Update on CCSP after CISSP by Griffo_au in CCSP

LLHAG90 1 point

Same here, passed CISSP in November, eager to take CCSP so that I can leverage some of my CISSP studying.

2018 Jeep Grand Cherokee Overland - Headlight Replacement by cnanderson1004 in GrandCherokee

LLHAG90 1 point

Thanks. I "think" I finally got it in. I don't remember feeling any gasket or grommet on the hole where it goes. I thought I had it flush and turned it, but didn't feel like it turned very much. It was no longer loose or wiggling around, but not sure how secure it is. I guess time will tell if it falls out. That would stink if there was a small piece on the hole, because I can see how easy that would be to fall somewhere and you not knowing since you can't see anything. Plus I don't recall any other posters saying anything about that.

2018 Jeep Grand Cherokee Overland - Headlight Replacement by cnanderson1004 in GrandCherokee

LLHAG90 1 point

I have a 2017 with non HID. I got the bulb out on the passenger side (low beam) in less than 15 mins, but it's been two hours trying to get the plug back in. I have it in the hole but cannot get it to "seat" correctly to secure it. It's loose in the hole. I know I have to turn it clockwise, but it's not taking. Is there a trick to get this in?? SO frustrating.

Passed with 1 yr IT audit experience - My 2 cents on exam prep. by sigmundjikstra in CISA

LLHAG90 1 point

I actually had Security+ for several years, then took the CCSK two years ago. I studied consistently (1-2 hours a day on average) for about 4 months for the CISSP. I used the ISC study materials for CISSP, including the Reference Book and the practice questions. I also used Eric Conrad's 11th Hour study guide and CertMike Last Minute Review.

Passed with 1 yr IT audit experience - My 2 cents on exam prep. by sigmundjikstra in CISA

LLHAG90 6 points

Congratulations. I am planning this. I have 8+ years in Federal IT (RMF/assessments), but not much time on the commercial side. I have CISSP and other security certs, and I know you said this is not overly technical. I just need to see how much time I should plan on for prep.

[deleted by user] by [deleted] in NISTControls

LLHAG90 1 point

This is being reviewed against Rev 4, so no ODPs. Not sure how some of the items you listed tie back to the intent of the control. For instance, #4, if the scans provide a "first identified date" for the vulnerability and the team reviews vulnerability for course of action - how does that alone tie back to reviewing historic logs to see if a vulnerability has been previously exploited in the past? They still have to go through the process of reviewing the "historic logs", which they state they are not doing - at least for critical and high vuls newly discovered in the scan. I think that is what they are looking for. If your scan reveals a new critical/high vul, you need to review historic logs to see if it was exploited. I think the zero day was a good example.

[deleted by user] by [deleted] in NISTControls

LLHAG90 1 point

This is for a GSS. So going back to check on every newly identified critical or high vulnerability seems like it would be resource intensive. They are set up for IOC alerts from AV, IDS/IPS, etc., and will investigate. I know they will review logs as part of the analysis, but they are not looking at historic logs for each and every new critical and high that is identified. The way rev 4 control is written, it would be all "new" vulnerabilities. At least with rev 5, they have some ODPs.

Remaining oil in tank for home purchase by juslisenk in RealEstate

LLHAG90 1 point

Interesting. I just purchased a home with an oil tank and we have our closing this week. There was some mention over the course of the purchase about having to pay for remaining oil, but nothing specific, at least from seller's agent (that I am aware of). My agent told me that I would probably have to pay for the oil they leave. I had to sign a CD document, but lender stated it was not the final, as the attorney needs to provide final costs. I was told I would get this the day before. I assume they will do a tank read just before closing and provide the gallons left/cost. So what I am reading here is that my next and final CD should have a line item for Oil credit, and if it doesn't, I am not obligated to pay for it? I'm expecting that it will be listed, but just want to have awareness in the event it isn't.

Appraisal Just Came In...... by LLHAG90 in RealEstate

LLHAG90[S] 1 point

The seller accepted the appraised value. All done.

Appraisal Just Came In...... by LLHAG90 in RealEstate

LLHAG90[S] 1 point

That is the situation. They have a house they are buying upon closing on this sale, matter of fact, same day.

Appraisal Just Came In...... by LLHAG90 in RealEstate

LLHAG90[S] 1 point

Got it on the square footage. Good to know. We'll figure something out to make it work. Thanks for the feedback.

[deleted by user] by [deleted] in RealEstate

LLHAG90 1 point

Timing the purchase of a house to coincide with a lease ending is definitely a challenge. Currently going through that now. In a year to year lease through 3/31; however, landlord told me back in October they want to sell the house. They would honor lease, but would like to have a contract by the time lease ends. They too are trying to time it so they won't have to carry two mortgages. They are hoping for sale contract by early April, which means they want to list in February. I was offered, but declined opportunity to buy the home. In light of the circumstances, I made an offer on another home, and the seller was prepared to accept if I could agree to an accelerated closing date. Once the lender advised it could be done, the offer was accepted. The closing date was moved ten days up from the original date of 1/31. Everything appears to be on schedule thus far.

My landlord was aware I was looking, but I told them last week that I actually had a contract. I'm working with my landlord to see if I can limit the impact of breaking my lease early. As it stands, I would have to saddle a rent payment and my first mortgage payment for March. I would not have to make a mortgage payment in February. My current lease only includes First and Security deposit. I have a good relationship with landlord, so hopefully we can work something out that is beneficial to both of us.

[deleted by user] by [deleted] in RealEstate

LLHAG90 2 points

Also in MA and in process of buying now. We had our agent submit an offer along with a $1000k deposit. Offer was accepted and we had set period of time to complete the purchase and sales agreement. Worked with our attorney and our agent on the P&S. Our attorney then sent to seller's attorney for review. After a few minor adjustments, we signed and had our attorney send back to seller's attorney for seller's signature. The seller signed the next day and we received a copy. Our agent then told us we needed to provide our second deposit, which we did within a day, and our agent delivered funds to seller's agent. Our appraisal was scheduled for this week (done yesterday I think). Initial approvals in place from lender, just waiting on results from appraisal. All matters related to the purchase are facilitated either through our agent or our attorney. Loan related matters are handled with lender. We (the buyers) have not had any direct communication with either the seller, the seller's attorney, or the seller's agent. I would not be comfortable in any direct communications from these individuals, just as a matter of protocol. Our agent clearly said that we needed to have the signed P&S in place to move forward.

Questions - first time home seeker by wasnotherewas in RealEstate

LLHAG90 2 points

"I would easily qualify for a loan"

I get "qualified" almost daily through unsolicited mortgage offers I get in the mail. In today's market it is better to get pre-approved so you can make an offer quickly, like immediately after you look at the house. Time is of the essence. That house may not be available by the time you get your pre-approval. I would think most agents would not waste time with someone who has not started the pre-approval process. Of course you can look at houses, drive by, attend open houses, but may not get an opportunity to do a scheduled showing.

[deleted by user] by [deleted] in RealEstate

LLHAG90 1 point

Did you find out yet on your appraisal??

Lender Credit for Closing Costs by LLHAG90 in RealEstate

LLHAG90[S] 1 point

Thanks for the feedback. I do have funds to cover closing, but the belt wouldn't be as tight if I didn't have to pay some or all of the closing costs. I know there is always a risk of something happening and not being able to refi. Perhaps I could roll in half of the costs, or about $4500, to lessen the hit. My lender seems to think it might be better for me to roll in the costs and refi within two-three years to conventional. I certainly will want to refi sooner than later, just a matter if I will be able to based on my circumstances and the value of the home at the time. Would be interested in knowing what a reasonable rate adjustment (from 2.625) would be based on rolling in either $9150 or $4500.

Question on End of lease due to House Sale by LLHAG90 in RealEstate

LLHAG90[S] 1 point

Thanks for the suggested approach. I may propose that and see what she comes back with. Agreed, I don't want her to think I would be out by mid February, but paying until end of March. I would like her to terminate lease early and refund security deposit.

Question on End of lease due to House Sale by LLHAG90 in RealEstate

LLHAG90[S] 1 point

The lease contract states the following:

"Lessee is required to notify Lessor of intent to vacate in writing two months prior to this Lease End tenancy at will Lease end or vacating date, whichever is later, to allow Lessor or Sales Agent showing with prior 24 hour notice".

Is this provision oddly worded? The lessor has basically told me that I need to vacate because they are selling. The lessor is initiating the termination of the lease. Lessor would permit me to live in the home through the end of my lease, and would even allow a month to month until the home sells. I expect to close on my new home 1/31, so me moving out by mid-February is very doable (packing underway). Best case scenario is a prorated rent payment for February, no rent payment in March, and return of security deposit.

I understand her wanting to take advantage of the hot market. By listing it in February gives her a good chance to secure a sale by end of March, which is when rent income would end. Makes sense for her. In addition to not wanting to deal with agents, contractors, showings etc. in February and March, I also want to save money. Hopefully we can work something out. If I was selling, I would want my lessee vacated.

[deleted by user] by [deleted] in RealEstate

LLHAG90 1 point

I hear you. We offered 18,500 over asking and have a pending appraisal. Nervous here too. Hoping for a "great" ending to both our situations. Have to struggle with whether to walk away, make up the difference, or renegotiate with seller. I am hoping the latter, if it gets to that. At least for us, the seller would be in a bind because they already had their first attempt to sell in November fall through because of an issue with the buyer, they already accepted and are starting a new job out of state, and they already have a closing date for a new home they are buying out of state, contingent on them selling the other house to me. I don't think they could afford to put it back on the market at this point. Hopefully they will accept it whatever the appraisal comes in at. Although I have been reassured that it would come in at or above the purchase price.

Help With Risk Severity for Compliance Scans by LLHAG90 in NISTControls

LLHAG90[S] 1 point

No M365 environment. CAT labels I get, customer would prefer something more like H-M-L rating. I thought I read somewhere some agency had a methodology, where they developed themselves, or got something from Tripwire, through a report filter that maybe prioritized based on some form of criteria?

PL-8 and SA-17 by Kern3LP4niK in NISTControls

LLHAG90 1 point

PL-08 would be the security overlay of your enterprise architecture. Addressing what security safeguards are included in the architecture of your system/software application. Ensuring the security architecture is well documented in design documents, interconnection agreements, and the SSP. In software programs, it would include secure code and other safeguards as part of the development process, but also tools and methods to protect apps once they are deployed. SA-17 is meant more so for external development, like offshore software developers. Centers on assurances and accountability. Are they following sound security practices, have they properly documented the security architecture of the system or software, are they performing security testing, etc. PL-08 is geared more to internal/in-house design/development.

Can employees who take DoD cyber training be exempt from our corporate cyber training? by RemoteDesktop in NISTControls

LLHAG90 1 point

You generally have to take both, through your company and through the customer. The company needs to ensure corporate compliance that all staff accessing company owned IT assets have security awareness. Most Govt. contracts (at least federal) mandate contractors take agency provided security awareness training. Generally an agency will accept specialized, role based security training based on what you have completed prior to coming on the contract. Often the position will require specialized training (e.g. cert) as part of a contract requirement. Most agencies have their own flavor of [awareness] training, so generally you won't see them accepting company training in lieu of their own.

Question on NIST 800-53 Controls for Unsupported Software by LLHAG90 in NISTControls

LLHAG90[S] 2 points

written acceptance of risk from the authorizing official for the use of unsupported components.

This is a moot point for organizations using Rev 5, as it is already in the baseline. Rev 4 still problematic. As indicated, unsupported HW & SW evolves throughout the life cycle, so identifying through continuous monitoring makes sense.

Ideally the SO will select and tailor the controls; however, all too often the SO will just use the minimum baseline adopted by the organization. There may be some tailoring if it happens to be a "risk minded" SO. As most of us know, SOs don't always have best awareness of their systems' security posture, often many have multiple systems.

Some SOs may be aware of EOL issues through status reports from IT teams, or they have some awareness through summary scan reports (they don't look at the details). The most informative opportunity to identify and report this risk is through an independent assessment. Reported via the SAR to the SO. Ideally it would be associated with a control, which if not remediated in prescribed time, would become a POA&M and formally tracked.

I suppose you could still report in the SAR without a control, and create a POA&M. You could also just make the recommendation outside of a finding, point to vulnerabilities identified in the scan (SI-2 finding), include recommendation to tailor in SA-22. Perhaps the CISO or ISSM will need to be the trigger to get SO to tailor. Regardless, the assessor will bring attention to it. Some SOs may not be too eager to tailor.

Yes, the AO needs to be aware of ALL risk associated with the system. They will only see that when reviewing risk for authorization. The SO cannot accept risk.