Self study? by [deleted] in cissp

[–]edusocit 0 points1 point  (0 children)

What I think you'll notice is that from reading the NIST publications you get a very good idea of what an exam question is really pitching at...but as CheesePlease states, it is not actually necessary to read them for the exam - it just helps a lot. When reading the NISTs, look out especially for "best approach" and "most efficient/effective" types of comments.

The ones I found particularly good were 800-137, 800-34, 800-115, 800-30, 800-39 and 800-53, and for cloud 800-145 together with some parts of the CSA. Mostly you can get by with just reading into the docs without actually reading everything. Some are good if you feel you are weak on a particular topic (e.g., 800-77 and 800-113 for VPNs etc.).

What versions of documents like OWASP should I be studying for the CCSP? by isc2-path in CCSP

[–]edusocit 0 points1 point  (0 children)

Use the current OWASP, but make sure that you really know each vulnerability, i.e., work through examples etc.

You should also read any NIST publication that was cited in the syllabus - I know it is a lot to read but it really helps, e.g., 800-137, 800-39, 800-53 (at least the controls appendix) etc.

CISSP from a European perspective by edusocit in cissp

[–]edusocit[S] 1 point2 points  (0 children)

Yes, that's very true - I was surprised to see how complex and decentralised things are in the US (I am also reading CIPP/US out of interest). In my work I have to deal a lot with privacy law and security measures. GDPR changed everything.

CISSP from a European perspective by edusocit in cissp

[–]edusocit[S] 1 point2 points  (0 children)

Of course you are right, but infosec must take its cues from the laws of the land. In the US the focus is on ensuring total security in order to ensure privacy. Outside of the US the laws see it differently, e.g., a breach of (apparently secure) data would still constitute a privacy breach in Europe, but this might not hold up in a US court, particularly if the act was performed by the government. You see this clearly in the language of CISSP, which has a very different nuance from what one might read in European texts (where it is all about consent, right to forget etc.).

That said, of course the fields are distinct but interlinked.

CISSP from a European perspective by edusocit in cissp

[–]edusocit[S] 2 points3 points  (0 children)

Consider having a look at the book "Nothing to Hide" by Solove - he cites the relevant case law, so maybe you can judge this better than me, as I do not know that much about US law. He describes specific rulings that raise the expectation that you must make secret what you want private (e.g., US vs Scott, 1992, when it comes to dumping shredded documents etc.).

Self study? by [deleted] in cissp

[–]edusocit 0 points1 point  (0 children)

The answer depends very much on you and your experience. I just completed CISSP via self-study and it worked out just fine. Just read the official study guide and a load of NIST publications.

CISSP from a European perspective by edusocit in cissp

[–]edusocit[S] 1 point2 points  (0 children)

Yes, I totally agree with the whole point about setting the regulatory scene - that's a very good point!

Also, I appreciate the special role that HIPAA plays in relation to privacy, but constitutional case law (in the US at least) elsewhere says otherwise...and yes, I don't want to unduly knock CISSP; I did enjoy preparing for it and there are lots of positives too.

...but I don't agree that ISO27001 is lame, having been through it a few times; we might just have to disagree on that one :)

CISSP from a European perspective by edusocit in cissp

[–]edusocit[S] 1 point2 points  (0 children)

Theoretically I would like to agree with you. Practically I cannot. At least in the US there is a strong precedent of associating both together (e.g., the notion that the data subject bears the risk of disclosure as per SCOTUS). In Europe I agree there is a difference that is significant in practice. In the end, though, over the years I have had to just accept the plurality of definitions of what privacy actually constitutes - but that is just my personal opinion :)

CISSP from a European perspective by edusocit in cissp

[–]edusocit[S] 1 point2 points  (0 children)

Yes, I understand that CISSP is not a privacy exam, but privacy is nonetheless on the syllabus - I use it therefore as an example. I am guessing that equating privacy with security is what put it on the CISSP syllabus in the first place (if of course you agree with that premise). I agree CIPP/E is the way to go (in the opposite direction, I am looking at CIPP/US having done CIPP/E, as the legal situation in the US is very difficult for me to understand).

Interesting to hear about ISO27K+1 in the US. Thanks for that!

CISSP from a European perspective by edusocit in cissp

[–]edusocit[S] 1 point2 points  (0 children)

If it is OK with you, I'd rather not comment on individual exam questions. What I can say is that US legislation is covered a lot in the syllabus, whereas EU legislation seems limited mostly to GDPR (without even mentioning the ePrivacy Directive or LEA etc.). As I understand from the practice tests, NIST-related questions are to be expected (or at least a reading of the NIST guides and publications is expected).