The Decidedly and Proudly
Unofficial CISSPforum FAQ
Answers to Frequently Avoided Questions about CISSPforum
a.k.a. The Big Dummy’s Guide to CISSPforum
a.k.a. The CISSPforum Policy Manual
FAQ originated by Chris Brown, heavily edited by Rob Slade and Gary Hinson
with numerous contributions from generous and sometimes unwitting
CISSPforum members and, allegedly, the Usual Suspects
Latest update one idle Friday in June 2015
Please use the following URL to link to or reference this FAQ:
2 BASIC FORUM USE
3 FORUM CONTENT
4 ZOMBIE TOPICS
5 FORUM MEMBERSHIP OPERATIONS AND SETTINGS
6 (ISC)2 STUFF
1.1 What is the point [of this FAQ]?
We’re not sure really. Does it need a point? How sharp must it be?
This document is the unofficial FAQ (Frequently Asked/Avoided Questions) for users of the CISSPforum mailing list run by (ISC)² for all CISSPs and SSCPs (at
least). It is a collection of answers to questions that mostly are or have been repeatedly asked in the forum and (arguably) important information related
to appropriate and inappropriate use of the forum.
This FAQ inhabits a lesser-known quiet cul-de-sac just off the information superhighway, a side-turning from the roundabout behind the noisy industrial estate known as:
We’d ask you to bookmark the URL for future reference and share it with your fellow CISSPs and SSCPs but we know that’s a waste of good bytes. Google
has heard of it anyway. Thank Google for that!
If you’re not entirely sure what an FAQ is, permit Cragin to explain:
FAQ on FAQs.
1. What does FAQ stand for?
Frequently Asked Questions.
2. Frequently? How many times does a question have to be asked before it is added to a FAQ?
None. The entire set of questions was written before the final fielding of the system or web site to which they refer.
3. None? Just how often are these questions asked?
4. Asked? Who asked them?
No one asked them. OK, well, actually, the implementation team wrote the questions, but they already knew the answers
when they wrote them, so they were not actually ASKING the questions.
5. Questions? What kind of questions are the FAQ?
They are second and third sub-level topical headings from an unfinished (or unstarted) users' manual that have each
been restructured from a statement to an interrogatory.
6. Why did the implementation team write the FAQ?
Because as they were in the final phases of fielding, they realized that the development team had either never gotten
around to preparing user documentation, or had done such a shabby job that it was useless, and further that the
operational interfaces of the application were so non-intuitive (or counter-intuitive) that end users would only be end, and never users, without instructional hand-holding.
7. Then what is the purpose of the FAQ?
The FAQ is used by Tier 1 Help Desk staff to avoid having to learn the application while at the same time allowing
them to make callers feel simultaneously lazy and stupid: "You want to learn how to framitz the onglethard? It is
clearly explained in the FAQ on our web site. Didn't you look at the FAQ before calling?"
Copyright © D. Cragin Shelton 2008
1.2 What is CISSPforum anyway?
As vaguely hinted-at by its not exactly cryptic name, CISSPforum is basically a discussion forum for CISSPs (Certified Information System Security
Professionals). It is also inhabited by SSCPs (System Security Certified Practitioners) and possibly others such as CSSLPs (Certified Secure Software
Lifecycle Professionals) and Cprofs (Proficient Cyclists). Apart from Dorsey Morrow ((ISC)²’s former legal counsel, but don’t hold that against him),
nobody much from (ISC)² global headquarters appears to hang out on the forum. Whether that is because they are too busy counting great piles of AMFs,
hob-nobbing with the big nobs or simply “having a life”, we’re not sure. Anyway, the upshot is that it is a local forum for local people. It is user-led and
(ISC)2 promotes and describes it thus:
“Subscribe to our CISSP Forum and enjoy communicating with fellow CISSPs about a wide range of information security topics. Your forum
quickly will become a valuable tool for you to use, enabling you to learn from and teach your colleagues around the world. Whether you’re
posting a new topic or responding to a current one, exchanging information is an important part of being an (ISC)² member.”
Membership of CISSPforum is a little known benefit of gaining your CISSP, little known largely because it takes such skill and perseverance to locate the forum sign-up page buried deep within an underground bunker lurking underneath the (ISC)2 website. As one of the members said, “The most useful
thing I got from my CISSP is this community - a wealth of knowledge and experience.” Some might even agree that we should earn CPEs for actively contributing to CISSPforum.
Although the forum is run as a Yahoo! group, DO NOT WASTE YOUR VALUABLE TIME TRYING TO SIGN UP DIRECTLY ON YAHOO!. Your application to
join the forum will be checked and verified directly by (ISC)² to confirm that you really are as qualified as you claim to be. Unless you are an IT forensics
specialist who enjoys bizarre technical challenges, instructions for signing-up are given below.
CISSPs who successfully navigate the virtual obstacle course to sign-up to CISSPforum join a friendly community of several thousand peers - mostly
qualified information security pros from all parts of the globe and all sexes. Some of us are newcomers to the profession, recently qualified, while some
are grey-beards with a decade or four of experience in the trenches. Our ranks are swollen by IT auditors, consultants, trainers, security officers, security
managers, scholars of ancient Greek and others, mostly but not entirely CISSPs. Welcome all.
As a community of professional practice, CISSPforum is a great place to discuss information security and closely related topics. The scope of the forum
naturally includes the ten areas of (ISC)²’s Common Body of Knowledge (the CBK) which coincides, thankfully, with the CISSP exam. We also discuss the ISO/IEC 27000 series (ISO27k, ISMS), ISO 9000 (QA), ISO/IEC 20000 (ITIL), IT governance, SOX, IT risk management, IT audit, IT forensics, UNIX/Windows/MacOS/OS390/etc. etc., networking, vulnerabilities, Windows, Windows vulnerabilities, (and occasionally Mac vulnerabilities, Linux
vulnerabilities ...), Stuxnet/Duqu/Flame and other alleged cyberweapons, APTs, BYOD, in fact anything that’s hot in information security is likely to be
brought up at some point, often before it hits the industry rags if slightly behind the blogosphere. It’s like an information security club, an online
interactive encyclopaedia with several thousand qualified contributors. OK, to be honest it’s more like a few dozen really active contributors plus a few
thousand lurkers but we “feel their presence” in a spooky sixth-sense Stephen King’s Carrie kind of way.
Some of the discussions are straightforward questions and answers, that’s it. Others develop into full-blown discussion threads, depending on the skill or
good fortune with which the original poster crafted a post containing such subtle nuances or contentious language that more people felt compelled to
respond. Urgent but un-lame help messages generally get answers within minutes, while more contemplative posts can trigger threads that run for days
or sometimes weeks. By and large, it is all very good natured, open and safe, though there’s often the very faintest whiff of sarcasm, especially when
someone purports to be an expert on some topic. The forum is a wonderful safety vent for burning information security issues that bug you, and to
challenge accepted norms. You’ll find deep technical threads running alongside lighter topics. Members contribute wisdom, knowledge, opinions and
more for the benefit of all. Many of us have become virtual friends through the forum while others are virtually friends simply by virtue of their
participation. We’re never stuck for friendly local guides when visiting far-off foreign lands although we’re still patiently waiting for our first forum
romance, or rather the first one to be publicly acknowledged.
1.3 What are CISSP and SSCP?
CISSP (Certified Information Systems Security Professional) is a certification awarded to the deserving by ANSI-accredited (ISC)² confirming that the
Despite what many recruitment consultants and other infosec-challenged people might think, CISSP is not a deep technical security qualification. It
requires a reasonable understanding of both technical and non-technical information security matters, with the emphasis on breadth over depth of knowledge. That said, many CISSPs do have deep technical security knowledge and expertise in one or more of the ten domains defined by (ISC)² in the
Common Body of Knowledge (CBK), whereas some of us just wing it.
SSCP (Systems Security Certified Practitioner) is a qualification demonstrating some practical experience of working in the infosec trenches (for
example in security administration). It is seen by some as a foot in the infosec career door, a means to show commitment to the field prior to gaining
much work experience and a ticket to join CISSPforum. It is also suitable for those infidels who have not yet fully dedicated their lives to the glory of
infosec, those who in other words “have a life”. The pre-qualification criteria reflect pretty much any professional/junior management job, with just the
barest hint, the merest smidgeon of infosec.
1.4 Is there an official CISSPforum FAQ?
Yes, well kind of. (ISC)² published the (ISC)² forum guidelines independently of and prior to first publication of this FAQ.
In case of unexpected conflict between the official (ISC)▓ forum guidelines and this unofficial FAQ, expect weird things to happen as the space-time
continuum is rent asunder.
The information provided in this FAQ is not guaranteed <full stop>
The information provided here is often the curious opinion of one deluded person and, however unlikely this may seem to them, there may conceivably be
valid opposing views. Use the information in this FAQ at your own risk. Your mileage may vary. Do not run with scissors. Do not pass Go.
This is not legal advice. The legal buck doesn’t even think about wandering through this quiet turnpike on the information souperhighway while charging its time by the second.
The unofficial FAQ is neither promulgated nor endorsed by (ISC)2, its officers or its affiliates, nor by any government, nameless government agency or
religion. It is technology-neutered. This is an independent unofficial and decidedly cranky work by a tiny albeit vocal and rather cynical minority of CISSPforum members with this particular version having been heavily modified by self-acknowledged beards-of-colour who are clearly disturbed, senile or
‘under the influence’, and possibly all of the above.
GM-free. Ford-free too. No cute cuddly animals were harmed in its production, only nasty slimy ones.
This FAQ is so environmentally friendly, it is likely to slip quietly away to hug yet another tree the very instant your back is turned. Please don’t print it out, especially if you have an evil printer from hell.
1.6 Other versions of this FAQ
The original plain text FAQ was and remains available only to CISSPforum members. It was extensively updated, worked over and generally roughed up a
bit by Rob Slade and assorted elves in 2005/6. To take a look (provided you are a member), logon to Yahoo! Groups, open the “cisspforum” group, go to
“files” and scroll down to find “cisspforum-faq.txt”. It’s the one cunningly titled “cisspforum-faq.txt”.
The sexy HTML web version now appearing on a screen near you was conceived by Gary Hinson in October 2006 and is updated when inspiration happily
coincides with a spare hour, which frankly is not very often these days. Comments, further questions, answers and jokes are always welcome, via CISSPforum if possible. See the contact details towards the end whether you’d like to contribute something deep and meaningful or chuck rotten eggs.
2 BASIC FORUM USE
2.1 How do I post messages to CISSPforum?
Any member of CISSPforum can post messages to CISSPforum simply by emailing email@example.com. Please use plain text and be reasonably succinct. Messages can also be posted online using the Yahoo! web interface by members who have tied their membership address to a
CISSPforum automatically rejects messages posted by non-members, unless they have carelessly allowed their login credentials to be stolen by a spam
bot (which happens occasionally - CISSPs are only human). Nevertheless, this is still the most effective anti-spam system we have. Spammers who join
the forum are soon shown the error of their ways and risk being “horse whipped with Cat5 cable” (according to one member’s email signature anyway).
Identify yourself, please. Your Yahoo! profile name or email address is seldom sufficient to identify you, at least until you have posted often enough that
others will mutter under their breaths “Oh no, not him again!”. Simply end your posting with a standard business-like salutation including your name or
else a nickname or some other term that you are happy for us to call you. Otherwise we will choose our own name, and it may not be to your liking. The
person who posts under the pseudonym “/bpm”, for instance, probably does not appreciate being called “Slash” but at least he/she has a sense of humour.
When asking a question or seeking advice, give us a clue about your context. Your situation is probably relevant to the advice you seek. Government
practice is different from commercial, not-for-profit, finance, healthcare, SME ....
If you are posting a long hyperlink, please either create and supply a shortened URL as well as the full link
or simply enclose your long URL in angle brackets < and > which allegedly tells some email clients not to break the URL into little bits.
Do your homework before posting to CISSPforum to avoid being soundly lampooned. This is a professional forum for qualified information security people. Some Forumites just love to show off their extensive knowledge at every available opportunity and you’ll often get a broad range of opinions from
the Forum ranging from short snippets to extensive diatribes. However, we resent being used as the research mechanism of first resort. If a poster is too
lazy to craft a simple Google search or two and follow up on the results before coming to us, some of us are not afraid to say so. It may help to
demonstrate that you have already made an effort to answer your own question. By briefly describing your research and analysis so far, you can prove
that you are not just an information leech. You will also give the experts here a chance to go directly for the deep dive without repeating the basics you already know. You might try Asking Questions The Smart Way and, whether you are a Microsofty or not, read this advice also.
Finally (and this should really be the First Law Of Posting), please give your audience a moment’s consideration before hitting the <SEND> button. If
you are sending or responding to an inflammatory or incendiary email, at least sleep on it first or read this. If you are pillorying someone for asking a
question the wrong way or saying something dumb, or complaining to the entire mailing list about something that offends you, remember this sage advice:
It is better to be thought a fool than to open your mouth and remove all doubt.
Please be tolerant of others. We are not all on your wavelength. Some of us barely even speak your language (and you’ve probably never even heard of
ours). CISSPforum is a global melting pot, so please don’t post anything racist, sexist, elitist or any other kind of ist and please don’t fan the flames.
2.2 Is it safe to post my first message?
Of course! We’re all friends here! To the few thousand CISSPforum lurkers, we say: de-cloak and bathe us liberally in your knowledge and experience.
Don’t be shy. Even “me too” is marginally better than stony silence. But please re-read the tips just above before you dive right in.
There’s a special CISSPforum rule for Those Who Have Never Posted (you know who you are - we call you the Forum Virgins). You have full permission
to make Your First Posting without fear of retribution, dissent or ridicule. The trick is to write “First posting” or similar in the subject line and include
something interesting in the body of an email message to firstname.lastname@example.org.
The CUSses, beards-of-colour and others faithfully promise to be extra nice to you on your first posting. To be honest, we’re all generally nice people who
don’t bite but occasionally bark a bit, albeit sometimes up the wrong tree. Hot discussions break out from time to time and create plenty of smoke but actual flames are very rare (see below for fire retardant advice).
2.3 How do I get people to respond positively and helpfully to my queries?
Good question! We heartily recommend and endorse the excellent advice in How to ask questions the smart way. It’s also not bad, by the way, on how
to reply smartly to questions ...
2.4 How do I reply to messages?
CISSPforum has been set up so that, by default, replies are sent to the entire forum not just the originator of the message. That’s several thousand
information security professionals. If one day you accidentally reply to a forum message with a personal response without altering the To: line, be aware
that your peers will see your ‘private’ message. The cranky ones will give you grief to add to your misfortune, no doubt ribbing you rotten for your mistake.
If you wish your reply to go to only the originator, copy that person’s address into a new message or choose the individual address as an option if you are using the Yahoo! web interface. If you insist on sending ‘private’ messages to us all, please make them juicy if not defamatory, and prepare to
be savagely lampooned.
2.5 Where have my messages gone?
Sometimes, for no obvious reason, messages sent to the forum get delayed. It happens unpredictably, with differing delays. The forum is run by Yahoo!
which, we are led to believe, is a fairly popular interwebpipes thingummy that gets overloaded and backlogged at times, presumably because it is running
on a steam-powered Acorn Atom, a PDP-11 or perhaps a much more modern machine ... running Windows 10. It might be interesting to check whether your message was listed on the Yahoo! Groups web interface at about the time you sent it (implying a delay on the Yahoo! output) or the time it finally
arrived (an input delay) ... but either way, there’s not much (a classic understatement!) we can do about it. It’s annoying, especially when messages
finally get distributed sequence out of. Yahoo! presumably has a technical/admin contact, someone who occasionally stokes the chicken poo in the boiler maybe. Alternatively, (ISC)2’s Wilf Camilleri or Blaise Kengoum might be able to help (email email@example.com). Ask them to ask Yahoo! to poke the
2.6 How do I turn down the volume?
At times, CISSPforum can be a LOUD mailing list with up to 3,000 messages per month. Other mailing lists only go up to ten. CISSPforum sometimes reaches eleven. If it is too LOUD for you, here are seven volume-moderating techniques:
Skim the subject lines and just delete anything mentioning, for example, LinkeDin or other lame topics. Don’t fret.
Read CISSPforum as a daily digest with all the day’s takings in one mega email. This is a Yahoo! option.
Check the senders. Some forumites are worth reading, others worth skimming, some deserve to go straight into the bit bucket without even
opening. Your email client probably has the tools to do this automagically. Look for ‘email rules’ or ‘filtering’.
Set aside a certain period of time each day to peruse the latest mailings. When your time is up, delete the remaining unopened messages and go back to Real Life.
Don’t bother about keeping up with the latest topics. Use Yahoo!’s search routines to check the archives. There is a wealth of accumulated
information, and it’s surprising how often we discuss the same things over and over like a recurrent nightmare.
Read the forum using Gmail or a similar email facility that automatically links postings with similar subject lines into threads. Pick out
interesting threads. Ignore the rest.
Ignore everything. Delete without reading. Unsubscribe. Go on, miss out on those golden nuggets that would make all the difference to your
career. Go ahead - see if we care. Talk to the fingers cos the keyboard ain’t listening.
(Bonus idea) Don’t send complaints about the volume of the list to the list. Don’t send complaints about LinkeDin, daft jokes and comments
to the list. Don’t try to send attachments to the list. In particular, if you are catching up with emails, look through the list of emails to see if
anyone else has already commented or complained about a posting that upsets you, and leave it at that. Think twice before posting fresh junk, even on Fridays.
Use your delete key as it was meant to be used and move along - in other words Get A Life.
2.7 What do I do if (when) a posting upsets me?
Unless you are extremely liberal and tolerant, someone is bound at some point to post something that you don’t like or that offends you in some way.
Very often if you post a complaint, someone else will complain about your complaint and pretty soon we get into a huge and unedifying “discussion”.
People telling other people to take their complaints offline will, of course, do this online.
Personal attacks are more hurtful than helpful. While you might really want to say something along the lines of “You need a good kick to the head or an
enema - in your case, those may end up being one and the same”, the following fire-retardant advice, originally posted on the forum by a wrinkly diplomat, sums up how to avoid fanning the flame wars:
I’d recommend peace, love and understanding all round.
Be tolerant and respectful of others on the forum. We have many
cultures, abilities and styles here. We are not all like you.
Many of us have never even been to your country.
The forum is self-moderated. Self restraint and tolerance are the watchwords.
Count to twenty before responding to jibes. If someone has upset you,
explain to them (and only them) what upset you, and let them respond privately, off-list.
If someone complains to you about your behavior, consider their feelings.
Please avoid slanging matches on the forum - take them off-line
behind the bike sheds perhaps.
If someone asks a dumb question, remember that you too were dumb once
and if you insult the questioner’s intelligence for asking such a
question, you still are. We all had to start somewhere.
This is a community of peers. There is room for humour and occasional
off-topic discussion but, please, take it easy on our <Delete> keys.
Enjoy the variety of experience. Relish the challenge of
understanding others’ points of view. Chip-in if you have something
constructive to say, to seek clarification, or to challenge underlying assumptions.
If you think the emperor has no clothes, speak up. Some of the best threads start that way.
And if all else fails, hit your <delete> key, chill out and move along.
2.8 Trolling and troll-baiting
[ASCII art sign reading “DO NOT FEED THE TROLL. Thank you. CISSPforum”]
If you are a troll, or if you feel compelled to point out that someone else is trolling, or are responding to a posting by a troll, or posting about someone else responding to a troll, or are defending or criticising a troll or those who have previously defended or criticised a troll, or are in any other way referring
to trolling, please add [Troll] to the subject line of your message so that those of us with automated anti-troll filters have an easier time*. Better yet,
before posting your message, please reconsider whether doing so will increase or decrease the signal-to-noise level for the majority of Forum members or
whether your spleen might be better vented against the alleged troll directly, off-list. On behalf of us who actually do have a life, thanks very much.
* The more advanced CISSPs simply configure their systems to route all troll messages directly to Write Only Memory (WOM) devices installed at several
highly redundant but totally secret locations on the intergalactic Interwebnet. It is alleged that one of these black holes has been found lurking within the (ISC)2 website but the last brave datagram we sent in there to check it out never surfaced, at least not in our galaxy.
2.9 Are there rules for the forum other than this FAQ?
Yes - go to the back of the class and re-read an earlier section. Remember, this is the unofficial FAQ.
The universal rules for posting stuff to newsgroups and similar online discussion fora, neatly summed up in a short video, apply here too. In this sense alone, CISSPforum is not special at all.
Furthermore, thanks to one of the more surreal CISSPforum Friday threads, it has been acknowledged that there are certain “unwritten” rules for the forum.
Look under Yahoo! Groups > CISSPforum > files for the file “cisspforum-faq-unwritten.txt”.
2.10 Can I distribute files via CISSPforum?
No, at least not directly. Any file attachments sent to the mailing list will be summarily stripped off by Yahoo!. Members who post documents or other
materials will be embarrassed at having posted, essentially, nothing. “Here it is!” they exclaim, triumphantly but here it is not. This is lame.
However, any forum member can upload a file to the Yahoo! Groups files area and optionally announce it on CISSPforum. Be sure you have permission
from the copyright holder before publishing anything in this manner: reaching thousands of peers effectively places it in the public domain and we
wouldn’t like to see you marched-off by the DMCA Gestapo...
An even better idea if you want more than just casual feedback on your document is to write and upload a draft to Google Docs and post a forum
message inviting CISSPforumites to collaborate on writing/completing it. The combined brain power is awesome and we have yet to see a document that
cannot be improved by the wider perspective. We’d encourage you to acknowledge all those who actively contribute and ideally publish the finished item
to the CISSPforum files area or publicly under a Creative Commons license, but hey that’s your choice.
2.11 Is this forum private?
What do you think? (ISC)2 and Yahoo! are both American organizations. The servers are probably in America, land of the free. Do we really need to spell
it out for you? Ask Edward Snowden.
Membership in the CISSPforum is allegedly restricted by (ISC)2 to those holding CISSP and SSCP. Generally speaking, a number of respected CISSPforum
members take the membership restriction to imply that it’s a discreet and exclusive private gentlepersons’ club. They hold that discussions on
CISSPforum should not be discussed or reproduced elsewhere, outside the forum, believing that “what happens on the forum stays on the forum”.
Restricting discussions to the CISSP community will hopefully result in a freer and franker exchange of ideas, the theory goes.
That said, given the membership of thousands, it is not entirely sensible for members to assume that the content of messages they post to the forum will
remain restricted to the membership. Those concerned about privacy and confidentiality (and which of us isn’t?) should bear in mind the old adage that
you should never send anything by email (or indeed by courier) that you would not want to see on the front page of the newspaper. Do your own risk assessment, folks.
As a point of etiquette, if you wish to raise the issues discussed in CISSPforum elsewhere, it is best either to rewrite the salient points in your own words
(sanitizing the identities and expunging the facts as appropriate) or to contact the original author/s for explicit permission, or both. Members contacted
in this way are invariably flattered to be asked. You will almost certainly get the help you need to re-publish or at least plagiarize the salient parts from
the original piece, and make a new friend in the process.
3 FORUM CONTENT
3.1 Is there an archive of CISSPforum postings?
Yes, postings to CISSPforum are automatically archived for all posterity on Yahoo! Groups. Remember this if you are about to flame another member or post something private, off-topic or lame. The cream of CISSPforum postings may also be shamelessly plundered for FAQ content.
3.2 Is this the proper place to compare certifications?
Probably not. The topic has been raised before and you are free to give it another go. You’ll get replies, some thoughtful, some not.
Strangely enough, most CISSPs maintain that CISSP rocks. Many of us, having CISSP on our CVs and business cards, are curiously defensive of the
certification’s integrity and value. We have something of a vested interest.
3.3 Is this a good place to ask ethical questions?
Yes if you like but try firstname.lastname@example.org instead for a more reasoned discussion.
3.4 Is it OK to ask about topics previously covered?
Everybody does it but if you do not normally monitor the forum, it would be appreciated if you would first check the archives. Please see the next section too for information about zombie topics.
3.5 What is OT (off-topic)?
Any forum posting containing “OT” in the subject line is considered off-topic and liable to be summarily deleted by those with More Important Things To
Do. It is considered rude to post off-topic messages without the “OT”, and in fact slightly naughty to post on-topic messages with subject lines that just
happen to contain those two specific letters in conjunction. As to exactly what is considered on- or off-topic, or at what point on- becomes off-topic or vice versa, well that’s a matter for your good judgement, or rather that of the majority of people on the list, or rather that of the vocal minority who feel
compelled to tell us all whether something was on- or off-topic.
To be fair, on/off-topic is not a binary choice when it comes to many discussion threads, but subjects such as US gun laws are likely to descend rapidly
into the abyss of politics, religion or both, leaving information security for dust.
There is some guidance on this point in the (ISC)2 policies:
“(ISC)2 forums are not moderated. Note that this is prime: you might see anything here. Don’t complain about it.”
Actually, membership in the forum is strictly moderated, as you know. Postings are not specifically moderated. However, if you say something really
annoying, somebody from (ISC)2, usually that nice man Dorsey Morrow, (ISC)2’s corporate counsel, will send you a nasty note and if you
persist, you’ll be unceremoniously booted-off.
The issue of moderation is another running joke on the forum: if you post a message asking why the moderator isn’t doing something, one of the
long-time and vocal members (otherwise known as the Usual Suspects) will generally post a message claiming to be, or to nominate, the
moderator of the week, and dispense moderation, in moderation.
It is traditional for the moderator not to be informed of his/her/its status. For example, Rob Slade was moderator during the early part of
December, while he was out of town, only finding out upon his return. There being no moderator at that point, he had nobody to complain to.
Some of the subsequent (ISC)2 guidelines contradict the issue of non-moderation a little by laying down explicit rules:
Others are a little more helpful:
“Use of a forum to advertise conferences, seminars and training related to the list topics is permitted.
When replying to postings, please include the original posting but only include the relevant parts of the message.”
... with which last point we in the forum heartily concur.
The normal rules are relaxed slightly on Fridays but always beware going too far off-topic.
3.6 What topics are lame?
We all say dumb things from time to time but asking genuinely lame questions or offering supremely lame answers on CISSPforum can be a character-building experience, unless it is your first post anyway.
Before you ask a question, have you at least Googled it? Have you made even the slightest effort to search for the answer yourself? If so, great, go
ahead and ask away. If not, be prepared to be told in no uncertain terms “Try looking at the first response on this Google query: ...”.
Zombie topics, out-of-office messages and off-topics are also considered more or less lame.
Responses can be lame too. It’s fair to assume, for starters, that the original questioner has a modicum of intelligence and security expertise. To avoid
cluelessness, take this classic response as a warning: “In order to attack your target, you should first recommend that your target gets an actual computer (www.dell.com or www.hp.com are two sites I’ve found useful for this), running Windows (www.microsoft.com, can be obtained at www.amazon.com).
The attacker should of course know how to write an actual exploit (books at www.amazon.com, many sources to be found on the ‘Internet’, which you can
recognize since it all starts with the characters http://). One thing that is often overlooked by junior hackers (explaining many failures to achieve desired
goals) is that they do need a ‘computer’ for this (again, see www.dell.com, or for something more prestigious or esoteric try www.apple.com). I’m sure you realize all this, but one cannot be too careful.”
3.7 Where can I find thread summaries?
Basically, you can’t, but you can search the archives. The upgraded Yahoo! search facility is not too bad, compared to say pulling your own teeth out with
a rusty farm implement. Don’t worry, though, because this situation was accurately predicted by a rather boring prophet: “There shall in that time be
rumors of things going astray, erm, and there shall be a great confusion as to where things really are, and nobody will really know where lieth those little
things with the sort of raffia-work base, that has an attachment. At that time, a friend shall lose his friend's hammer, and the young shall not know where
lieth the things possessed by their fathers that their fathers put there only just the night before, about eight O'clock.”
You may like to subscribe to the list using a Gmail account that automatically threads the responses.
3.8 When is Friday?
One of the unwritten rules of CISSPforum is that the normal rules (both written and unwritten) for posting messages are relaxed on Fridays in preparation
for the weekend’s fun (the equivalent of dress-down-day, bad shirt day, or POETS day), within reason. Since “within reason” is itself part of the unwritten
rules that are relaxed, even that is optional but please be sensible. This is a multicultural professional forum and we’re all pretty busy. OK perhaps not quite so busy on Fridays.
On Fridays, expect to see the usual sarcasm, irony, pathos (and bathos), poignancy and passion, anecdotes and hopelessness, delicacy and discernment,
humour (sometimes without you) and satire, derision and hyperbole, alliteration and synecdoche turned up a notch, with the occasional deep and
meaningful discussion on coffee, donuts, poutine and sushi. Have fun, just avoid turning up the heat.
It has been alleged that some members literally dress down on Fridays. Whether this extends to nude posting is unknown at this point and none of us has the nerve to ask.
Those CISSPforum members who have the benefit of living slightly West of the International Date Line start their Fridays in advance when other less
fortunate members to the East are still living in the past. Therefore, Fridays start on Thursdays. What’s more, when the less fortunate Easterners post
their Friday messages, it is already The Future for the very same Westerners. Although certain grammatical problems are created by this particular form
of time travel, the Westerners enjoy Easterners’ Friday postings on Saturdays. So, to summarize, “Friday” = Thursday + Friday + Saturday. With the ever-worsening delays in Yahoo! Groups, postings can now come two days late, or more, so therefore postings made Tuesday and Wednesday = “Friday” and
postings sent “Friday” may show up Sunday or Monday, thus all seven days of the week are now officially “Friday.”
It has subsequently been suggested that “Friday” be celebrated only on days that begin with the letter "T" including Tuesday, Thursday, Today, Tomorrow, Thaturday and Thunday. We like Fridays on the Forum.
4 ZOMBIE TOPICS
4.1 What are zombie topics?
All manner of information security and other fascinating topics have been discussed on CISSPforum over the years. It is a fairly high-volume list with a
large and active membership. The following topics, however, have been discussed to death, several times, yet somehow they refuse to lie down and die. Please check the archives for the full nine yards on any of these topics. The forum is not moderated so you are welcome to raise these topics yet again
(provided you have Something Important to say on the subject) but if you do, be prepared for a somewhat less than enthusiastic response and watch out
for silver bullets, pointed wooden crosses or garlic around the door.
4.2 Zombie topic: reformed hackers
Been argued, no resolution. Some hold that, like Caesar’s wife, infosec professionals must be above suspicion, whiter than white (hats). Some hold that
reformed hackers have “paid their debt to society” and have useful knowledge to contribute. The ensuing exchange is a bit like the Pope discussing religion with an atheist.
The arguments are also trotted out when discussing whether to even appear on the same conference speakers’ platform as the likes of Messrs. Mitnick
and Abagnale. Some of us will, some of us won’t. It all depends on the height of one’s horse.
4.3 Zombie topic: security ROI (Return On Investment) or ROSI (Return On Security Investment)
This is undoubtedly an important topic but most of us are tired of seeing the same old same old. CISSPs have at various times challenged the “R” and “I”
part of ROI, and the future is not so ROSI according to some. To make things still worse, the quantitative vs. qualitative vs. hocus pocus risk analysis
thread often gets intertwined with the ROI zombie, making our lives a misery for a couple of weeks at a time.
If you have something truly novel to say on justifying security or risk management expenditure to management - a new approach, a revolutionary
investment model, a neat way to persuade management to lengthen the corporate purse strings (something like a metrics dashboard using blinkenlights maybe?) - go ahead but for your own sanity, please check that we have not already thrashed the life out of it.
4.4 Zombie topic: cissp.txt
We are really tired of this topic. One or more of the following zombies arise from their tombs every six to twelve months to haunt us with their blood-curdling cries:
a) “There is a list of CISSPs at [someURL].cissp.txt. This is appalling!”
b) “There is a list of CISSPs at [someURL].cissp.txt and my name is not on it! What gives?”
c) “There is a list of CISSPs at [someURL].cissp.txt and my name is on it! Aaaiiieeee!”
Yes, it’s true. There is a list that appears at various places around the net, usually named cissp.txt. This contains some names and contact information
(some of which, shock horror, are still valid!) of CISSPs who had listed themselves in the public directory at ISC2.org (some people say circa 2003, others
say early 2005). At one time someone lame evidently mined the public directory, possibly for marketing purposes. Later, someone thought it would be a
good joke to post the list on the web to see if they could get lots of people upset. They appear to have succeeded. Several times around.
Oh, and a special note for posters in category (c). You have had your CISSP for a while and posted some info to the (ISC)2 public directory, so why are you
so upset? Get real.
4.5 Zombie topic: terrorism
Terrorism and indeed cyberwarfare/WWIII do have a relevance to security, of course, but please try and contribute some light to the discussion, not just more heat. Check out the archives and see what has already been said. Postings advocating violence against any persons or groups are DEFINITELY way off-topic.
4.6 Zombie topic: can I get CPEs with that?
Every so often, someone asks “Can I get CPEs for [taking a prep course for something else | listening to my iPod | watching Sneakers | doing CISA/CISM homework | etc.]?”, sometimes with the rider “I’ve checked the (ISC)2 guidance but what do you think?” ... and the forum groans.
Forum members can only give unofficial and generally unreliable advice on this point. Does the material in the [course | iPod | film | etc.] pertain to the
CBK domains of the CISSP certification? If the material is pertinent to the CBK, Jack Holleran for one would say “yes”. One hour of relevant infosec study
earns you one CPE, provided it can be validated in some way.
For the definitive answer on CPEs, (re-)check the official (ISC)2 CPE guidance, download and read the official CPE guidelines or contact (ISC)2 directly. The official guidance is reasonably comprehensive and not too bad actually in terms of opportunities to earn CPEs for free. Remember also this helpful point
from (ISC)2: “As a professional who follows the (ISC)2 Code of Ethics, please use your best judgment within these guidelines to select those activities
which qualify for CPE credits and which will enhance your professional development.” In other words, be sensible and play nicely.
FWIW, here’s a bunch of ways of continuing your professional education and, in many cases, earning CPEs as you do:
Attend local chapter meetings and events of information security groups such as ISSA, ISACA, HTCIA, Infragard, AFCA, ASIS, various infosec SIGs, (ISC)2 etc. Better still, join the groups and actively participate. Even better, research topics, write presentations and offer to deliver them at
such meetings. Best of all, join the committee and serve on the board of directors.
Attend or at least listen to presentations, conferences, webcasts/webinars/e-symposia, Podcasts etc. by security product vendors, infosec
luminaries and other CISSPs. Actively participate where possible. Posing awkward questions is especially recommended in the case of vendor
presentations (and really ought to qualify for special bonus CPEs). Many organizations that routinely release webcasts (such as CERT) send
email notifications to their mailing lists when new ones are announced. Most webcasts, conference presentations etc. are archived and remain
available for a while, which is handy if the initial broadcast happens in a different time zone to you and thus interferes with “having a life”. It’s
also a legitimate way to cut down the total time commitment thanks to the fast forward button and skimming stuff you already know (use with
care - in some cases, there may be nothing of any substance left). Better still, research, prepare and deliver such presentations.
Read information security magazines such as Infosecurity Professional and look out for advertised events and seminars. Some mags on (ISC)2’s
recommended reading list provide rather lame CPE quizzes, ostensibly to check that you have actually read and understood the content. The
quizzes are not that hard to fake but remember why you became a CISSP, and why ‘Continuing Professional Education’ is worthwhile. No matter
how devious and diligent you may be, I don’t believe “Researching and exploiting design flaws in CPE quizzes” itself qualifies for CPEs and probably fails the CISSP ethics canon.
Write articles on information security and related topics for publication in professional journals such as EDPACS, ISSA Journal, and Proceedings of the IEEE.
Read information security books and ideally write reviews of them for other prospective readers. Better still, write good infosec books.
Read and preferably comment on or otherwise contribute to infosec blogs.
Prepare and/or deliver training seminars on information security-related topics, such as CISSP, CISM and CISA revision courses, study groups etc.
Review and comment on draft information security standards, professional practice statements and the like. Please at least try to be constructive.
Write new CISSP (or CISA or CISM) questions. This is well worthwhile but much harder than it may appear. You are unlikely to earn as many
CPEs as the number of hours you actually put into researching, writing and honing your questions.
Study for further qualifications. In the case of information security-related qualifications such as CISSP concentrations or CISM and CISA, don’t
forget that CPEs earned for any one probably qualify for the others too. Honestly, it gets easier.
Volunteer to proctor CISSP (or CISA or CISM) exams. Several CISSPforum members say they signed up but never got the call so don’t bank on this one.
Volunteer to take over publishing and maintaining this FAQ. Please.
Last but not least, actively participate in CISSPforum. Share your security wisdom. Challenge the accepted order. You don’t earn CPEs purely for
participating, unfortunately, but may well do so in the course of researching and writing thoughtful forum postings. Remember this point when
getting ready to post something. While it’s easy to dash off a quick email with little if any thought, taking a bit more time to get your thoughts
in order, find, check and incorporate relevant references, and provide something of genuine value to your peers will earn you more respect on the forum, and perhaps a few CPEs too.
The bottom line: CISSPs who are truly committed to the information security profession have absolutely no trouble earning sufficient CPEs. If you are
scratching around to find enough CPEs to clear the minimum hurdle of 120 CPEs per 3 year cycle (for CISSPs), step back and take a look at your
commitment level. Are you in the right profession? Is your personal development and career advancement really of so little concern to you? Gosh.
See also the notes on submitting CPEs, a lame topic.
4.7 Zombie topic: why are we still using Yahoo! Groups?
Every so often, someone asks indignantly why we are still using Yahoo! Groups because it is plainly horrible and there are many much better alternatives
Out There. If you check back through the archives you will see numerous and expansive discussions of alternatives. This issue has been discussed ad nauseam, with the consensus being that there are distinct benefits to this forum being maintained on a non-(ISC)2 system.
(ISC)2 has tried alternatives in the past and even got as far as announcing the imminent closure of the Yahoo! Groups forum in January 2005 “within 3 months” but all previous attempts fizzled out without seeing the light of day.
Of course we could declare independence and hoist the flag on our own breakaway CISSPforum ... except for two little caveats:
(ISC)2 owns and for good reason jealously guards the CISSP trademark to prevent confusion with other - lesser - products. This means we
probably could not use “CISSP” in the name or web pages promoting the breakaway forum.
Only the all-seeing (ISC)2 knows who is currently certified so, unless we simply trust everyone who applied to join the breakaway forum (and
trust doesn’t come easily to paranoid security types like us), we have no way to limit the membership to CISSPs. There is of course a plethora
of non-CISSP information security forums already in existence and we would simply be adding to Web entropy.
Now if only someone could persuade (ISC)2 to issue digital certificates to CISSP holders, certificates that could be validated by anyone, then we’d all be
deliriously happy and the world would be a nicer place. Job candidates could prove their CISSPness. Forum moderators could check the CISSPness of
applicants. Global warming (allegedly) would reverse (or not). Unfortunately, since (ISC)2 evidently finds it difficult even to structure its own website, there’s about as much chance of this happening as <insert your choice of something really not very likely at all>.
4.8 Zombie topic: “We’ve been hacked - what do I do?”
Luckily this zombie is not as frequent a visitor to the forum as some of the others but we do occasionally get someone hitting the big red panic button and
emailing in, all red-faced, sweaty-browed and hair growing visibly more grey by the minute. A typical question might be “I’ve just had a call from the Help
Desk. They have taken a call from a user in the business who says his PC is acting strangely. The network boys and girls tell me there is loads of traffic
on the user’s LAN segment and it looks as if the machine is spewing out spam like it’s going out of fashion. HELP! What do I do?”.
The responses usually wander into various aspects such as which are the best forensics tools to analyze the system, how to analyze the live system
before shutting it down, and why it is so important to brew up an incident management process BEFORE not DURING an incident, but the best immediate
response to date on this sort of query is: “If you believe the system is compromised, and you don’t have the tools and skills to perform live (or any) forensic analysis,
pull the network cable and get an expert. Don’t switch it off. Don’t even run a directory listing.”
If you are the expert, and you’re already on site and ready to go, IT forensics grab-bag in hand, things are different, obviously.
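The symptom in the question above (one PC suddenly pushing a flood of mail-like traffic onto its LAN segment) is the kind of thing a defender can spot from network-side records without touching the suspect machine at all, which keeps the “pull the cable, don’t run anything on it” advice intact. The script below is an added example, not part of this FAQ and not anything (ISC)2 publishes; the flow-log format, the addresses and the idea of a single sanctioned mail relay are all assumptions for the sake of illustration. It reads a handful of constructed flow records, flags any internal host that opens direct outbound SMTP connections to many distinct destinations within a short window, and returns the first-response note the quoted reply recommends.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample flow records (not real traffic). Columns are assumed:
# timestamp, source IP, destination IP, destination port, bytes sent.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes
2015-06-05T09:00:01,10.1.5.23,203.0.113.10,25,4200
2015-06-05T09:00:02,10.1.5.23,203.0.113.11,25,4100
2015-06-05T09:00:02,10.1.5.23,198.51.100.7,25,3900
2015-06-05T09:00:03,10.1.5.23,198.51.100.8,25,4400
2015-06-05T09:00:03,10.1.5.23,203.0.113.12,25,4050
2015-06-05T09:00:04,10.1.5.23,198.51.100.9,25,4300
2015-06-05T09:00:05,10.1.5.42,10.1.0.5,25,1200
2015-06-05T09:00:06,10.1.5.42,10.1.0.5,25,900
2015-06-05T09:00:07,10.1.5.77,203.0.113.50,443,15000
2015-06-05T09:01:30,10.1.5.23,203.0.113.13,25,4100
"""

# Assumption: ordinary desktops send mail only through this corporate relay,
# so direct SMTP from a desktop to the outside world is itself suspicious.
INTERNAL_MAIL_RELAYS = {"10.1.0.5"}


def parse_flows(text):
    """Parse CSV flow records into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["ts"]),
            "src": r["src"],
            "dst": r["dst"],
            "dport": int(r["dport"]),
            "bytes": int(r["bytes"]),
        })
    return rows


def find_spam_sources(flows, window=timedelta(seconds=60), min_distinct=5,
                      relays=INTERNAL_MAIL_RELAYS):
    """Return {src: (window_start, distinct_destinations)} for every host that
    opened direct outbound SMTP (port 25, bypassing the relay) to at least
    min_distinct distinct destinations inside any window-sized interval."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == 25 and f["dst"] not in relays:
            by_src[f["src"]].append(f)

    findings = {}
    for src, lst in by_src.items():
        lst.sort(key=lambda f: f["ts"])
        # Slide a window over the host's own flows, oldest first; report the
        # earliest window that crosses the threshold and move on.
        for i, start in enumerate(lst):
            dsts = set()
            for f in lst[i:]:
                if f["ts"] - start["ts"] > window:
                    break
                dsts.add(f["dst"])
            if len(dsts) >= min_distinct:
                findings[src] = (start["ts"], len(dsts))
                break
    return findings


def first_response(findings):
    """One note per flagged host, following the forum's standing advice:
    isolate at the network, keep power on, touch nothing on the box."""
    notes = []
    for src, (ts, n) in sorted(findings.items()):
        notes.append(
            f"{src}: direct SMTP burst from {ts.isoformat()} to {n} destinations. "
            "Pull the network cable or disable the switch port; leave it powered on; "
            "do not log in or run anything on it; hand it to incident response."
        )
    return notes


if __name__ == "__main__":
    for line in first_response(find_spam_sources(parse_flows(SAMPLE_FLOWS))):
        print(line)
```

The threshold and window are deliberately crude; the point is that the detection runs against flow data collected elsewhere, so nobody has to sit at the suspect PC running directory listings to notice the problem, and the note it produces stops at containment rather than investigation.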
5 FORUM MEMBERSHIP OPERATIONS & SETTINGS
5.1 How do I subscribe to CISSPforum?
1. First, get the easy bit out of the way: get yourself certified as a CISSP or SSCP by (ISC)2. The forum is allegedly for the certified only - or at least we thought so: according to some, you may be admitted if you merely apply for the qualifications and consider yourself certifiable. (ISC)2 owns the group and can do what they jolly well like.
2. Go to Yahoo! and create yourself a profile if you don’t already have one. Use the email account you will want to use on the CISSPforum. (This step is not strictly necessary, but comes in handy at times later on, and is easy to do while waiting for glacially slow results from (ISC)2.) This step doesn’t even have to be done first, either, hence the reason it is conveniently numbered ‘2’.
3. Visit the (ISC)2 website and request an account there if you haven’t already got one. An account on the (ISC)2 website will let you access the private CISSP area on the site. You’ll need it anyway to submit your CPE credits online to maintain your certification. It’s also handy for getting onto the jobs board there which is notable for its lack of results but why not give it a try, eh? Warning: the (ISC)2 website has won the World’s Least Intuitive Website Interface Award hands-down.
4. When you have your (ISC)2 account, log in to the (ISC)2 website using your CISSP number/exam candidate number as your login ID and your secret password.
5. Browse around fruitlessly until you eventually stumble across the link for (ISC)2 forums ... or just click here. REMEMBER THIS PAGE AND HOW YOU GOT TO IT! YOU WILL NEED IT TO UNSUBSCRIBE, IF YOU WANT TO. TWEET IT! BOOKMARK IT! WRITE IT ON A POST-IT NOTE NEXT TO YOUR PASSWORD! TELL YOUR FRIENDS ABOUT IT!
6. Starting part way down the page are a bunch of forum sign-up forms, one of which casually mentions CISSP Forum. Fill out the form using the email account that you want or the one you used in creating the Yahoo! profile. Make sure that you choose the correct CISSP Forum, currently listed as “Yahoo!Groups” since (ISC)2 has been experimenting with alternatives since 2004 (!).
7. Wait a few hours. Wait a few days. Wait a week or two longer. Eventually you will either get an invite or start getting email from CISSPforum.
8. After lurking and watching for a while, please send us a nice ‘hello’ message, ideally with something interesting about you, your job, your interests, your favorite security standards, almost anything really. Tell us what you thought of the CISSP examination maybe. Say how you found out about the CISSPforum (was it through this FAQ?). Once you have successfully posted to the CISSPforum, you will be able to search the archive. If you never post, you won’t.
If you get stuck, you might contact Wilf Camilleri or Blaise Kengoum using email@example.com but
try to find and complete the (ISC)2 forum sign-up form first.
You could always ask a fellow CISSP for help or ask them to post your question on CISSPforum. Good coffee or alcohol usually helps.
5.2 How do I join CISSPforum if I’m not yet a CISSP?
Easy: get yourself a coffee, turn off your phone and spend a merry hour or two absorbing the solid information and advice in an excellent Flash tutorial
from ardent CISSPforum member and security evangelist Clement Dupuis. Become a CISSP or SSCP and you will be welcome, if not compelled, to join the CISSPforum.
For fans of the UK comedy series, Little Britain, yes, CISSPforum is a local forum for local people.
Alternatively, try appealing to (ISC)2.
5.3 Since this is “CISSP Forum”, that means that all participants have their CISSP, right?
Kind of. Lapsed CISSPies have been known to hang around like a bad smell long after their certifications have expired. (ISC)2 also allows wet-behind-the-ears candidates to become members so long as they are exam candidates, thus the members of this forum may or may not have anything to do with the CISSP certification. (ISC)2 claims to have it all under control but whether you trust them depends on your paranoia quotient. Regardless, you can usually tell the actual CISSPies and especially the CUStards by how cranky they are, but not always: some remain stealthy.
5.4 Can I access the forum and files on Yahoo!?
Errrr. When you sign up for CISSPforum at the (ISC)2 site, you are subscribed to the mailing list. You can’t access the forum with any method other than
email until you either create a new Yahoo! Groups ID or associate an existing Yahoo! Groups ID with the CISSPforum. Here are explicit instructions for both options:
a) Create a new Yahoo! Groups ID (if you don’t already have one):
Go to Yahoo! and click the blue “Register” link on the left or right hand side near the top. In alternate email address, enter the address that is
currently receiving the CISSPforum. If you fake the demographic information on this page, it will come back and bite you when you need to
recover the password you forgot. Be sure to clear the “send me special offers ...” checkbox unless you really want to fill your inbox and make
sure your birthdate makes you at least 18 or Yahoo! will ask for your mommy or daddy ;-)
Once you have registered, be sure to set your “marketing preferences” which Yahoo! will promptly honor within a week (says so on the screen).
b) Add CISSPforum to your existing Yahoo! Groups:
Log in to Yahoo! Groups, then click “My Groups” in the upper right hand portion of the page.
Click ‘Edit my groups’
Link your login ID to the CISSPforum by searching for groups with your email address on their list.
5.5 How do I temporarily stop getting email from the forum or change to digest mode?
Well done to you if you thought of this before shooting off on that extended vacation or business trip. Please read the next answer also.
First, you must have a Yahoo! ID and password and that account must be associated with this list. See above for how to do this.
Once logged in click on ‘My Groups’, find the link for the group ‘cisspforum’ and click on it.
Then click on ‘Edit My Membership’ near the upper right part of the page. You will see a list of options.
DO NOT UNSUBSCRIBE FROM THE GROUP! It’s a pain to have to sign-up again later. Rather, look for the section ‘Message Delivery’. In this
section select ‘No Email’ and click on the ‘Save Changes’ button at the bottom of the page.
To start receiving email again, get back to the options page but select ‘Individual emails’ instead. Don’t forget to click on the ‘Save Changes’
5.6 How do I set up my Out-Of-Office message so I don’t spam the whole forum?
Do not turn on “reply-to-messages-not-sent-directly-to-me” or “reply-to-all”. Your best bet is to RTFM for your email system or call your IT Help/Service Desk.
5.7 How do I change the email address with which I subscribed to CISSPforum?
Go to Yahoo! and create yourself a Yahoo! profile if you don’t already have one.
On the “Manage My Groups” -> “My Email Preferences” page, associate the currently-subscribed email account with the Yahoo! account. Confirm it.
On the “Manage My Groups” -> “My Email Preferences” page, associate your new email account with the Yahoo! account. Confirm it.
On the “Manage My Groups” -> “Edit My Groups” page select from the “Email Address” drop-down the email address which you wish each
Yahoo! Groups list you’re on to use.
If desired, you can then delete the old email account.
5.8 How do I unsubscribe?
CISSPforum is a lifelong commitment. Unsubscription is not an option: once you’re in you’re in. You can check out any time you like, but you can never
First, do not unsubscribe using the Yahoo! Groups subscription maintenance features for fear of rending asunder the very fabric of the known universe. To
subscribe and unsubscribe, always use the (ISC)2 website.
Log in from the main page with your User ID and password. The same page you used to subscribe is the one you use to unsubscribe (it’s a different form, lower down the page). (Told you you’d need it) (Bet you wished you’d saved it to your favorites now, huh?)
If you are absolutely desperate to leave CISSPforum, there are still further alternatives:
Follow the instructions towards the bottom of every CISSPforum email (you know, that big load of nonsense you always skim), where you will find
“To UNSUBSCRIBE, visit the CISSP Services Page, https://www.isc2.org/cgi-bin/cissp_forum.cgi
Do not send unsubscribe messages to the CISSP
Send unsubscribe messages to the CISSPforum, several if you like. Be rude back when forum members complain. If you are outrageously
obnoxious, you will be unceremoniously booted-off the forum although if you take this too far there’s a distinct chance you may end up in court and/or be de-certified on ethical grounds.
Configure a spam rule in your email software to route every message with [cisspforum] in the subject line to the bit-bucket.
Sign in to Yahoo! Groups, access the CISSPforum list settings page and set it to ‘no email’. This won’t actually unsubscribe you but will stop the pain.
5.9 How do I join LinkeDin for CISSPs?
Both CISSPforum and LinkeDin are business-related social networking services, allowing you to leverage your professional network to gain access to a
broader range of professional colleagues and their contacts. They are both good for staying in touch or getting back in touch with long lost colleagues.
The CISSP group on LinkeDin is simply a subset of LinkeDin members, all of whom are CISSPs and have been verified as such by (ISC)2.
Sign-in to the (ISC)2 website, opt-in to the LinkeDin group under the communication preference tab on your profile, request to join the CISSP group on LinkeDin ... and wait patiently.
LinkeDin allows you to have different email addresses associated with your profile. Ensure your (ISC)2 primary email address is one of those associated and confirmed with your LinkedIn profile. Your (ISC)2 primary email does not need to be your primary LinkedIn email address, but must be associated with it.
Go to ‘My Profile’ then ‘My Contact Preferences’.
Under the section headed “LinkedIn for CISSPs”, select the ‘Yes’ option, then at the bottom of the page click the SAVE button.
Request to join the CISSP LinkeDin Group on LinkeDin if you have not done so already, using this link
If you are ‘declined’ from the group and have faithfully followed all the steps shown here, email your information to firstname.lastname@example.org including the magic word ‘declined’ in the message subject.
Please DO NOT post LinkeDin validation messages, requests or complaints to CISSPforum.
6 (ISC)2 STUFF
6.1 How do I receive regular communication from (ISC)2?
Method 1: subscribe to the (ISC)2 newsletter. To do this, simply sign into the (ISC)2 website, then click on “Subscribe to (ISC)2 newsletter.” You will be
taken to a bcentral.com partner site where you must provide your email address, name, city, state, country and company name, or at least you need to
supply entries that satisfy the data entry validation routines. You may also disclose your interests (very short list) and certifications (also a short list).
Within a few minutes you will receive a confirmation message welcoming you to the (ISC)2 newsletter mailing list, or not if you did not supply a valid
Method 2: receive (ISC)2’s Infosecurity Professional magazine either as a free electronic softcopy by email or in print if you pay the postage and packing charge and don’t mind slaying trees. The magazine is just one of many benefits for “members” of (ISC)2. The first edition was released in April 2008 - search the CISSPforum archives for informed comment on the content.
6.2 How do I submit CPEs?
Read the (ISC)2 instructions which contain lots of detail plus a helpful link to the submission form.
Most questions about CPEs on the forum are lame since the (ISC)2 guidance generally answers them all.
6.3 How many CPEs can I get for that?
The CISSPforum is just a bunch of guys and gals, you know. We are not (ISC)2.
We don’t award CPEs.
Most of us really don’t care much about CPEs because we are active infosec professionals who are awash with CPEs as a result of lots of reading,
research, webinars, conferences, training courses and stuff. We don need no steenkin CPEs. Several of us teach, present to or write stuff for other CISSPs and CISSPwannabies to consume and claim their CPEs.
If you need to find out precisely how many CPEs to claim for something, and what Type they are, just ask (ISC)2 not us. If you insist on asking us, expect a
flatulent response. You could try setting up one of those web survey things and inviting us to vote. Just make sure you include the option “322 Type C’s”.
6.4 Where do I find anything on ISC2.ORG?
Good question! Some have speculated that when the late Douglas Adams wrote the Hitchhikers Guide To The Galaxy, he was thinking of the (ISC)2 website ...
Mr Prosser said: "You were quite entitled to make any suggestions or protests at the appropriate time you know."
"Appropriate time?" hooted Arthur. "Appropriate time? The first I knew about it was when a workman arrived at my home
yesterday. I asked him if he'd come to clean the windows and he said no he'd come to demolish the house. He didn't
tell me straight away of course. Oh no. First he wiped a couple of windows and charged me a fiver. Then he told me."
"But Mr Dent, the plans have been available in the local planning office for the last nine months."
"Oh yes, well as soon as I heard I went straight round to see them, yesterday afternoon. You hadn't exactly gone out
of your way to call attention to them had you? I mean like actually telling anybody or anything."
"But the plans were on display ..."
"On display? I eventually had to go down to the cellar to find them."
"That's the display department."
"With a torch."
"Ah, well the lights had probably gone."
"So had the stairs."
"But look, you found the notice didn't you?"
"Yes," said Arthur, "yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused
lavatory with a sign on the door saying Beware of the Leopard."
We’re still looking for the “Beware of the Leopard” sign at the (ISC)2 website. If you find it, please post a message to CISSPforum and we’ll call off the
hunt. Meanwhile try Google.
6.5 What do I get for my AMFs (Annual Mugging Fees)?
Quite often the discussion about which activities do or do not qualify for CPEs and/or how difficult it is to find information on the (ISC)2 website ends up with someone asking “What does (ISC)2 do for us anyway?”. This is not unlike Monty Python’s “What have the Romans done for us?” in the Life of Brian.
Even (ISC)2 accepts that it’s perfectly reasonable for CISSPs and SSCPs to ask “Do we get value for money for our Annual Maintenance Fees (AMFs)?”.
(ISC)2’s official response mentions obvious member benefits such as security webinars and the career center, and talks about the wider benefits through
various marketing efforts to promote the security profession in general and, by implication at least, CISSP and SSCP holders in particular. It’s unfortunate
that they neglected to mention the biggest benefit of all, CISSPforum, though!
The bottom line is a personal value decision: will the benefits to you of CISSP/SSCP qualification exceed the AMFs? If you are working for an employer
who requires security qualifications, the answer should be obvious, especially if you are privileged enough to reclaim your AMFs and associated
training/educational costs as legitimate business expenses. Likewise if you are searching for a new position and your qualifications will earn you a
higher salary or land you a better job with a more enlightened employer/manager (not so obvious a benefit maybe but, believe me, job satisfaction is worth a lot).
Finally, there is the Zen perspective. Will the effort to achieve and maintain your qualification make you a better person? Will it satisfy your inner drive
to be good at information security? Do you value being part of the global professional infosec community? Do you maintain motorcycles?
7.1 What is the 11th domain?
The 11th CBK domain is an obscure reference to any topic that the membership of the forum currently considers clueless whether off-topic, misguided or just plain lame. It includes the old favorites “Out-Of-Office”, “Unsubscribe” and “Could have found it on Google in 2 µs.” Occasionally, it is a genuine
proposal to extend the CBK to cover additional domains such as ‘human factors’ but such proposals seldom get anywhere due to conservatism, inertia and apathy, a killer combination.
7.2 Who are the Usual Suspects?
Never mind life, the universe, everything. Who or what are the Usual Suspects? That’s the Ultimate Question. The designation “Usual Suspects” arose
in the dim and distant past from an accidental mis-posting to the CISSPforum of a private message from an (ISC)2 staffer to another regarding certain
outspoken and unnamed CISSPforum members. The comment is alleged to have spawned a sinister (or is it dextral?) secret society within the inner
sanctum of CISSPforum, the Certified Usual Suspects (CUS), also known as the CUStards. Even the CUStards do not know precisely who the CUStards are
nor what they have done to deserve the dubious distinction beyond being “outspoken” but rumors abound of special handshakes and blackballing, weird
initiation ceremonies involving sushi and/or poutine, an unwritten but staunchly upheld code of honor, and a predilection for emitting well-aged bodily
gases. There is no known method to join the CUStards, nor indeed to leave, although most members tend not to contribute quite as much volume post-mortem, though just as much value.
7.3 Who is responsible for this unofficial FAQ?
The mug editor/maintainer of this FAQ is, allegedly: Gary Hinson (Gary@isect.com)
By all means chuck rotten eggs at me but be warned: the more you throw, the greater the chances you’ll be “invited” (cosa nostra style) to become the new FAQ editor/maintainer ...
7.4 Can I submit new questions and answers or corrections to the FAQ?
Absolutely! Send them directly to the current editor (write each one on a $10 bill for the special express service) or better still post them to the
CISSPforum for general discussion. All potential submissions are gratefully received. The best bits will be shamelessly plagiarized. Alternatively, you can edit Anton’s wiki version directly yourself. Have a go: it’s an information security geek’s version of Having a Good Time.
7.5 FAQ Credits
Thanks to the following for their invaluable contributions to this FAQ: Chris Brown, the late lamented Laurie McQuillan, John McGuire, Matt Curtin, Jack
“Hollerin” Holleran, Rob “Grandpa” Slade, Pat “Spring Bunny” McGregor, Anton “Cats in Context” Aylward, Les “G’day Jimmy” Bell, Karen “Stop”ford
(head of the No Department), D. “Cragin” Shelton, Mim The Merciless (slayer of the humor impaired), and Gary “Passionate” Hinson. Other members of
CISSPforum and CUStards have contributed to the FAQ either through insightful postings to the forum or by pestering the editors privately (i.e. in a private place).
I’d like to thank my producer, the director, the investors, the NSA and of course the venerable Consortium without which this FAQ would not have been
7.6 What’s new here?
October 2006-now: occasional tweaks and “improvements” (YMMV).
: Gary took up the editorial cudgel in October 2006, beating Rob’s rather quaint plain ASCII text version into a modern, sleek-looking HTML web page with go-faster stripes, giving us the luxury of actual headings, working hyperlinks and most of all, readability. If you
think you might prefer the original, it’s stored for all posteriors on the CISSPforum files area on Yahoo! Groups, where it is available to current
members of the CISSPforum ... which hints at the real reason this FAQ was published as a public web page: the instructions for how to sign up for the CISSPforum
used to be available only to current members of CISSPforum. Doh!
That’s a bit like printing the “pull cord before passing 1,000 foot altitude” inside
the parachute, or having a black button on a black panel light up black to tell you it’s on. Shades of Catch-22 and HHGTTG.
: Rob Slade copied a ton of Chris’s stuff, modified the rest so that it made less sense and did a fabulous job of injecting the odd ray of
humor. He skillfully incorporated new stuff from CISSPforum including contributions from Laurie, John, Gary, Anton, Axel and Matt. In parallel, Anton set up the wiki version, after searching in vain for the ancient Greek word for wiki.
2003-2004: The original editor of this FAQ was Chris Brown who has mysteriously vanished into the ether, if not the net. Before he passed, Chris
freely admitted that much of the content was outrageously stolen from posts to CISSPforum. The FAQ was uploaded to the CISSPforum files area
in October 2003 and updated a couple of times before Chris evidently gave it up as a dead loss and went back to Real Life. We remain
eternally grateful, Chris (that you started this, not that you went away). (Seriously, Chris, do get in touch. Are you OK mate?)
The end of the unofficial CISSPforum FAQ is nigh.
That’s it, there is no more.
Just a horizontal line (yes, yet another rule!),
and a final link back to the top for those poor unfortunates
lacking page-up keys, vertical sliders and wheely mice.