CISSP exam changes: Tips to pass the new CAT format

Chris Sienko: Hello and welcome to another episode of the Cyber Speak with Infosec Institute podcast. Today's episode is a rebroadcast of a recent webinar entitled CISSP Exam Changes: Tips and Tricks to Pass the New Computer Adaptive Training Format. Your speaker is longtime InfoSec instructor and president of Data Security Consultation and Training, Ken Magee. Ken will discuss the ways the CISSP exam has changed, the challenges and benefits of the CAT format, strategies to pass the exam on your first attempt, as well as answering questions from our live attendees. Just a reminder, if you'd like to see this webinar as it unfolds, including its presentation slides, you can also find this podcast on our YouTube page by searching InfoSec Institute, I-N-F-O-S-E-C, and visiting our channel. So, without further ado, here are along with moderator Camille DuPuis, Ken Magee.

Camille DuPuis: Today We're fortunate enough to have Ken Magee with us. Ken is the president and owner of Data Security Consultation and Training LLC, and they specialize in data security auditing, and information security training. Ken has over 40 years of IT experience in both private industry and the public sector with the last 25 devoted to IT security and risk management. Ken holds degrees from Robert Morris University and Farley Dickinson University and, incredibly, he holds 35 certifications including the CISSP which he'll be going over with us shortly. So really great person to have joining us today. Ken's got a lot of experience and knowledge to share with us, so we thank him for joining us. Ken, I'll now pass it over.

Ken Magee: Thank you Camille for that introduction. Yes, I have been around the block a couple of times. My experience is varied. I've got experience with the federal government in DOD, having worked with US Army. I've got state government having worked with the Commonwealth of Virginia. I've got local government having worked with Orange County, now, that's Orange County New York, not Orange County, California, in a variety of different positions. And, I guess, my last full corporate position was I was fortunate enough to have the chief information security officer role, the CISO role with the Virginia Community College system. So yes, a lot of experience in information. I've been in IT, it seems like forever. But that's not why you're here. You're here to find out what's different and what's new about this new CAT testing, computer adaptive training or computer adaptive testing, from ISC square.

In terms of what has changed on the exam, the format of the question and the question pool itself are the same as they were before this change. The change is in how ISC square is doing the testing and that that is the new CAT format. And we'll talk a little bit about that CAT format, what has changed. We'll also give you some tips on how to prepare for that. But let me, just for a second, talk about that new CAT format, what is it? It is adaptive testing and, by that, I mean every question that you get is your first question. You cannot go back, you cannot flag a question, and then review it later. So, the only way that you can remember what you had before that when you go to the testing center, they will give you a blank sheet of paper and a magic marker to write notes on, and you can make as many manual notes as you want. But, in terms of the testing itself, there's no way of going back to a previous question that's part of the adaptive process.

CISSP has, for a long time now and probably at least for the last 10 or 15 years that I know about, been the gold standard for information security certifications. It is supported, and maintained, and developed by ISC square. That's two I's, two S's two C's, International Information Systems Security Certification Consortium. It's made up of a number of representatives from major countries, and companies throughout the world. So, when you get to the exam, you may look at some of the questions and say, "Well, wait a minute, this doesn't apply to me. This is old technology," but remember it's an international organization. And there were some locations throughout the world where high speed modems are still considered fast internet connection. Currently, there are about 82,000 CISSP holders in the US, and then about 127,000 around the world.

Now, when we say gold standard, for those of you that are familiar with DOD 85-70 that's a regulation that specifies minimum certification requirements if you want to have a security position within the Department of Events and CISSP is one of those certifications that you'll need to have and to have current. You have to make sure that we keep that certificate current. In other words, as Camille said, we have to make sure that we have 20 minimum CPEs per year. And then, over the course of three years, to make sure that we've accumulated 120 so that we maintain that.

Now, one of the questions that may come up is, do I have to retake the exam? The answer to that is no. And I say no because if you maintain your CPEs, in other words, if you get 20 new ones each year, and over the course of three years you accumulate 120 then, ISC square will send you a renewal notification. And as long as you pay your fees and maintain your CPEs, you never have to take the test again. So that might be a question that somebody might be asking.

What's different between the old format computer-based testing and the new computer adaptive testing? The obvious change is that they went from six hours to three hours. They changed it from 250 questions down to 100 or 150. The old and the new with respect to that group of pooled questions remain the same. So out of your, let's say 150, 25 of those are still questions that are being evaluated by ISC square for inclusion in the next iteration, which might be next year's exam.

Now, on the old format you could flag questions, you could go back and review questions, you could go back and change your answers. The questions are the same, so the question pool that ISC square has hasn't changed. They're still the same questions in the new format. What ISC square has done is they've changed it so that they can give you a question in a topic area, let's say, identity and access management, and they can give you an initial question that basically says 50% of the people should be able to answer this question. And if you get that one right, then they give you a question that has a higher degree of difficulty. Get that one right, then they give you another one even more difficult to answer. Once ISC square, and they have an algorithm to determine, if you know identity access management, then they'll mark that as an area that, okay, this test taker knows that area, let's go maybe to business continuity and disaster recovery. And they'll start asking questions in that topic area.

And, again, they go back to the, "Okay, 50% of the people should be able to answer this question." Like, for example, if they were talking about alternate disaster recovery sites, what are the three possibilities? And we know those to be hot sites, warm sites, and cold sites. You get that one right, then they give you a question that's more difficult to do that. But each time they change topic areas. They go back to that, "Okay, 50% of the people should be able get this one right." Now, if you miss one then they might give you another one that's at that 50%, but then they may give you an easier one. You have to pass each domain. You can't fail like you couldn't fail the domain on communications and network security, and pass the certification exam. You have to pass each domain.

Now, the other thing that's interesting about CAT is the number of questions that you get. It is possible for you to get, when you finish question number 100, that the test will stop and then you will go out to the receptionist at Pearson VUE, or PSI, or whoever your testing center is, and they'll hand you a sheet of paper that says, "Congratulations, you passed." And that could be like in an hour and you're like, "Wait a minute, I only spent an hour, I answered 100 and you tell me I passed?" And I've had a couple of students that felt like they were ... I don't want to say cheated, but they felt like they weren't really tested. But believe me, you are tested. You do get questions that are very difficult to answer, and if you can answer those correctly, it is possible to only get 100 questions on the exam.

Now, what I've seen and what I've heard from students that are taking CAT is that it seems to break in increments of 10. Like if you get 100 and then you get question number 101, then it might stop at 110. Or if you get to 110 and then you get question number 111 you might go to 120. And I've had students recently, this week as a matter of fact, that took the exam last week, "Ken, I got 150 questions and I was really worried that I wasn't going to pass." But then they went out to the receptionist, sure enough they had passed. But they had to go all the way to 150. And, again, that's ISC square using enough questions to make sure that you know each one of those eight domains that are contained.

And, again, the question pool is exactly the same. It's the delivery vehicle of those questions that is different. That's all. It's just the way that it's being delivered. We go from six hours down to three, okay? And the maximum amount of time that you have is three. Again, you cannot go back. And I want to emphasize that. You can't flag questions. If you skip a question it's wrong. Every time they ask a question they're using that answer, that information to set your knowledge level for that domain. Again, they started the 50% mark and then as you get questions right they'll give you more difficult, more difficult, more difficult. And then once you reach 100% expertise in an area, they say, "Okay, they know communication and network security. Let's go to risk management and security."

Take your time. Maximum 150 questions, three hours. That means 50 questions per hour. If you just sort of grind your way through, that's a full minute and six seconds for each question that you get, take a minute. If I could give you one piece of advice, when you read the question, stop, take a breath and read the question again. Look for keywords in that. When you get questions, ISC square has gotten rid of all of the double negative questions, they're gone. For, the most part, they have gotten rid of the negative questions. Those questions that say, "Of the following, which one is not part of risk management," so the nots and the excepts, for the most part, those are all gone. Most of the acronyms are now spelled out, so you don't have to memorize 1000 different acronyms. When you get a question they're going to be what is the first thing that you do? Which response is best? Which activity is most likely to occur? So it's first, best, most. We're looking into the positive side of that.

You're going to get some questions and you're going to look at it and you're going to say, "Hmm, I wonder how to answer this one." Remember, CISSP is certified in information security for security professionals. We are making a recommendation to management for what they need to do from a security perspective, so think like the manager. What does the manager need to know? What do they want to think about in order to be able to answer that question, or address that situation that they're facing it? For those of you that have a really strong in depth detail, technical knowledge this might be difficult for you because you have to get out of answering the nuts and bolts, the ones and zeros, and you have to think like a manager. And as long as you can think like a manager, bring yourself up to that next level and get away from being the technical expert you'll be more successful with the questions when they show up on the exam.

There are eight different domains that are spread across this. And if you look at it, for all intent and purposes, they have pretty much remained the same. The major change is two areas. One, telecommunications and network security is a little bit higher, about 2% higher than it was prior to April 15th of this year. They went through, they did a job analysis task force study to see what most of the CISSP holders were doing, and what work they were performing. What they found was there was more emphasis in communication, and I think a lot of that has to deal with the fact that a lot of our data is now in the cloud, and we have to move that data from the cloud to the end user, and we have to go through communications in order to do that.

And what they reduced is security operations, the data center, they dropped that down by about 3%. Again, the whole idea that we're getting away from having our own data centers, and we're moving a lot of that processing into that third-party cloud service provider. So, those are the two big changes that you're going to see. And, again, it's looking at what's happening in the industry, we're moving a lot of our applications into the cloud, so we're getting rid of our in-house data centers and that's why we see an increased emphasis on communication and network security. And, at the same time, a decrease in emphasis on operations, or running that data center. The rest of them remain relatively the same.

Now, just one caveat, and I want to make sure that everybody at least hears this from me, a lot of people seem to be struggling with the fifth domain. That is identity and access management, that fifth one on the list here. And the reason being is that now because we have a lot of our information in the cloud, we have also moved identification and authentication, the identity process to a third-party identity provider. We've moved active directory into the cloud. And then, how do we have a user sign on, put in their credentials, user ID, password, but now that active directory is in the cloud? And that's all that cloud provider's doing is identification and authentication. And then, they're passing a ticket, an assertion ticket over to the cloud storage provider that has your data, and that storage provider is making the authorization decision based upon the fact that the identity provider is saying this is an authentic user.

Now, if you look at things like OAT, you know that you see a lot of webpages where you can sign into, like Orbitz for example, you can sign in with your Twitter account, or your Facebook account. So, the identity provider is really Facebook and Facebook is saying to Orbitz, "I have authenticated Ken Magee as an authentic user," and Orbitz says, "Okay, you're an authentic user, you can sign in and here's what you're authorized to do in Orbitz." And a lot of students have trouble with that domain and understanding that concept, and how we pass that assertion ticket to say that they're an identified, authenticated user over to that other third-party cloud provider that's providing us with the information.

But, again, that's just a focus area. If you're not familiar with what happens with that you might want to make sure that you focus on that, or at least get your bootcamp instructor to spend a little bit of extra time going through IDAM. that's an area that might cause some of you some problems.

Camille: All right, thanks Ken, so much for going over all that with us. That's a really informative session. You have some great knowledge that you're sharing with everyone here and we really appreciate that.

Just as a reminder, you will be receiving, later this afternoon in your email, a free exam tip book, and a little ebook from us. So we've got some great information in there for you to use as you think about either signing up for a CISSP course, or taking the exam, or just learning more about the certification itself.

So, if you are thinking about taking a course, Ken is actually one of our instructors here. Just a little glance here, what your InfoSec flex center would kind of look like if you were enrolled in one of our courses. The reason many students choose a flex pro is because all the benefits you see here. You will receive a pre-study course, daily materials to supplement your lessons, and more. You will also get a CISSP concentration course, so that'd be after you have your CISSP you'll be able to enroll in one of those concentrations. And we also have the exam pass guarantee. So, what that means is that if you do not pass your CISSP exam on the first try we will pay for a second try on that for you.

Ken: Can I add one quick note?

Camille: Yeah, Ken, please do.

Ken: For those of you that are in the federal government arena and if you're looking at DOD 85-70 some of those higher level positions, IM3, IT3, CMD when you want to get to the very top level, do require you to have at least one of those concentration courses, whether it is the engineering professional, or the architecture professional, or the management professional. And this is an excellent way of getting that because you've got the flex pro CISSP bootcamp, so you have that base knowledge. You have your CISSP certification. And the instructors that are delivering the material for InfoSec have those certifications. They have the EP, and the AP, and the MP. So they've been there, they know what's required for that certification, for that bootcamp, and they have the certifications. They've done the work, so you're getting benefit of having instructors for the bootcamp, the CISSP, as well as instructors who also have the certifications. They're not just taking course material and teaching it, they've actually done it. Back to you, Camille.

Camille: Thanks Ken for clarifying that. We appreciate those little tips you have for us. So, next it looks like we have a couple of questions streaming in for us here. Looks like we have one question here from Eric. "How many CP hours are required over three years?" So Ken, can you talk about, is that for keeping your certification, or kind of how that works?

Ken: From the CPE perspective, ISC square requires that you accumulate 120 over three years. Now, there is a minimum per year. You have to have a minimum of 20 each year. Now, those have to be new CPEs. For example, let's say, you go to another bootcamp and you get 48 CPEs, and you want to roll those over because you've already got the 120. You can roll them over to count towards the 120 total, but you still have to get 20 new the next year.

Now, getting CPEs from ISC square, if you're a member of ISC square, is relatively easy. ISC square offers, throughout the course of the year, a number of e-symposiums so that you can just log into ISC square, go to the e-symposium. And then, sit there from home at night you can look at the archive, or at work during the day when the session is live, and accumulate anywhere from one to three CPEs just by sitting there and participating in the e-symposium. So, they are relatively easy to achieve. And if you're a member of ISC square, in other words you've paid your dues and you've paid your membership, then they're free basically.

Camille: All right, great. Thank you. That helps clarify Eric's question, I hope there.

We've got another question, "Is there any practice exams that you recommend or where can people find those?"

Ken: There are practice exams. Now, if you take the bootcamp of course from InfoSec, one of the things that is provided to you besides the InfoSec course material is the official ISC square study guide. When you get that book, if you look at the very last page in the book, Cybex gives you a URL where you can register that book. Once you've registered that book, then there are six bonus exams, that are part of that, that are available to you once you've registered the books. And those are very good. I use those as homework, so every night during the bootcamp I will give my students one of those bonus exams to do.

Now they're not domain specific so, for example, if you take bonus exam number one on Sunday night, the first night of the bootcamp, that first bonus exam covers all eight domains, but it's a good way of being exposed to material. I highly recommend once you get that Cybex official study guide from InfoSec that you go ahead and register the book with Cybex because that's going to give you access to six additional bonus exams. Now, again, that's 150 questions times six, that's an additional 900 questions for you to take a look at.

Camille: All right, thank you Ken. Let's see, we have a couple of questions here. And, as I said, we may run out of time to get to all of them but we will followup if we don't get to yours live today. A question we have here is, what are your thoughts, Ken, on reading the whole book, taking the book quizzes, and the practice tests, is that going to be the best way to pass? Or what are some other recommendations on that?

Ken: My recommendation is that sign up for the bootcamp and take that from InfoSec. And I'll share with you my technique. I teach from the InfoSec course material, but I also use that official study guide to supplement that. So, let's say, on the first day of the bootcamp we will actually cover the first four chapters. So for me to say to you, "Yes, sit down and read the book, and do all of the questions, and do all the bonus exams," but you don't get the experience of an instructor who has been there, who has done the work, who has taken the test, who has talked to other students who have taken it, you're missing that part. So, you're sort of isolating yourself from all of that additional experience and knowledge that the instructor brings to that. So could you do that, just read it and do the questions and pass? Yes. I know some people that have done that.

But the majority of the people that are successful have come to the bootcamp, have participated in the class, we sat there in class and we've debated the questions. We go through and explain why is this answer correct. I mean, if you look in the book and you say, "Okay, this is the answer," and then you look it up in the back of the book and you say, "Yes, I got it right," but that doesn't tell you why it's right. And I think one of the things that Infosec's instructors bring to the bootcamp is the ability to take a question and say not only why is B the right answer, but why are A, C and D wrong? And you're not going to get that if you just read the book and do the questions by yourself.

Camille: Looks like we might have time for just one or two more questions here. So we've got a question from David. He said he heard the Cybex test questions online are not really close to the actual exam questions. Is there another resource that more closely mimics the real exam? Or do you think that that's as close as we're going to get to practice questions for that?

Ken: I've looked at most of the Q&A databases that are out there. I've got copies of most of the books that have been written about the CISC exam. The only other book that I would recommend out of the ones that are there, ISC square has a second book called the ISC square official practice tests book. It is nothing but questions. There are 100 questions by domain in the book. And then if you register the book, just like you register the official study guide, then you're also going to get bonus questions there as well.

Now, what you have to understand ISC square does not share their test question pool with anybody. The way people get these questions is that they talk with students, like you and I, "What did you see on the exam?" And then, they try to replicate those questions. And if you look at some of the questions, some of the questions have been out there for the last 10 years in some of the books that are coming out now. But that would be the best recommendation, would be to get that second official ISC square practice test book. The questions in both, in the official study guide and in the official practice test book, are designed to give you content. They're not verbatim questions, they are not exactly what you're going to see on the exam. They're there to help you understand the content, and as long as you understand the content, and can dissect a question, then you'll be successful on the exam.

Camille: Perfect. Thank you to Ken. It looks like we'll followup with one more question here before we end the session today. So, we have Eric asking, "What is the minimum requirement of knowledge to do a bootcamp by InfoSec Institute?" So maybe kind of what's the background of a lot of people that enroll in these courses, or what kind of previous knowledge do you have to have to understand thee course, maybe?

Ken: Most of my students are coming in with a minimum of at least two years of IT experience. Now, that might be as an application developer, that might be as a system administrator or DBA, a network administrator. It could be somebody coming over from the information assurance area, but they have had at least two years of exposure to IT. Now, granted, there are some students that come in that have got bachelor's degrees in computer science, so they've been exposed to it from a collegiate point of view, but they've been hammering at it in college for about four years. But, I would say, at a minimum two years.

Now, the requirements for the certification, when you get to that point, you pass the test, you still have to apply for certification that requires five years of experience, or four years of experience and a bachelor's degree in order to be qualified. Now, you can take the test without that experience, without the five years and you can get something from ISC square called and associate of ISC square. And they kind of track time so that once you get to that five year experience, then they'll get a letter from them saying, "You've met the experience requirements. Would you like to apply for your actual certification?"

Now, let me just take a second to talk about that quickly for those of you that have not experienced that. Once you get and you pass your exam, you still have to apply to ISC square for the actual sheet of paper for the certification. That requires a person who is a current CISSP holder to endorse you, so you have to find somebody maybe in your company that they already have their CISSP and it has to be current. They have to be maintaining their CPEs and paying their fees. And, essentially, what that is, is that ISC square needs somebody, let's say for example, on your application, you say that you've been doing network security for four years, but there needs to be somebody, your boss, or maybe you supervisor, or somebody that could actually say, "Yes, Eric has been working as a network administrator for four years," but that's the endorsement process once you pass the exam.

Camille: All right, well, thanks so much Ken. Eric, that was a great question. I didn't really know about all the time requirements and the years and stuff, so that was really interesting.

Camille: Ken, just want to thank you again so much for joining us today. A great session today. You just have a lot of knowledge and expertise, and we appreciate you sharing that with us. Again, everyone thanks for joining us as well. You can watch for the ebook and the CPE link in your emails this afternoon. If you're looking for more information before you receive that, you can head over to infosecinstitute.com/cissp go ahead and look more there about what we offer and about the CISSP. If you have any other questions, please direct them to info@infosecinstitute.com and we'll be sure to get back to you. So, thanks again for joining us everyone, and thanks to Ken.

Chris: Thank you for listening to this week's episode. If you like what you heard, please check out more episodes of Cyber Speak with InfoSec Institute by visiting infosecpkstage.wpengine.com/cyberspeak. Podcast listeners who would like to qualify for a free pair of headphones can also visit infosecinstitute.com/podcast to learn more. To check out our free security IQ phishing simulator package visit infosecinstitute.com/securityIQ for realistic phishing templates and a host of interactive security awareness videos. Thanks, again, to Ken Magee for today's presentation, and thank you all, again, for listening. We'll talk to you, again, next week.