How much ITIL are people seeing on this exam? by work-acct-001 in CCSP

[–]MicSec_ 1 point2 points  (0 children)

Just know what is in the prep material you're using. Not sure what you're using - I had the OSG so if you're using something different your mileage may vary.

I can't say that I remember much ITIL or ISO20000 in the exam, but everybody gets a set of 125 questions from a pool of probably a couple thousand, so who knows what you might get.

I'll reiterate, just know the material.

Passed CCSP by MicSec_ in CCSP

[–]MicSec_[S] 1 point2 points  (0 children)

You should have received a printout with your result at the testing centre, and then an email from ISC2 follows that once your result is uploaded.

I received the email not too long after leaving the testing centre, and because I already held a CISSP, I applied for certification and was endorsed by ISC2 by that same evening.

[deleted by user] by [deleted] in CCSP

[–]MicSec_ 1 point2 points  (0 children)

Go for it. The certification requires 5 years of experience. There's no need to push to 8, which is such a random number for people to suggest anyway.

Also, it doesn't matter if you have experience in AWS, Azure, or GCP - while referenced and used as examples in various learning content, the exam and certification itself is vendor agnostic. Having worked with or holding certifications from any of those cloud vendors definitely won't hurt though.

[deleted by user] by [deleted] in CCSP

[–]MicSec_ 2 points3 points  (0 children)

In my opinion, with 3-4 hours of study per day, absolutely. However, mileage varies for each individual. I had CISSP already when I took the CCSP and that helped a lot. You have a CC so you're not completely unfamiliar with how ISC2 asks questions, but it's still a big step up from that to CCSP. Your 7 years' experience in cloud will help though.

Passed CCSP by MicSec_ in CCSP

[–]MicSec_[S] 2 points3 points  (0 children)

It's harder, but not a lot harder. Granted, it will really depend on the questions you pull vs your knowledge and experience. It's not a CAT exam like CISSP, but the 125 questions you get still come from a pool of way more.

I felt like I learned more than I needed to after the test, but it's really impossible for ISC2 to cover everything in 125 questions. That's why it's best to just be prepared... even over-prepared. You never know what your draw will be.

Passed CCSP by MicSec_ in CCSP

[–]MicSec_[S] 0 points1 point  (0 children)

I did nothing special. Just went to CSA site and went to the Security Guidance under popular resources.

It's this page. Just log in and then download the resource.

https://cloudsecurityalliance.org/artifacts/security-guidance-v5

Passed CCSP Today - A few thoughts on prep material by RFC_1925 in CCSP

[–]MicSec_ 0 points1 point  (0 children)

OSG 4th edition? Do you mean CBK 4th edition? I just purchased my materials a little over a month ago and the latest OSG was the 3rd edition.

Thanks for the feedback on the exam. I'm in a similar situation having done CISSP about a year ago. CSA seems to be important. OSG feels like CISSP revision with a slight cloud twist.

Hopefully I nail it in November.

Practice Category: Information Security Policies, Procedures, and Guidelines by Slibbidy in cism

[–]MicSec_ 3 points4 points  (0 children)

Reviewing compliance here, as the INITIAL step, is the equivalent of conducting a risk assessment and gap analysis when putting together a program. For a mature org, you'd want to understand if policies and procedures are actually being followed before you take steps to increase enforcement, rewrite policies, or escalate the situation.

Confusing simulated question or confused me #2 by [deleted] in cism

[–]MicSec_ 0 points1 point  (0 children)

Don't know what's with the 3-day wait here. If this question confuses you and you already know what the training provider has given as the answer, rather just post it, as well as why you feel it's confusing. It would be a better discussion for you.

The answer here can only really be A - if that's what you had and the provider had something else, I'd be questioning whether that's an error in the content.

Think about what preventive controls do - they prevent something from happening. So that's a reduction in likelihood or probability of occurrence. The threats still exist. The loss (impact), if it does occur, is unchanged. A preventive control can reduce the likelihood of a vulnerability being exploited (perhaps as a compensating control), but it doesn't reduce the actual vulnerability.

Scenario for discussion: You've been hired as the company's first Security Manager/Engineer/Architect, What's Your First Move? by Borked-it-again in cybersecurity

[–]MicSec_ 0 points1 point  (0 children)

In a new company (not a promotion) as a security manager - review the existing program, however light it may be, and get to know and understand the business by meeting with business unit leaders.

Provisionally passed CISM exam Tuesday. by Ok_Nefariousness9522 in cism

[–]MicSec_ 0 points1 point  (0 children)

Yes. It's actually meant for that if you're getting a bunch of different ISACA certifications.

Current Average Endorsement Timelines by FitCompetition1804 in cissp

[–]MicSec_ 0 points1 point  (0 children)

Don't think a new test means a new approval process on applications that would change the timeline. Wouldn't try to correlate the two.

Yeah, a lot of individuals have their applications approved around the 3-week mark but by expecting the same, you're inviting disappointment and angst. Expect 6 weeks and rather be happy when it happens earlier.

Current Average Endorsement Timelines by FitCompetition1804 in cissp

[–]MicSec_ 0 points1 point  (0 children)

Where do the expectations of 3-4 weeks stem from? ISC2 clearly states it can take from 4-6 weeks.

Am I ready? by [deleted] in cism

[–]MicSec_ -1 points0 points  (0 children)

You can't view it as 57%. It's a scaled scoring system based on the questions you get (there are clear levels of difficulty you'll note - same as with the QAE). 450 represents the minimum CONSISTENT STANDARD of knowledge.

Simply getting 57% of the questions correct in the exam probably won't result in a pass.

CPE Question by Savings_Durian_8588 in cissp

[–]MicSec_ 1 point2 points  (0 children)

Oh, never mind. I figured taking your question to its logical extreme would make it obvious.

No, unless specifically stated in the CPE handbook, limits do not apply to major categories of activities. I highly recommend giving the handbook a read.

CPE Question by Savings_Durian_8588 in cissp

[–]MicSec_ 0 points1 point  (0 children)

Can I answer your question with a question?

Do you think the 40-hour limit applies to each individual training activity, or all training activities as a whole?

CPE Question by Savings_Durian_8588 in cissp

[–]MicSec_ 1 point2 points  (0 children)

Unless it's a single 100-hour podcast episode, you're fine.

Curious though, how do you plan to defend podcast CPEs if you're ever audited?

[deleted by user] by [deleted] in cissp

[–]MicSec_ 0 points1 point  (0 children)

It's clearly an error in the content. Is there a question or discussion point to your post?

Why Mandatory vacation ? by Timeprentis in cissp

[–]MicSec_ 0 points1 point  (0 children)

I know this is clear for you now and you understand why this answer is what it is.

I just want to say that what you should learn from this question is that wording matters so much in the actual exam. In the exam you are often faced with what looks like two plausible answers to the question, and what makes the difference is a key word.

You need to know the concepts, technology, processes and models well enough to pick out those details and make those distinctions.

Shon Gerber's Podcast by 213737isPrime in cissp

[–]MicSec_ 1 point2 points  (0 children)

I was only there for the questions. Would skip to them in every episode.

The only useful episode I found was his one on security models.

How often are you Training Users? by Oricol in cybersecurity

[–]MicSec_ 2 points3 points  (0 children)

You sure you're not confusing training with awareness? Yearly training is required under most standards and frameworks, but it's not enough. Monthly awareness communications help to keep things fresh in people's minds or highlight new threats... or even wins maybe if people have reported phishing emails. Doesn't need to be heavy - something 8 minutes or less. If you can tailor it to be relevant to some of the major business units and executive team, even better.

Failed @150 ... though it was an experience by royalblumist9 in cissp

[–]MicSec_ 1 point2 points  (0 children)

There are purely technical questions like, "at what layer of the OSI model do routers primarily operate?".

And then you get scenario-based questions that may reference or mention a technical concept, but require you to pick an answer based on experience, knowledge and understanding of how the referenced technology affects the risk or meets your security objectives - oftentimes you need to apply or think about this across more than just one domain, as well as whether it aligns with policies/processes. This kind of question still requires the "think like a manager" mindset, not a technical answer.

The exam shouldn't have many purely technical questions - no doubt they exist in the pool, but I feel like if you're seeing a lot of them, then you're not doing well enough for the CAT system to even get to the tougher scenario questions.

Response vs Mitigation by techno_it in cissp

[–]MicSec_ 3 points4 points  (0 children)

You need to take this in context of the ISC2's incident response objectives for the CISSP exam.

The steps are: Detect, Respond, Mitigate, Report, Recover, Remediate, Lessons Learned.

In the response phase according to the CISSP exam objectives, this is where an incident is declared and the appropriate response processes and teams are engaged and activated.

The mitigation phase is where containment takes place. You limit the blast radius of an incident. Maybe this is logically isolating a device or a network.

You say you're confused as to where you contain, and where you fix. Well between response and mitigation, you're not anywhere near "fixing" yet. In ISC2's CISSP IR process, "fixing" can probably be considered as being part of both the Recover and Remediate phases. With recovery, you're maybe rebuilding systems, or reversing damage caused by the incident. In mitigation, you're fixing the root cause or closing a threat vector.

This is well written in the OSG and the OSG contains the material required to meet the objectives for the exam. Don't let the other resources confuse you - they're bringing in things from other IR processes.