The Unofficial CISSPforum FAQ

Unofficial Answers to Frequently Avoided Questions
about the CISSPforum, unofficially

 

a.k.a.  The Big Dummy’s Guide to CISSPforum

 

a.k.a. The CISSPforum Policy Manual

 

FAQ originated by Chris Brown, heavily edited by Rob Slade and Gary Hinson
with numerous contributions from generous and sometimes unwitting
CISSPforum members and, allegedly, the Usual Suspects

 

Latest update one idle Friday in August 2013

 

Please use the following URL to link to or reference this FAQ:

http://www.noticebored.com/html/cisspforumfaq.html

 


Contents

1 INTRODUCTION
2 BASIC FORUM USE
3 FORUM CONTENT
4 ZOMBIE TOPICS
5 FORUM MEMBERSHIP OPERATIONS AND SETTINGS
6 (ISC)² STUFF
7 MISCELLANY


1 INTRODUCTION

1.1 What is the point [of this FAQ]?

We’re not sure really.  Does it need a point?  How sharp must it be?

This document is the unofficial FAQ (Frequently Asked/Avoided Questions) for users of the CISSPforum mailing list run by (ISC)² for all CISSPs and SSCPs (at least).  It is a collection of answers to questions that mostly are or have been repeatedly asked in the forum and (arguably) important information related to appropriate and inappropriate use of the forum.

This FAQ inhabits a lesser-known quiet cul-de-sac just off the information superhighway, a side-turning from the roundabout behind the noisy industrial estate known as:  http://www.noticebored.com/html/cisspforumfaq.html 

We’d ask you to bookmark the URL for future reference and share it with your fellow CISSPs and SSCPs but we know that’s a waste of good bytes.  Google has heard of it anyway.  Thank Google for that!

If you’re not entirely sure what an FAQ is, permit Cragin to explain:

    FAQ on FAQs.

     

    1. What does FAQ stand for?

    Frequently Asked Questions.

     

    2. Frequently? How many times does a question have to be asked before it is added to a FAQ?

    None. The entire set of questions was written before the final fielding of the system or web site to which they refer.

     

    3. None? Just how often are these questions asked?

    Never.

     

    4. Asked? Who asked them?

    No one asked them. OK, well, actually, the implementation team wrote the questions, but they already knew the answers when they wrote them, so they were not actually ASKING the questions.

     

    5. Questions? What kind of questions are the FAQ?

    They are second and third sub-level topical headings from an unfinished (or unstarted) users' manual that have each been restructured from a statement to an interrogatory.

     

    6. Why did the implementation team write the FAQ?

    Because as they were in the final phases of fielding, they realized that the development team had either never gotten around to preparing user documentation, or had done such a shabby job that it was useless, and further that the operational interfaces of the application were so non-intuitive (or counter-intuitive) that end users would only be end, and never users, without instructional hand-holding.

     

    7. Then what is the purpose of the FAQ?

    The FAQ is used by Tier 1 Help Desk staff to avoid having to learn the application while at the same time allowing them to make callers feel simultaneously lazy and stupid: "You want to learn how to framitz the onglethard? It is clearly explained in the FAQ on our web site. Didn't you look at the FAQ before calling?"

     

    Copyright © D. Cragin Shelton 2008

1.2 What is CISSPforum anyway?

As vaguely hinted-at by its not exactly cryptic name, CISSPforum is basically a discussion forum for CISSPs (Certified Information System Security Professionals).  It is also inhabited by SSCPs (System Security Certified Practitioners) and possibly others such as CSSLPs (Certified Secure Software Lifecycle Professionals) and Cprofs (Proficient Cyclists).  Apart from Dorsey Morrow ((ISC)²’s former legal counsel, but don’t hold that against him), nobody much from (ISC)² global headquarters appears to hang out on the forum.  Whether that is because they are too busy counting great piles of AMFs, hob-nobbin with the big nobs or simply “having a life”, we’re not sure.  Anyway, the upshot is that it is a local forum for local people.  It is user-led and user-trailed.

(ISC)2 promotes and describes it thus:

    “Subscribe to our CISSP Forum and enjoy communicating with fellow CISSPs about a wide range of information security topics.  Your forum quickly will become a valuable tool for you to use, enabling you to learn from and teach your colleagues around the world.  Whether you’re posting a new topic or responding to a current one, exchanging information is an important part of being an (ISC)² member.”

Membership of CISSPforum is a little known benefit of gaining your CISSP, little known largely because it takes such skill and perseverance to locate the forum sign-up page buried deep within an underground bunker lurking underneath the (ISC)2 website.  As one of the members said, “The most useful thing I got from my CISSP is this community - a wealth of knowledge and experience.”  Some might even agree that we should earn CPEs for actively contributing to CISSPforum.

One of our members asserts that CISSPforum membership is good for your health.  “You obviously do this for health reasons.  If you were not affiliated with (ISC)², you would not have access to this list.  Without this, you would not have a group to rant to that thoroughly understands your position.  As a result, you would keep your fuming internal.  Lack of emotional outlet has been proven to increase stress in men.  Increased stress leads to higher blood pressure.  With increased blood pressure comes the possibility of stroke.  So, you remain affiliated to stay healthy.  Therefore, I posit that (ISC)² is a (mental) health care provider and therefore subject to the rules of HIPAA.  I shall be notifying DHHS immediately to schedule a compliance audit.”  So there we have it, CISSPforum membership comes with free health benefits.

Although the forum is run as a Yahoo! group, DO NOT WASTE YOUR VALUABLE TIME TRYING TO SIGN UP DIRECTLY ON YAHOO!.  Your application to join the forum will be checked and verified directly by (ISC)² to confirm that you really are as qualified as you claim to be.  Unless you are an IT forensics specialist who enjoys bizarre technical challenges, instructions for signing-up are given below.

CISSPs who successfully navigate the virtual obstacle course to sign-up to CISSPforum join a friendly community of about 5,800 professional peers - mostly qualified information security pros from all parts of the globe and all sexes.  Some of us are newcomers to the profession, recently qualified, while some are grey-beards with a decade or four of experience in the trenches.  Our ranks are swollen by IT auditors, consultants, trainers, security officers, security managers, scholars of ancient Greek and others, mostly but not entirely CISSPs.  Welcome all.

As a community of professional practice, CISSPforum is a great place to discuss information security and closely related topics.  The scope of the forum naturally includes the ten areas of (ISC)²’s Common Body of Knowledge (the CBK) which coincides, thankfully, with the CISSP exam.  We also discuss the ISO/IEC 27000 series (ISO27k, ISMS), ISO 9000 (QA), ISO/IEC 20000 (ITIL), IT governance, SOX, IT risk management, IT audit, IT forensics, UNIX/Windows/MacOS/OS390/etc. etc., networking, vulnerabilities, Windows, Windows vulnerabilities, (and occasionally Mac vulnerabilities, Linux vulnerabilities ...), Stuxnet/Duqu/Flame and other alleged cyberweapons, APTs, BYOD, in fact anything that’s hot in information security is likely to be brought up at some point, often before it hits the industry rags if slightly behind the blogosphere.  It’s like an information security club, an online interactive encyclopaedia with several thousand qualified contributors.  OK, to be honest it’s more like a few dozen really active contributors plus a few thousand lurkers but we “feel their presence” in a spooky sixth-sense Stephen King’s Carrie kind of way.

Some of the discussions are straightforward questions and answers, that’s it.  Others develop into full-blown discussion threads, depending on the skill or good fortune with which the original poster crafted a post containing such subtle nuances or contentious language that more people felt compelled to respond.  Urgent but un-lame help messages generally get answers within minutes, while more contemplative posts can trigger threads that run for days or sometimes weeks.  By and large, it is all very good natured, open and safe, though there’s often the very faintest whiff of sarcasm, especially when someone purports to be an expert on some topic.  The forum is a wonderful safety vent for burning information security issues that bug you, and to challenge accepted norms.  You’ll find deep technical threads running alongside lighter topics.  Members contribute wisdom, knowledge, opinions and more for the benefit of all.  Many of us have become virtual friends through the forum while others are virtually friends simply by virtue of their participation.  We’re never stuck for friendly local guides when visiting far-off foreign lands although we’re still patiently waiting for our first forum romance, or rather the first one to be publicly acknowledged.

1.3  What are CISSP and SSCP?

CISSP is an acronym standing for one of the following:

  • Certified Information Systems Security Professional - the premier security qualification from (ISC)² and a registered trade mark to boot
  • Can I/Indeed Shoot/See/Slight/Snub/Scorn/Smear/Slur Stupid People - first suggested after a discussion thread on US gun law (another candidate for zombie status)
  • ’Cos I Said So Pal - explains why people have to listen to every word a CISSP says, or else
  • Canadian (or Canukistani) Information Systems Security Professional - reflecting the disproportionate number of active contributors to the forum who live in or come from the frozen wastelands North of some of the remaining active contributors
  • Cohorts Implementing Stealthy Secret Practices - goes with the funny handshake
  • Curmudgeons Irreverently Satirizing Sloppy Processes - pull up your keyboard to be ruthlessly ridiculed
  • Cautiously Investigating Suspicious Satanic Publications - that’s part of the job spec
  • Callously Ignoring Stylishly Sentimental Politics - both company and real politics
  • Cats Insistently Striking Silly Poses - my furry ones made me put that in
  • Cat Intelligence Security Services and Patrolling - uncovering cats' secret names (don’t ask me, I only cut-n-paste this stuff).

CISSP is an ANSI/ISO accredited certification confirming that the holder has:

  • Passed the CISSP exam, a typical multiple-choice examination that tests the examinees’ retention of key facts and, to some extent, their understanding of the fundamental principles of information security (that well known oxymoron);
  • Work experience in information security;
  • An ongoing commitment to maintaining their education in information security (CPEs);
  • Qualified to apply to join CISSPforum.

Despite what many recruitment consultants and other infosec-challenged people might think, CISSP is not a deep technical security qualification.  It requires a reasonable understanding of both technical and non-technical information security matters, with the emphasis on breadth over depth of knowledge.  That said, many CISSPs do have deep technical security knowledge and expertise in one or more of the ten domains defined by (ISC)² in the Common Body of Knowledge (CBK), whereas some of us just wing it.

The CISSP CBK covers these ten fields (shown with their approximate ISO/IEC 27002:2005 equivalents):

  1. Access control (’27002 section 11);
  2. Application security (’27002 section 12, some);
  3. Business continuity and disaster recovery planning (’27002 section 14);
  4. Cryptography (’27002 section 12.3++);
  5. Information security and risk management (’27002 sections 4, 5, 6, 7 & 8!);
  6. Legal, regulations, compliance and investigations (’27002 sections 13 & 15);
  7. Operations security (’27002 section 10, some);
  8. Physical (environmental) security (’27002 section 9);
  9. Security architecture and design (’27002 section 12, more);
  10. Telecommunications and network security (’27002 section 10, rest).

One might have (and indeed one has) argued that the curriculum lacks clear reference to human factors, which most CISSPs agree are an extremely important element of information security, and in fact the cause of many if not all security issues.  Another might argue that human factors are an inherent part of the ten domains, so there is no need for an eleventh domain.  While we don’t know (ISC)²’s position, there remain only ten domains so work it out for yourself.

The CISSP concentrations are nothing to do with furrowed brows but emphasize specific domains of expertise.  Currently these are ISSAP, ISSMP and ISSEP.

The concentrations build on exactly the same broad base as CISSP - in fact, candidates for the concentrations must pass their CISSP first and have extra-wide business cards.  ISSAP and ISSMP candidates must also have at least 2 years’ work experience in their chosen concentration but there is no such requirement for ISSEP, so candidates who cannot concentrate for 2 years on security engineering are still suitable to be considered for US Gummt infosec work, evidently.

SSCP stands for one of the following:

  • Systems Security Certified Practitioner - a qualification demonstrating some practical experience of working in the infosec trenches (e.g. security administration).
  • Solid Security Currently Practicing - it’s a pragmatist’s qualification
  • Should Soon Certify Properly - since some snobs view SSCP as merely a stepping stone to CISSP
  • International Respect for Tacticians - according to the heading on (ISC)²’s SSCP page at one time anyway.  That phrase melded into “The Go-To-Guy That’s an Information Security Must-Have” which is even more obscure and hyphen-heavy.

SSCP is seen by some as a foot in the infosec career door, a means to show commitment to the field prior to gaining much work experience and a ticket to join CISSPforum.  It is also suitable for those infidels who have not yet fully dedicated their lives to the glory of infosec, those who in other words “have a life”.  The pre-qualification criteria reflect pretty much any professional/junior management job, with just the barest hint, the merest smidgeon of infosec.

For the sake of completeness, we’d better mention (ISC)²’s Certification and Accreditation Professional (CAP) credential, “an objective measure of the knowledge, skills and abilities required for personnel involved in the process of certifying and accrediting the security of information systems. Specifically, the credential applies to professionals responsible for formalizing processes used to assess risk and establish security requirements, as well as ensure information systems possess security commensurate with the level of exposure to potential risk.”  The ‘accreditation’ mentioned relates to the process of reviewing and certifying system security configurations against official system security configuration standards such as NIST’s, much beloved of the military and those sheltering under FISMA’s umbrella.  Federal managers have to review their systems every 3 years or after a major change, whichever comes first (for unspecified values of “major”).  They use the process to identify needs and then translate those into budgetary needs so that Congress won’t shut down their system (a.k.a. legislative denial of service).  Despite the name, CAP is in fact nothing to do with tinfoil headgear.

1.4 Is there an official CISSPforum FAQ?

Yes, well kind of.  (ISC)² published the (ISC)² forum guidelines independently of and prior to first publication of this FAQ.  Their summary (also available to logged-in (ISC)² members here) reads thus:

  • “Membership to (ISC)² forums is restricted and must be approved by the forum administrator.
  • To access an (ISC)² forum, members must enter a password.
  • Messages posted to the forum can be seen by all members of the forum, but are not made available to anyone outside the forum.
  • (ISC)² forums are not moderated.
  • Advertising of products and services or posting of “junk mail” messages is strictly prohibited. However, discussion regarding products and services is allowed.
  • Use of a forum to advertise conferences, seminars and training related to the list topics is permitted.
  • Members are encouraged to keep postings brief.
  • Please, no flames.
  • When replying to postings, please include the original posting but only include the relevant parts of the message.
  • Use of a forum to post messages that are not related to security topics is strictly prohibited.
  • Any disregard of these policies and guidelines, or abuse of forum access privileges, may result in revocation of membership to the forum.”

The following topics are covered in the (ISC)² forum guidelines:

  1. What is a forum?
  2. Who can become a member of an (ISC)▓ forum?
  3. Who hosts (ISC)▓ forums?
  4. Who should I contact if I’m having any difficulties with my subscription?
  5. How do I subscribe to or unsubscribe from a forum?
  6. How do forums work?
  7. I’m receiving too many messages. Should I unsubscribe?
  8. What is unacceptable content?
  9. How do I reply to postings?
  10. How do I report abuse of a forum?
  11. What if my email program has an “Out of the Office” option?
  12. Who do I contact if I need help with a forum?

Dorsey Morrow, (ISC)²’s helpful legal counsel, reminded us that CISSPforum must not be used for campaigning by those seeking election to the Board of Directors, although it can be used to garner popular support for those seeking to become candidates (a single posting only - see the official official guidelines for the official rules, officially).  A separate forum (cissp-elections) has been created by and for CISSPs to discuss the Board elections, the candidates and their manifestos, the elections process, governance accountability of (ISC)² management as a whole and related matters.

In case of unexpected conflict between the official (ISC)² forum guidelines and this unofficial FAQ, expect weird things to happen as the space-time continuum is rent asunder.

1.5 Disclaimer

The information provided in this FAQ is not guaranteed <full stop>

The information provided here is often the curious opinion of one deluded person and, however unlikely this may seem to them, there may conceivably be valid opposing views.  Use the information in this FAQ at your own risk.  Your mileage may vary.  Do not run with scissors.  Do not pass Go.

This is not legal advice.  The legal buck doesn’t even think about wandering through this quiet turnpike on the information souperhighway while charging its time by the second.

The unofficial FAQ is neither promulgated nor endorsed by (ISC)2, its officers or its affiliates, nor by any government, nameless government agency or religion.  It is technology-neutered.  This is an independent unofficial and decidedly cranky work by a tiny albeit vocal and rather cynical minority of CISSPforum members with this particular version having been heavily modified by self-acknowledged beards-of-colour who are clearly disturbed, senile or ‘under the influence’, and possibly all of the above.

GM-free.  Ford-free too.  No cute cuddly animals were harmed in its production, only nasty slimy ones.

This FAQ is so environmentally friendly, it is likely to slip away to hug another tree the very moment your back is turned.  Please don’t print it out, especially if you have an evil printer from hell.

1.6 Other versions of this FAQ

The original plain text FAQ was and remains available only to CISSPforum members.  It was extensively updated, worked over and generally roughed up a bit by Rob Slade and assorted elves in 2005/6.  To take a look (provided you are a member), logon to Yahoo! Groups, open the “cisspforum” group, go to “files” and scroll down to find “cisspforum-faq.txt”.  It’s the one entitled “cisspforum-faq.txt”.

A cool wiki version was created by Anton Aylward, Les Bell and other CISSPforumites during 2005.  You are invited, nay encouraged to edit and contribute directly to the CISSPforum wiki FAQ.  Go for it.  Knock yourself out.  Feel free to cut-n-paste great swathes of content from here into the wiki if you have the patience or better still come up with some novel material of your very own.

The sexy HTML web version now appearing on a screen near you was conceived, spawned even, by Gary Hinson in October 2006 and is updated when inspiration happily coincides with a spare hour, which is not very often these days.  Comments, further questions, answers and jokes are always welcome, via CISSPforum if possible.  See the contact details towards the end whether you’d like to contribute something deep and meaningful or chuck rotten eggs.



2 BASIC FORUM USE

2.1 How do I post messages to CISSPforum?

Any member of CISSPforum can post messages to CISSPforum simply by emailing cisspforum@yahoogroups.com.  Please use plain text and be reasonably succinct.  Messages can also be posted online using the Yahoo! web interface by members who have tied their membership address to a Yahoo! identity.

CISSPforum automatically rejects messages posted by non-members, unless a member has carelessly allowed their login credentials to be stolen by a spam bot (which happens occasionally - CISSPs are only human).  Nevertheless, this is still the most effective anti-spam system we have.  Spammers who join the forum are soon shown the error of their ways and risk being “horse whipped with Cat5 cable” (according to one member’s email signature anyway).

If you are responding to a previous posting, please refrain from “top posting” i.e. simply adding your own comments to the top of what came before without any attempt to trim the original response and the ludicrous Yahoo! spam from the end.  By all means select the relevant bits of the original post, add the greater than characters and re-send them, along with your comments but, please, not the whole thing. This is especially important if you choose to monitor CISSPforum through a single daily digest message as we won’t necessarily know which message in the digest you are rambling on about (adjusting the Subject: line is also highly recommended).

Identify yourself, please.  Your Yahoo! profile name or email address is seldom sufficient to identify you, at least until you have posted often enough that others will mutter under their breaths “Oh no, not him again!”.  Simply end your posting with a standard business-like salutation including your name or else a nickname or some other term that you are happy for us to call you.  Otherwise we will choose our own name, and it may not be to your liking.  The person who posts under the pseudonym “/bpm”, for instance, probably does not appreciate being called “Slash” but at least he/she has a sense of humour.

When asking a question or seeking advice, give us a clue about the context.  Your situation is probably relevant to the advice you need. Government practice is different from commercial is different from legal is different from medical ....  Let us know roughly where you are, what country at least. This is a marvelously well-connected international forum but national laws and regional practices may make a big difference to the advice. Privacy laws and practices are remarkably variable, for example.

If you are posting a long hyperlink, please either create and supply a shortened URL as well as the full link or simply enclose your long URL in angle brackets < and > which allegedly tells some email clients not to break the URL into little bits.

Do your homework before posting to CISSPforum to avoid being soundly lampooned.  This is a professional forum for qualified information security people.  Some Forumites just love to show off their extensive knowledge at every available opportunity and you’ll often get a broad range of opinions from the Forum ranging from short snippets to extensive diatribes.  However, we resent being used as the research mechanism of first resort.  If a poster is too lazy to craft a simple Google search or two and follow up on the results before coming to us, some of us are not afraid to say so.  It may help to demonstrate that you have already made an effort to answer your own question. By briefly describing your research and analysis so far, you can prove that you are not just an information leech.  You will also give the experts here a chance to go directly for the deep dive without repeating the basics you already know.  You might try Asking Questions The Smart Way and, whether you are a Microsofty or not, read this advice also.

Finally (and this should really be the First Law Of Posting), please give your audience a moment’s consideration before hitting the <SEND> button.  If you are sending or responding to an inflammatory or incendiary email, at least sleep on it first or read this.   If you are pillorying someone for asking a question the wrong way or saying something dumb, or complaining to the entire mailing list about something that offends you, remember this sage advice:

It is better to be thought a fool than to open your mouth and remove all doubt.

Please be tolerant of others.  We are not all on your wavelength.  Some of us barely even speak your language (and you’ve probably never even heard of ours).  CISSPforum is a global melting pot, so please don’t post anything racist, sexist, elitist or any other kind of ist and please don’t fan the flames.

2.2 Is it safe to post my first message?

Of course!  We’re all friends here!  To the few thousand CISSPforum lurkers, we say: de-cloak and bathe us liberally in your knowledge and experience.  Don’t be shy.  Even “me too” is marginally better than stony silence.  But please re-read the tips just above before you dive right in.

There’s a special CISSPforum rule for Those Who Have Never Posted (you know who you are - we call you the Forum Virgins).  You have full permission to make Your First Posting without fear of retribution, dissent or ridicule.  The trick is to write “First posting” or similar in the subject line and include something interesting in the body of an email message to cisspforum@yahoogroups.com.  ‘Something interesting’ in this context may be:

  • Where did you first hear about CISSPforum?  Was it this FAQ maybe, or another?
  • A link to a novel security risk, vulnerability, control or concept, with a word or three of explanation
  • Comments or queries about any other posting or discussion thread
  • How many other people you have invited to join CISSPforum this month  :-)
  • Questions about information security, risk, control, poutine etc.
  • Your favourite security theory/model ... or the worst
  • Something That Gets You Going, preferably but not necessarily relating to information security.  What’s your passion in life?  Tell us something about you, as deep and meaningful or superficial and glossy as you choose.  Contentious postings often get a good response but don’t be surprised if some are rather rude.
  • Other interesting stuff - essentially anything other than “Me too”.  Go ahead, surprise us with your creativity and genius.  Failing that, just surprise us.

The CUSses, beards-of-colour and others faithfully promise to be extra nice to you on your first posting.  To be honest, we’re all generally nice people who don’t bite but occasionally bark a bit, albeit sometimes up the wrong tree.  Hot discussions break out from time to time and create plenty of smoke but actual flames are very rare (see below for fire retardant advice).

2.3  How do I get people to respond positively and helpfully to my queries?

Good question!  We heartily recommend and endorse the excellent advice in How to ask questions the smart way.  It’s also not bad, by the way, on how to reply to messages ...

2.4 How do I reply to messages?

CISSPforum has been set up so that, by default, replies are sent to the entire forum, not just the originator of the message.  That’s several thousand information security professionals.  If one day you accidentally reply to a forum message with a personal response without altering the To: line, be aware that your peers will see your ‘private’ message.  The cranky ones will give you grief to add to your misfortune, no doubt ribbing you rotten for your mistake.  If you wish your reply to go to only the originator, copy that person’s address into a new message or choose the individual address as an option if you are using the Yahoo! web interface.  If you insist on sending ‘private’ messages to us all, please make them juicy if not defamatory.

2.5  Where have my messages gone?

Sometimes, for no obvious reason, messages sent to the forum get delayed.  It happens unpredictably, with differing delays.  The forum is run by Yahoo! which, we are led to believe, is a fairly popular interwebpipes thingummy that gets overloaded and backlogged at times, presumably because it is running on a steam-powered Acorn Atom, a PDP-11 or perhaps a much more modern machine ... running Windows 8.  It might be interesting to check whether your message was listed on the Yahoo! Groups web interface at about the time you sent it (implying a delay on the Yahoo! output) or the time it finally arrived (an input delay) ... but either way, there’s not much (a classic understatement!) we can do about it.  It’s annoying, especially when messages finally get distributed sequence out of.  Yahoo! presumably has a technical/admin contact, someone who occasionally stokes the chicken poo in the boiler maybe.  Alternatively, (ISC)²’s Wilf Camilleri or Blaise Kengoum might be able to help (email forum@isc2.org).  Ask them to ask Yahoo! to poke the boilerman.

2.6  How do I turn down the volume?

At times, CISSPforum can be a LOUD mailing list with up to 3,000 messages per month.  Other mailing lists only go up to ten.  CISSPforum sometimes reaches eleven.

[Chart: CISSPforum messages per month]

Over the past decade, the message volume has declined gradually and is now running at about 13 messages per day. If you don’t have the stomach or the free time to read 13-odd (sometimes very odd) messages per day, here are seven vital survival techniques:

  1. Skim the subject lines and just delete anything mentioning, for example, LinkeDin or other lame topics.  Don’t fret.
  2. Read CISSPforum as a daily digest with all the day’s takings in one mega email.  This is a Yahoo! option.
  3. Check the senders.  Some forumites are worth reading, others worth skimming, some deserve to go straight into the bit bucket without even opening.  Your email client probably has the tools to do this automagically.  Look for ‘email rules’ or ‘filtering’.
  4. Set aside a certain period of time each day to peruse the latest mailings.  When your time is up, delete the remaining unopened messages and go back to Real Life.
  5. Don’t bother about keeping up with the latest topics.  Use Yahoo!’s search routines to check the archives.  There is a wealth of accumulated information, and it’s surprising how often we discuss the same things again.
  6. Read the forum using Gmail or a similar email facility that automatically links postings with similar subject lines into threads.  Pick out interesting threads.  Ignore the rest.
  7. Ignore everything.  Delete without reading.  Unsubscribe.  Miss out on those golden nuggets that would make all the difference to your career.  Go ahead - see if we care.  Talk to the fingers cos the keyboard ain’t listening.
  8. (Bonus idea)  Don’t send complaints about the volume of the list to the list.  Don’t send complaints about LinkeDin, daft jokes and comments to the list.  Don’t try to send attachments to the list.  In particular, if you are catching up with emails, look through the list of emails to see if anyone else has already commented or complained about a posting that upsets you, and leave it at that.  Think twice before posting fresh junk, even on Fridays.  Use your delete key as it was meant to be used and move along - in other words Get A Life.

2.7 What do I do if (when) a posting upsets me?

Unless you are extremely liberal and tolerant, someone is bound at some point to post something that you don’t like or that offends you in some way.  Very often if you post a complaint, someone else will complain about your complaint and pretty soon we get into a huge and unedifying “discussion”.  People telling other people to take their complaints offline will, of course, do this online.

Personal attacks are more hurtful than helpful.  While you might really want to say something along the lines of “You need a good kick to the head or an enema  - in your case, those may end up being one and the same”, the following fire-retardant advice, originally posted on the forum by a wrinkly diplomat, sums up how to avoid fanning the flame wars:

I’d recommend peace, love and understanding all round.

Be tolerant and respectful of others on the forum.  We have many cultures, abilities and styles here.  We are not all like you.  Many of us have never even been to your country.

The forum is self-moderated.  Self restraint and tolerance are the watchwords.

Count to twenty before responding to jibes.  If someone has upset you, explain to them (and only them) what upset you, and let them respond privately, off-list.

If someone complains to you about your behavior, consider their feelings.  Please avoid slanging matches on the forum - take them off-line behind the bike sheds perhaps.

If someone asks a dumb question, remember that you too were dumb once and if you insult the questioner’s intelligence for asking such a question, you still are.  We all had to start somewhere.

This is a community of peers.  There is room for humour and occasional off-topic discussion but, please, take it easy on our <Delete> keys.

Enjoy the variety of experience.  Relish the challenge of understanding others’ points of view.  Chip-in if you have something constructive to say, to seek clarification, or to challenge underlying assumptions.

If you think the emperor has no clothes, speak up.  Some of the best threads start that way.

And if all else fails, hit your <delete> key, chill out and move along.

If having done all that you’re still steaming gently, try the CISSPforum serenity prayer:

    Lord*, give me the capacity and resources to implement the controls
    that truly will protect my organization;
    the fortitude to ignore those “best practices” which will not;
    and kill files properly formatted for certain individuals,
    all OoO replies, and most of all LinkeDin membership requests.

    Amen.

* Appeals to similar deities, magnanimous all-seeing beings and/or email system administrators will be equally efficacious. 

2.8 Trolling and troll-baiting

 

                                ____________________
                     /|  /|    |                    |
                     ||__||    |  DO NOT FEED THE   |
                    /   * *\__ |  TROLL. Thank you. |
                   /          \|    CISSPforum      |
                  /      \     \____________________|
                 /        \     \       ||
                /    |\____\     \      ||
               /     | | | |\____/      ||
              /       \|_|_|/   |      _||
             /  /  \            |_____| ||
            /   |   |           |       --|
            |   |   |           |______ --|
            |  |_|_|_|          |       \_/
            \        |/         /
     /\    / \       |        /
    /  \__/  |       |       |
  __________ c_c_c_C/ \C_c_c_c______________________

 

If you are a troll, or if you feel compelled to point out that someone else is trolling, or are responding to a posting by a troll, or posting about someone else responding to a troll, or are defending or criticising a troll or those who have previously defended or criticised a troll, or are in any other way referring to trolling, please add [Troll] to the subject line of your message so that those of us with automated anti-troll filters have an easier time*.  Better yet, before posting your message, please reconsider whether doing so will increase or decrease the signal-to-noise level for the majority of Forum members or whether your spleen might be better vented against the alleged troll directly, off-list.  On behalf of us who actually do have a life, thanks very much.

* The more advanced CISSPs simply configure their systems to route all troll messages directly to Write Only Memory (WOM) devices installed at several highly redundant but totally secret locations on the intergalactic Interwebnet.  It is alleged that one of these black holes has been found lurking within the (ISC)2 website but the last brave datagram we sent in there to check it out never surfaced, at least not in our galaxy.

2.9 Are there rules for the forum other than this FAQ?

Yes - go to the back of the class and re-read section 1.4 above.  Remember, this is the unofficial FAQ.

The universal rules for posting stuff to newsgroups and similar online discussion fora, neatly summed up in a short video, apply here too.  In this sense alone, CISSPforum is not special at all.

Furthermore, thanks to one of the more surreal CISSPforum Friday threads, it has been acknowledged that there are certain “unwritten” rules for the forum.  Look under Yahoo! Groups > CISSPforum > files for the file “cisspforum-faq-unwritten.txt”.

2.10 Can I distribute files via CISSPforum?

No, at least not directly.  Any file attachments sent to the mailing list will be summarily stripped off by Yahoo!.   Members who post documents or other materials will be embarrassed at having posted, essentially, nothing.  “Here it is!” they exclaim, triumphantly but here it is not.  This is lame.

However, any forum member can upload a file to the Yahoo! Groups files area and optionally announce it on CISSPforum.  Be sure you have permission from the copyright holder before publishing anything in this manner: reaching thousands of peers effectively places it in the public domain and we wouldn’t like to see you marched-off by the DMCA Gestapo...

An even better idea if you want more than just casual feedback on your document is to write and upload a draft to Google Docs and post a forum message inviting CISSPforumites to collaborate on writing/completing it.  The combined brain power is awesome and we have yet to see a document that cannot be improved by the wider perspective.  We’d encourage you to acknowledge all those who actively contribute and ideally publish the finished item to the CISSPforum files area or publicly under a Creative Commons license, but hey that’s your choice.

2.11 Is this forum private?

What do you think?  (ISC)2 and Yahoo! are both American organizations.  The servers are probably in America, land of the free.  Do we really need to spell it out for you?  Ask Edward Snowden.

Membership in the CISSPforum is restricted by (ISC)2 to those holding CISSP and SSCP (well possibly: see section 5).   Generally speaking, a number of respected CISSPforum members take the membership restriction to imply that it’s a discreet and exclusive private gentlepersons’ club.  They hold that discussions on CISSPforum should not be discussed or reproduced elsewhere, outside the forum, believing that “what happens on the forum stays on the forum”.  Restricting discussions to the CISSP community will hopefully result in a freer and franker exchange of ideas, the theory goes.  And we should all wear suits and ties, smoke ridiculously large cigars and drink copious quantities of the very finest brandy and port while twiddling our handlebar moustaches.

That said, given the membership of thousands, it is not entirely sensible for members to assume that the content of messages they post to the forum will remain restricted to the membership.  Those concerned about privacy and confidentiality (and which of us isn’t?) should bear in mind the old adage that you should never send anything by email (or indeed by courier) that you would not want to see on the front page of the newspaper.  Do your own risk assessment, folks.

Some members have evidently taken things into their own hands.  They write such cryptic and convoluted messages that one might be forgiven for thinking they are speaking in tongues, whereas in fact they are merely trying to disclose certain alleged facts in a plausibly deniable manner.  Others have tried brute-force attacks but rarely find the key.  [There are less charitable explanations but, hey, it’s Friday.]

As a point of etiquette, if you wish to raise the issues discussed in CISSPforum elsewhere, it is best either to rewrite the salient points in your own words (sanitizing the identities and facts as necessary) or to contact the original author/s for explicit permission, or both.  Members contacted in this way are invariably flattered to be asked.  You will almost certainly get the help you need to re-publish or at least plagiarize the salient parts from the original piece, and make a new friend in the process.

Back to contents


3 FORUM CONTENT

3.1 Is there an archive of CISSPforum postings?

Yes, postings to CISSPforum are automatically archived for all posterity on Yahoo! Groups.  Remember this if you are about to flame another member or post something private, off-topic or lame.  The cream of CISSPforum postings may also be shamelessly plundered for FAQ content.

3.2 Is this the proper place to compare certifications?

Probably not.  The topic has been raised before and you are free to give it another go.  You’ll get replies, some thoughtful, some not. 

Strangely enough, most CISSPs maintain that CISSP rocks.  Many of us, having CISSP on our CVs and business cards, are curiously defensive of the certification’s integrity and value.  We have something of a vested interest.

3.3 Is this a good place to ask ethical questions?

Yes if you like but try cissp-ethics@yahoogroups.com instead for a more reasoned discussion.

3.4 Is it OK to ask about topics previously covered?

Everybody does it but if you do not normally monitor the forum, it would be appreciated if you would first check the archives.  Please see the next section too for information about zombie topics.

3.5 What is OT (off-topic)?

Any forum posting containing “OT” in the subject line is considered off-topic and liable to be summarily deleted by those with More Important Things To Do.  It is considered rude to post off-topic messages without the “OT”, and in fact slightly naughty to post on-topic messages with subject lines that just happen to contain those two specific letters in conjunction.  As to exactly what is considered on- or off-topic, or at what point on- becomes off-topic or vice versa, well that’s a matter for your good judgement, or rather that of the majority of people on the list, or rather that of the vocal minority who feel compelled to tell us all whether something was on- or off-topic. 

To be fair, on/off-topic is not a binary choice when it comes to many discussion threads, but subjects such as US gun laws are likely to descend rapidly into the abyss of politics, religion or both, leaving information security for dust. 
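As an added illustration (not code from the FAQ or the forum), here is the “email rules” idea from 2.6 applied to the two subject tags this FAQ describes, [Troll] (2.8) and OT (3.5): a Python classifier that decides read/skim/delete from the headers alone.  The sender lists and sample subjects are constructed, and OT is treated as a tag only when it stands alone as a token, so “botnet” or “OTHER” in a subject is not mistaken for an off-topic marker.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr

# Subject tags the FAQ describes: "[Troll]" (any case) and a stand-alone "OT",
# optionally bracketed.  The lookarounds stop "BOTNET"/"OTHER" from matching;
# "OT" is matched in upper case only, as the FAQ spells it.
TROLL_TAG = re.compile(r"\[\s*troll\s*\]", re.IGNORECASE)
OT_TAG = re.compile(r"(?<![A-Za-z0-9])\[?OT\]?(?![A-Za-z0-9])")
REPLY_PREFIX = re.compile(r"^(\s*(re|fwd?|aw)\s*:\s*)+", re.IGNORECASE)

# Constructed sender lists (hypothetical addresses, not real forum members).
READ_ALWAYS = {"sage@example.org"}
BIT_BUCKET = {"noise@example.net"}


@dataclass
class Verdict:
    action: str   # "read", "skim" or "delete"
    reason: str


def classify(subject: str, sender: str) -> Verdict:
    """Route a message using only its Subject and From headers."""
    _, addr = parseaddr(sender)
    addr = addr.lower()
    # Drop leading Re:/Fwd: prefixes so replies inherit the original's tag.
    core = REPLY_PREFIX.sub("", subject)
    if addr in BIT_BUCKET:
        return Verdict("delete", "sender is on the bit-bucket list")
    if TROLL_TAG.search(core):
        return Verdict("delete", "[Troll] tag in subject")
    if OT_TAG.search(core) or "linkedin" in core.lower():
        return Verdict("delete", "OT tag or LinkedIn noise")
    if addr in READ_ALWAYS:
        return Verdict("read", "sender is worth reading")
    return Verdict("skim", "untagged message from an unknown sender")


if __name__ == "__main__":
    # Constructed sample headers; a real run would read these from a mailbox.
    samples = [
        ("[OT] Friday poutine survey", "someone@example.com"),
        ("Re: Botnet takedown write-up", "someone@example.com"),
        ("RE: [Troll] Are CISSPs overrated?", "sage@example.org"),
        ("Protocol analysis question", "Sage <sage@example.org>"),
        ("Please join my LinkedIn network", "Noise Maker <noise@example.net>"),
    ]
    for subj, frm in samples:
        v = classify(subj, frm)
        print(f"{v.action:6s} {subj!r}  ({v.reason})")
```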

There is some guidance on this point in the (ISC)2 policies:

  • “(ISC)2 forums are not moderated.  Note that this is prime: you might see anything here.  Don’t complain about it.”
  • Actually, membership in the forum is strictly moderated, as you know.  Postings are not specifically moderated.  However, if you say something really annoying, somebody from (ISC)2, usually that nice man Dorsey Morrow, (ISC)2’s corporate counsel, will send you a nasty note and if you persist, you’ll be unceremoniously booted-off.

    The issue of moderation is another running joke on the forum: if you post a message asking why the moderator isn’t doing something, one of the long-time and vocal members (otherwise known as the Usual Suspects) will generally post a message claiming to be, or to nominate, the moderator of the week, and dispense moderation, in moderation.

    It is traditional for the moderator not to be informed of his/her/its status. For example, Rob Slade was moderator during the early part of December, while he was out of town, only finding out upon his return.  There being no moderator at that point, he had nobody to complain to.

Some of the subsequent (ISC)2 guidelines contradict the issue of non-moderation a little by laying down explicit rules:

  • “Advertising of products and services or posting of ‘junk mail’ (spam) messages is strictly prohibited.
  • Use of a forum to post messages that are not related to security topics is strictly prohibited.”

Others are a little more helpful:

  • “Use of a forum to advertise conferences, seminars and training related to the list topics is permitted.
  • When replying to postings, please include the original posting but only include the relevant parts of the message.”

... with which last point we in the forum heartily concur.

The normal rules are relaxed slightly on Fridays but always beware going too far off-topic, or stretching a topic a bit (or indeed a byte) too far.  Just because there are a number of people who are dolts doesn't detract from those few with wit.  Of course, the target rich environment does make the wit easier.  Occasional tongue-in-cheek asides are tolerated, enjoyed even.  However, flame wars may erupt if someone objects to wading through more OT than on-topic posts, and hasn’t read or ignores the earlier suggestion about complaining directly to the original poster/s rather than spamming the whole CISSPforum community.  As with sex, alcohol and tipping, moderation is key.  We’re not talking teetotal celibate monks here, rather a middle-aged person who enjoys the odd tipple and a long-term partner.

3.6 What topics are lame?

We all say dumb things from time to time but asking genuinely lame questions or offering supremely lame answers on CISSPforum can be a character-building experience, unless it is your first post anyway.

Before you ask a question, have you at least Googled it?  Have you made even the slightest effort to search for the answer yourself?  If so, great, go ahead and ask away.  If not, be prepared to be told in no uncertain terms “Try looking at the first response on this Google query: ...”.

You can apparently construct anything using the base URL of www.justfuckinggoogleit.com/search?q= and then adding the terms separated by a +, such as: www.justfuckinggoogleit.com/search?q=security+glossary.  If the olde English word in that URL is too offensive, try www.LetMeGoogleThatForYou.com/q= followed by the search term for a more polite version.  If you don’t think any of this is funny, you might benefit from a subscription to cissp-humour-impaired.

Zombie topics, out-of-office messages and off-topics are also considered more or less lame.

Responses can be lame too. It’s fair to assume, for starters, that the original questioner has a modicum of intelligence and security expertise. To avoid self-nominating for membership of cissp-clueless, take this classic response as a warning: “In order to attack your target, you should first recommend that your target gets an actual computer (www.dell.com or www.hp.com are two sites I’ve found useful for this), running Windows (www.microsoft.com, can be obtained at www.amazon.com). The attacker should of course know how to write an actual exploit (books at www.amazon.com, many sources to be found on the ‘Internet’, which you can recognize since it all starts with the characters http://). One thing that is often overlooked by junior hackers (explaining many failures to achieve desired goals) is that they do need a ‘computer’ for this (again, see www.dell.com, or for something more prestigious or esoteric try www.apple.com). I’m sure you realize all this, but one cannot be too careful.”

3.7 Where can I find thread summaries?

Basically, you can’t, but you can search the archives.  The upgraded Yahoo! search facility is not too bad, compared to say pulling your own teeth out with a rusty farm implement.  Don’t worry, though, because this situation was accurately predicted by a rather boring prophet:  “There shall in that time be rumors of things going astray, erm, and there shall be a great confusion as to where things really are, and nobody will really know where lieth those little things with the sort of raffia-work base, that has an attachment. At that time, a friend shall lose his friend's hammer, and the young shall not know where lieth the things possessed by their fathers that their fathers put there only just the night before, about eight O'clock.”

You may like to subscribe to the list using a Gmail account that automatically threads the responses.

3.8 When is Friday?

One of the unwritten rules of CISSPforum is that the normal rules (both written and unwritten) for posting messages are relaxed on Fridays in preparation for the weekend’s fun (the equivalent of dress-down-day, bad shirt day, or POETS day), within reason.  Since “within reason” is itself part of the unwritten rules that are relaxed, even that is optional but please be sensible.  This is a multicultural professional forum and we’re all pretty busy.  OK perhaps not quite so busy on Fridays.

On Fridays, expect to see the usual sarcasm, irony, pathos (and bathos), poignancy and passion, anecdotes and hopelessness, delicacy and discernment, humour (sometimes without you) and satire, derision and hyperbole, alliteration and synecdoche turned up a notch, with the occasional deep and meaningful discussion on coffee, donuts, poutine and sushi.  Have fun, just avoid turning up the heat.

It has been alleged that some members literally dress down on Fridays.  Whether this extends to nude posting is unknown at this point and none of us has the nerve to ask.

Those CISSPforum members who have the benefit of living slightly West of the International Date Line start their Fridays in advance when other less fortunate members to the East are still living in the past.  Therefore, Fridays start on Thursdays.  What’s more, when the less fortunate Easterners post their Friday messages, it is already The Future for the very same Westerners.  Although certain grammatical problems are created by this particular form of time travel, the Westerners enjoy Easterners’ Friday postings on Saturdays.  So, to summarize, “Friday” = Thursday + Friday + Saturday.  With the ever-worsening delays in Yahoo! Groups, postings can now come two days late, or more, so therefore postings made Tuesday and Wednesday = “Friday” and postings sent “Friday” may show up Sunday or Monday, thus all seven days of the week are now officially “Friday.”

It has subsequently been suggested that “Friday” be celebrated only on days that begin with the letter "T" including Tuesday, Thursday, Today, Tomorrow, Thaturday and Thunday.  We like Fridays on the Forum.

3.9 Announcing the CISSPforum Loyalty Scheme

Communications engineers use a metric called “signal to noise ratio” (SNR) to describe the quality of a communications mechanism or link.  The SNR, and hence the rate at which useful information is imparted, is improved by higher relative signal levels and degraded by increased noise.  SNR is also an important metric for email forums such as CISSPforum since we all have a limited communications bandwidth - we just can’t afford to spend all day sifting through chaff to find the wheat.  Life’s too short.

In recognition of this, the CUStards have, allegedly, instituted the CISSPforum Loyalty Scheme to reward forumites who move the SNR towards the green zone.  CISSPforum Loyalty Points are awarded for posts that:

  • Contain genuine, useful content and don’t top-post or “me too”
  • Are factually accurate, ideally with short URLs or references for those who want the full 8.2 metres
  • Are good to read - well written and clearly thought-out, preferably insightful (vaguely correct spelling and grammar earn special bonus points, especially from those for whom English is not their mother tongue)
  • Are amusing (and not just on Fridays)
  • Avoid noisy lame topics or off-topics
  • Don’t flame like a blazing oil rig (contentious is OK, nasty, sharp and viciously pointed is definitely not)

Remember, CISSPforum Loyalty Points are about SNR - the CUStards are looking for quality not volume.

As anyone who watches TV surely knows, points make prizes.  Accumulated CISSPforum Loyalty Points can be exchanged for benefits such as:

  • Latitude to sound-off, expressing strongly-held opinions and beliefs on CISSPforum
  • Leeway and forgiveness in case of occasional CISSPforum indiscretions
  • Job offers, higher pay and tax concessions (allegedly)
  • A rice steamer.  That only works once.  And not very well at that.

Most of all, though, loyal CISSPforumites earn the respect of their peers in the profession.  Respek!

The CUStards are hoping to persuade (ISC)2 to exchange CISSPforum loyalty points for CPEs.  Hopefully this issue will make it on to the agenda for the next round of (ISC)2 management board elections.  Start lobbying now.

Back to contents


4 ZOMBIE TOPICS

4.1 What are zombie topics?

All manner of information security and other fascinating topics have been discussed on CISSPforum over the years.  It is a fairly high-volume list with a large and active membership.  The following topics, however, have been discussed to death, several times, yet somehow they refuse to lie down and die.  Please check the archives for the full nine yards on any of these topics.  The forum is not moderated so you are welcome to raise these topics yet again (provided you have Something Important to say on the subject) but if you do, be prepared for a somewhat less than enthusiastic response and watch out for silver bullets, pointed wooden crosses or garlic around the door. 

4.2 Zombie topic: reformed hackers

Been argued, no resolution.  Some hold that, like Caesar’s wife, infosec professionals must be above suspicion, whiter than white (hats).  Some hold that reformed hackers have “paid their debt to society” and have useful knowledge to contribute.  The ensuing exchange is a bit like the Pope discussing religion with an atheist.

The arguments are also trotted out when discussing whether to even appear on the same conference speakers’ platform as the likes of Messrs. Mitnick and Abagnale.  Some of us will, some of us won’t.  It all depends on the height of one’s horse.

4.3 Zombie topic: security ROI (Return On Investment) or ROSI (Return On Security Investment)

This is undoubtedly an important topic but most of us are tired of seeing the same old same old.  CISSPs have at various times challenged the “R” and “I” part of ROI, and the future is not so ROSI according to some.  To make things still worse, the quantitative vs. qualitative vs. hocus pocus risk analysis thread often gets intertwined with the ROI zombie, making our lives a misery for a couple of weeks at a time.

If you have something truly novel to say on justifying security or risk management expenditure to management - a new approach, a revolutionary investment model, a neat way to persuade management to lengthen the corporate purse strings (something like a metrics dashboard using blinkenlights maybe?) - go ahead but for your own sanity, please check that we have not already thrashed the life out of it. 

4.4 Zombie topic: standards and resources

This is not really a dead topic, so much as a hint to check out the following resource collections before you make a fool of yourself with “Hey I’ve just discovered site X, it’s cool!” or “Where can I read about topic Y?”:

  • General information security knowledge is stored in Anton Aylward’s infosec wiki, a collaborative project to which all CISSPs are invited to contribute
  • For security terminology, check this hyperlinked glossary or Rob Slade’s dictionary
  • For security books, read Rob Slade’s no-holds-barred book reviews or search online bookshops such as Amazon and Barnes&Noble
  • For web resources, browse Rob Slade’s collected resources
  • For CISSP study resources visit Clement Dupuis’ Cccure.org
  • For information on the ISO/IEC 27000-series Information Security Management System standards plus links to many other information security standards, NIST Special Publications etc., visit ISO27001security.com
  • To meet your fellow CISSPs in Real Life™, consider joining ISSA, the Information Systems Security Association.  ISSA is a global community and traveling members are welcomed with open arms by overseas chapters.  ISSA created (ISC)2 so many moons ago that it has almost forgotten who’s the daddy.  Other ways of meeting CISSPs include volunteering to teach classes or proctor CISSP exams, pulling strings in LinkeDin or hanging out or speaking at security conferences, and specifying “CISSP essential” in infosec job vacancies.

If you come across something new (including information security pieces you wrote yourself and published on the web), by all means add them to the infosec wiki and, if you are willing to take the risk of them being savagely criticized by your peers, share the links through the CISSPforum.  You can even save them to the forum files area.

4.5 Zombie topic: cissp.txt

We are really tired of this topic.  One or more of the following zombies arise from their tombs every six to twelve months to haunt us with their blood-curdling cries:

    a) “There is a list of CISSPs at [someURL].cissp.txt.  This is appalling!”

    b) “There is a list of CISSPs at [someURL].cissp.txt and my name is not on it!  What gives?”

    c) “There is a list of CISSPs at [someURL].cissp.txt and my name is on it!  Aaaiiieeee!”

Yes, it’s true.  There is a list that appears at various places around the net, usually named cissp.txt.  This contains some names and contact information (some of which, shock horror, are still valid!) of CISSPs who had listed themselves in the public directory at ISC2.org (some people say circa 2003, others say early 2005).  At one time someone lame evidently mined the public directory, possibly for marketing purposes.  Later, someone thought it would be a good joke to post the list on the web to see if they could get lots of people upset.  They appear to have succeeded.  Several times around.

Oh, and a special note for posters in category (c).   You have had your CISSP for a while and posted some info to the (ISC)2 public directory, so why are you so upset?  Get real.

4.6 Zombie topic: terrorism

Terrorism does have a relevance to security, of course, but please try and contribute some light to the discussion, not just more heat.  Check out the archives and see what has already been said.

Those who want to blame terrorism on various religions should probably try cissp-religious-wars@yahoogroups.com instead.  Postings advocating violence against any persons or groups are DEFINITELY way off-topic.

Those wanting to discuss terrorism in more depth than CISSPforum can stomach might try cissp-terrors@yahoogroups.com.

4.7 Zombie topic: can I get CPEs with that?

Every so often, someone asks “Can I get CPEs for [taking a prep course for something else | listening to my iPod | watching Sneakers | doing CISA/CISM homework | etc.]?”, sometimes with the rider “I’ve checked the (ISC)2 guidance but what do you think?” ... and the forum groans.

Forum members can only give unofficial and generally unreliable advice on this point.  Does the material in the [course | iPod | film | etc.] pertain to the 10 CBK domains of the CISSP certification?  If the material is pertinent in one or more of the magic 10, Jack Holleran for one would say “yes”.  One hour of relevant infosec study earns you one CPE, provided it can be validated in some way.

For the definitive answer on CPEs, (re-)check the official (ISC)2 CPE guidance, download and read the official CPE guidelines or contact (ISC)2 directly.  The official guidance is reasonably comprehensive and not too bad actually in terms of opportunities to earn CPEs for free.  Remember also this helpful point from (ISC)2: “As a professional who follows the (ISC)2 Code of Ethics, please use your best judgment within these guidelines to select those activities which qualify for CPE credits and which will enhance your professional development.”  In other words, be sensible and play nicely.

FWIW, here’s a bunch of ways of continuing your professional education and, in many cases, earning CPEs as you do:

  • Attend local chapter meetings and events of information security groups such as ISSA, ISACA, HTCIA, Infragard, AFCA, ASIS, various infosec SIGs, (ISC)2 etc.  Better still, join the groups and actively participate.  Even better, research topics, write presentations and offer to deliver them at such meetings.  Best of all, join the committee and serve on the board of directors.
  • Attend or at least listen to presentations, conferences, webcasts/webinars/e-symposia, Podcasts etc. by security product vendors, infosec luminaries and other CISSPs.  Actively participate where possible.  Posing awkward questions is especially recommended in the case of vendor presentations (and really ought to qualify for special bonus CPEs).  Many organizations that routinely release webcasts (such as CERT) send email notifications to their mailing lists when new ones are announced.   Most webcasts, conference presentations etc. are archived and remain available for a while, which is handy if the initial broadcast happens in a different time zone to you and thus interferes with “having a life”.  It’s also a legitimate way to cut down the total time commitment thanks to the fast forward button and skimming stuff you already know (use with care - in some cases, there may be nothing of any substance left).  Better still, research, prepare and deliver such presentations.
  • Read information security magazines such as Infosecurity Professional and look out for advertised events and seminars.  Some mags on (ISC)2’s recommended reading list provide rather lame CPE quizzes, ostensibly to check that you have actually read and understood the content.  The quizzes are not that hard to fake but remember why you became a CISSP, and why ‘Continuing Professional Education’ is worthwhile.  No matter how devious and diligent you may be, I don’t believe “Researching and exploiting design flaws in CPE quizzes” itself qualifies for CPEs and probably fails the CISSP ethics canon.
  • Write articles on information security and related topics for publication in professional journals such as EDPACS, ISSA Journal, and Proceedings of the IEEE.
  • Read information security books and ideally write reviews of them for other prospective readers.  Better still, write good infosec books.
  • Read and preferably comment on or otherwise contribute to infosec blogs.
  • Prepare and/or deliver training seminars on information security-related topics, such as CISSP, CISM and CISA revision courses, study groups etc.
  • Review and comment on draft information security standards, professional practice statements and the like.  Please at least try to be constructive.
  • Write new CISSP (or CISA or CISM) questions.  This is well worthwhile but much harder than it may appear.  You are unlikely to earn as many CPEs as the number of hours you actually put into researching, writing and honing your questions.
  • Study for further qualifications.  In the case of information security-related qualifications such as CISSP concentrations or CISM and CISA, don’t forget that CPEs earned for any one probably qualify for the others too.  Honestly, it gets easier.
  • Volunteer to proctor CISSP (or CISA or CISM) exams.  Several CISSPforum members say they signed up but never got the call so don’t bank on this one.
  • Volunteer to take over publishing and maintaining this FAQ.  Please.
  • Last but not least, actively participate in CISSPforum.  Share your security wisdom.  Challenge the accepted order.  You don’t earn CPEs purely for participating, unfortunately, but may well do so in the course of researching and writing thoughtful forum postings.  Remember this point when getting ready to post something.  While it’s easy to dash off a quick email with little if any thought, taking a bit more time to get your thoughts in order, find, check and incorporate relevant references, and provide something of genuine value to your peers will earn you more respect on the forum, and perhaps a few CPEs too.

The bottom line: CISSPs who are truly committed to the information security profession have absolutely no trouble earning sufficient CPEs.  If you are scratching around to find enough CPEs to clear the minimum hurdle of 120 CPEs per 3 year cycle (for CISSPs), step back and take a look at your commitment level.  Are you in the right profession?  Is your personal development and career advancement really of so little concern to you?  Gosh.

See also the notes on submitting CPEs, a lame topic.

4.8 Zombie topic: why are we still using Yahoo! Groups?

Every so often, someone asks indignantly why we are still using Yahoo! Groups because it is plainly horrible and there are many much better alternatives Out There.  If you check back through the archives you will see numerous and expansive discussions of alternatives.  This issue has been discussed ad nauseum, with the consensus being that there are distinct benefits to this forum being maintained on a non-(ISC)2 system.

(ISC)2 has tried alternatives in the past and even got as far as announcing the imminent closure of the Yahoo! Groups forum in January 2005 “within 3 months” but all previous attempts fizzled out without seeing the light of day.

Of course we could declare independence and hoist the flag on our own breakaway CISSPforum ... except for two little caveats:

  1. (ISC)2 owns and for good reason jealously guards the CISSP trademark to prevent confusion with other - lesser - products.  This means we probably could not use “CISSP” in the name or web pages promoting the breakaway forum.
  2. Only the all-seeing (ISC)2 knows who is currently certified so, unless we simply trust everyone who applied to join the breakaway forum (and trust doesn’t come easily to paranoid security types like us), we have no way to limit the membership to CISSPs.  There is of course a plethora of non-CISSP information security forums already in existence and we would simply be adding to Web entropy. 

Now if only someone could persuade (ISC)2 to issue digital certificates to CISSP holders, certificates that could be validated by anyone, then we’d all be deliriously happy and the world would be a nicer place.  Job candidates could prove their CISSPness.  Forum moderators could check the CISSPness of applicants.  Global warming (allegedly) would reverse (or not).  Unfortunately, since (ISC)2 evidently finds it difficult even to structure its own website, there’s about as much chance of this happening as <insert your choice of something really not very likely at all>.

4.9 Zombie topic: how should we word our email disclaimers and/or system banners?

When someone asks our opinion on how best to word a standardized email disclaimer or website/FTP/telnet “login banner” or similar, there inevitably follows a tussle between the “We don’t need no steenkin’ banners” brigade, the “Ask your lawyers” camp and those who start with “Here’s ours”.  The arguments generally boil down to these salient points:

  1. Some claim that disclaimers and banners are not worth the electrons they are written in because they have no legal standing.  They argue that it is not possible for the sender to enforce legal or contractual conditions imposed unilaterally on the recipient in this manner.  The pseudo-legal language so often used (“This message may or may not contain legally privileged information ...”) typically makes things worse by being so vague as to be totally ambiguous and laughable in court.  The argument is supported by sites such as this.  Arguers of this persuasion typically point out that the welcome mat outside your front door is not an invitation to breaking-and-entering.
  2. Lawyers appear somewhat divided on the value of banners and disclaimers.  There are some cases in some jurisdictions which appear to support their use, and others which apparently don’t.  All lawyers, however, are universally agreed that clients should seek their highly-paid professional advice on matters of this nature.
  3. If one accepts that there may be some value in them, and the costs are negligible (aside from those arising from the previous point), then we’re back where we started: what is the “best” way to word them?

Way back in 1992, a CERT advisory (quoted on RISKS-List) advised the use of something like this for a banner:

    This system is for the use of authorized users only.  Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

    In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored.

    Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.

CERT further noted that “each site using this suggested banner should tailor it to their precise needs.  Any questions should be directed to your organization’s legal counsel.”  The fact that this issue was discussed well over a decade ago surely qualifies this thread for zombie status.

According to the security compliance tool Secutor Prime, the US Gummt's Security Content Automation Protocol (SCAP) recommends the following:

    This computer system is for official use only.  This computer system, including all related equipment, networks and network devices (specifically including Internet access), are provided only for authorized use.  This computer system may be monitored for all lawful purposes, including to ensure that its use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security.  Monitoring includes authorized active attacks to test or verify the security of the system.  During monitoring, information may be examined, recorded, copied and used for authorized purposes.  All information, including personal information, placed on or sent over this system may be monitored.  Use of this computer system, authorized or unauthorized, constitutes consent to monitoring of this system.  Unauthorized use may subject you to criminal prosecution.  Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or adverse action.  Use of this system constitutes consent to monitoring for these purposes.

The US Gummt, having assigned a crack team of top-notch disclaimer experts to the job, came up with a universal disclaimer for all USG systems but then, allegedly, pulled it prior to implementation for as-yet unstated reasons.  Perhaps someone read this FAQ and noted the above?  Anyway, watch this space for the next thrilling episode.  Chickens at eleven.

Meanwhile, if you find creating a single, succinct general purpose banner/disclaimer too difficult or if you laugh at the very idea of a universal disclaimer, you may prefer a selection, a soupçon, a veritable smorgasbord of different banner/disclaimers:

  1. One for your website with a privacy statement/policy plus terms and condition of use, especially for eCommerce sites (e.g. at what point is a sales transaction considered final and binding? What if there are genuine errors or omissions in the prices, descriptions etc.?).
  2. One for internal network domains, displayed to employees before they logon, warning against unauthorized use and that use is logged (and perhaps displaying security awareness messages or further dire warnings after they logon).
  3. One for network devices (routers, switches, application servers etc.), warning that all use which is not specifically authorized by the organization is considered unauthorized (circular though that is) and that use is routinely monitored (is it?! Golly!  Well done!).
  4. One for emails mentioning that the sender does not represent the organization and is not authorized to enter into contractual commitments on behalf of the organization (or whatever).

If you are still searching for The Answer, Attrition offers a characteristically entertaining disclaimer.  The Commonwealth of PA says “Login banners provide a definitive warning that network intrusion is illegal and also to advise authorized users of their obligations relating to acceptable use of the network.”  They go on to suggest the following examples:

  1. This is an actively monitored system. Unauthorized access is prohibited.
  2. WARNING! THIS SYSTEM CONTAINS GOVERNMENT DATA. UNAUTHORIZED ACCESS IS PROHIBITED. Use of this system constitutes CONSENT TO MONITORING AT ALL TIMES and no expectation of privacy exists.
  3. Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored.
  4. THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM. Unauthorized access is prohibited. System personnel may give to law enforcement officials any potential evidence of crime found on this system. USE OF THIS SYSTEM BY ANY USER, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES EXPRESS CONSENT TO MONITORING, INTERCEPTION, RECORDING, READING, COPYING, or CAPTURING and DISCLOSURE of use. IF YOU DO NOT CONSENT, LOG OFF NOW.
  5. Space aliens will eat your head. P*SS OFF AND DIE EVIL HAX0R5!

(Possibly, one of the above is a spoof.  I’m not saying which, if any, it is.)

Google of course lists many more resources for ‘legal login banner’.  There is even an FAQ entirely devoted to the subject of email disclaimers.  You can probably get a certificate in it too, complete with CPEs.

Don’t forget to ask a tame lawyer.  This is not legal advice.  The heretofore abovementioned information under sections one (1) through seven (7) subsection seven (7) may, or may not, be illegal, allegedly and is totally and utterly DISCLAIMED. 

4.10  Zombie topic: “We’ve been hacked - what do I do?”

Luckily this zombie is not as frequent a visitor to the forum as some of the others but we do occasionally get someone hitting the big red panic button and emailing in, all red-faced, sweaty-browed and hair growing visibly more grey by the minute.  A typical question might be “I’ve just had a call from the Help Desk.  They have taken a call from a user in the business who says his PC is acting strangely.  The network boys and girls tell me there is loads of traffic on the user’s LAN segment and it looks as if the machine is spewing out spam like it’s going out of fashion.  HELP!  What do I do?”.

The responses usually wander into various aspects such as which are the best forensics tools to analyze the system, how to analyze the live system before shutting it down, and why it is so important to brew up an incident management process BEFORE not DURING an incident, but the best immediate response to date on this sort of query is: “If you believe the system is compromised, and you don’t have the tools and skills to perform live (or any) forensic analysis, pull the network cable and get an expert.  Don’t switch it off.  Don’t even run a directory listing.”

If you are the expert, and you’re already on site and ready to go, IT forensics grab-bag in hand, things are different, obviously.

Back to contents


5 FORUM MEMBERSHIP OPERATIONS & SETTINGS

5.1 How do I subscribe to CISSPforum?

  1. First, get the easy bit out of the way: get yourself certified as a CISSP or SSCP by (ISC)2.  The forum is allegedly for the certified only - or at least we thought so: according to some, you may be admitted if you merely apply for the qualifications and consider yourself certifiable.  (ISC)2 owns the group and can do what they jolly well like.
  2. Go to Yahoo! and create yourself a profile if you don’t already have one.  Use the email account you will want to use on the CISSPforum.  (This step is not strictly necessary, but comes in handy at times later on, and is easy to do while waiting for glacially slow results from (ISC)2.  This step doesn’t even have to be done first, either, hence the reason it is conveniently numbered ‘2’.)
  3. Visit the (ISC)2 website and request an account there if you haven’t already got one.  An account on the (ISC)2 website will let you access the private CISSP area on the site.  You’ll need it anyway to submit your CPE credits online to maintain your certification.  It’s also handy for getting onto the jobs board there which is notable for its lack of results but why not give it a try, eh?  (Warning: ISC2.org has won the World’s Least Intuitive Website Interface Award for at least four years running.)
  4. When you have your (ISC)2 account, login to (ISC)2 website  using  your CISSP number/exam candidate number as your login ID and your secret password.
  5. Go to the CISSP member site (it’s a private area, only accessible if you are logged in).
  6. Browse around fruitlessly until you eventually stumble across the link for (ISC)2 forums ... or just click here.  REMEMBER THIS PAGE AND HOW YOU GOT TO IT!  YOU WILL NEED IT TO UNSUBSCRIBE, IF YOU WANT TO.  TWEET IT!  BOOKMARK IT!  WRITE IT ON A POST-IT NOTE NEXT TO YOUR PASSWORD!  TELL YOUR FRIENDS ABOUT IT!
  7. Starting part way down the page are a bunch of forum sign-up forms, one of which casually mentions CISSP Forum.  Fill out the form using the email account that you want/you used in creating the Yahoo profile.  Make sure that you choose the correct CISSP Forum, currently listed as “Yahoo!Groups” since (ISC)2 has been experimenting with alternatives since 2004 (!).
  8. Wait a few hours.  Wait a few days.  Wait a week or two longer.  Eventually you will either get an invite or start getting email from CISSPforum.
  9. After lurking and watching for a while, please send us a nice ‘hello’ message, ideally with something interesting about you, your job, your interests, your favorite security standards, almost anything really.  Tell us what you thought of the CISSP examination maybe.  Say how you found out about the CISSPforum (was it through this FAQ?).  Once you have successfully posted to the CISSPforum, you will be able search the archive.  If you never post, you won’t.

If you get stuck, you might contact Wilf Camilleri or Blaise Kengoum using forum@isc2.org but try to find and complete the (ISC)2 forum sign-up form first. You could always ask a fellow CISSP for help or ask them to post your question on CISSPforum.  Good coffee or alcohol usually helps.

5.2 How do I join CISSPforum if I’m not yet a CISSP?

Easy: get yourself a coffee, turn off your phone and spend a merry hour or two absorbing the solid information and advice in an excellent Flash tutorial from ardent CISSPforum member and security evangelist Clement Dupuis.  Become a CISSP or SSCP and you will be welcome, if not compelled, to join the CISSPforum.

For fans of the UK comedy series, Little Britain, yes, CISSPforum is a local forum for local people.

Alternatively, try appealing to (ISC)2.

5.3  Since this is “CISSP Forum”, that means that all participants have their CISSP, right?

Kind of.  Lapsed CISSPies have been known to hang around like a bad smell long after their certifications have expired.  (ISC)2 also allows wet-behind-the-ears candidates to become members so long as they are exam candidates, thus the members of this forum may or may not have anything to do with the CISSP certification.  (ISC)2 claims to have it all under control but whether you trust them depends on your paranoia quotient.  Regardless, you can usually tell the actual CISSPies and especially the CUStards by how cranky they are, but not always: some remain stealthy.

5.4 Can I access the forum and files on Yahoo!?

Errrr.  When you sign up for CISSPforum at the (ISC)2 site, you are subscribed to the mailing list.  You can’t access the forum with any method other than email until you either create a new Yahoo! Groups ID or associate an existing Yahoo! Groups ID with the CISSPforum.  Here are explicit instructions for both options:

a) Create a new Yahoo! Groups ID (if you don’t already have one):

  1. Go to Yahoo! and click the blue “Register” link on the left or right hand side near the top. In alternate email address, enter the address that is currently receiving the CISSPforum. If you fake the demographic information on this page, it will come back and bite you when you need to recover the password you forgot. Be sure to clear the “send me special offers ...” checkbox unless you really want to fill your inbox and make sure your birthdate makes you at least 18 or Yahoo! will ask for your mommy or daddy ;-)
  2. Once you have registered, be sure to set your “marketing preferences” which Yahoo! will promptly honor within a week (says so on the screen).

b) Add CISSPforum to your existing Yahoo! Groups:

  1. Log in to Yahoo! Groups then click “My Groups” in the upper right hand portion of the page.
  2. Click ‘Edit my groups’
  3. Link your login ID to the CISSPforum by searching for groups with your email address on their list.

5.5  Why is the forum so lame that it makes me want to spew/leave?

Create your own space

Meaningful content only

Comes to those who post.

 

Silence calls silence

Lurkers don't disturb quiet

Sleep beckons as well.

 

The posts are boring?

Raise topic of interest

Thread starter lauded.

 

Forum like sewer:

What you get out of forum

Depends on input.

 

Being creative

Is much better than being

Tagged as complainer.

 

These are your colleagues.

Why are you so much better

That they must start first?

 

The forum that is

Is not what must always be.

Build a better world.

5.6 How do I temporarily stop getting email from the forum or change to digest mode?

Well done to you if you thought of this before shooting off on that extended vacation or business trip.  Please read the next answer also.

  1. First, you must have a Yahoo! ID and password and that account must be associated with this list.  See above for how to do this.
  2. Next, log in to Yahoo! Groups with your Yahoo! ID and password.
  3. Once logged in click on ‘My Groups’,  find the link for the group ‘cisspforum’ and click on it.
  4. Then click on ‘Edit My Membership’ near the upper right part of the page. You will see a list of options.
  5. DO NOT UNSUBSCRIBE FROM THE GROUP!  It’s a pain to have to sign-up again later.  Rather, look for the section ‘Message Delivery’. In this section select ‘No Email’ and click on the ‘Save Changes’ button at the bottom of the page.
  6. To start receiving email again, get back to the options page but select ‘Individual emails’ instead.  Don’t forget to click on the ‘Save Changes’ button.

5.7 How do I set up my Out-Of-Office message so I don’t spam the whole forum?

Do not turn on “reply-to-messages-not-sent-directly-to-me” or “reply-to-all”. Your best bet is to read the manual for your email system or call your IT Help/Service Desk.

The opinions of your fellow CISSPs in regard to those who fail to take appropriate actions on this score can be found in cissp-ooo-replies@yahoogroups.com and cissp-clueless@yahoogroups.com.  Basically, it is assumed that CISSPforum members should have more than just a vague clue about how to make the technology work properly without gratuitously annoying thousands of their peers.  In addition, remember that the group is composed of security professionals who should be aware that randomly announcing their absence from the office is an open invitation to mischief and social engineering (not from forum members, of course, oh no.  We are all certified professionals who vehemently uphold the fine ethical principles of CISSPdom. I’m talking about other, lesser recipients of your OOO message, including any lucky spammers who succeed in breaching your wonderful anti-spam defenses).  The good humored ribbing you will inevitably receive through the forum is the least of your worries.  If this tip is the one thing you learn from this FAQ, we consider it to be a roaring success.

5.8 How do I change the email address with which I subscribed to CISSPforum?

The following process has been found to be generally reliable:

  1. Go to Yahoo! and create yourself a Yahoo! profile if you don’t already have one.
  2. On the “Manage My Groups” -> “My Email Preferences” page, associate the currently-subscribed email account with the Yahoo! account. Confirm it.
  3. On the “Manage My Groups” -> “My Email Preferences” page, associate your new email account with the Yahoo! account. Confirm it.
  4. On the “Manage My Groups” -> “Edit My Groups” page select from the “Email Address” drop-down the email address which you wish each Yahoo! Groups list you’re on to use.
  5. If desired, you can then delete the old email account.

CISSPforumite Benjamin Tomhave says “I’ve used this method a few times over the years to alter email delivery preferences, particularly when spam gets to be too much of a problem.” 

5.9 How do I unsubscribe?

CISSPforum is a lifelong commitment.  Unsubscription is not an option: once you’re in you’re in.  You can check out any time you like, but you can never leave.

First, do not unsubscribe using the Yahoo! Groups subscription maintenance features for fear of rending asunder the very fabric of the known universe.  To subscribe and unsubscribe, always use the (ISC)2 website.  Log in from the main page with your User ID and password.  The same page you used to subscribe is the one you use to unsubscribe (it’s a different form, lower down the page).  (Told you you’d need it.)  (Bet you wish you’d saved it to your favorites now, huh?)

More vituperative, if less helpful, suggestions can be found in cissp-clueless@yahoogroups.com

If you are absolutely desperate to leave CISSPforum, there are still further alternatives:

  • Follow the instructions towards the bottom of every CISSPforum email (you know, that big load of nonsense you always skim), where you will find “To UNSUBSCRIBE, visit the CISSP Services Page, https://www.isc2.org/cgi-bin/cissp_forum.cgi  Do not send unsubscribe messages to the CISSP Forum!”.
  • Send unsubscribe messages to the CISSPforum, several if you like.  Be rude back when forum members complain.  If you are outrageously obnoxious, you will be unceremoniously booted off the forum, although if you take this too far there’s a distinct chance you may end up in court and/or be de-certified on ethical grounds.
  • Configure a spam rule in your email software to route every message with [cisspforum] in the subject line to the bit-bucket.
  • Send a nice pleading email to Wilf at forum@isc2.org.
  • Sign in to Yahoo! Groups, access the CISSPforum list settings page and set it to ‘no email’.  This won’t actually unsubscribe you but will stop the pain.

5.10 How do I join LinkeDin for CISSPs?

Both CISSPforum and LinkeDin are business-related social networking services, allowing you to leverage your professional network to gain access to a broader range of professional colleagues and their contacts.  They are both good for staying in touch or getting back in touch with long lost colleagues. 

The CISSP group on LinkeDin is simply a subset of LinkeDin members, all of whom are CISSPs and have been verified as such by (ISC)2

Short instructions:

Sign-in to the (ISC)2 website, opt-in to the LinkeDin group under the communication preference tab on your profile, request to join the CISSP group on LinkeDin ... and wait patiently.

Long instructions:

  1. LinkeDin allows you to have different email addresses associated with your profile.  Ensure your (ISC)2 primary email address is one of those associated and confirmed with your LinkedIn profile. Your (ISC)2 primary email does not need to be your primary LinkedIn email address, but must be associated with it.
  2. Go to ‘My Profile’ then ‘My Contact Preferences’.
  3. Under the section headed “LinkedIn for CISSPs”, select the ‘Yes’ option, then at the bottom of the page click the SAVE button.
  4. Request to join the CISSP LinkeDin Group on LinkeDin if you have not done so already, using this link.
  5. Wait patiently.
  6. If you are ‘declined’ from the group and have faithfully followed all the steps shown here, email your information to linkedin@isc2.org   including the magic word ‘declined’ in the message subject.

Please DO NOT post LinkeDin validation messages, requests or complaints to CISSPforum

Woe unto thee shouldst thou attempt to join, or disjoin, LinkeDin by posting a message to the CISSPforum.  The CUStards shall smite thee on thy left shift key, and on thy right.  Newbies shall rise up and call thee accursed.  Thy name shall be a hissing and a byword, as in the name of Him Who Cannot Be Spelt.  Thou shalt be reviled as if thou hast set thy Out-of-Office reply and it had been seen by Axel.  Thou shalt join those cast into the outer darkness of cissp-clueless@egroups.com and cissp-linked-indiots@egroups.com, and if this is done in error thou shalt only get a membership in cissp-insincere-apologies@egroups.com.

Having the CISSP logo on your LinkeDin profile confers no special mojo or magic and will not guarantee your fame and fortune.  Joining the group is NOT like winning the lottery.  It will not revolutionize your job searching or make you a better person.  To be perfectly frank, active participation in the CISSPforum is likely to be far more beneficial to your career prospects than joining the LinkeDin group but, for whatever reason, there is no end in sight to the long line of LinkeDin lemmings.

PS  Before you are overwhelmed with the burning desire to share every last detail of your career and private life with the world via LinkeDin, or indeed any other social networking sites, read this brief warning about the risks and if that wakes you up, read this longer one too.  Remember your CISSP training.  Do not run with scissors.

Back to contents


6 (ISC)2 STUFF

6.1 How do I receive regular communication from (ISC)2?

Method 1: subscribe to the (ISC)2 newsletter. To do this, simply sign into the (ISC)2 website, then click on “Subscribe to (ISC)2 newsletter.” You will be taken to a bcentral.com partner site where you must provide your email address, name, city, state, country and company name, or at least you need to supply entries that satisfy the data entry validation routines.  You may also disclose your interests (very short list) and certifications (also a short list).  Within a few minutes you will receive a confirmation message welcoming you to the (ISC)2 newsletter mailing list, or not if you did not supply a valid email address.

Method 2: receive (ISC)2’s Infosecurity Professional magazine either as a free electronic softcopy by email or in print if you pay the postage and packing charge and don’t mind slaying trees.  The magazine is just one of many benefits for “members” of (ISC)2.  The first edition was released in April 2008 - search the CISSPforum archives for informed comment on the content.

6.2 How do I submit CPEs?

Read the (ISC)2 instructions which contain lots of detail plus a helpful link to the submission form.

Most questions about CPEs on the forum are lame since the (ISC)2 guidance generally answers them all.

6.3  How many CPEs can I get for that?

The CISSPforum is just a bunch of guys and gals, you know.  We are not (ISC)2.  We don’t award CPEs.

Most of us really don’t care much about CPEs because we are active infosec professionals who are awash with CPEs as a result of lots of reading, research, webinars, conferences, training courses and stuff.  We don’t need no steenkin’ CPEs.  Several of us teach, present to or write stuff for other CISSPs and CISSPwannabies to consume and claim their CPEs.

If you need to find out precisely how many CPEs to claim for something, and what Type they are, just ask (ISC)2, not us.  If you insist on asking us, expect a flatulent response.  You could try setting up one of those web survey things and inviting us to vote.  Just make sure you include the option “322 Type C’s”.

6.4 Where do I find anything on ISC2.ORG?

Good question!  Some have speculated that when the late Douglas Adams wrote the Hitchhikers Guide To The Galaxy, he was thinking of the (ISC)2 website ...

    Mr Prosser said: "You were quite entitled to make any suggestions or protests at the appropriate time you know."

    "Appropriate time?" hooted Arthur. "Appropriate time? The first I knew about it was when a workman arrived at my home yesterday. I asked him if he'd come to clean the windows and he said no he'd come to demolish the house. He didn't tell me straight away of course. Oh no. First he wiped a couple of windows and charged me a fiver. Then he told me."

    "But Mr Dent, the plans have been available in the local planning office for the last nine months."

    "Oh yes, well as soon as I heard I went straight round to see them, yesterday afternoon. You hadn't exactly gone out of your way to call attention to them had you? I mean like actually telling anybody or anything."

    "But the plans were on display ..."

    "On display? I eventually had to go down to the cellar to find them."

    "That's the display department."

    "With a torch."

    "Ah, well the lights had probably gone."

    "So had the stairs."

    "But look, you found the notice didn't you?"

    "Yes," said Arthur, "yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying Beware of the Leopard."

We’re still looking for the “Beware of the Leopard” sign at the (ISC)2 website.  If you find it, please post a message to CISSPforum and we’ll call off the hunt.  Meanwhile try Google.

6.5  What do I get for my AMFs (Annual Mugging Fees)?

Quite often the discussion about which activities do or do not qualify for CPEs and/or how difficult it is to find information on the (ISC)2 website ends up with someone asking “What does (ISC)2 do for us anyway?”.  This is not unlike Monty Python’s “What have the Romans done for us?” in the Life of Brian.

Even (ISC)2 accepts that it’s perfectly reasonable for CISSPs and SSCPs to ask “Do we get value for money for our Annual Maintenance Fees (AMFs)?”.  (ISC)2’s official response mentions obvious member benefits such as security webinars and the career center, and talks about the wider benefits through various marketing efforts to promote the security profession in general and, by implication at least, CISSP and SSCP holders in particular.  It’s unfortunate that they neglected to mention the biggest benefit of all, CISSPforum, though!

The bottom line is a personal value decision: will the benefits to you of CISSP/SSCP qualification exceed the AMFs?  If you are working for an employer who requires security qualifications, the answer should be obvious, especially if you are privileged enough to reclaim your AMFs and associated training/educational costs as legitimate business expenses.  Likewise if you are searching for a new position and your qualifications will earn you a higher salary or land you a better job with a more enlightened employer/manager (not so obvious a benefit maybe but, believe me, job satisfaction is worth a lot).

Finally, there is the Zen perspective.  Will the effort to achieve and maintain your qualification make you a better person?  Will it satisfy your inner drive to be good at information security?  Do you value being part of the global professional infosec community?  Do you maintain motorcycles?

Back to contents


7 MISCELLANY

7.1 What is the 11th domain?

The 11th CBK domain is an obscure reference to any topic that the membership of the forum currently considers clueless, whether off-topic, misguided or just plain lame.  It includes the old favorites “Out-Of-Office”, “Unsubscribe” and “Could have found it on Google in 2 µs.”  Occasionally, it is a genuine proposal to extend the CBK to cover additional domains such as ‘human factors’ but such proposals seldom get anywhere due to conservatism, inertia and apathy, a killer combination.

7.2 What other CISSP-related mailing forums are there?

Please note that none of the following are official, (ISC)2 sponsored or endorsed mailing lists:

There is an inactive, archived group at http://groups.yahoo.com/group/cissp/

Regional/area CISSP study groups include:

* SOME MAILING LISTS EVIDENTLY OPERATE IN COUNTRIES WHERE EITHER LOWER CASE IS TAXED OR SHOUTING IS SOCIALLY ACCEPTABLE

Some might be a little questionable:

The former groups are all deadly serious but the remainder are just for fun. In particular, note that none of these last are in any way sponsored or endorsed by (ISC)2.  Their very existence would probably be denied by (ISC)2:

7.3 Who are the Usual Suspects?

Never mind life, the universe, everything.  Who or what are the Usual Suspects?  That’s the Ultimate Question.  The designation “Usual Suspects” arose in the dim and distant past from an accidental mis-posting to the CISSPforum of a private message from an (ISC)2 staffer to another regarding certain outspoken and unnamed CISSPforum members.  The comment is alleged to have spawned a sinister (or is it dextral?) secret society within the inner sanctum of CISSPforum, the Certified Usual Suspects (CUS), also known as the CUStards.  Even the CUStards do not know precisely who the CUStards are nor what they have done to deserve the dubious distinction beyond being “outspoken” but rumors abound of special handshakes and blackballing, weird initiation ceremonies involving sushi and/or poutine, an unwritten but staunchly upheld code of honor, and a predilection for emitting well-aged bodily gases.  There is no known method to join the CUStards, nor indeed to leave, although most members tend not to contribute quite as much volume post-mortem, though just as much value.

7.4 Who is responsible for this unofficial FAQ?

The current mug editor/maintainer of this FAQ is, allegedly: Gary Hinson, Gary@isect.com

By all means chuck rotten eggs at me but be warned: the more you throw, the greater the chances you’ll be “invited” (cosa nostra style) to become the new FAQ editor/maintainer ...

7.5 Can I submit new questions and answers or corrections to the FAQ?

Absolutely!  Send them directly to the current editor (write each one on a $10 bill for the special express service) or better still post them to the CISSPforum for general discussion.  All potential submissions are gratefully received. The best bits will be shamelessly plagiarized.  Alternatively, you can edit Anton’s wiki version directly yourself.  Have a go: it’s an information security geek’s version of Having a Good Time.

7.6  FAQ Credits

Thanks to the following for their invaluable contributions to this FAQ: Chris Brown, the late lamented Laurie McQuillan, John McGuire, Matt Curtin, Jack “Hollerin” Holleran, Rob “Grandpa” Slade, Pat “Spring Bunny” McGregor, Anton “Cats in Context” Aylward, Les “G’day Jimmy” Bell, Karen “Stop”ford (head of the No Department), D. “Cragin” Shelton, Mim The Merciless (slayer of the humor impaired), and Gary “Passionate” Hinson.  Other members of CISSPforum and CUStards have contributed to the FAQ either through insightful postings to the forum or by pestering the editors privately (i.e. in a private place).

I’d like to thank my producer, the director, the investors, the NSA and of course the venerable Consortium without which this FAQ would not have been possible necessary.

7.7 What’s new here?

  • August 2013: yet another morning goes West as I update the message rate graph (still steadily declining, now about 13 per day), the number of members (now back below 6,000) and assorted other metrics.  I don’t have the mental capacity to check all the URLs again.  Maybe next decade.
  • August 2012: wasted another hour or three of my miserable existence purging broken URLs.  Naturally I have left a few for next time.  That really gives me something to look forward to.  It wouldn’t be so bad if it weren’t for this pain in the diodes down my left side.
  • June 2012: after a mysterious year-long lull in proceedings, the FAQ was updated by answering How do I get people to respond to my queries?  Thanks to Cragin for pointing out the gem of an FAQ on asking questions the smart way.
  • April 2011: seems ejecting the troll wasn’t enough for some esteemed members who don’t contribute to the discussions but simply complain about them and ‘threaten’ to leave.  Go ahead, make my day (haiku contributed by Rob Slade).
  • January 2011: although (ISC)2 hasn’t actually confirmed this, they also haven’t denied that an annoyingly persistent and persistently annoying troll has finally been ejected from CISSPforum.  6,199 members rejoice!  We hope the return to normal professional discourse and friendly banter, mostly on information security matters, will once again make CISSPforum by far the coolest place for CISSPs to hang out.
  • August 2010: added a cute ASCII art “Don’t Feed the Troll” sign.  Feel free to add it to your email sigs, but don’t bother sending them to the CISSPforum as Yahoo! unilaterally and silently removes the ‘extra’ spaces that make it work as a picture.
  • January 2010: referred, again, to lame questions about how many CPEs one can earn.  6,200 members can’t all be wrong, surely?
  • September 2009: quoted (ISC)2’s description of CISSPforum.  Noted that some members speak in tongues.  Quoted some gratuitous Python.  We’re up to 6,200 members!
  • June 2009: added a new definition of Friday (thanks Mim the Merciless).
  • May 2009: it seems not all members of the Forum are CISSP or SSCP qualified.  Some are only thinking about it.  “We used to dream of joining CISSPforum ...”  Thanks to Walt, added a new Q&A.  Mentioned sending troll-messages to WOM.  Added a graph of the message volume, which does sometimes go to eleven.
  • April 2009: added advice on dealing with trolls.
  • March 2009: explained the free health benefits associated with membership of CISSPforum (thank you Dr Richard).
  • February 2009: updated the advice on how best to seek advice from CISSPforum (thanks Cragin).
  • January 2009: referred the clueless to LetMeGoogleThatForYou.  Corrected the Forum sign-up link (cheers Michael).  Forum membership just passed 6,000!
  • August 2008: secretly rearranged a few of the words in the covert section on forum privacy (or rather the lack thereof).
  • June 2008: new LinkeDin CISSP group sign-up process announced by (ISC)2.  THIS IS FURTHER NOTICE.  Added another suggestion on turning down the volume following a complaint about Rob’s book reviews which triggered a mail storm between detractors and supporters.
  • May 2008: expanded the advice on earning CPEs.  Added the FAQ on FAQs thanks to the generosity of one D. Cragin Shelton CISSP of this parish.  Referenced a neat little video on what-not-to-do-at-the-forum THIS IS STILL NOT FURTHER NOTICE.
  • April 2008: linked to the top 45 oxymorons.  Linked to a helpful FAQ on how to ask smarter questions.  Invited clueless cissp-wannabe’s to sign up for a new LinkeDin group.   THIS IS NOT FURTHER NOTICE.
  • March 2008: spent a merry hour patiently reminding NetObjects Fusion, yet again, where its internal links should go (you’d think it would know, but oh no, not NoF, that would be too easy, too customer-friendly) and exorcising dead external links.  Added a note about posting long URLs.  Corrected a an entire IBM Golfball of typos (thanks Graciela).  LINKEDIN FOR CISSPs VALIDATION IS SUSPENDED UNTIL FURTHER NOTICE.
  • February 2008: noted (ISC)2’s new Infosecurity Professional rag, due out in April.  Oooh, can’t wait.  Increased page width to make better use of that lovely LCD screen real-estate in which most of our employers have invested, with our apologies to any pixel-challenged visitors (please complain to 127.0.0.1).  Fixed a bunch of broken links (Net Objects Fusion must be going senile since it forgets, ah, what it was, um ...).  Announced the CISSPforum Loyalty Scheme.
  • January 2008: wrote down what someone wanted to say to a troll on the forum, but thankfully was too polite to voice.  Added a witty comment about wit on the forum (thanks Rob).  Added a US Gummt disclaimer (two in fact) and a Q&A about AMFs.  Adam Nunn will soon be joining Clement Dupuis and Lee Imrey in the arduous task of validating applications to join the LinkeDin CISSP group.  Go boys, go!  Explained what CISSP, SSCP and CAP are (thanks CUStards).  Published the CISSPforum serenity prayer (thanks be to Rob).  Added a section on volume control (top o’ the mornin’ Irish).
  • December 2007: added suggestions re validation posts by LinkeDin wannabes and a new mailing list for discussion with the (ISC)2 Board.  Also noted cissp-apathy@OhIcantBeBothered.com
  • Novembre 2007: Clement has kindly volunteered to help Lee with the LinkeDin validations (merci bcp Clement).  Added a reminder not to use CISSPforum for electioneering, but to use the cissp-elections group instead.  Added a section about finding stuff on ISC2.ORG (thanks for the HHGTTG quotation, Anton).  Added a few choice words about on-off-topicality.
  • October 2007: noted the curious cisspjobforum mailing list (thanks Bubba and Rob). 
  • September 2007: further explained the nature of Friday postings (thanks Anton).
  • August 2007: added a suggestion to link to your LinkeDin profile when posting a “me too” message to the forum (thanks Andrew) and a link to a paper on LinkeDin risks posted to the forum by someone who evidently listened when we asked CISSP LinkeDin wannabes to post something interesting (thanks Michael).
  • July 2007: Lee disclosed the magic incantation for joining LinkeDin.
  • June 2007: Lee Imrey says applications to join the CISSP LinkeDin group are taking 4-6 weeks to process, largely because people don’t follow the proper procedures (tut tut). 
  • May 2007: added an example to the ROI zombie (thanks Anton) and a new zombie topic on We’ve been hacked (thanks Les).
  • April 2007: added more content on the disclaimer/banner zombie.  Removed reference to Javed’s zSquad archives since the Yahoo! Groups search is OK now and Javed’s server has popped a fuse due to the number of people hunting zombies.
  • March 2007: explained about Friday postings (thanks Rob).  Added a new CISSPforum rule about virgin posters.  Added a zombie topic on disclaimers and banners (thanks Spring Bunny).
  • January 2007: added a note about lame responses and the sad news about Laurie.  Added instructions for changing subscribed email addresses (thanks Ben) and for joining LinkedIn for CISSPs (thanks Lee) plus another mailing list (another Rob classic).  Added yet another zombie topic on why we are still using Yahoo! Groups.
  • November 2006: added the section for CISSPwannabes referring to Clement’s CISSP tutorial.
  • October 2006: Gary took up the editorial cudgel in October 2006, beating Rob’s rather quaint plain ASCII text version into a modern, sleek-looking HTML web page with go-faster stripes, giving us the luxury of actual headings, working hyperlinks and most of all, readability.  If you think you might prefer the original, it’s stored for all posteriors on the CISSPforum files area on Yahoo! Groups, where it is available to current members of the CISSPforum ... which hints at the real reason this FAQ was published as a public web page: the instructions for how to sign up for the CISSPforum used to be available only to current members of CISSPforum.  Doh!  That’s a bit like printing the “pull cord before passing 1,000 foot altitude” inside the parachute, or having a black button on a black panel light up black to tell you it’s on.  Shades of Catch-22 and HHGTTG.
  • 2005-2006: Rob Slade copied a ton of Chris’s stuff, modified the rest so that it made less sense and did a fabulous job of injecting the odd ray of humor.  He skillfully incorporated new stuff from CISSPforum including contributions from Laurie, John, Gary, Anton, Axel and Matt.  In parallel, Anton set up the wiki version, after searching in vain for the ancient Greek word for wiki.
  • 2003-2004: The original editor of this FAQ was Chris Brown who has mysteriously vanished into the ether, if not the net.  Before he left us, Chris freely admitted that much of the content was outrageously stolen from posts to CISSPforum.  The FAQ was uploaded to the CISSPforum files area in October 2003 and updated a couple of times before Chris evidently gave it up as a dead loss and went back to Real Life™.  We remain eternally grateful, Chris (that you started this, not that you went away).


The end of the unofficial CISSPforum FAQ is nigh.
That’s it, there is no more.
Just a horizontal line (yes, yet another rule!),
and a link back to the top for those poor unfortunates
lacking page-up keys, vertical sliders and wheely mice.