CISSP After-Action Report

4 minute read

TL;DR

On 18 February 2020, I “provisionally passed” the CISSP examination on my first attempt at 100 questions with self-study. I’m writing this post to give back to the community some of my study practices that allowed me to conquer this beast of an exam. The r/CISSP Reddit Community was instrumental in their general guidance, after-action reports and recommended study materials. Therefore, in order to tell them everything they already know BUT especially to reinforce everything they already know, this is what I did:

Resources Used

Books I used:

Audio Book:

Testing Engines:

Videos:

Quick Review:

I was fortunate enough to get access to O’Reilly Learning provided by my employer, so if you can swing that it will get you access to all the books (and much more). If you have never had Audible, you should be able to get a free or inexpensive trial period for the Essential CISSP audiobook. Boson Practice Exams are no doubt one of the best resources you can get because of the way they word the questions and explain the answers. Do read all the answers to get the true value of these exams. The product normally goes for $99, but they frequently run sales.

Previous Experience

To get view into my professional experience, take a look at my LinkedIn. I’ve worked in Government/Military Information Security & IT roles for quite a while, but still felt very far from where I needed to be to conquer this exam. I identified pretty early on that my trouble domain was going to be Domain 8 - SDLC!

A Working Father’s Study Plan

60 Days total study-time was my goal.

Days 1 - 15
├── Essential CISSP (Listened during commute DAILY)
├── IT Dojo Question of the Day (I watched around 25% of the videos)
├── Cybrary CISSP (Kelly Handerhan) 1.25x Speed - Take Notes!
└── Read CISSP 11th Hour

Days 15 - 45
├── Bi Weekly Tests (Boson/Wiley) (Identify weak areas)
├── Read the Sybex OSG! Must be done within 30 days. (See Book Attack Plan Below)
└── Deepen notes while reading. Skim all major references (i.e., NIST Special Pubs, ISO, etc.).

Days 45 - 60
├── Daily Practice Tests (Settings: 20-50 Question Tests; >3 Right Boson OR Pearson)
└── Deep Dive Key Processes (SDLC, RMF, BCP/DR, etc.)

Days 53 - 60 
├── Daily FULL Tests (Settings: >4-5 Right Boson OR Pearson) & Full Notes Review
└── Read CISSP 11th Hour (A Few Days Before Exam)

With Boson, at the end of the exam it will show you a listing of all the references. My advice is to open all the external references and read them. In addition, I did a lot of Googling, solidifying my knowledge with various sources in areas I felt I was weak on.

Book Attack Plan

I wanted to take no longer than a month to digest the book. On average, it takes roughly 32 hours to read based on read-time metrics found on O’Reilly Learning. Below is how I broke down the book to hold myself accountable to a plan.

Week 1: Domain 1 & 2

Domain 1: Security and Risk Management (315 mins)
├── Chapter 1 Security Governance Through Principles and Policies (103:30 mins) 
├── Chapter 2 Personnel Security and Risk Management Concepts (94:18 mins) 
├── Chapter 3 Business Continuity Planning (51:45 mins) 
└── Chapter 4 Laws, Regulations, and Compliance (63:15 mins) 

Domain 2: Asset Security (71 mins) 
└── Chapter 5 Protecting Security of Assets (71:18 mins)

Week 2: Domain 3

Domain 3: Security Architecture and Engineering (489 mins)
├── Chapter 6 Cryptography and Symmetric Key Algorithms (70:09 mins)
├── Chapter 7 PKI and Cryptographic Applications (67:51 mins)
├── Chapter 8 Principles of Security Models, Design, and Capabilities (85:06 mins)
├── Chapter 9 Security Vulnerabilities, Threats, and Countermeasures (182:51 mins)
└── Chapter 10 Physical Security Requirements (80:30 mins)

Week 3: Domain 4, 5 & 6

Domain 4: Communication and Network Security (278 mins)
├── Chapter 11 Secure Network Architecture and Securing Network Components (162:09 mins)
└── Chapter 12 Secure Communications and Network Attacks (114:60 mins)

Domain 5: Identity and Access Management (165 mins)
├── Chapter 13 Managing Identity and Authentication (88:33 mins)
└── Chapter 14 Controlling and Monitoring Access (75:54 mins)

Domain 6: Security Assessment and Testing (60 mins)
└── Chapter 15 Security Assessment and Testing (59:48 mins)

Week 4: Domain 7 & 8

Domain 7: Security Operations (349 mins)
├── Chapter 16 Managing Security Operations (79:21 mins)
├── Chapter 17 Preventing and Responding to Incidents (134:33 mins)
├── Chapter 18 Disaster Recovery Planning (85:06 mins)
└── Chapter 19 Investigations and Ethics (47:09 mins)
 
Domain 8: Software Development Security (152 mins)
├── Chapter 20 Software Development Security (86:15 mins)
└── Chapter 21 Malicious Code and Application Attacks (64:24 mins)

Timeline

  • 18Feb2020: Exam Passed
  • 19Feb2020: (ISC)² Email Received and Endorsement Application Submitted
  • 19Feb2020: Member endorsed my application and (ISC)² received endorsement documentation and have placed it in queue.

The Long Wait Begins…

  • 16Mar2020: Received a Congratulations/Approved Application email from (ISC)², but it did not let me pay my AMF fees right away. But hey, 26 days from endorsement… not bad!
  • 16Mar2020: It finally showed the link to pay my fees, $125 later and I’m “officially” a CISSP.

Thanks!

Overall, not a bad experience and I’m glad it’s behind me. Looking forward to getting back to deep diving AWAE from Offensive Security, and hopefully come out with OSWE this year.

Good luck future CISSPs, be confident in your knowledge, and DM me on Twitter if you need anything.