as preparation tests and other items that guarantee you will pass for sure.

I have spent a bit of money with a few friends and we bought copies of those tools ourselves.

I was completely amazed to see the practice tests from actualtests.com and testking.com had the EXACT SAME questions and choices presented as the real exams. Word for word, except one thing: they attempted to answer the questions themselves and they are recommending the wrong answers to the people who buy their products. Some of the recommended answers are plain hilarious at best. If you follow their recommendations you will fail for sure.

If you have done your homework and you have prepared yourself properly for your upcoming exam you will see that the value of these so called real exam test questions is extremely limited, you should be able to pick those mistakes from a mile away.

Once again I strongly recommend that you do the ethical and correct thing: prepare properly and pass the exam on your own. Avoid those unethical websites and save yourself some money and embarrassment later on when you get to your first job interview and they realize you are only a paper person with no skills or practical knowledge.

Best regards

Clement

"



Register for Charity
Posted by boss on Friday, 31 October 2008 @ 14:19:40 EDT (246 reads)
Topic Training News

Anonymous writes "

What is Hackers for Charity?
Hackers for Charity helps non-malicious hackers gain valuable job experience by putting them to work on projects for charity. They also build computer classrooms to help children and adults break the cycle of poverty through empowerment training, and feed children with funds raised by sales of Johnny Long's books.

This month, I thought that it would be fun to partner up with Hackers for Charity in order to raise money for the people of Uganda. The Academy has offered to donate $1 to Hackers for Charity for every user that registers for a free account at www.theacademy.ca for the entire month of November. If you’re a registered user already please forward this email or post it on a blog. Anything you can do to spread the word would be greatly appreciated. Let’s try to make a substantial donation to charity this month. Thanks everybody!

Peter Giannoulis
The Academy
www.theacademy.ca

"



FISMA compliance made easier with OpenFISMA
Posted by boss on Tuesday, 28 October 2008 @ 20:30:12 EDT (325 reads)
Topic Law & Legalities

FISMA compliance made easier with OpenFISMA
Scott Sidel, Contributor
10.27.2008

Managing security in a large corporation can be daunting, which is why the U.S. government has made a concerted effort to standardize best security practices. The Federal Information Security Management Act (FISMA) not only mandates the processes for information systems used by federal agencies and by contractors working with the government, but also provides an excellent security baseline for any large organization.

From an information security perspective, the first step in implementing FISMA guidelines involves gaining an understanding of the processes FISMA mandates. Then, practitioners typically rely on NIST publications, which guide security personnel through the baseline security requirements, detailing the more specific technical and operational controls needed to meet those requirements. Managing the compliance process can quickly become a challenge, however, because working with multiple parties on a broad range of controls overwhelms the typical spreadsheet and manual tracking process.

OpenFISMA can help: it automates the compliance process by using a platform-independent OSS Web application framework (Apache, MySQL, PHP) to manage the workflow. OpenFISMA also guides requirements-gathering activities, such as verifying compliance with requirements, security assessments and vulnerability remediation.

To better understand how OpenFISMA can improve security, one example is the processes associated with a plan of actions and milestones (POA&M), which are the activities used for tracking and fixing security vulnerabilities. OpenFISMA provides a Web-based centralized repository to manage and track vulnerability reporting and remediation activities. Users log in to their role-based accounts to work through or oversee the compliance processes. Typical users would be the security officer (CSO or CISO), technical operations staff and the independent verifiers.

OpenFISMA's business rules provide guidance for the submission of remediation evidence and sign-off for the work performed. The user controls protect the integrity of the audit information from unauthorized access, modification and deletion. Timestamps support the ability to audit and account for each of the steps, and a reporting engine helps track performance against stated completion goals.


When using OpenFISMA, information about security weaknesses can be entered manually or ingested from automated sources by using popular vulnerability assessment scanners that output their results in XML, CSV or XLS formats. A known vulnerability then follows one of three typical paths: a) the finding is remediated, b) the finding is demonstrated to be a false positive, or c) the risk is accepted. A risk level can be assigned to help prioritize the level of threat to the organization and the mitigation strategy can be reviewed and approved by independent third parties. After the work to remediate the weakness is done, evidence for the remediation can be analyzed by third-party verifiers. Finally, assuming the remediation is accepted, the verifiers would close out the weakness.

Implementing government standards for security can be a huge task, but OpenFISMA provides structure and automation to help manage the process.
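As an added illustration of the POA&M workflow described above (my own example code, not OpenFISMA's implementation, and in Python rather than OpenFISMA's PHP), the block below ingests findings from a constructed scanner CSV export, lets each finding follow one of the three paths (remediated with verified evidence, false positive, or risk accepted), enforces role-based transitions with an independence check on the verifier, and keeps an append-only timestamped audit trail. The CSV column names, role names and severity-to-risk mapping are assumptions.

```python
"""Model of a POA&M finding workflow: ingest from scanner output, then close a
finding by verified remediation, as a false positive, or by risk acceptance.
Illustrative code only; not OpenFISMA's own implementation."""
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class State(Enum):
    OPEN = "open"
    MITIGATION_PROPOSED = "mitigation proposed"
    MITIGATION_APPROVED = "mitigation approved"
    EVIDENCE_SUBMITTED = "evidence submitted"
    FP_CLAIMED = "false positive claimed"
    RISK_ACCEPTANCE_REQUESTED = "risk acceptance requested"
    CLOSED = "closed"
    FALSE_POSITIVE = "false positive"
    RISK_ACCEPTED = "risk accepted"


# (current state, action, role allowed to take it) -> next state. Roles are assumed:
# "ops" = technical operations staff, "iso" = security officer, "verifier" =
# independent verifier. Any combination not listed here is refused.
TRANSITIONS = {
    (State.OPEN, "propose_mitigation", "ops"): State.MITIGATION_PROPOSED,
    (State.OPEN, "claim_false_positive", "ops"): State.FP_CLAIMED,
    (State.OPEN, "request_risk_acceptance", "iso"): State.RISK_ACCEPTANCE_REQUESTED,
    (State.MITIGATION_PROPOSED, "approve", "verifier"): State.MITIGATION_APPROVED,
    (State.MITIGATION_PROPOSED, "reject", "verifier"): State.OPEN,
    (State.FP_CLAIMED, "approve", "verifier"): State.FALSE_POSITIVE,
    (State.FP_CLAIMED, "reject", "verifier"): State.OPEN,
    (State.RISK_ACCEPTANCE_REQUESTED, "approve", "verifier"): State.RISK_ACCEPTED,
    (State.RISK_ACCEPTANCE_REQUESTED, "reject", "verifier"): State.OPEN,
    (State.MITIGATION_APPROVED, "submit_evidence", "ops"): State.EVIDENCE_SUBMITTED,
    (State.EVIDENCE_SUBMITTED, "approve", "verifier"): State.CLOSED,
    (State.EVIDENCE_SUBMITTED, "reject", "verifier"): State.MITIGATION_APPROVED,
}

# Scanner severity -> POA&M risk level used to prioritise work (assumed mapping).
RISK_BY_SEVERITY = {"critical": "high", "high": "high", "medium": "moderate", "low": "low"}


@dataclass
class Finding:
    finding_id: str
    asset: str
    description: str
    risk: str
    state: State = State.OPEN
    audit: list = field(default_factory=list)  # append-only, never edited or deleted

    def act(self, actor: str, role: str, action: str, note: str = "") -> State:
        """Apply an action; refuse it unless the role may take it in this state and,
        for verifier decisions, the verifier is not the person whose work is judged."""
        nxt = TRANSITIONS.get((self.state, action, role))
        if nxt is None:
            raise PermissionError(f"{role} may not '{action}' a finding that is {self.state.value}")
        if role == "verifier" and self.audit and self.audit[-1]["actor"] == actor:
            raise PermissionError("verifier must be independent of the submitter")
        self.audit.append({
            "when": datetime.now(timezone.utc).isoformat(),  # timestamp for accountability
            "actor": actor, "role": role, "action": action,
            "from": self.state.value, "to": nxt.value, "note": note,
        })
        self.state = nxt
        return nxt


def ingest_csv(text: str) -> list:
    """Create findings from a scanner CSV export (assumed columns: id,host,severity,description)."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        risk = RISK_BY_SEVERITY.get(row["severity"].lower(), "moderate")
        findings.append(Finding(row["id"], row["host"], row["description"], risk))
    return findings


def status_report(findings: list) -> dict:
    """Count findings per state: the figure a reporting engine tracks against goals."""
    report = {}
    for f in findings:
        report[f.state.value] = report.get(f.state.value, 0) + 1
    return report


# Constructed sample scanner output, not taken from any real assessment.
SAMPLE_CSV = """id,host,severity,description
F-1,web01.example.invalid,high,Outdated TLS configuration
F-2,db01.example.invalid,medium,Unused service listening on management port
F-3,app02.example.invalid,low,Version banner disclosure
"""


def run_example() -> list:
    f1, f2, f3 = ingest_csv(SAMPLE_CSV)
    # Path a: remediation, evidence reviewed and closed by an independent verifier.
    f1.act("alice", "ops", "propose_mitigation", "disable legacy cipher suites")
    f1.act("carol", "verifier", "approve")
    f1.act("alice", "ops", "submit_evidence", "post-change scan attached")
    f1.act("carol", "verifier", "approve", "evidence reviewed")
    # Path b: false positive, confirmed by the verifier.
    f2.act("bob", "ops", "claim_false_positive", "port is firewalled from all networks")
    f2.act("carol", "verifier", "approve")
    # Path c: risk acceptance requested by the security officer; verifier has not yet decided.
    f3.act("dave", "iso", "request_risk_acceptance", "low risk, host decommissioned next quarter")
    return [f1, f2, f3]


if __name__ == "__main__":
    for f in run_example():
        print(f.finding_id, f.asset, f.risk, f.state.value)
```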

About the author:
Scott Sidel is an ISSO with Lockheed Martin.




Copyright infringement and the CISSP, Part 1
Posted by boss on Tuesday, 28 October 2008 @ 16:03:54 EDT (366 reads)
Topic Docteur Kabay

From Network World:

This story appeared on Network World at
http://www.networkworld.com/newsletters/sec/2008/102708sec1.html

 

Copyright infringement and the CISSP, Part 1

His name is Mud
Security Strategies Alert By M. E. Kabay , Network World , 10/28/2008

This story deals with lying, theft, social networking, law, mystery, and an uncertain outcome. My longtime friend and colleague, the distinguished security-awareness expert K Rudolph of Native Intelligence tells a tale of horror and mayhem suitable for Hallowe'en reading.

* * *

It was a dark and stormy night, or it should have been. Tuesday night, Sept. 23, 2008, around 7 p.m., I visited the (ISC)2 Cyber Exchange Web site established to celebrate the upcoming National Cyber Security Awareness Month. I wanted to help make the world cyber safer by entering awareness materials in the (ISC)2 annual contest. In addition to use in the contest, (ISC)2 makes the submitted materials available for download as useful awareness tools and as the contest voting mechanism. The contest submission downloaded the most for each category (posters, brochures, presentations, and videos) wins the submitter fame and fortune - well, $1,000, anyway.

I chose a poster to enter and wanted to see how it compared with what had already been entered.

The loud “ka-clunk” that you might have heard about 7:15 that Tuesday was my jaw hitting the floor when I discovered that someone had already entered the poster that I was planning to enter - a poster I developed and for which I hold the copyright. He entered it with my copyright notice removed and he claimed ownership of the work. He entered it under his own name, which I will refer to as “Mud.”

Mud had chosen well, but not wisely. He entered the Dumpster Diver poster. Created in 2001, the Dumpster Diver was one of the first posters my company developed. This poster didn’t originate in a computer; it was drawn by hand, inked, scanned into electronic versions, colored, and finalized. Our professional cartoonist, Charles Filius, created that poster. I have copies of the original pencil sketches and ink drawings. Charles has the originals.

I googled for Mud and found that he had studied law for several years. Mud had worked for a famous high technology firm for nearly a decade as an information security manager. Mud listed ethical hacking as one of his skills. His profile showed that he claims three certifications: CEH (Certified Ethical Hacker), OSCP (Offensive Security Certified Professional), and surprisingly, the CISSP (Certified Information System Security Professional). [I have deliberately obscured the details to prevent anyone from homing in on Mud’s real name through data aggregation.]

CISSPs agree to abide by a code of ethics with four canons, and the second canon says that members must “Act honorably, honestly, justly, responsibly, and legally.” To enter the contest,  Mud had to agree that: “By submitting your work… you agree that you own all copyright in the work posted, unless otherwise indicated and properly attributed in the work.” Apparently Mud hadn’t read either the CISSP code of ethics or the contest requirements - or he felt that they didn’t apply to him.

The rot thickens.

I went back to the (ISC)2 Web site for a closer look. Mud hadn’t just stolen one image; he’d stolen 11 of my images. He’d entered my images 12 times (he entered one of the images twice). Mud had even taken one poster with a photograph that I took while in Las Vegas when I was speaking at the CSI SX Conference this past April. Taking one poster might be a mistake but 12 was enemy action.

* * *

In part 2 of this series, K Rudolph tells us about her response to the blatant theft of her intellectual property.

* * *

K Rudolph, CISSP, is the founder and chief inspiration officer of Native Intelligence, Inc.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.




Webcast Series - Endpoint Security
Posted by boss on Tuesday, 28 October 2008 @ 16:00:12 EDT (263 reads)
Topic Training News

Anonymous writes "

Compliance at the Endpoint - Is 'Out of Sight, Out of Mind' a Risky Security Strategy
Endpoint Compliance is a tricky process. While gateways are a cost effective solution, they don't see all the traffic, especially from mobile users. For increasingly diverse users and their devices, endpoint security struggles to address state, federal, international, and industry regulations, internal policies (acceptable use and intellectual property protection), malicious code protection, data leakage, and unauthorized applications execution. Endpoint security solutions need sensitivity relative to client resource consumption, administrative overhead, new client technologies, and changing compliance regulations. Click here to register.

Thursday, November 06, 2008
11:00am (PST) / 1:00pm (CST) / 2:00pm (EST)

Who Should Attend:
CSO, Security VP/Director within desktop admin groups
CIO, VP/Director/Manager of IT, IS, MIS, Desktop, and Network groups

What You Will Learn:
The importance of an endpoint compliance strategy
Internal acceptable use policies
Possible solutions for Endpoint Security compliance

Protecting Sensitive and Confidential Information with Endpoint Security
The risk of information exposure is well known today, but have we really understood the lessons taught? We all too often approach Information Security from the bowels of technology, forgetting the first word was information. To understand what we're trying to protect is paramount in this game of ever changing threats. Just a short time ago, the process of protecting classified documents was easily managed by locking them in the safe before leaving the office. The challenge was knowing if you had all the documents back before the safe was locked. Today's challenge isn't much different. We are faced with increasing amounts of data, overwhelming storage methods, and new changing methods of corporate data access. Whether we are focused on protecting classified government documents, corporate secrets, or sensitive personal information about employees, partners, or customers, we face new hurdles every day. Click here to register.

Thursday, November 20, 2008
11:00am (PST) / 1:00pm (CST) / 2:00pm (EST)

Who will benefit?
CSO, Security VP/Director within desktop admin groups
CIO, VP/Director/Manager of IT, IS, MIS, Desktop, and Network groups

What will you learn?
How to overcome Endpoint Security challenges
Hear about "real-life" implementation from industry expert
Learn how to protect your data where it’s most vulnerable

"



ISO 27000 Newsletter - Issue 19
Posted by boss on Monday, 27 October 2008 @ 12:08:16 EDT (2498 reads)
Topic ISO17799

SaraHollins writes "

Welcome to the exclusive pre-release version of Issue 19 of The ISO 27001 and ISO 27002 Newsletter, designed to provide news and background with respect to these security standards. The information provided is absolutely free to our subscribers and offers guidance and commentary on recent developments.

Click on Read More...  below to see the full newsletter loaded with great information

 

"



SC Magazine's free subscription
Posted by boss on Monday, 27 October 2008 @ 12:07:10 EDT (280 reads)
Topic CISSP In the Press

stremblay writes "

I recently came across this magazine and thought it was really good. The content is great and I could imagine people actually buying it.

But you see, that won’t happen because it’s free!

Simply visit http://www.scmagazineus.com and click on subscribe!


This magazine can also give you credits for your CISSP certification.

"



HISP course offered in Athens, Greece
Posted by boss on Sunday, 26 October 2008 @ 21:39:50 EDT (288 reads)
Topic Training News

An HISP (Holistic Information Security Practitioner) Certification Training Course will take place at:

Location:  Royal Olympic Hotel
City:         Athens
Country:   Greece
Dates:      10-14th of November 2008

For more information visit the HISP web site at http://www.hispcertification.com/




The Academy
Posted by boss on Saturday, 25 October 2008 @ 14:32:25 EDT (236 reads)
Topic Training News

Anonymous writes "

Once again, we're ending the week with additional resources for you to soak up. This week we have posted papers that cover SQL injection, load balancing, application firewalls and application delivery security. All relevant topics considering the threats we face on the Internet today. I hope you enjoy them!

New resources:
SQL Injection Evasion Detection
Load Balancing 101: Nuts & Bolts
Application Firewalls
Application Delivery Security
TMOS: Secure Development & Implementation
Acceleration 102

Thank you all for your on-going support and recommendations.

Peter Giannoulis
The Academy
www.theacademy.ca

This update has been brought to you by Check Point Software Technologies, Sourcefire, Peer1 and OSSEC.

"



The Academy Video Update
Posted by boss on Friday, 24 October 2008 @ 09:42:58 EDT (241 reads)
Topic Training News

Anonymous writes "

I hope everybody is doing well this week. It has certainly been busy for us. We are currently working on some new initiatives for the website and will announce them as soon as we can. This week we have created some additional Nessus videos which present some really cool features of the product. Don't forget to check out the Hping tutorial as well.

New videos:
Demonstration of the Nessus VM Appliance
Demonstration of Nessus Credential-based Port Scanning
Demonstration of calling Nikto from Nessus
Hping Tutorial

Thank you all for your on-going support and recommendations.

Peter Giannoulis
The Academy
www.theacademy.ca

This update has been brought to you by Check Point Software Technologies, Sourcefire, Peer1 and OSSEC.

"



Microsoft Blue Hat Hackers Headline Chicago Security Con
Posted by boss on Monday, 20 October 2008 @ 22:29:39 EDT (318 reads)
Topic Training News


Microsoft pen testers, AKA ethical hackers, Billy Rios and John Walton headline an impressive list of presentations by security researchers, practitioners and executives on Oct 31 & Nov 1, 2008 for the fall edition of ChicagoCon. For only $100 including food and swag, it's a steal. And without an exhibit hall full of sales pitches, you're free to learn from the pros, network with peers and advance your career.

Presented by The Ethical Hacker Network Online Magazine

Ethical Hacking Conference
Friday Oct 31 - Saturday Nov 2

In a plush auditorium, ChicagoCon features hourly presentations similar to what you would find at Black Hat starting on Friday afternoon at 2:00 PM and continue throughout the entire day on Saturday. We will also have breakout sessions in adjoining classrooms on Saturday for more extensive treatment of certain topics. For only $100, you get an entire day and a half of cutting-edge security talks, book giveaways, free magazines, Pizza Party on Friday, lunch on Saturday, attendee bag with t-shirts and much more.

The Ethical Hacking Conference will have as its opening keynote presentation Billy Rios and John Walton, members of Microsoft's own pen testing team, AKA Blue Hats:

Mischievous Eyes and Malicious Mindsets

The browser is our window to your secrets... and we've got mischievous eyes. As organizations push to increase the "richness" of online user experiences, they are also unwittingly increasing the attack surface for organizations and their users. Join two of the best looking security researchers in the world as we dissect the current state of client side and web application security. We'll dive into the gory details and demonstrate the impact of client side vulnerabilities, blended threats, and targeted attacks. We'll cover everything from benign application vulnerabilities that gave college hopefuls a sneak peek at their admissions status, all the way to vulnerabilities used to steal your data and compromise your machine.

Other speakers during this conference dedicated to the legitimate profession of hacking include:

  • Karsten Abata (Halock Security Labs) on "Nailing the Insider"
  • Michael A. Davis (CEO of Savid Technologies) sheds light on the new focus of organized crime in "Modernization of Malware Factories"
  • Donald C. Donzal (Founder of ChicagoCon) brings you "DIY Career in Ethical Hacking"
  • Michael Gregg (Author, Superior Solutions, Inc.) on "Malware - The Continuing Evolving Threat"
  • Daniel V. Hoffman (SMobile Systems) enlightens with "Smartphones Aren't Currently Being Exploited - And the Titanic is Unsinkable"
  • Ryan Linn (SAS) helps you get the most from your security investment with "Pen Testing ROI"
  • Brian Wilson (Cisco) offers up his mastery of network security in "Layer 2 Tai Sigung"
  • and many others.

Get details on the entire conference at http://www.chicagocon.com/content/view/103/51/.




Upcoming changes to the CISSP exam and the drama associated with it
Posted by boss on Monday, 20 October 2008 @ 20:28:49 EDT (399 reads)
Topic ISC2 Org

NOTE FROM CLEMENT:
Below you have a message I am posting on behalf of Shon Harris from Logical Security.  She expressed herself on the way the ISC2 talks about changes without ever giving details on what they are or asking the membership for participation.  I do not understand WHY it has to remain a secret this way.  It really makes you wonder if this is all marketing without substance, or whether there really are any changes if they cannot even communicate them.

A good example of this piece of text I have seen in many emails from ISC2 that states:

"Official (ISC)2 Guide to the CISSP CBK - (ISC)2 book, written and compiled by world-class CISSPs, offers thorough analysis of all 10 CISSP CBK domains. It's the only book available with the CBK changes updated recently."

What are those changes, when did they take place, where has this been documented and communicated to the membership and new exam candidates???  I thought one of the requirements of their ISO certification was to make the CBK publicly available.

I know that Shon's message below might seem surprising to some of you; however, lately I have experienced some very strange behavior on ISC2's part as well.   I have just delivered a CISSP class in Dubai, UAE and many of my students were told by ISC2 that they should avoid taking my class because it is NOT an official ISC2 class and that only the official ISC2 class would give them the coverage needed to pass the exam.  Such claims are totally retarded, and even more retarded considering they come from a sales person who has never sat other vendors' CISSP classes.

I have developed, delivered, reviewed, and improved courseware for five of the leading training companies in the States, and let me tell you that the ISC2 courseware is not what they claim it is and it will NOT give you any special advantages.  If they were to use their Certification Body position as an advantage on the training side they would be breaking the requirements of their ISO certification; even making such a claim is against their ISO certification requirements.

When a certification body has to resort to such tactics to sell seats in their classes, it speaks for itself.  Quality of content and quality of delivery is what people are looking for.  They are NOT looking for FUD (Fear, Uncertainty, and Doubt).  Such tactics are really sad and disappointing to say the least.


HERE IS THE MESSAGE FROM SHON:

I have received several e-mails pertaining to (ISC)2 hinting that there will be new material on the CISSP exam in 2009.  Below you have the response I recently sent to someone asking me about this. I just thought I would "put it out there" for everyone:

Here is the skinny on how (ISC)2 works on these things.

Every once in a while they broadcast that there is new material on the exam so that they can then say that their competitors do not have the most up to date material in their training material – thus you HAVE to go to their training if you want to make sure you have the most updated stuff. This is a sales gimmick. They have done this many times over the last several years with the goal of making more money - not helping to ensure that you have what you need to be successful. It is part of their sales training I am sure.

About 1 1/2 years ago they did actually add some new material to the CBK and then changed a couple of the methodologies they test on, or got more granular with the methodologies they currently focus on (incident response, BCP, etc.). All of this is fully covered in my 4th edition. These changes to the CBK and exam material are why I did the 4th edition of my book.

In this instance they are writing yet another CISSP study guide book. They have written 2 CISSP study guide books and had them published in the past.  Because of their poor quality and acceptance by the public, they just let the books go out of print and carried out internal finger pointing as to why the book failed. So now they are releasing yet another CISSP study guide book.

To start and pump up the potential sales for this new book they are saying that “there is new material on the exam”, but that is all they are basically saying.  They are giving no specifics and if you call (ISC)2 directly most people who answer the phone there will not even know what you are talking about.  Even the ‘internal’ people don’t know anything about this mystery exam update.

Sadly I know how (ISC)2 works intimately. I could tell you things that would curl your toes.

While I am positive that the 4th edition of my book will be more than anyone will need for the CISSP exam for the next 2-3 years (it covers everything under the sun already), I will probably come out with a new edition in 2009 that will have a bit more info added (this NEW material that (ISC)2 will claim is extensive and why you absolutely have to buy their book and go to their training), but more importantly I am looking at adding a full suite of digital study aids as part of the purchase of the book.

So, I do feel that you need my 4th edition instead of my 3rd. I did extensive rewrites and added a lot of new material to my 4th edition, but to be honest the CISSP exam changes so slowly I am pretty sure you could study the 3rd edition and pass just fine. The 4th edition will give you the updated info that has been added to the exam over the last 2 years, but also I rewrote about 40% of the book just because I knew I could do a better job after teaching CISSP for 6 years.

You should be good with the 3rd edition, you will be better with the 4th edition. The CISSP is not going to change drastically (if at all) in 2009. (ISC)2 just wants to start the buzz so that people will feel that they absolutely have to have the new (ISC)2 book. It is just capitalism.




The Academy Video Update
Posted by boss on Thursday, 16 October 2008 @ 19:56:00 EDT (255 reads)
Topic Training News

Anonymous writes "

If you're wondering why there's another video update a couple of days after the last one, it's simple, Tenable Network Security offered up some great videos on how to effectively use Nessus and we didn't want to wait any longer before posting them. The videos are presented by Mr. Ron Gula, CEO of Tenable Network Security, and I'm sure you'll enjoy them.

New videos:
Using Nessus 3 to perform a Federal Desktop Core Configuration Audit
Introduction to Nessus 3 with Ron Gula
Using Nessus 3 to perform a SANS Top 20 Vulnerability Audit

Thank you all for your on-going support and recommendations.

Peter Giannoulis
The Academy
www.theacademy.ca

This update has been brought to you by Check Point Software Technologies, Sourcefire, Peer1 and OSSEC.

"



All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2007 by CCCure.Org, and the site maintainers Clement Dupuis and Nathalie Lambert. Reuse is strictly prohibited without written permission of CCCure.Org or its maintainers.

This web site is not associated directly or indirectly with ISC2, the SANS Institute, ISACA, or any other certification authority. The GCFW, CISSP, SSCP, ISSEP, ISSMP, CISA, and CISM are all the property of their respective owners. The content of this site is provided to you freely due to the generosity of our sponsors.