The Unofficial CISSPforum FAQ
Unofficial Answers to Frequently Avoided Questions
about the CISSPforum, unofficially
a.k.a. The Big Dummy’s Guide to CISSPforum
a.k.a. The CISSPforum Policy Manual
FAQ originated by Chris Brown, heavily edited by Rob Slade and Gary Hinson
with numerous contributions from generous and sometimes unwitting
CISSPforum members and, allegedly, the Usual Suspects
Latest update one idle Friday in August 2012
Please use the following URL to link to or reference this FAQ:
Or just click here to look it up
2 BASIC FORUM USE
3 FORUM CONTENT
4 ZOMBIE TOPICS
5 FORUM MEMBERSHIP OPERATIONS AND SETTINGS
6 (ISC)2 STUFF
1.1 What is the point [of this FAQ]?
We’re not sure really. Does it need a point? How sharp must it be?
This document is the unofficial FAQ (Frequently Asked/Avoided Questions) for users of the CISSPforum mailing list run by (ISC)² for all CISSPs and SSCPs (at least). It is a collection of answers to questions that mostly are or have been repeatedly asked in the forum, and (arguably) important information related to appropriate and inappropriate use of the forum.
This FAQ inhabits a lesser-known quiet cul-de-sac just off the information superhighway, a side-turning from the roundabout behind the noisy industrial estate known as:
We’d ask you to bookmark the URL for future reference and share it with your fellow CISSPs and SSCPs but we know that’s a waste
of good bytes. Google has heard of it anyway. Thank Google for that!
If you’re not entirely sure what an FAQ is, permit Cragin to explain:
FAQ on FAQs.
1. What does FAQ stand for?
Frequently Asked Questions.
2. Frequently? How many times does a question have to be asked before it is added to a FAQ?
None. The entire set of questions was written before the final fielding of the system or web site to which they refer.
3. None? Just how often are these questions asked?
4. Asked? Who asked them?
No one asked them. OK, well, actually, the implementation team wrote the questions, but they already knew the answers
when they wrote them, so they were not actually ASKING the questions.
5. Questions? What kind of questions are the FAQ?
They are second and third sub-level topical headings from an unfinished (or unstarted) users' manual that have each been
restructured from a statement to an interrogatory.
6. Why did the implementation team write the FAQ?
Because as they were in the final phases of fielding, they realized that the development team had either never gotten
around to preparing user documentation, or had done such a shabby job that it was useless, and further that the
operational interfaces of the application were so non-intuitive (or counter-intuitive) that end users would only be end, and never users, without instructional hand-holding.
7. Then what is the purpose of the FAQ?
The FAQ is used by Tier 1 Help Desk staff to avoid having to learn the application while at the same time allowing them
to make callers feel simultaneously lazy and stupid: "You want to learn how to framitz the onglethard? It is clearly
explained in the FAQ on our web site. Didn't you look at the FAQ before calling?"
Copyright © D. Cragin Shelton 2008
1.2 What is CISSPforum anyway?
As vaguely hinted-at by its not exactly cryptic name, CISSPforum is basically a discussion forum for CISSPs (Certified Information
System Security Professionals). It is also inhabited by SSCPs (System Security Certified Practitioners) and possibly others. Apart
from Dorsey Morrow ((ISC)²’s legal counsel, but don’t hold that against him), nobody much from (ISC)² global headquarters appears
to hang out on the forum. Whether that is because they are too busy counting great piles of AMFs, hob-nobbing with the big nobs or
simply “having a life”, we’re not sure. Anyway, the upshot is that it is a local forum for local people. It is user-led and user-trailed.
(ISC)2 promotes and describes it thus:
“Subscribe to our CISSP Forum and enjoy communicating with fellow CISSPs about a wide range of information security topics.
Your forum quickly will become a valuable tool for you to use, enabling you to learn from and teach your colleagues around the
world. Whether you’re posting a new topic or responding to a current one, exchanging information is an important part of being an (ISC)² member.”
Membership of CISSPforum is a little-known benefit of gaining your CISSP, little known largely because it takes such skill and perseverance to locate the forum sign-up page buried deep within an underground bunker lurking underneath the (ISC)2 website. As
one of the members said, “The most useful thing I got from my CISSP is this community - a wealth of knowledge and experience.” Some might even agree that we should earn CPEs for actively contributing to CISSPforum.
One of our members asserts that CISSPforum membership is good for your health. “You obviously do this for health reasons. If you
were not affiliated with (ISC)², you would not have access to this list. Without this, you would not have a group to rant to that
thoroughly understands your position. As a result, you would keep your fuming internal. Lack of emotional outlet has been proven to
increase stress in men. Increased stress leads to higher blood pressure. With increased blood pressure comes the possibility of
stroke. So, you remain affiliated to stay healthy. Therefore, I posit that (ISC)² is a (mental) health care provider and therefore
subject to the rules of HIPAA. I shall be notifying DHHS immediately to schedule a compliance audit.” So there we have it, CISSPforum membership comes with free health benefits.
Although the forum is run as a Yahoo! group, DO NOT WASTE YOUR VALUABLE TIME TRYING TO SIGN UP DIRECTLY ON YAHOO!. Your application to join the forum will be checked and verified directly by (ISC)² to confirm that you really are as qualified as you claim to be. Unless you are an IT forensics specialist who enjoys bizarre technical challenges, instructions for signing up are given below.
CISSPs who successfully navigate the virtual obstacle course to sign-up to CISSPforum join a friendly community of over 6,200 professional peers
- mostly qualified information security pros from all parts of the globe and all sexes. Some of us are newcomers
to the profession, recently qualified, while some are grey-beards with a decade or three of experience in the trenches. Our ranks are
swollen by IT auditors, consultants, trainers, security officers, security managers and others, mostly but not entirely CISSP or SSCP-qualified. Welcome all.
As a community of professional practice, CISSPforum is a great place to discuss information security and closely related topics. The
scope of the forum naturally includes the ten areas of (ISC)²’s Common Body of Knowledge (the CBK) which coincides, thankfully, with the CISSP exam. We also discuss the ISO/IEC 27000 series (ISMS), ISO 9000 (QA), ISO/IEC 20000 (ITIL), IT governance, SOX
(and/or socks), IT risk management, IT audit, IT forensics, UNIX/Windows/MacOS/OS390/etc. etc., networking, vulnerabilities,
Windows, Windows vulnerabilities, (and occasionally Mac vulnerabilities, Linux vulnerabilities ...), Stuxnet/Duqu/Flame and other alleged
cyberweapons, in fact anything that’s hot in information security is likely to be brought up at some point, often before it hits the industry rags if slightly behind the blogosphere.
It’s like an information security club, an online interactive encyclopaedia with more than 6,200 qualified contributors.
OK, to be honest it’s more like 500 active contributors with >5,700 lurkers but we “feel their presence” in a spooky sixth-sense Stephen King’s Carrie kind of way.
Some of the discussions are straightforward questions and answers, that’s it. Others develop into full-blown discussion threads,
depending on the skill or good fortune with which the original poster crafted a post containing such subtle nuances or contentious
language that more people felt compelled to respond. Urgent but un-lame help messages generally get answers within minutes, while
more contemplative posts can trigger threads that run for days or sometimes weeks. By and large, it is all very good natured, open
and “safe”, though there’s often the very faintest whiff of sarcasm, especially when someone purports to be an expert on some topic.
The forum is a wonderful safety vent for burning information security issues that bug you, and to challenge accepted norms. You’ll
find deep technical threads running alongside lighter topics. Members contribute wisdom, knowledge, opinions and more for the
benefit of all. Many of us have become virtual friends through the forum while others are virtually friends simply by virtue of their
participation. We’re never stuck for friendly local guides when visiting far-off foreign lands although we’re still patiently waiting for our
first forum romance, or rather the first one to be publicly acknowledged.
1.3 What are CISSP and SSCP?
CISSP is an acronym standing for one of the following:
Certified Information Systems Security Professional - the premier security qualification from (ISC)² and a registered trade mark to boot
Can I/Indeed Shoot/See/Slight/Snub/Scorn/Smear/Slur Stupid People - first suggested after a discussion thread on US gun law (another candidate for zombie
’Cos I Said So Pal - explains why people have to listen to every word a CISSP says, or else
Canadian (or Canukistani) Information Systems Security Professional - reflecting the disproportionate number of active
contributors to the forum who live in or come from the frozen wastelands North of some of the remaining active contributors
Cohorts Implementing Stealthy Secret Practices - goes with the funny handshake
Curmudgeons Irreverently Satirizing Sloppy Processes - pull up your keyboard to be ruthlessly ridiculed
Cautiously Investigating Suspicious Satanic Publications - that’s part of the job spec
Callously Ignoring Stylishly Sentimental Politics - both company and real politics
Cats Insistently Striking Silly Poses - my furry ones made me put that in
Cat Intelligence Security Services and Patrolling - uncovering cats' secret names (don’t ask me, I only cut-n-paste this stuff).
CISSP is an ANSI ISO accredited certification confirming that the holder has:
Despite what many recruitment consultants and other infosec-challenged people might think, CISSP is not a deep technical security
qualification. It requires a reasonable understanding of both technical and non-technical information security matters, with the emphasis on breadth over depth of knowledge. That said, many CISSPs do have deep technical security knowledge and expertise in
one or more of the ten domains defined by (ISC)² in the Common Body of Knowledge (CBK), whereas some of us just wing it.
The CISSP CBK covers these ten fields (shown with their approximate ISO/IEC 27002:2005 equivalents):
Access control (’27002 section 11);
Application security (’27002 section 12, some);
Business continuity and disaster recovery planning (’27002 section 14);
Cryptography (’27002 section 12.3++);
Information security and risk management (’27002 sections 4, 5, 6, 7 & 8!);
Legal, regulations, compliance and investigations (’27002 sections 13 & 15);
Operations security (’27002 section 10, some);
Physical (environmental) security (’27002 section 9);
Security architecture and design (’27002 section 12, more);
Telecommunications and network security (’27002 section 10, rest).
One might have (and indeed one has) argued that the curriculum lacks clear reference to ‘human factors’, which most CISSPs agree
are an extremely important element of information security, and in fact the cause of many security issues. Another might argue that
‘human factors’ are an inherent part of the ten domains, so there is no need for an eleventh domain. We don’t know (ISC)²’s position
except that, since there remain only ten domains, they presumably agree with the latter rather than the former.
The “CISSP concentrations” are nothing to do with furrowed brows but emphasize specific ‘domains of expertise’. Currently these are:
The concentrations build on exactly the same broad base as CISSP - in fact, candidates for the concentrations must pass their CISSP
first and have extra-wide business cards. ISSAP and ISSMP candidates must also have at least 2 years work experience in their
chosen concentration but there is no such requirement for ISSEP, so candidates who cannot concentrate for 2 years on security engineering are still suitable to be considered for US Gummt infosec work, evidently.
SSCP stands for one of the following:
Systems Security Certified Practitioner - a qualification demonstrating some practical experience of working in the infosec trenches (e.g. security administration).
Solid Security Currently Practicing - it’s a pragmatist’s qualification
Should Soon Certify Properly - since some snobs view SSCP as merely a stepping stone to CISSP
International Respect for Tacticians - according to the heading on (ISC)²’s SSCP page, at one time anyway. That phrase melded into “The Go-To-Guy That’s an Information Security Must-Have” which is even more obscure and hyphen-heavy.
SSCP is seen by some as a foot in the infosec career door, a means to show commitment to the field prior to gaining much work
experience and a ticket to join CISSPforum. It is also suitable for those infidels who have not yet fully dedicated their lives to the glory
of infosec, those who in other words “have a life”. The pre-qualification criteria reflect pretty much any professional/junior
management job, with just the barest hint, the merest smidgeon of infosec.
For the sake of completeness, we’d better mention (ISC)²’s Certification and Accreditation Professional (CAP) credential, “an
objective measure of the knowledge, skills and abilities required for personnel involved in the process of certifying and accrediting the
security of information systems. Specifically, the credential applies to professionals responsible for formalizing processes used to
assess risk and establish security requirements, as well as ensure information systems possess security commensurate with the level
of exposure to potential risk.” The ‘accreditation’ mentioned relates to the process of reviewing and certifying system security
configurations against official system security configuration standards such as NIST’s, much beloved of the military and those
sheltering under FISMA’s umbrella. Federal managers have to review their systems every 3 years or after a major change, whichever
comes first (for unspecified values of “major”). They use the process to identify needs and then translate those into budgetary needs
so that Congress won’t shut down their system (a.k.a. legislative denial of service). Despite the name, CAP is in fact nothing to do with tinfoil headgear.
1.4 Is there an official CISSPforum FAQ?
Yes, well kind of. (ISC)² published the (ISC)² forum guidelines independently of and prior to first publication of this FAQ. Their
summary (also available to logged-in (ISC)² members here) reads thus:
“Membership to (ISC)² forums is restricted and must be approved by the forum administrator.
To access an (ISC)² forum, members must enter a password.
Messages posted to the forum can be seen by all members of the forum, but are not made available to anyone outside the forum.
(ISC)² forums are not moderated.
Advertising of products and services or posting of “junk mail” messages is strictly prohibited. However, discussion regarding products and services is allowed.
Use of a forum to advertise conferences, seminars and training related to the list topics is permitted.
Members are encouraged to keep postings brief.
When replying to postings, please include the original posting but only include the relevant parts of the message.
Use of a forum to post messages that are not related to security topics is strictly prohibited.
Any disregard of these policies and guidelines, or abuse of forum access privileges, may result in revocation of membership to the forum.”
The following topics are covered in the (ISC)² forum guidelines:
What is a forum?
Who can become a member of an (ISC)² forum?
Who hosts (ISC)² forums?
Who should I contact if I’m having any difficulties with my subscription?
How do I subscribe to or unsubscribe from a forum?
How do forums work?
I’m receiving too many messages. Should I unsubscribe?
What is unacceptable content?
How do I reply to postings?
How do I report abuse of a forum?
What if my email program has an “Out of the Office” option?
Who do I contact if I need help with a forum?
Dorsey Morrow, (ISC)²’s helpful legal counsel, reminded us that CISSPforum must not be used for campaigning by those seeking
election to the Board of Directors, although it can be used to garner popular support for those seeking to become candidates (a single posting only - see the official official guidelines for the official rules, officially). A separate forum (cissp-elections) has been created
by and for CISSPs to discuss the Board elections, the candidates and their manifestos, the elections process, governance accountability of ISC2 management as a whole and related matters.
In case of conflict between the official (ISC)² forum guidelines and this unofficial FAQ, expect weird things to happen as the space-time continuum is torn asunder.
The information provided in this FAQ is not guaranteed <full stop>
The information provided here is often the curious opinion of one deluded person and, however unlikely this may seem to them, there
may conceivably be valid opposing views. Use the information in this FAQ at your own risk. Your mileage may vary. Do not run with scissors. Do not pass Go.
This is not legal advice. The legal buck doesn’t even think about wandering through this quiet turnpike on the information souperhighway while charging its time by the second.
The unofficial FAQ is neither promulgated nor endorsed by (ISC)2, its officers or its affiliates, nor by any government, nameless
government agency or religion. It is technology-neutered. This is an independent unofficial and decidedly cranky work by a tiny albeit
vocal and rather cynical minority of CISSPforum members with this particular version having been heavily modified by self-acknowledged beards-of-colour who are clearly disturbed, senile or ‘under the influence’, and possibly all of the above.
GM-free. Ford-free too. No cute cuddly animals were harmed in its production, only nasty slimy ones.
This FAQ is so environmentally friendly, it is likely to slip away to hug a tree the very moment your back is turned. Please don’t print it out, especially if you have an evil printer from hell.
1.6 Other versions of this FAQ
The original plain text FAQ was and remains available only to CISSPforum members. It was extensively updated, worked over and
generally roughed up a bit by Rob Slade and assorted elves in 2005/6. To take a look (provided you are a member), logon to Yahoo! Groups, open the “cisspforum” group, go to “files” and scroll down to find “cisspforum-faq.txt”. It’s the one entitled “cisspforum-faq
A cool wiki version was created by Anton Aylward, Les Bell and other CISSPforumites during 2005. You are invited, nay encouraged
to edit and contribute directly to the CISSPforum wiki FAQ. Go for it. Knock yourself out. Feel free to cut-n-paste great swathes of
content from here into the wiki if you have the patience or better still come up with some novel material of your very own.
The sexy HTML web version now appearing on a screen near you was conceived, spawned even, by Gary Hinson in October 2006 and
is updated when inspiration happily coincides with a spare hour. Comments, further questions, answers and jokes are always welcome, including via CISSPforum of course. See the contact details towards the end whether you’d like to contribute something
deep and meaningful or chuck rotten eggs.
Back to contents
2 BASIC FORUM USE
2.1 How do I post messages to CISSPforum?
Any member of CISSPforum can post messages to CISSPforum simply by emailing firstname.lastname@example.org. Please use plain text and be reasonably succinct. Messages can also be posted online using the Yahoo! web interface by members who have tied their membership address to a Yahoo! identity.
CISSPforum automatically rejects messages posted by non-members, unless they have carelessly allowed their login credentials to be
stolen by a spam bot (which happens). Nevertheless, this is still the most effective anti-spam system we have. Spammers who join
the forum are soon shown the error of their ways and risk being “horse whipped with Cat5 cable” (according to one member’s email signature anyway).
If you are responding to a previous posting, please refrain from “top posting” i.e. simply adding your own comments to the top of
what came before without any attempt to trim the original response and the ludicrous Yahoo! spam from the end. By all means
select the relevant bits of the original post, add the ‘greater than’ characters and re-send them, along with your comments but, please, not the whole thing. This is especially important if you choose to monitor CISSPforum through a single daily digest message as we
won’t necessarily know which message in the digest you are rambling on about (adjusting the Subject: line is also highly recommended).
Identify yourself, please. Your Yahoo! profile name or email address is seldom sufficient to identify you, at least until you have
posted often enough that others will mutter under their breaths “Oh no, not him again!”. Simply end your posting with a standard
business-like salutation including your name or else a nickname or some other term that you are happy for us to call you. Otherwise
we will choose our own name, and it may not be to your liking. The person who posts under the pseudonym “/bpm”, for instance,
probably does not appreciate being called “Slash” but at least he/she has a sense of humour.
When asking a question or seeking advice, give us a clue about the context. Your situation is probably relevant to the advice you
need. Government practice is different from commercial is different from legal is different from medical .... Let us know roughly where
you are, what country at least. This is a marvelously well-connected international forum but national laws and regional practices may
make a big difference to the advice. Privacy laws and practices are remarkably variable, for example.
If you are posting a long hyperlink, please either create and supply a TinyURL as well as the full link or simply enclose your long
URL in angle brackets < and > which allegedly tells some email clients not to break the URL over more than one line.
Do your homework before posting to CISSPforum to avoid being soundly lampooned. This is a professional forum for qualified information security people. Some Forumites just love to show off their extensive knowledge at every available opportunity and
you’ll often get a broad range of opinions from the Forum ranging from short snippets to extensive diatribes. However, we resent
being used as the research mechanism of first resort. If a poster is too lazy to craft a simple Google search or two and follow up on
the results before coming to us, some of us are not afraid to say so. It may help to demonstrate that you have already made an
effort to answer your own question. By briefly describing your research and analysis so far, you can prove that you are not just an
information leech. You will also give the experts here a chance to go directly for the deep dive without repeating the basics you already know. You might try Asking Questions The Smart Way and, whether you are a Microsofty or not, read this advice also.
Finally (and this should really be the First Law Of Posting), please give your audience a moment’s consideration before hitting the <SEND> button. If you are sending or responding to an inflammatory or incendiary email, at least sleep on it first or read this.
If you are asking something and expect a sensible/helpful answer, consider How to Ask Questions The Smart Way. Or just send
anyway and risk being pilloried. You choose. If you are pillorying someone for asking a question the wrong way or saying something
dumb, or complaining to the entire mailing list about something that offends you, remember this sage advice:
It is better to be thought a fool than to open your mouth and remove all doubt.
Please be tolerant of others. We are not all on your wavelength. Some of us barely even speak your language (and you’ve probably
never even heard of ours). CISSPforum is a global melting pot, so please don’t post anything racist, sexist, elitist or any other kind of ist and please don’t fan the flames beneath.
2.2 Is it safe to post my first message?
Of course! We’re all friends here! To the ~5,700 CISSPforum lurkers, we say: de-cloak and bathe us liberally in your knowledge and
experience. Don’t be shy. Even “me too” is marginally better than stony silence. But please re-read the tips just above before you dive right in.
There’s a special CISSPforum rule for Those Who Have Never Posted (you know who you are - we call you the Forum Virgins).
You have full permission to make Your First Posting without fear of retribution, dissent or ridicule. The trick is to write “First posting”
or similar in the subject line and include something interesting in the body of an email message to email@example.com.
‘Something interesting’ in this context may be:
Where did you first hear about CISSPforum? Was it this FAQ maybe, or another?
A link to a novel security risk, vulnerability, control or concept, with a word or three of explanation
Comments or queries about any other posting or discussion thread
How many other people you have invited to join CISSPforum this month :-)
Questions about information security, risk, control, poutine etc.
Your favourite security theory/model ... or the worst
Something That Gets You Going, preferably but not necessarily relating to information security. What’s your passion in life? Tell
us something about you, as deep and meaningful or superficial and glossy as you choose. Contentious postings often get a good response but don’t be surprised if some are rather rude.
Other interesting stuff - essentially anything other than “Me too”. Go ahead, surprise us with your creativity and genius. Failing that, just surprise us.
The CUSses, beards-of-colour and others faithfully promise to be extra nice to you on your first posting. To be honest, we’re all
generally nice people who don’t bite but occasionally bark a bit, albeit sometimes up the wrong tree. Hot discussions break out from
time to time and create plenty of smoke but actual flames are very rare (see below for fire retardant advice).
2.3 How do I get people to respond positively and helpfully to my queries?
Good question! We heartily recommend and endorse the excellent advice in How to ask questions the smart way. It’s also not bad,
by the way, on how to reply to messages ...
2.4 How do I reply to messages?
CISSPforum has been set up so that, by default, replies are sent to the entire forum not just the originator of the message. That’s
about 6,200 fellow security professionals. If one day you accidentally reply to a forum message with a personal response without altering the To: line, be aware that around 6,199 peers will see your ‘private’ message. The cranky ones will give you grief to add to
your misfortune, no doubt ribbing you rotten for your mistake. If you wish your reply to go to only the originator, copy that person’s
address into a new message or choose the individual address as an option if you are using the Yahoo! web interface. If you
insist on sending ‘private’ messages to us all, please make them juicy if not defamatory.
2.5 Where have my messages gone?
Sometimes, for no obvious reason, messages sent to the forum get delayed. It happens unpredictably, with differing delays. The
forum is run by Yahoo! which, we are led to believe, is a fairly popular interwebpipes thingummy that gets overloaded and backlogged
at times, presumably because it is running on a steam-powered Acorn Atom, a PDP-11 or perhaps a much more modern machine ...
running Windows. It might be interesting to check whether your message was listed on the Yahoo! Groups web interface at about the
time you sent it (implying a delay on the Yahoo! output) or the time it finally arrived (an input delay) ... but either way, there’s not
much (a classic understatement!) we can do about it. It’s annoying, especially when messages finally get distributed sequence out of.
Yahoo! presumably has a technical/admin contact, someone who occasionally stokes the chicken poo in the boiler maybe. Alternatively, (ISC)2’s Wilf Camilleri or Blaise Kengoum might be able to help (email firstname.lastname@example.org). Ask them to ask Yahoo! to poke the boilerman.
2.6 How do I turn down the volume?
CISSPforum is a LOUD mailing list, with an average of around 1,000 messages per month (more than 30 per day). Other mailing lists only go up to ten. CISSPforum sometimes reaches eleven.
If you don’t have the stomach or the free time to read 30-odd (sometimes very odd) messages per day, here are seven vital survival techniques:
Skim the subject lines and just delete anything mentioning, for example, LinkeDin or other lame topics. Don’t fret.
Read CISSPforum as a daily digest with all the day’s takings in one mega email. This is a Yahoo! option.
Check the senders. Some forumites are worth reading, others worth skimming, some deserve to go straight into the bit bucket
without even opening. Your email client probably has the tools to do this automagically. Look for ‘email rules’ or ‘filtering’.
Set aside a certain period of time each day to peruse the latest mailings. When your time is up, delete the remaining unopened messages and go back to Real Life.
Don’t bother about keeping up with the latest topics. Use Yahoo!’s search routines to check the archives.
Read the forum using Gmail or a similar email facility that automatically links postings with similar subject lines into threads. Pick
out interesting threads. Ignore the rest.
Ignore everything. Delete without reading. Unsubscribe. Miss out on those golden nuggets that would make all the difference
to your career. Go ahead - see if we care. Talk to the fingers cos the keyboard ain’t listening.
(Bonus idea) Configure your email client to dump all the LinkeDin verification messages and complaints unceremoniously and cut the volume in half. For extra marks, do this on the mail server, using Python or LISP.
(Bonus bonus) Don’t send complaints about the volume of the list to the list. Don’t send complaints about LinkeDin to the list.
Don’t send daft jokes and comments to the list. Don’t try to send attachments to the list. In particular, if you are catching up
with emails, look through the list of emails to see if anyone else has already commented or complained about a posting that
upsets you, and leave it at that. Think twice before posting fresh junk, even on Fridays. Use your delete key as it was meant to be used and move along - in other words Get A Life.
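The “do this on the mail server, using Python” suggestion above, worked through as an added example (this is not the FAQ’s own code, nor anything (ISC)² or Yahoo! provides): a header-only triage filter that bins LinkedIn invitations and Out-of-Office auto-replies arriving via the list, always reads a few trusted posters, files the rest for skimming, and never touches mail that did not come through the list. The List-Id value, the sender addresses and the sample messages are constructed; the header semantics come from RFC 5322 (message format) and RFC 3834 (Auto-Submitted).

```python
"""Header-based triage for a high-volume mailing list such as CISSPforum.

Added example, not the FAQ's own code: it sorts list traffic into 'read',
'skim' and 'bin' from headers alone, so it can run as a pipe filter on the
mail server before anything reaches your inbox. The List-Id value, the
priority senders and the sample messages are all constructed.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Constructed List-Id; use whatever your list really puts in that header.
LIST_ID = "cisspforum.yahoogroups.com"

# Subjects the FAQ says you can safely drop unread. "linke?din" also matches
# the FAQ's own spelling "LinkeDin".
NOISE_SUBJECTS = re.compile(
    r"(linke?din|invitation to connect|out of (the )?office|autoreply)", re.I
)

# Constructed addresses of posters you always want to read.
PRIORITY_SENDERS = {"grey.beard@example.invalid", "wrinkly.diplomat@example.invalid"}


def is_auto_reply(msg: EmailMessage) -> bool:
    """Detect Out-of-Office bounces: RFC 3834 Auto-Submitted or a vendor X-Auto* header."""
    auto = str(msg.get("Auto-Submitted", "no")).strip().lower()
    if auto != "no":
        return True
    return any(h.lower().startswith("x-auto") for h in msg.keys())


def sender_address(msg: EmailMessage) -> str:
    """Extract the bare addr-spec from the From header, lower-cased."""
    raw = str(msg.get("From", ""))
    match = re.search(r"<([^>]+)>", raw)
    return (match.group(1) if match else raw).strip().lower()


def classify(raw_message: str) -> str:
    """Return 'read', 'skim' or 'bin' for one raw RFC 5322 message.

    Mail that did not come through the list is always 'read': the filter must
    never swallow personal mail because a subject happened to mention LinkedIn.
    """
    msg = message_from_string(raw_message, policy=default)
    if LIST_ID not in str(msg.get("List-Id", "")):
        return "read"
    if is_auto_reply(msg):
        return "bin"
    if NOISE_SUBJECTS.search(str(msg.get("Subject", ""))):
        return "bin"
    if sender_address(msg) in PRIORITY_SENDERS:
        return "read"
    return "skim"


def _list_mail(subject: str, sender: str, extra_headers: str = "") -> str:
    """Build a constructed list message with the given Subject and From."""
    return (
        f"From: {sender}\n"
        "To: cisspforum@example.invalid\n"
        f"List-Id: <{LIST_ID}>\n"
        f"Subject: [cisspforum] {subject}\n"
        f"{extra_headers}"
        "\n"
        "Body text.\n"
    )


# Constructed sample traffic, one message per case the FAQ complains about.
SAMPLES = {
    "linkedin": _list_mail("LinkeDin invitation to connect", "Some Member <member@example.invalid>"),
    "ooo": _list_mail("Re: Patch Tuesday", "Away Person <away@example.invalid>",
                      "Auto-Submitted: auto-replied\n"),
    "priority": _list_mail("Re: Patch Tuesday", "Grey Beard <grey.beard@example.invalid>"),
    "regular": _list_mail("Re: Patch Tuesday", "New Member <newbie@example.invalid>"),
    "personal": "From: Friend <friend@example.invalid>\nSubject: LinkedIn?\n\nNot list mail.\n",
}


def triage_samples() -> dict[str, str]:
    """Classify every sample; handy for a quick sanity check of the rules."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:9s} -> {verdict}")
```

Two design points matter more than the regex. First, the List-Id gate runs before any other rule, so a personal message whose subject mentions LinkedIn is left alone; a server-side filter that can silently discard mail should only ever act on traffic it can positively identify as list traffic. Second, the noise check runs before the priority-sender check, so even a trusted poster’s leaked LinkedIn invitation or auto-reply is binned, which is what the FAQ asks for.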
2.7 What do I do if (when) a posting upsets me?
Unless you are extremely liberal and tolerant, someone is bound at some point to post something that you don’t like or that offends
you in some way. Very often if you post a complaint, someone else will complain about your complaint and pretty soon we get into a
huge and unedifying “discussion”. People telling other people to take their complaints offline will, of course, do this online.
Personal attacks are more hurtful than helpful. While you might really want to say something along the lines of “You need a good kick
to the head or an enema - in your case, those may end up being one and the same”, the following fire-retardant advice, originally
posted on the forum by a wrinkly diplomat, sums up how to avoid fanning the flame wars:
I’d recommend peace, love and understanding all round.
Be tolerant and respectful of others on the forum. We have many
cultures, abilities and styles here. We are not all like you.
Many of us have never even been to your country.
The forum is self-moderated. Self restraint and tolerance are the watchwords.
Count to twenty before responding to jibes. If someone has upset you, explain to them (and only them) what upset you, and let them respond privately, off-list.
If someone complains to you about your behavior, consider their feelings.
Please avoid slanging matches on the forum - take them off-line
behind the bike sheds perhaps.
If someone asks a dumb question, remember that you too were dumb once
and if you insult the questioner’s intelligence for asking such a
question, you still are. We all had to start somewhere.
This is a community of peers. There is room for humour and occasional
off-topic discussion but, please, take it easy on our <Delete> keys.
Enjoy the variety of experience. Relish the challenge of
understanding others’ points of view. Chip-in if you have something
constructive to say, to seek clarification, or to challenge underlying assumptions.
If you think the emperor has no clothes, speak up. Some of the best threads start that way.
And if all else fails, hit your <delete> key, chill out and move along.
If having done all that you’re still steaming gently, try the CISSPforum serenity prayer:
Lord*, give me the capacity and resources to implement the controls
that truly will protect my organization;
the fortitude to ignore those “best practices” which will not;
and kill files properly formatted for certain individuals,
all OoO replies, and most of all LinkeDin membership requests.
* Appeals to similar deities, magnanimous all-seeing beings and/or email system administrators will be equally efficacious.
2.8 Trolling and troll-baiting
[ASCII-art sign, garbled in extraction: “DO NOT FEED THE TROLL. Thank you. CISSPforum”]
If you are a troll, or if you feel compelled to point out that someone else is trolling, or are responding to a posting by a troll, or posting about someone else responding to a troll, or are defending or criticising a troll or those who have previously defended or criticised a
troll, or are in any other way referring to trolling, please add [Troll] to the subject line of your message so that those of us with
automated anti-troll filters have an easier time*. Better yet, before posting your message, please reconsider whether doing so will
increase or decrease the signal-to-noise level for the majority of Forum members or whether your spleen might be better vented
against the alleged troll directly, off-list. On behalf of us who actually do have a life, thanks very much.
* The more advanced CISSPs simply configure their systems to route all troll messages directly to Write Only Memory (WOM) devices
installed at several highly redundant but totally secret locations on the intergalactic Interwebnet. It is alleged that one of these black holes has been found lurking within the (ISC)2 website but the last brave datagram we sent in there to check it out never surfaced, at least not in our galaxy.
2.9 Are there rules for the forum other than this FAQ?
Yes - go to the back of the class and re-read section 1.4 above. Remember, this is the unofficial FAQ.
The universal rules for posting stuff to newsgroups and similar online discussion fora, neatly summed up in a short video, apply here too. In this sense alone, CISSPforum is not special at all.
Furthermore, thanks to one of the more surreal CISSPforum Friday threads, it has been acknowledged that there are certain
“unwritten” rules for the forum. Look under Yahoo! Groups > CISSPforum > files for the file “cisspforum-faq-unwritten.txt”.
2.10 Can I distribute files via CISSPforum?
No, at least not directly. Any file attachments sent to the mailing list will be summarily stripped off by Yahoo!. Members who post
documents or other materials will be embarrassed at having posted, essentially, nothing. “Here it is!” they exclaim, triumphantly but here it is not. This is lame.
However, any forum member can upload a file to the Yahoo! Groups files area and optionally announce it on CISSPforum. Be sure
you have permission from the copyright holder before publishing anything in this manner: reaching over 6,199 peers effectively places
it ‘in the public domain’ and we wouldn’t like to see you marched off by the DMCA Gestapo...
An even better idea if you want more than just casual feedback on your document is to write and upload a draft to Google Docs and
post a forum message inviting CISSPforumites to collaborate on writing/completing it. The combined brain power is awesome and we
have yet to see a document that cannot be improved by the wider perspective. We’d encourage you to acknowledge all those who
actively contribute and ideally publish the finished item to the CISSPforum files area or publicly under a Creative Commons license, but hey that’s your choice.
2.11 Is this forum private?
Membership in the CISSPforum is restricted by (ISC)2 to those holding CISSP and SSCP (well possibly: see section 5). Generally
speaking, a number of respected CISSPforum members take the membership restriction to imply that it’s a discreet and exclusive
private gentlepersons’ club. They hold that discussions on CISSPforum should not be discussed or reproduced elsewhere, outside the
forum, believing that “what happens on the forum stays on the forum”. Restricting discussions to the CISSP community will hopefully
result in a freer and franker exchange of ideas, the theory goes. And we should all wear suits and ties, smoke ridiculously large cigars
and drink copious quantities of the very finest brandy and port while twiddling our handlebar moustaches.
That said, given the membership of over 6,200, it is not entirely sensible for members to assume that the content of messages they
post to the forum will remain restricted to the membership. Those concerned about privacy and confidentiality (and which of us isn’t?) should bear in mind the old adage that you should never send anything by email (or indeed by courier) that you would not want to see on the front page of the newspaper. Do your own risk assessment, folks.
Some members have evidently taken things into their own hands. They write such cryptic and convoluted messages that one might
be forgiven for thinking they are speaking in tongues, whereas in fact they are merely trying to disclose certain alleged facts in a
plausibly deniable manner. Others have tried brute-force attacks but rarely find the key. [There are less charitable explanations but, hey, it’s Friday.]
As a point of etiquette, if you wish to raise the issues discussed in CISSPforum elsewhere, it is best either to rewrite the salient points
in your own words (sanitizing the identities and facts as necessary) or to contact the original author/s for explicit permission, or both.
Members contacted in this way are invariably flattered to be asked. You will almost certainly get the help you need to re-publish or at
least plagiarize the salient parts from original piece, and make a new friend in the process.
3 FORUM CONTENT
3.1 Is there an archive of CISSPforum postings?
Yes, postings to CISSPforum are automatically archived for all posterity on Yahoo! Groups. Remember this if you are about to flame another member or post something private, off-topic or lame. The cream of CISSPforum postings may also be shamelessly
plundered for FAQ content.
3.2 Is this the proper place to compare certifications?
Probably not. The topic has been raised before and you are free to give it another go. You’ll get replies, some thoughtful, some not.
Strangely enough, most CISSPs maintain that CISSP rocks. Many of us are curiously defensive of the certification’s integrity and value.
3.3 Is this a good place to ask ethical questions?
Yes if you like but try email@example.com instead for a more reasoned discussion.
3.4 Is it OK to ask about topics previously covered?
Everybody does it but if you do not normally monitor the forum, it would be appreciated if you would first check the archives. Please see the next section too for information about zombie topics.
3.5 What is OT (off-topic)?
Any forum posting containing “OT” in the subject line is considered off-topic and liable to be summarily deleted by those with More Important Things To Do. It is considered rude to post off-topic messages without the “OT”, and in fact slightly naughty to post on-topic messages with subject lines that just happen to contain those two specific letters in conjunction. As to exactly what is considered on- or off-topic, or at what point on- becomes off-topic or vice versa, well that’s a matter for your good judgement, or rather that of the majority of people on the list, or rather that of the vocal minority who feel compelled to tell us all whether something was on- or off-topic.
To be fair, on/off-topic is not a binary choice when it comes to many discussion threads, but subjects such as US gun laws are likely
to descend rapidly into the abyss of politics, religion or both, leaving information security for dust.
There is some guidance on this point in the (ISC)2 policies:
“(ISC)2 forums are not moderated. Note that this is prime: you might see anything here. Don’t complain about it.”
Actually, membership in the forum is strictly moderated, as you know. Postings are not specifically moderated. However, if you say something really
annoying, somebody from (ISC)2, usually that nice man Dorsey Morrow, (ISC)2’s corporate counsel, will
send you a nasty note and if you persist, you’ll be unceremoniously booted-off.
The issue of moderation is another running joke on the forum: if you post a message asking why the moderator isn’t doing
something, one of the long-time and vocal members (otherwise known as the Usual Suspects) will generally post a message
claiming to be, or to nominate, the moderator of the week, and dispense moderation, in moderation.
It is traditional for the moderator not to be informed of his/her/its status. For example, Rob Slade was moderator during the
early part of December, while he was out of town, only finding out upon his return. There being no moderator at that point, he had nobody to complain to.
Some of the subsequent (ISC)2 guidelines contradict the issue of non-moderation a little by laying down explicit rules:
Others are a little more helpful:
“Use of a forum to advertise conferences, seminars and training related to the list topics is permitted.
When replying to postings, please include the original posting but only include the relevant parts of the message.”
... with which last point we in the forum heartily concur.
The normal rules are relaxed slightly on Fridays but always beware going too far off-topic, or stretching a topic a bit (or indeed a byte)
too far. Just because there are a number of people who are dolts doesn't detract from those few with wit. Of course, the target rich
environment does make the wit easier. Occasional tongue-in-cheek asides are tolerated, enjoyed even. However, flame wars may
erupt if someone objects to wading through more OT than on-topic posts, and hasn’t read or ignores the earlier suggestion about
complaining directly to the original poster/s rather than spamming the whole CISSPforum community. As with sex, alcohol and tipping, moderation is key. We’re not talking teetotal celibate monks here, rather a middle-aged person who enjoys the odd tipple and a long-term partner.
3.6 What topics are lame?
We all say dumb things from time to time but asking genuinely lame questions or offering supremely lame answers on CISSPforum can be a character-building experience, unless it is your first post anyway.
Before you ask a question, have you at least Googled it? Have you made even the slightest effort to search for the answer yourself?
If so, great, go ahead and ask away. If not, be prepared to be told in no uncertain terms “Try looking at the first response on this Google query: ...”.
You can apparently construct anything using the base URL of www.justfuckinggoogleit.com/search?q= and then adding the terms
separated by a +, such as: www.justfuckinggoogleit.com/search?q=security+glossary. If the olde English word in that URL is too
offensive, try www.LetMeGoogleThatForYou.com/q= followed by the search term for a more polite version. If you don’t think any of
this is funny, you might benefit from a subscription to cissp-humour-impaired.
Zombie topics, out-of-office messages and off-topics are also considered more or less lame.
Responses can be lame too. It’s fair to assume, for starters, that the original questioner has a modicum of intelligence and security
expertise. To avoid self-nominating for membership of cissp-clueless, take this classic response as a warning: “In order to attack your
target, you should first recommend that your target gets an actual computer (www.dell.com or www.hp.com are two sites I’ve found
useful for this), running Windows (www.microsoft.com, can be obtained at www.amazon.com). The attacker should of course know
how to write an actual exploit (books at www.amazon.com, many sources to be found on the ‘Internet’, which you can recognize
since it all starts with the characters http://). One thing that is often overlooked by junior hackers (explaining many failures to achieve
desired goals) is that they do need a ‘computer’ for this (again, see www.dell.com, or for something more prestigious or esoteric try www.apple.com). I’m sure you realize all this, but one cannot be too careful.”
3.7 Where can I find thread summaries?
Basically, you can’t, but you can search the archives. The upgraded Yahoo! search facility is not too bad, compared to say pulling your
own teeth out with a rusty farm implement. Don’t worry, though, because this situation was accurately predicted by a rather boring
prophet: “There shall in that time be rumors of things going astray, erm, and there shall be a great confusion as to where things
really are, and nobody will really know where lieth those little things with the sort of raffia-work base, that has an attachment. At that
time, a friend shall lose his friend's hammer, and the young shall not know where lieth the things possessed by their fathers that their
fathers put there only just the night before, about eight O'clock.”
You may like to subscribe to the list using a Gmail account that automatically threads the responses.
3.8 When is Friday?
One of the unwritten rules of CISSPforum is that the normal rules (both written and unwritten) for posting messages are relaxed on
Fridays in preparation for the weekend’s fun (the equivalent of dress-down-day or POETS day), within reason. Since “within reason”
is itself part of the unwritten rules that are relaxed, even that is optional but please be sensible. This is a multicultural professional
forum and we’re all pretty busy. OK perhaps not quite so busy on Fridays.
On Fridays, expect to see the usual sarcasm, irony, pathos (and bathos), poignancy and passion, anecdotes and hopelessness,
delicacy and discernment, humour (sometimes without u) and satire, derision and hyperbole, alliteration and synecdoche turned up a
notch, with the occasional deep and meaningful discussion on coffee, donuts, poutine and sushi. Have fun, just avoid turning up the heat.
It has been alleged that some members literally dress down on Fridays. Whether this extends to nude posting is unknown at this point and none of us has the nerve to ask.
Those CISSPforum members who have the benefit of living slightly West of the International Date Line start their Fridays in advance
when other less fortunate members to the East are still living in the past. Therefore, Fridays start on Thursdays. What’s more, when
the less fortunate Easterners post their Friday messages, it is already The Future for the very same Westerners. Although certain grammatical problems are created by this particular form of time travel, the Westerners enjoy Easterners’ Friday postings on
Saturdays. So, to summarize, “Friday” = Thursday + Friday + Saturday. With the ever-worsening delays in Yahoo! Groups, postings
can now come two days late, or more, so therefore postings made Tuesday and Wednesday = “Friday” and postings sent “Friday”
may show up Sunday or Monday, thus all seven days of the week are now officially “Friday.”
It has subsequently been suggested that “Friday” be celebrated only on days that begin with the letter "T" including Tuesday,
Thursday, Today, Tomorrow, Thaturday and Thunday. We like Fridays on the Forum.
3.9 Announcing the CISSPforum Loyalty Scheme
Communications engineers use a metric called “signal to noise ratio” (SNR) to describe the quality of a communications mechanism or
link. The SNR, and hence the rate at which useful information is imparted, is improved by higher relative signal levels and degraded by
increased noise. SNR is also an important metric for email forums such as CISSPforum since we all have a limited communications
bandwidth - we just can’t afford to spend all day sifting through chaff to find the wheat. Life’s too short.
In recognition of this, the CUStards have, allegedly, instituted the CISSPforum Loyalty Scheme to reward forumites who move the
SNR in a positive direction. CISSPforum Loyalty Points are awarded for posts that:
Contain genuine, useful content and don’t top-post or “me too”
Are factually accurate, ideally with short URLs or references for those who want the full 8.2 metres
Are good to read - well written and clearly thought-out, preferably insightful (vaguely correct spelling and grammar earn special
bonus points, especially from those for whom English is not their mother tongue)
Are amusing (and not just on Fridays)
like a blazing oil rig (contentious is OK, nasty, sharp and viciously pointed is definitely not)
Remember, CISSPforum Loyalty Points are about SNR - the CUStards are looking for quality not volume.
As anyone who watches TV surely knows, points make prizes. Accumulated CISSPforum Loyalty Points can be exchanged for benefits such as:
Latitude to sound-off, expressing strongly-held opinions and beliefs on CISSPforum
Leeway and forgiveness in case of occasional CISSPforum indiscretions
Job offers, higher pay and tax concessions (allegedly)
A rice steamer. That only works once. And not very well at that.
Most of all, though, loyal CISSPforumites earn the respect of their peers in the profession. Respek!
The CUStards are hoping to persuade (ISC)2 to exchange CISSPforum loyalty points for CPEs. Hopefully this issue will make it on to
the agenda for the next round of (ISC)2 management board elections. Start lobbying now.
4 ZOMBIE TOPICS
4.1 What are zombie topics?
All manner of information security and other fascinating topics have been discussed on CISSPforum over the years. It is a fairly high-volume list with a large and active membership. The following topics, however, have been discussed to death, several times, yet somehow they refuse to lie down and die. Please check the archives for the full nine yards on any of these topics. The forum is not
moderated so you are welcome to raise these topics yet again (provided you have Something Important to say on the subject) but if
you do, be prepared for a somewhat less than enthusiastic response and watch out for silver bullets, pointed wooden crosses or garlic around the door.
4.2 Zombie topic: reformed hackers
Been argued, no resolution. Some hold that, like Caesar’s wife, infosec professionals must be above suspicion, whiter than white
(hats). Some hold that reformed hackers have “paid their debt to society” and have useful knowledge to contribute. The ensuing
exchange is a bit like the Pope discussing religion with an atheist.
The arguments are also trotted out when discussing whether to even appear on the same conference speakers’ platform as the likes
of Messrs. Mitnick and Abagnale. Some of us will, some of us won’t. It all depends on the height of one’s horse.
4.3 Zombie topic: security ROI (Return On Investment) or ROSI (Return On Security Investment)
This is undoubtedly an important topic but most of us are tired of seeing the same old same old. CISSPs have at various times
challenged the “R” and “I” part of ROI, and the future is not so ROSI according to some. To make things still worse, the quantitative vs. qualitative vs. hocus pocus risk analysis thread often gets intertwined with the ROI zombie, making our lives a misery for a couple
of weeks at a time.
If you have something truly novel to say on justifying security or risk management expenditure to management - a new approach, a
revolutionary investment model, a neat way to persuade management to lengthen the corporate purse strings (something like a metrics dashboard using blinkenlights maybe?) - go ahead but for your own sanity, please check that we have not already thrashed the life out of it.
4.4 Zombie topic: standards and resources
This is not really a dead topic, so much as a hint to check out the following resource collections before you make a fool of yourself
with “Hey I’ve just discovered site X, it’s cool!” or “Where can I read about topic Y?”:
General information security knowledge is stored in Anton Aylward’s infosec wiki, a collaborative project to which all CISSPs are invited to contribute
For information on the ISO/IEC 27000-series Information Security Management System standards plus links to many other information security standards, NIST Special Publications etc., visit ISO27001security.com
To meet your fellow CISSPs in Real Life, consider joining ISSA, the Information Systems Security Association. ISSA is a global community and traveling members are welcomed with open arms by overseas chapters. ISSA created (ISC)2 so many moons ago that it has almost forgotten who’s the daddy. Other ways of meeting CISSPs include volunteering to teach classes or proctor CISSP exams, pulling strings in LinkeDin or hanging out or speaking at security conferences, and specifying “CISSP essential” in infosec job vacancies.
If you come across something new (including information security pieces you wrote yourself and published on the web), by all means add them to the infosec wiki and, if you are willing to take the risk of them being savagely criticized by your peers, share the links
through the CISSPforum. You can even save them to the forum files area.
4.5 Zombie topic: cissp.txt
We are really tired of this topic. One or more of the following zombies arise from their tombs every six to twelve months to haunt us with their blood-curdling cries:
a) “There is a list of CISSPs at [someURL].cissp.txt. This is appalling!”
b) “There is a list of CISSPs at [someURL].cissp.txt and my name is not on it! What gives?”
c) “There is a list of CISSPs at [someURL].cissp.txt and my name is on it! Aaaiiieeee!”
Yes, it’s true. There is a list that appears at various places around the net, usually named cissp.txt. This contains some names and
contact information (some of which, shock horror, are still valid!) of CISSPs who had listed themselves in the public directory at ISC2.org (some people say circa 2003, others say early 2005). At one time someone lame evidently mined the public directory, possibly
for marketing purposes. Later, someone thought it would be a good joke to post the list on the web to see if they could get lots of
people upset. They appear to have succeeded. Several times around.
Oh, and a special note for posters in category (c). You have had your CISSP for a while and posted some info to the (ISC)2 public
directory, so why are you so upset? Get real.
4.6 Zombie topic: terrorism
Terrorism does have a relevance to security, of course, but please try and contribute some light to the discussion, not just more heat. Check out the archives and see what has already been said.
Those who want to blame terrorism on various religions should probably try firstname.lastname@example.org instead.
Postings advocating violence against any persons or groups are DEFINITELY way off-topic.
Those wanting to discuss terrorism in more depth than CISSPforum can stomach might try email@example.com.
4.7 Zombie topic: can I get CPEs with that?
Every so often, someone asks “Can I get CPEs for [taking a prep course for something else | listening to my iPod | watching Sneakers | doing CISA/CISM homework | etc.]?”, sometimes with the rider “I’ve checked the (ISC)2 guidance but what do you think?” ... and the forum groans.
Forum members can only give unofficial and generally unreliable advice on this point. Does the material in the [course | iPod | film | etc.] pertain to the 10 CBK domains of the CISSP certification? If the material is pertinent in one or more of the magic 10, Jack
Holleran for one would say “yes”. One hour of relevant infosec study earns you one CPE, provided it can be validated in some way.
For the definitive answer on CPEs, (re-)check the official (ISC)2 CPE guidance, download and read the official CPE guidelines or contact (ISC)2 directly. The official guidance is reasonably comprehensive and not too bad actually in terms of opportunities to earn CPEs for free. Remember also this helpful point from (ISC)2: “As a professional who follows the (ISC)2 Code of Ethics, please use your best judgment within these guidelines to select those activities which qualify for CPE credits and which will enhance your professional development.” In other words, be sensible and play nicely.
FWIW, here’s a bunch of ways of continuing your professional education and, in many cases, earning CPEs as you do:
Attend local chapter meetings and events of information security groups such as ISSA, ISACA, HTCIA, Infragard, AFCA, ASIS, various infosec SIGs, (ISC)2 etc. Better still, join the groups and actively participate. Even better, research topics, write
presentations and offer to deliver them at such meetings. Best of all, join the committee and serve on the board of directors.
Attend or at least listen to presentations, conferences, webcasts/webinars/e-symposia, Podcasts etc. by security product
vendors, infosec luminaries and other CISSPs. Actively participate where possible. Posing awkward questions is especially
recommended in the case of vendor presentations (and really ought to qualify for special bonus CPEs). Many organizations that
routinely release webcasts (such as CERT) send email notifications to their mailing lists when new ones are announced. Most webcasts, conference presentations etc. are archived and remain available for a while, which is handy if the initial broadcast
happens in a different time zone to you and thus interferes with “having a life”. It’s also a legitimate way to cut down the total
time commitment thanks to the fast forward button and skimming stuff you already know (use with care - in some cases, there
may be nothing of any substance left). Better still, research, prepare and deliver such presentations.
Read information security magazines such as Infosecurity Professional and look out for advertised events and seminars. Some mags on (ISC)2’s recommended reading list provide rather lame CPE quizzes, ostensibly to check that you have actually read
and understood the content. The quizzes are not that hard to fake but remember why you became a CISSP, and why
‘Continuing Professional Education’ is worthwhile. No matter how devious and diligent you may be, I don’t believe “Researching
and exploiting design flaws in CPE quizzes” itself qualifies for CPEs and probably fails the CISSP ethics canon.
Write articles on information security and related topics for publication in professional journals such as EDPACS, ISSA Journal, and Proceedings of the IEEE.
Read information security books and ideally write reviews of them for other prospective readers. Better still, write good infosec books.
Read and preferably comment on or otherwise contribute to infosec blogs.
Prepare and/or deliver training seminars on information security-related topics, such as CISSP, CISM and CISA revision courses, study groups etc.
Review and comment on draft information security standards, professional practice statements and the like. Please at least try to be constructive.
Write new CISSP (or CISA or CISM) questions. This is well worthwhile but much harder than it may appear. You are unlikely to
earn as many CPEs as the number of hours you actually put into researching, writing and honing your questions.
Study for further qualifications. In the case of information security-related qualifications such as CISSP concentrations or CISM
and CISA, don’t forget that CPEs earned for any one probably qualify for the others too. Honestly, it gets easier.
Volunteer to proctor CISSP (or CISA or CISM) exams. Several CISSPforum members say they signed up but never got the call so don’t bank on this one.
Volunteer to take over publishing and maintaining this FAQ. Please.
Last but not least, actively participate in CISSPforum. Share your security wisdom. Challenge the accepted order. You don’t
earn CPEs purely for participating, unfortunately, but may well do so in the course of researching and writing thoughtful forum
postings. Remember this point when getting ready to post something. While it’s easy to dash off a quick email with little if any
thought, taking a bit more time to get your thoughts in order, find, check and incorporate relevant references, and provide
something of genuine value to your peers will earn you more respect on the forum, and perhaps a few CPEs too.
The bottom line: CISSPs who are truly committed to the information security profession have absolutely no trouble earning sufficient
CPEs. If you are scratching around to find enough CPEs to clear the minimum hurdle of 120 CPEs per 3 year cycle (for CISSPs), step
back and take a look at your commitment level. Are you in the right profession? Is your personal development and career advancement really of so little concern to you? Gosh.
See also the notes on submitting CPEs, a lame topic.
4.8 Zombie topic: why are we still using Yahoo! Groups?
Every so often, someone asks indignantly why we are still using Yahoo! Groups because it is plainly horrible and there are many much
better alternatives Out There. If you check back through the archives you will see numerous and expansive discussions of alternatives. This issue has been discussed ad nauseam, with the consensus being that there are distinct benefits to this forum being maintained on a non-(ISC)2 system.
(ISC)2 has tried alternatives in the past and even got as far as announcing the imminent closure of the Yahoo! Groups forum in January 2005 “within 3 months” but all previous attempts fizzled out without seeing the light of day.
Of course we could declare independence and hoist the flag on our own breakaway CISSPforum ... except for two little caveats:
(ISC)2 owns and for good reason jealously guards the CISSP trademark to prevent confusion with other - lesser - products.
This means we probably could not use “CISSP” in the name or web pages promoting the breakaway forum.
Only the all-seeing (ISC)2 knows who is currently certified so, unless we simply trust everyone who applied to join the
breakaway forum (and trust doesn’t come easily to paranoid security types like us), we have no way to limit the membership to
CISSPs. There is of course a plethora of non-CISSP information security forums already in existence and we would simply be adding to Web entropy.
Now if only someone could persuade (ISC)2 to issue digital certificates to CISSP holders, certificates that could be validated by anyone, then we’d all be deliriously happy and the world would be a nicer place. Job candidates could prove their CISSPness. Forum
moderators could check the CISSPness of applicants. Global warming (allegedly) would reverse (or not). Unfortunately, since (ISC)2 evidently finds it difficult even to structure its own website, there’s about as much chance of this happening as <insert your choice of something really not very likely at all>.
4.9 Zombie topic: how should we word our email disclaimers and/or system banners?
When someone asks our opinion on how best to word a standardized email disclaimer or website/FTP/telnet “login banner” or similar,
there inevitably follows a tussle between the “We don’t need no steenkin’ banners” brigade, the “Ask your lawyers” camp and those
who start with “Here’s ours”. The arguments generally boil down to these salient points:
Some claim that disclaimers and banners are not worth the electrons they are written in because they have no legal standing. They argue that it is not possible for the sender to enforce legal or contractual conditions imposed unilaterally on the recipient in this manner. The pseudo-legal language so often used (“This message may or may not contain legally privileged information ...”) typically makes things worse by being so vague as to be totally ambiguous and laughable in court. The argument is supported by sites such as this. Arguers of this persuasion typically point out that the welcome mat outside your front door is not an invitation to breaking-and-entering.
Lawyers appear somewhat divided on the value of banners and disclaimers. There are some cases in some appear to support their use, and others which apparently don’t. All lawyers, however, are universally agreed that clients should seek their highly-paid professional advice on matters of this nature.
If one accepts that there may be some value in them, and the costs are negligible (aside from those arising from the previous
point), then we’re back where we started: what is the “best” way to word them?
Way back in 1992, a CERT advisory (quoted on RISKS-List) advised the use of something like this for a banner:
This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of
their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.
In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored.
Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.
CERT further noted that “each site using this suggested banner should tailor it to their precise needs. Any questions should be directed
to your organization’s legal counsel.” The fact that this issue was discussed well over a decade ago surely qualifies this thread for zombie status.
According to the security compliance tool Secutor Prime, the US Gummt's Security Content Automation Protocol (SCAP)
recommends the following:
This computer system is for official use only. This computer system, including all related equipment, networks and network
devices (specifically including Internet access), are provided only for authorized use. This computer system may be monitored
for all lawful purposes, including to ensure that its use is authorized, for management of the system, to facilitate protection
against unauthorized access, and to verify security procedures, survivability and operational security. Monitoring includes
authorized active attacks to test or verify the security of the system. During monitoring, information may be examined,
recorded, copied and used for authorized purposes. All information, including personal information, placed on or sent over this
system may be monitored. Use of this computer system, authorized or unauthorized, constitutes consent to monitoring of this
system. Unauthorized use may subject you to criminal prosecution. Evidence of unauthorized use collected during monitoring
may be used for administrative, criminal or adverse action. Use of this system constitutes consent to monitoring for these purposes.
The US Gummt, having assigned a crack team of top-notch disclaimer experts to the job, came up with a universal disclaimer for all USG systems but then, allegedly, pulled it prior to implementation for as-yet unstated reasons. Perhaps someone read this FAQ and
noted the above? Anyway, watch this space for the next thrilling episode. Chickens at eleven.
Meanwhile, if you find creating a single, succinct general purpose banner/disclaimer too difficult or if you laugh at the very idea of a universal disclaimer, you may prefer a selection, a soupçon, a veritable smorgasbord of different banner/disclaimers:
One for your website with a privacy statement/policy plus terms and conditions of use, especially for eCommerce sites (e.g. at what point is a sales transaction considered final and binding? What if there are genuine errors or omissions in the prices, descriptions etc.?).
One for internal network domains, displayed to employees before they logon, warning against unauthorized use and that use is
logged (and perhaps displaying security awareness messages or further dire warnings after they logon).
One for network devices (routers, switches, application servers etc.), warning that all use which is not specifically authorized by
the organization is considered unauthorized (circular though that is) and that use is routinely monitored (is it?! Golly! Well done!).
One for emails mentioning that the sender does not represent the organization and is not authorized to enter into contractual commitments on behalf of the organization (or whatever).
If you are still searching for The Answer, Attrition offers a characteristically entertaining disclaimer. The Commonwealth of PA says
“Login banners provide a definitive warning that network intrusion is illegal and also to advise authorized users of their obligations
relating to acceptable use of the network.” They go on to suggest the following examples:
This is an actively monitored system. Unauthorized access is prohibited.
WARNING! THIS SYSTEM CONTAINS GOVERNMENT DATA. UNAUTHORIZED ACCESS IS PROHIBITED. Use of this system
constitutes CONSENT TO MONITORING AT ALL TIMES and no expectation of privacy exists.
Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored.
THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM. Unauthorized access is prohibited. System personnel may give to law enforcement officials any potential evidence of crime found on this system. USE OF THIS SYSTEM BY ANY USER, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES EXPRESS CONSENT TO MONITORING, INTERCEPTION, RECORDING, READING, COPYING, or CAPTURING and DISCLOSURE of use. IF YOU DO NOT CONSENT, LOG OFF NOW.
Space aliens will eat your head. P*SS OFF AND DIE EVIL HAX0R5!
(Possibly, one of the above is a spoof. I’m not saying which, if any, it is.)
Google of course lists many more resources for ‘legal login banner’. There is even an FAQ entirely devoted to the subject of email disclaimers. You can probably get a certificate in it too, complete with CPEs.
Don’t forget to ask a tame lawyer. This is not legal advice. The heretofore abovementioned information under sections one (1)
through seven (7) subsection seven (7) may, or may not, be illegal, allegedly and is totally and utterly DISCLAIMED.
4.10 Zombie topic: “We’ve been hacked - what do I do?”
Luckily this zombie is not as frequent a visitor to the forum as some of the others but we do occasionally get someone hitting the big
red panic button and emailing in, all red-faced, sweaty-browed and hair growing visibly more grey by the minute. A typical question
might be “I’ve just had a call from the Help Desk. They have taken a call from a user in the business who says his PC is acting
strangely. The network boys and girls tell me there is loads of traffic on the user’s LAN segment and it looks as if the machine is
spewing out spam like it’s going out of fashion. HELP! What do I do?”.
The responses usually wander into various aspects such as which are the best forensics tools to analyze the system, how to analyze
the live system before shutting it down, and why it is so important to brew up an incident management process BEFORE not DURING
an incident, but the best immediate response to date on this sort of query is: “If you believe the system is compromised, and you
don’t have the tools and skills to perform live (or any) forensic analysis, pull the network cable and get an expert. Don’t switch it
off. Don’t even run a directory listing.”
If you are the expert, and you’re already on site and ready to go, IT forensics grab-bag in hand, things are different, obviously.
5 FORUM MEMBERSHIP OPERATIONS & SETTINGS
5.1 How do I subscribe to CISSPforum?
First, get the easy bit out of the way: get yourself certified as a CISSP or SSCP by (ISC)2. The forum is allegedly for the certified
only - or at least we thought so: according to some, you may be admitted if you merely apply for the qualifications and consider
yourself certifiable. (ISC)2 owns the group and can do what they jolly well like.
Go to Yahoo! and create yourself a profile if you don’t already have one. Use the email account you will want to use on the CISSPforum. (This step is not strictly necessary, but comes in handy at times later on, and is easy to do while waiting for glacially slow results from (ISC)2. This step doesn’t even have to be done first, either, hence the reason it is conveniently
Visit the (ISC)2 website and request an account there if you haven’t already got one. An account on the (ISC)2 website will let you access the private CISSP area on the site. You’ll need it anyway to submit your CPE credits online to maintain your certification. It’s also handy for getting onto the jobs board there which is notable for its lack of results but why not give it a try, eh? Warning has won the World’s Least Intuitive Website Interface Award for at least four years running.)
When you have your (ISC)2 account, log in to the (ISC)2 website using your CISSP number/exam candidate number as your login ID and your secret password.
Browse around fruitlessly until you eventually stumble across the link for (ISC)2 forums ... or just click here. REMEMBER THIS PAGE AND HOW YOU GOT TO IT! YOU WILL NEED IT TO UNSUBSCRIBE, IF YOU WANT TO. TWEET IT! BOOKMARK IT! WRITE IT ON A POST-IT NOTE NEXT TO YOUR PASSWORD! TELL YOUR FRIENDS ABOUT IT!
Starting part way down the page are a bunch of forum sign-up forms, one of which casually mentions CISSP Forum. Fill out the
form using the email account that you want/you used in creating the Yahoo profile. Make sure that you choose the correct
CISSP Forum, currently listed as “Yahoo!Groups” since (ISC)2 has been experimenting with alternatives since 2004 (!).
Wait a few hours. Wait a few days. Wait a week or two longer. Eventually you will either get an invite or start getting email from CISSPforum.
After lurking and watching for a while, please send us a nice ‘hello’ message, ideally with something interesting about you, your job, your interests, your favorite security standards, almost anything really. Tell us what you thought of the CISSP examination maybe. Say how you found out about the CISSPforum (was it through this FAQ?). Once you have successfully posted to the CISSPforum, you will be able to search the archive. If you never post, you won’t.
If you get stuck, you might contact Wilf Camilleri or Blaise Kengoum using firstname.lastname@example.org but try to find and complete the (ISC)2 forum sign-up form first. You could always ask a fellow CISSP for help or ask them to post your question on CISSPforum. Good coffee or alcohol usually helps.
5.2 How do I join CISSPforum if I’m not yet a CISSP?
Easy: get yourself a coffee, turn off your phone and spend a merry hour or two absorbing the solid information and advice in an excellent Flash tutorial from ardent CISSPforum member and security evangelist Clement Dupuis. Become a CISSP or SSCP and you
will be welcome, if not compelled, to join the CISSPforum.
For fans of the UK comedy series, Little Britain, yes, CISSPforum is a local forum for local people.
Alternatively, try appealing to (ISC)2.
5.3 Since this is “CISSP Forum”, that means that all participants have their CISSP, right?
Kind of. Lapsed CISSPies have been known to hang around like a bad smell long after their certifications have expired. (ISC)2 also allows wet-behind-the-ears candidates to become members so long as they are exam candidates, thus the members of this forum may or may not have anything to do with the CISSP certification. (ISC)2 claims to have it all under control but whether you trust them depends on your paranoia quotient. Regardless, you can usually tell the actual CISSPies and especially the CUStards by how cranky they are, but not always: some remain stealthy.
5.4 Can I access the forum and files on Yahoo!?
Errrr. When you sign up for CISSPforum at the (ISC)2 site, you are subscribed to the mailing list. You can’t access the forum with
any method other than email until you either create a new Yahoo! Groups ID or associate an existing Yahoo! Groups ID with the
CISSPforum. Here are explicit instructions for both options:
a) Create a new Yahoo! Groups ID (if you don’t already have one):
Go to Yahoo! and click the blue “Register” link on the left or right hand side near the top. In alternate email address, enter the
address that is currently receiving the CISSPforum. If you fake the demographic information on this page, it will come back and
bite you when you need to recover the password you forgot. Be sure to clear the “send me special offers ...” checkbox unless
you really want to fill your inbox and make sure your birthdate makes you at least 18 or Yahoo! will ask for your mommy or daddy ;-)
Once you have registered, be sure to set your “marketing preferences” which Yahoo! will promptly honor within a week (says so on the screen).
b) Add CISSPforum to your existing Yahoo! Groups:
Log in to Yahoo! Groups
then click “My Groups” in the upper right hand portion of the page.
Click ‘Edit my groups’
Link your login ID to the CISSPforum by searching for groups with your email address on their list.
5.5 Why is the forum so lame that it makes me want to spew/leave?
Create your own space
Meaningful content only
Comes to those who post.
Silence calls silence
Lurkers don't disturb quiet
Sleep beckons as well.
The posts are boring?
Raise topic of interest
Thread starter lauded.
Forum like sewer:
What you get out of forum
Depends on input.
Is much better than being
Tagged as complainer.
These are your colleagues.
Why are you so much better
That they must start first?
The forum that is
Is not what must always be.
Build a better world.
5.6 How do I temporarily stop getting email from the forum or change to digest mode?
Well done to you if you thought of this before shooting off on that extended vacation or business trip. Please read the next answer also.
First, you must have a Yahoo! ID and password and that account must be associated with this list. See above for how to do this.
Once logged in click on ‘My Groups’, find the link for the group ‘cisspforum’ and click on it.
Then click on ‘Edit My Membership’ near the upper right part of the page. You will see a list of options.
DO NOT UNSUBSCRIBE FROM THE GROUP! It’s a pain to have to sign up again later. Rather, look for the section ‘Message
Delivery’. In this section select ‘No Email’ and click on the ‘Save Changes’ button at the bottom of the page.
To start receiving email again, get back to the options page but select ‘Individual emails’ instead. Don’t forget to click on the
‘Save Changes’ button.
5.7 How do I set up my Out-Of-Office message so I don’t spam the whole forum?
Do not turn on “reply-to-messages-not-sent-directly-to-me” or “reply-to-all”. Your best bet is to read the manual for your email
system or call your IT Help/Service Desk.
The opinions of your fellow CISSPs in regard to those who fail to take appropriate actions on this score can be found in cissp-ooo-email@example.com and firstname.lastname@example.org. Basically, it is assumed that CISSPforum members should have
more than just a vague clue about how to make the technology work properly without gratuitously annoying thousands of their peers. In addition, remember that the group is composed of security
professionals who should be aware that randomly announcing their absence from the office is an open invitation to mischief and social engineering (not from forum members, of course, oh no. We are
all certified professionals who vehemently uphold the fine ethical principles of CISSPdom. I’m talking about other, lesser recipients of
your OOO message, including any lucky spammers who succeed in breaching your wonderful anti-spam defenses). The good
humored ribbing you will inevitably receive through the forum is the least of your worries. If this tip is the one thing you learn from this FAQ, we consider it to be a roaring success.
5.8 How do I change the email address with which I subscribed to CISSPforum?
The following process has been found to be generally reliable:
Go to Yahoo! and create yourself a Yahoo! profile if you don’t already have one.
On the “Manage My Groups” -> “My Email Preferences” page, associate the currently-subscribed email account with the Yahoo! account. Confirm it.
On the “Manage My Groups” -> “My Email Preferences” page, associate your new email account with the Yahoo! account. Confirm it.
On the “Manage My Groups” -> “Edit My Groups” page select from the “Email Address” drop-down the email address which you
wish each Yahoo! Groups list you’re on to use.
If desired, you can then delete the old email account.
CISSPforumite Benjamin Tomhave says “I’ve used this method a few times over the years to alter email delivery preferences,
particularly when spam gets to be too much of a problem.”
5.9 How do I unsubscribe?
CISSPforum is a lifelong commitment. Unsubscription is not an option: once you’re in you’re in. You can check out any time you like,
but you can never leave.
First, do not unsubscribe using the Yahoo! Groups subscription maintenance features for fear of rending asunder the very fabric of the
known universe. To subscribe and unsubscribe, always use the (ISC)2 website. Log in from the main page with your User ID and
password. The same page you used to subscribe is the one you use to unsubscribe (it’s a different form, lower down the page).
(Told you you’d need it) (Bet you wished you’d saved it to your favorites now, huh?)
More vituperative, if less helpful, suggestions can be found in email@example.com
If you are absolutely desperate to leave CISSPforum, there are still further alternatives:
Follow the instructions towards the bottom of every CISSPforum email (you know, that big load of nonsense you always skim), where you will find “To UNSUBSCRIBE, visit the CISSP Services Page, https://www.isc2.org/cgi-bin/cissp_forum.cgi Do not send unsubscribe messages to the CISSP Forum!”.
Send unsubscribe messages to the CISSPforum, several if you like. Be rude back when forum members complain. If you are outrageously obnoxious, you will be unceremoniously booted off the forum although if you take this too far there’s a distinct chance you may end up in court and/or be de-certified on ethical grounds.
Configure a spam rule in your email software to route every message with [cisspforum] in the subject line to the bit-bucket.
Sign in to Yahoo! Groups, access the CISSPforum list settings page and set it to ‘no email’. This won’t actually unsubscribe you but will stop the pain.
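Two of the tips above are really the same email-hygiene rule seen from both ends: 5.7 says an out-of-office responder must never answer mailing-list traffic, and 5.9 suggests filing anything tagged [cisspforum] straight to the bit-bucket. The following is an added example, not code from the FAQ, from Yahoo! Groups or from (ISC)2, of how a filter makes those decisions. It follows the published conventions a well-behaved auto-responder is expected to honour (the Auto-Submitted header of RFC 3834, Precedence: bulk/list, the List-* headers of RFC 2369/2919, and the empty Return-Path of a bounce). The addresses, the sample messages and the exact subject tag are constructed for illustration.

```python
"""Out-of-office and list-mail filtering logic (added example, not the FAQ's code).

should_auto_reply() answers the 5.7 question: is it safe to send an automatic
reply to this message?  route_message() answers the 5.9 one: where should the
message be filed?  All sample data below is constructed.
"""
from email import message_from_string
from email.message import Message

MY_ADDRESSES = {"alice@example.org"}            # assumed: the vacationing user's address(es)
LIST_SUBJECT_TAGS = ("[cisspforum]",)            # assumed: subject tag the list prepends
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")   # RFC 2369/2919


def has_list_tag(msg: Message) -> bool:
    """True if the subject carries one of the configured list tags."""
    subject = (msg.get("Subject") or "").lower()
    return any(tag.lower() in subject for tag in LIST_SUBJECT_TAGS)


def is_list_or_automated(msg: Message) -> bool:
    """True if replying would hit a list, a robot or a bounce address."""
    # RFC 3834: anything other than "no" means the mail was machine-generated.
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return True
    # Classic list/bulk marker used by most list managers.
    if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk"):
        return True
    if any(h in msg for h in LIST_HEADERS):
        return True
    # Bounces travel with an empty envelope sender; replying creates mail loops.
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    return has_list_tag(msg)


def addressed_to_me(msg: Message) -> bool:
    """Only reply to mail that names one of my addresses in To: or Cc:."""
    recipients = ", ".join(msg.get_all("To", []) + msg.get_all("Cc", [])).lower()
    return any(addr in recipients for addr in MY_ADDRESSES)


def should_auto_reply(raw: str) -> bool:
    """Decision for the out-of-office responder (section 5.7)."""
    msg = message_from_string(raw)
    return addressed_to_me(msg) and not is_list_or_automated(msg)


def route_message(raw: str) -> str:
    """Folder decision: the 5.9 bit-bucket rule first, then generic list filing."""
    msg = message_from_string(raw)
    if has_list_tag(msg):
        return "Trash"
    if any(h in msg for h in LIST_HEADERS):
        return "Lists"
    return "Inbox"


# Constructed sample messages.
LIST_MAIL = """\
From: bob@example.com
To: cisspforum@example.org
Subject: [cisspforum] Yet another banner question
List-Id: <cisspforum.example.org>
Precedence: list

Has anyone got a good login banner?
"""

OTHER_LIST_MAIL = """\
From: dave@example.com
To: alice@example.org
Subject: Meeting minutes
List-Id: <staff.example.org>

Minutes attached.
"""

DIRECT_MAIL = """\
From: carol@example.com
To: alice@example.org
Subject: Lunch next week?

Are you around on Tuesday?
"""

BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@example.org
To: alice@example.org
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied

The message could not be delivered.
"""

if __name__ == "__main__":
    for name, raw in (("list", LIST_MAIL), ("other list", OTHER_LIST_MAIL),
                      ("direct", DIRECT_MAIL), ("bounce", BOUNCE)):
        print(f"{name:10s} reply={should_auto_reply(raw)!s:5s} folder={route_message(raw)}")
```

The order of checks matters: the header-based tests come first because a subject tag can be stripped or reworded by a reply, whereas List-Id and Auto-Submitted survive. Note that addressed_to_me deliberately ignores Bcc, so mail that reached you only through a list expansion or a blind copy gets no auto-reply either.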
5.10 How do I join LinkeDin for CISSPs?
Both CISSPforum and LinkeDin are business-related social networking services, allowing you to leverage your professional network to
gain access to a broader range of professional colleagues and their contacts. They are both good for staying in touch or getting back in touch with long lost colleagues.
The CISSP group on LinkeDin is simply a subset of LinkeDin members, all of whom are CISSPs and have been verified as such by (ISC)2.
Sign-in to the (ISC)2 website, opt-in to the LinkeDin group under the communication preference tab on your profile, request to join
the CISSP group on LinkeDin ... and wait patiently.
LinkeDin allows you to have different email addresses associated with your profile. Ensure your (ISC)2 primary email address is one of those associated and confirmed with your LinkedIn profile. Your (ISC)2 primary email does not need to be your primary LinkedIn email address, but must be associated with it.
Go to ‘My Profile’ then ‘My Contact Preferences’.
Under the section headed “LinkedIn for CISSPs”, select the ‘Yes’ option, then at the bottom of the page click the SAVE button.
Request to join the CISSP LinkeDin Group on LinkeDin if you have not done so already, using this link
If you are ‘declined’ from the group and have faithfully followed all the steps shown here, email your information to linkedin@isc2
including the magic word ‘declined’ in the message subject.
Please DO NOT post LinkeDin validation messages, requests or complaints to CISSPforum
Woe unto thee shouldst thou attempt to join, or disjoin, LinkeDin by posting a message to the CISSPforum. The CUStards
shall smite thee on thy left shift key, and on thy right. Newbies shall rise up and call thee accursed. Thy name shall be a
hissing and a byword, as in the name of Him Who Cannot Be Spelt. Thou shalt be reviled as if thou hast set thy Out-of-Office reply and it had been seen by Axel. Thou shalt join those cast into the outer darkness of cissp-clueless@egroups.com and firstname.lastname@example.org, and if this is done in error thou shalt only get a membership in email@example.com.
Having the CISSP logo on your LinkeDin profile confers no special mojo or magic and will not guarantee your fame and fortune.
Joining the group is NOT like winning the lottery. It will not revolutionize your job searching or make you a better person. To be perfectly frank, active participation
in the CISSPforum is likely to be far more beneficial to your career prospects than joining the LinkeDin group but, for whatever reason, there is no end in sight to the long line of LinkeDin lemmings.
PS Before you are overwhelmed with the burning desire to share every last detail of your career and private life with the world via
LinkeDin, or indeed any other social networking sites, read this brief warning about the risks and if that wakes you up, read this longer one too. Remember your CISSP training. Do not run with scissors.
6 (ISC)2 STUFF
6.1 How do I receive regular communication from (ISC)2?
Method 1: subscribe to the (ISC)2 newsletter. To do this, simply sign into the (ISC)2 website, then click on “Subscribe to (ISC)2
newsletter.” You will be taken to a bcentral.com partner site where you must provide your email address, name, city, state, country
and company name, or at least you need to supply entries that satisfy the data entry validation routines. You may also disclose your
interests (very short list) and certifications (also a short list). Within a few minutes you will receive a confirmation message welcoming you to the (ISC)2 newsletter mailing list, or not if you did not supply a valid email address.
Method 2: receive (ISC)2’s Infosecurity Professional magazine
either as a free electronic softcopy by email or in print if you pay the postage and packing charge and don’t mind slaying trees. The magazine is just one of many benefits for “members” of (ISC)2.
The first edition was released in April 2008 - search the CISSPforum archives for informed comment on the content.
6.2 How do I submit CPEs?
Read the (ISC)2 instructions which contain lots of detail plus a helpful link to the submission form.
Most questions about CPEs on the forum are lame since the (ISC)2 guidance generally answers them all.
6.3 How many CPEs can I get for that?
The CISSPforum is just a bunch of guys and gals, you know. We are not (ISC)2.
We don’t award CPEs.
Most of us really don’t care much about CPEs because we are active infosec professionals who are awash with CPEs as a result of lots
of reading, research, webinars, conferences, training courses and stuff. We don need no steenkin CPEs. Several of us teach, present
to or write stuff for other CISSPs and CISSPwannabies to consume and claim their CPEs.
If you need to find out precisely how many CPEs to claim for something, and what Type they are, just ask (ISC)2 not us. If you insist on asking us, expect a flatulent response. You could try setting up one of those web survey things and inviting us to vote. Just make sure you include the option “322 Type C’s”.
6.4 Where do I find anything on ISC2.ORG?
Good question! Some have speculated that when the late Douglas Adams wrote the Hitchhikers Guide To The Galaxy, he was
thinking of the (ISC)2 website ...
Mr Prosser said: "You were quite entitled to make any suggestions or protests at the appropriate time you know."
"Appropriate time?" hooted Arthur. "Appropriate time? The first I knew about it was when a workman arrived at my home
yesterday. I asked him if he'd come to clean the windows and he said no he'd come to demolish the house. He didn't tell
me straight away of course. Oh no. First he wiped a couple of windows and charged me a fiver. Then he told me."
"But Mr Dent, the plans have been available in the local planning office for the last nine months."
"Oh yes, well as soon as I heard I went straight round to see them, yesterday afternoon. You hadn't exactly gone out of
your way to call attention to them had you? I mean like actually telling anybody or anything."
"But the plans were on display ..."
"On display? I eventually had to go down to the cellar to find them."
"That's the display department."
"With a torch."
"Ah, well the lights had probably gone."
"So had the stairs."
"But look, you found the notice didn't you?"
"Yes," said Arthur, "yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory
with a sign on the door saying Beware of the Leopard."
We’re still looking for the “Beware of the Leopard” sign at the (ISC)2 website. If you find it, please post a message to CISSPforum
and we’ll call off the hunt. Meanwhile try Google.
6.5 What do I get for my AMFs (Annual Mugging Fees)?
Quite often the discussion about which activities do or do not qualify for CPEs and/or how difficult it is to find information on the (ISC)2 website ends up with someone asking “What does (ISC)2 do for us anyway?”. This is not unlike Monty Python’s “What have the
Romans done for us?” in the Life of Brian.
Even (ISC)2 accepts that it’s perfectly reasonable for CISSPs and SSCPs to ask “Do we get value for money for our Annual
Maintenance Fees (AMFs)?”. (ISC)2’s official response mentions obvious member benefits such as security webinars and the career center, and talks about the wider benefits through various marketing efforts to promote the security profession in general and, by
implication at least, CISSP and SSCP holders in particular. It’s unfortunate that they neglected to mention the biggest benefit of all, CISSPforum, though!
The bottom line is a personal value decision: will the benefits to you of CISSP/SSCP qualification exceed the AMFs? If you are working
for an employer who requires security qualifications, the answer should be obvious, especially if you are privileged enough to reclaim
your AMFs and associated training/educational costs as legitimate business expenses. Likewise if you are searching for a new position
and your qualifications will earn you a higher salary or land you a better job with a more enlightened employer/manager (not so obvious a benefit maybe but, believe me, job satisfaction is worth a lot).
Finally, there is the Zen perspective. Will the effort to achieve and maintain your qualification make you a better person? Will it satisfy
your inner drive to be good at information security? Do you value being part of the global professional infosec community? Do you maintain motorcycles?
7.1 What is the 11th domain?
The 11th CBK domain is an obscure reference to any topic that the membership of the forum currently considers clueless whether off-topic, misguided or just plain lame. It includes the old favorites “Out-Of-Office”, “Unsubscribe” and “Could have found it on Google in 2 µs.” Occasionally, it is a genuine proposal to extend the CBK to cover additional domains such as ‘human factors’ but such proposals seldom get anywhere due to conservatism, inertia and apathy, a killer combination.
7.2 What other CISSP-related mailing forums are there?
Please note that none of the following are official, (ISC)2 sponsored or endorsed mailing lists:
There is an inactive, archived group at http://groups.yahoo.com/group/cissp/
Regional/area CISSP study groups include:
* SOME MAILING LISTS EVIDENTLY OPERATE IN COUNTRIES WHERE EITHER LOWER CASE IS TAXED OR SHOUTING IS SOCIALLY ACCEPTABLE
Some might be a little questionable:
The former groups are all deadly serious but the remainder are just for fun. In particular, note that none of these last are in any way sponsored or endorsed by (ISC)2. Their very existence would probably be denied by (ISC)2:
7.3 Who are the Usual Suspects?
Never mind life, the universe, everything. Who or what are the Usual Suspects? That’s the Ultimate Question. The designation “Usual
Suspects” arose in the dim and distant past from an accidental mis-posting to the CISSPforum of a private message from an (ISC)2
staffer to another regarding certain outspoken and unnamed CISSPforum members. The comment is alleged to have spawned a
sinister (or is it dextral?) secret society within the inner sanctum of CISSPforum, the Certified Usual Suspects (CUS), also known as
the CUStards. Even the CUStards do not know precisely who the CUStards are nor what they have done to deserve the dubious
distinction beyond being “outspoken” but rumors abound of special handshakes and blackballing, weird initiation ceremonies involving
sushi and/or poutine, an unwritten but staunchly upheld code of honor, and a predilection for emitting well-aged bodily gases. There is
no known method to join the CUStards, nor indeed to leave, although most members tend not to contribute quite as much volume post-mortem, though just as much value.
7.4 Who is responsible for this unofficial FAQ?
The mug editor/maintainer of this FAQ is, allegedly: Gary Hinson Gary@isect.com
By all means chuck rotten eggs at me but be warned: the more you throw, the greater the chances you’ll be “invited” (cosa nostra style) to become the new FAQ editor/maintainer ...
7.5 Can I submit new questions and answers or corrections to the FAQ?
Absolutely! Send them directly to the current editor (write each one on a $10 bill for the special express service) or better still post
them to the CISSPforum for general discussion. All potential submissions are gratefully received. The best bits will be shamelessly plagiarized. Alternatively, you can edit Anton’s wiki version directly yourself. Have a go: it’s an information security geek’s version of
Having a Good Time.
7.6 FAQ Credits
Thanks to the following for their invaluable contributions to this FAQ: Chris Brown, the late lamented Laurie McQuillan, John McGuire,
Matt Curtin, Jack “Hollerin” Holleran, Rob “Grandpa” Slade, Pat “Spring Bunny” McGregor, Anton “Cats in Context” Aylward, Les
“G’day Jimmy” Bell, Karen “Stop”ford (head of the No Department), D. “Cragin” Shelton, Mim The Merciless (slayer of the humor impaired), and Gary “Passionate” Hinson. Other members of CISSPforum and CUStards have contributed to the FAQ either through
insightful postings to the forum or by pestering the editors privately (i.e. in a private place).
I’d like to thank my producer, the director and of course the venerable Consortium without which this FAQ would not have been
7.7 What’s new here?
August 2012: wasted another hour of my miserable existence purging broken URLs. Naturally I have left a few for next time.
That really gives me something to look forward to. It wouldn’t be so bad if it weren’t for this pain in the diodes down my left side.
: after a mysterious year-long lull in proceedings, the FAQ was updated by answering How do I get people to respond to my queries? Thanks to Cragin for pointing out the gem of an FAQ on asking questions the smart way.
: seems ejecting the troll wasn’t enough for some esteemed members who don’t contribute to the discussions but simply complain about them and ‘threaten’ to leave. Go ahead, make my day (haiku contributed by Rob Slade).
January 2011: although (ISC)2 hasn’t actually confirmed this, they also haven’t denied that an annoyingly persistent and persistently annoying troll has finally been ejected from CISSPforum. 6,199 members rejoice! We hope the return to normal professional discourse and friendly banter, mostly on information security matters, will once again make CISSPforum by far the coolest place for CISSPs to hang out.
August 2010: added a cute ASCII art “Don’t Feed the Troll” sign. Feel free to add it to your email sigs, but don’t bother sending them to the CISSPforum as Yahoo! unilaterally and silently removes the ‘extra’ spaces that make it work as a picture.
January 2010: referred, again, to lame questions about how many CPEs one can earn. 6,200 members can’t all be wrong, surely?
September 2009: quoted (ISC)2’s description of CISSPforum. Noted that some members speak in tongues. Quoted some gratuitous Python. We’re up to 6,200 members!
: added a new definition of Friday (thanks Mim the Merciless).
: it seems not all members of the Forum are CISSP or SSCP qualified. Some are only thinking about it. “We used to dream of joining CISSPforum ...” Thanks to Walt, added a new Q&A. Mentioned sending troll-messages to WOM. Added a graph of the message volume, which does sometimes go to eleven.
: added advice on dealing with trolls
: explained the free health benefits associated with membership of CISSPforum (thank you Dr Richard).
: secretly rearranged a few of the words in the covert section on forum privacy (or rather the lack thereof).
: spent a merry hour patiently reminding NetObjects Fusion, yet again, where its internal links should go (you’d think it would know, but oh no, not NoF, that would be too easy, too customer-friendly) and exorcising dead external links. Added a note about posting long URLs. Corrected an entire IBM Golfball of typos (thanks Graciela).
LINKEDIN FOR CISSPs VALIDATION IS SUSPENDED UNTIL FURTHER NOTICE
: noted (ISC)2’s new Infosecurity Professional rag, due out in April. Oooh, can’t wait. Increased page width to make better use of that lovely LCD screen real-estate in which most of our employers have invested, with our apologies to any pixel-challenged visitors (please complain to 127.0.0.1). Fixed a bunch of broken links (NetObjects Fusion must be going senile since it forgets, ah, what it was, um ...). Announced the CISSPforum Loyalty Scheme.
: further explained the nature of Friday postings
: added a suggestion to link to your LinkeDin profile when posting a “me too” message to the forum (thanks Andrew) and a link to a paper on LinkeDin risks posted to the forum by someone who evidently listened when we asked CISSP LinkeDin wannabes to post something interesting (thanks Michael).
: Lee Imrey says applications to join the CISSP LinkeDin group are taking 4-6 weeks to process, largely because people don’t follow the proper procedures (tut tut).
: added more content on the disclaimer/banner zombie. Removed reference to Javed’s zSquad archives: Yahoo! Groups search is OK now and Javed’s server has popped a fuse due to the number of people hunting zombies.
: added the section for CISSPwannabes referring to Clement’s CISSP tutorial.
: Gary took up the editorial cudgel in October 2006, beating Rob’s rather quaint plain ASCII text version into a modern, sleek-looking HTML web page with go-faster stripes, giving us the luxury of actual headings, working hyperlinks and most of all, readability. If you think you might prefer the original, it’s stored for all posteriors on the CISSPforum files area on Yahoo! Groups, where it is available to current members of the CISSPforum ... which hints at the real reason this FAQ was published as a public web page: the instructions for how to sign up for the CISSPforum used to be available only to current members of CISSPforum. Doh! That’s a bit like printing the “pull cord before passing 1,000 foot altitude” inside the parachute. Shades of Catch-22.
: Rob Slade copied a ton of Chris’s stuff, modified the rest so that it made less sense and did a fabulous job of injecting the odd ray of humor. He skillfully incorporated new stuff from CISSPforum including contributions from Laurie, John, Gary, Anton, Axel and Matt. In parallel, Anton set up the wiki version.
2003-2004: The original editor of this FAQ was Chris Brown, who has mysteriously vanished into the ether, if not the net. Before he left us, Chris freely admitted that much of the content was outrageously stolen from posts to CISSPforum. The FAQ was uploaded to the CISSPforum files area in October 2003 and updated a couple of times before Chris evidently gave it up as a dead loss and went back to Real Life. We remain eternally grateful, Chris (that you started this, not that you went away).
The end of the unofficial CISSPforum FAQ is nigh.
That’s it, there is no more.
Just a horizontal line (yes, yet another rule!),
and a link back to the top for those poor unfortunates
lacking page-up keys, vertical sliders and wheely mice.