The Unofficial CISSPforum FAQ
Unofficial Answers to Frequently Avoided Questions about the CISSPforum, unofficially
a.k.a. The Big Dummy’s Guide to CISSPforum
FAQ originated by Chris Brown, heavily edited by Rob Slade and Gary Hinson with numerous contributions from generous and sometimes unwitting CISSPforum members and, allegedly, the Usual Suspects
Latest update one Friday in May 2008
Please use the following URL to link to or reference this FAQ:
http://www.noticebored.com/html/cisspforumfaq.html
Contents
1 INTRODUCTION
2 BASIC FORUM USE
3 FORUM CONTENT
4 ZOMBIE TOPICS
5 FORUM MEMBERSHIP OPERATIONS AND SETTINGS
6 INTERACTING WITH (ISC)2
7 MISCELLANY
1 INTRODUCTION
1.1 What is the point of this FAQ?
This document is the unofficial FAQ (Frequently Asked/Avoided Questions) for users of the CISSPforum mailing list run by (ISC)² for all CISSPs and SSCPs. It is a collection of answers to questions that mostly are or have been repeatedly asked in the forum and (arguably) important information related to appropriate and inappropriate use of the forum.
This FAQ inhabits: http://www.noticebored.com/html/cisspforumfaq.html
We’d ask you to bookmark the URL for future reference and share it with your fellow CISSPs and SSCPs but we know that’s a waste of good bytes. Google has heard of it anyway.
1.2 What is CISSPforum anyway?
As its name ably suggests, CISSPforum is a discussion forum for CISSPs, that is Certified Information System Security Professionals who have been certified by (ISC)².
Membership of CISSPforum is a little known benefit of gaining your CISSP, little known largely because it takes such skill and perseverance to locate the forum sign-up page hidden deep within the (ISC)2 website. As
one of the members said, “The most useful thing I got from my CISSP is this Yahoo! forum community - a wealth of knowledge
and experience. The CISSP has impressed some people at interviews, much more so than any other designation I hold, but it’s
very minimal. They are much more interested in what I can do.” Some might even agree that we should earn CPEs for actively contributing to CISSPforum.
Although the forum is run as a Yahoo! group, DO NOT WASTE YOUR VALUABLE TIME TRYING TO SIGN UP DIRECTLY ON YAHOO!. Your application to join the forum has to be checked and verified directly by (ISC)² to confirm that you really are qualified. Unless you are an IT forensics specialist who enjoys a bizarre challenge, instructions for signing-up are given below.
CISSPs who successfully navigate the virtual obstacle course to sign-up to CISSPforum join a friendly community of over 4,500
peers - qualified information security professionals from all parts of the globe and all sexes. Some of us are newcomers to the
profession, recently qualified, while some are grey-beards with a decade or two of experience in the trenches. Our ranks are
swelled by IT auditors, consultants, trainers, security officers, security managers and others, all CISSP or SSCP-qualified. Welcome all.
As a community of professional practice, CISSPforum is a great place to discuss information security and closely related topics.
The scope of the forum naturally includes the ten areas of (ISC)²’s Common Body of Knowledge (the CBK) which coincides,
thankfully, with the CISSP exam. We also discuss ISO/IEC 27000 series (ISMS), ISO 9000 (QA), ISO 20000 (ITIL), IT governance,
SOX (and/or socks), IT risk management, IT audit, IT forensics, UNIX/Windows/MacOS/OS390/etc. etc., networking ... in fact
anything that’s hot in information security is likely to be brought up at some point, often before it hits the industry rags. It’s like
an information security club, blog or online interactive encyclopaedia with over 5,500 qualified contributors. OK, to be honest it’s more like 500 active contributors with 5,000 lurkers but we “feel their presence” in a spooky sixth sense kind of way.
Some of the discussions are straightforward questions and answers, that’s it. Others develop into full-blown discussion threads,
depending on the skill (or good fortune) with which the original poster crafted a post containing such subtle nuances or contentious
language that more people felt compelled to respond. Urgent help messages generally get answers within minutes, while more
contemplative posts can trigger threads that run for days or sometimes weeks. By and large, it is all very good natured, open and
“safe”, though there’s often the very faintest whiff of sarcasm, especially when someone purports to be an expert on some topic.
The forum is a wonderful safety vent for burning information security issues that bug you, and to challenge accepted norms. You’ll
find deep technical threads running alongside lighter topics. Members contribute wisdom, knowledge, opinions and more for the
benefit of all. Many of us have become virtual friends through the forum while others are virtually friends simply by virtue of their
participation. We’re never stuck for contacts when visiting far off foreign lands although we’re still waiting for our first forum romance, or rather the first one to be publicly acknowledged.
1.3 What are CISSP and SSCP?
CISSP is an acronym standing for one of the following:
Certified Information Systems Security Professional - the premier security qualification from (ISC)² and a registered trade mark to boot
Can Indeed Shoot/See/Slight/Snub/Scorn/Smear/Slur Stupid People - first suggested after a discussion thread on US gun law (another candidate for zombie status)
’Cos I Said So Pal - explains why people have to listen to every word a CISSP says
Canadian (or Canukistani) Information Systems Security Professional - reflecting the disproportionate number of
active contributors to the forum who live in or come from the frozen wastelands North of some of the remaining active contributors
Cohorts Implementing Stealthy Secret Practices - goes with the funny handshake
Curmudgeons Irreverently Satirizing Sloppy Processes - pull up your keyboard to be ruthlessly ridiculed
Cautiously Investigating Suspicious Satanic Publications - that’s part of the job spec
Callously Ignoring Stylishly Sentimental Politics - both company and real politics
Cats Insistently Striking Silly Poses - my furry ones made me put that in
Cat Intelligence Security Services and Patrolling - uncovering cats' secret names (don’t ask me, I only cut-n-paste this stuff).
CISSP is an ANSI ISO accredited certification confirming that the holder has:
Despite what many recruitment consultants and other infosec-challenged people might think, CISSP is not a deep technical security
qualification. It requires a reasonable understanding of both technical and non-technical information security matters, with the emphasis on breadth not depth of knowledge. That said, many CISSPs do have deep technical security knowledge and expertise in
one or more of the ten domains defined by (ISC)² in the Common Body of Knowledge (CBK). Some don’t.
The CISSP CBK covers these ten fields (shown with their approximate ISO/IEC 27002:2005 equivalents):
Access control (’27002 section 11)
Application security (’27002 section 12, some)
Business continuity and disaster recovery planning (’27002 section 14)
Cryptography (’27002 section 12.3++)
Information security and risk management (’27002 sections 4, 5, 6, 7 & 8!)
Legal, regulations, compliance and investigations (’27002 sections 13 & 15)
Operations security (’27002 section 10, some)
Physical (environmental) security (’27002 section 9)
Security architecture and design (’27002 section 12, more)
Telecommunications and network security (’27002 section 10, rest)
The “CISSP concentrations” are nothing to do with furrowed brows but emphasize specific domains of expertise. Currently these are:
Security engineering using US Gummt standards for CISSP-ISSEP
The concentrations build on exactly the same broad base as CISSP - in fact, candidates for the concentrations must pass their
CISSP first, and have extra-wide business cards. ISSAP and ISSMP candidates must also have at least 2 years work experience in
their chosen concentration but there is no such requirement for ISSEP, so candidates who cannot concentrate for 2 years on
security engineering are still suitable to be considered for US Gummt infosec work, evidently.
SSCP stands for one of the following:
Systems Security Certified Practitioner - a qualification demonstrating some practical experience of working in the infosec trenches (e.g. security administration).
Solid Security Currently Practicing - it’s a pragmatist’s qualification
Should Soon Certify Properly - emphasizing the view of SSCP as a stepping stone to CISSP
International Respect for Tacticians - according to the heading on (ISC)²’s SSCP page anyway.
SSCP is seen by some as a foot in the infosec career door, a means to show commitment to the field prior to gaining much work
experience and a ticket to join CISSPforum. It is also suitable for those infidels who have not yet fully signed their lives over to
infosec, those who in other words “have a life”. The pre-qualification criteria reflect pretty much any professional/junior management job, with just the barest hint, the merest smidgeon of infosec.
For the sake of completeness, we’d better mention (ISC)²’s Certification and Accreditation Professional (CAP) credential, “an
objective measure of the knowledge, skills and abilities required for personnel involved in the process of certifying and accrediting
the security of information systems. Specifically, the credential applies to professionals responsible for formalizing processes used
to assess risk and establish security requirements, as well as ensure information systems possess security commensurate with the
level of exposure to potential risk.” The ‘accreditation’ mentioned relates to the process of reviewing and certifying system security
configurations against official system security configuration standards such as NIST’s, much beloved of the military and those
sheltering under FISMA’s umbrella. Federal managers have to review their systems every 3 years or after a major change,
whichever comes first (for unspecified values of “major”). They use the process to identify needs and then translate those into
budgetary needs so that Congress won’t shut down their system (a.k.a. legislative denial of service). Despite the name, CAP is in fact nothing to do with headgear.
1.4 Is there an official CISSPforum FAQ?
Yes, well kind of. (ISC)² published the (ISC)² forum guidelines independently of and prior to first publication of this FAQ. Their
summary reads thus:
“Membership to (ISC)² forums is restricted and must be approved by the forum administrator.
To access an (ISC)² forum, members must enter a password.
Messages posted to the forum can be seen by all members of the forum, but are not made available to anyone outside the forum.
(ISC)² forums are not moderated.
Advertising of products and services or posting of “junk mail” messages is strictly prohibited. However, discussion regarding products and services is allowed.
Use of a forum to advertise conferences, seminars and training related to the list topics is permitted.
Members are encouraged to keep postings brief.
When replying to postings, please include the original posting but only include the relevant parts of the message.
Use of a forum to post messages that are not related to security topics is strictly prohibited.
Any disregard of these policies and guidelines, or abuse of forum access privileges, may result in revocation of membership to the forum.”
The following topics are covered in the (ISC)² forum guidelines:
What is a forum?
Who can become a member of an (ISC)² forum?
Who hosts (ISC)² forums?
Who should I contact if I’m having any difficulties with my subscription?
How do I subscribe to or unsubscribe from a forum?
How do forums work?
I’m receiving too many messages. Should I unsubscribe?
What is unacceptable content?
How do I reply to postings?
How do I report abuse of a forum?
What if my email program has an “Out of the Office” option?
Who do I contact if I need help with a forum?
Dorsey Morrow, (ISC)²’s helpful legal counsel, reminded us that CISSPforum must not be used for campaigning by those seeking
election to the Board of Directors, although it can be used to garner popular support for those seeking to become candidates (a single posting only - see the official official guidelines for the official rules, officially). A separate forum (cissp-elections) has been
created by and for CISSPs to discuss the Board elections, the candidates and their manifestos, the elections process, governance accountability of ISC2 management as a whole and related matters.
In case of conflict between the (ISC)² forum guidelines and this unofficial FAQ, expect weird things to happen as the space-time
continuum is torn asunder.
1.5 Disclaimer
The information provided in this FAQ is not guaranteed <full stop>
The information provided here is often the curious opinion of one deluded person and, however unlikely this may seem to them,
there may conceivably be valid opposing views. Use the information in this FAQ at your own risk. Your mileage may vary. Do not run with scissors.
This is not legal advice. The legal buck doesn’t even slow down here to charge its time.
The unofficial FAQ is neither promulgated nor endorsed by (ISC)2, its officers or its affiliates. This is an independent unofficial work by a tiny albeit vocal and rather cynical minority of CISSPforum members with this particular version having been heavily modified
by self-acknowledged beards-of-colour who are clearly disturbed, senile or ‘under the influence’, and possibly all of the above.
GM-free. Ford-free too. No cute cuddly animals were harmed in its production, only nasty slimy ones.
1.6 Other versions of this FAQ
The original plain text FAQ was and remains available only to CISSPforum members. It was extensively updated by Rob Slade and assorted elves in 2005/6. To take a look, logon to Yahoo! Groups, open the “cisspforum” group, go to “files” and scroll down to find “cisspforum-faq.txt”.
A cool wiki version was created by Anton Aylward, Les Bell and other CISSPforumites during 2005. You are invited, nay
encouraged to edit and contribute directly to the CISSPforum wiki FAQ. Go for it. Knock yourself out.
The web version on your screen/printout was conceived by Gary Hinson in October 2006 and is updated when inspiration coincides
with a spare hour. Comments, further questions and answers are always welcome. See the contact details towards the end if you’d like to contribute something or throw rotten eggs.
Back to contents
2 BASIC FORUM USE
2.1 How do I post messages to CISSPforum?
Any member of CISSPforum can post messages to CISSPforum simply by sending email to the list email address which is: cisspforum@yahoogroups.com. Please use plain text and be reasonably succinct. Please refrain from “top posting” i.e. adding
your own comments to the top of a previous posting without any attempt to trim the original response and the ludicrous Yahoo!
spam from the end. By all means select the relevant bits of the original post, add the ‘greater than’ characters and re-send them, along with your comments but, please, not the whole thing.
Messages can also be posted online by members who have tied their membership address to a Yahoo! identity, using the Yahoo! web interface.
CISSPforum automatically rejects messages posted by non-members, unless they have carelessly allowed their login credentials to
be stolen by a spam bot (which happens). Nevertheless, this is still the most effective anti-spam system we have. Spammers
who join the forum are soon shown the error of their ways and risk being “horse whipped with Cat5 cable” (according to one member’s email signature anyway).
Please sign your postings with your name, ideally, else a nickname or some other term that you are happy for us to call you.
Otherwise we will choose a name to call you, and it may not be to your liking. The person who posts under the pseudonym
“/bpm”, for instance, probably does not appreciate being called “Slash” but at least he/she has a sense of humour.
If you are posting a long hyperlink, please either create and supply a TinyURL as well as the full link, or simply enclose
your long URL in angle brackets < and > which allegedly tells most email clients not to break the URL over more than one line.
Finally (and this should really be the First Law Of Posting), please give your audience a moment’s consideration before hitting the <SEND> button. If you are sending or responding to an inflammatory or incendiary email, at least sleep on it first or read this. If you are asking something and expect a sensible/helpful answer, consider How to Ask Questions The Smart Way. Or just
send anyway and risk being pilloried. You choose. If you are pillorying someone for asking a question the wrong way or saying
something dumb, or complaining to the entire mailing list about something that offends you, remember this sage advice:
It is better to be thought a fool than to open your mouth and remove all doubt.
Please be tolerant of others. We are not all on your wavelength. Some of us barely even speak your language (and you’ve
probably never even heard of ours). CISSPforum is a global melting pot. Please don’t fan the flames underneath.
2.2 Is it safe to post my first message?
Of course! We’re all friends here! To the ~4,000 CISSPforum lurkers, we say: de-cloak and bathe us liberally in your knowledge
and experience. Don’t be shy. Even “me too” is marginally better than stony silence.
There’s a special CISSPforum rule for Those Who Have Never Posted (you know who you are) and LinkeDin wannabes alike. You
have full permission to make Your First Posting without fear of retribution, dissent or ridicule. The trick is to write “First posting” or
similar in the subject line and include something interesting in the body of an email message to cisspforum@yahoogroups.com.
‘Something interesting’ in this context may be:
Where did you first hear about CISSPforum? Was it this FAQ maybe, or another?
A link to a novel security risk, vulnerability, control or concept, with a word or three of explanation
Comments or queries about any other posting or discussion thread
How many other people you have invited to join CISSPforum this month :-)
Questions about information security, risk, control, poutine etc.
Your favourite security theory/model ... or the worst
Something That Gets You Going, preferably but not necessarily relating to information security. What’s your passion in life?
Tell us something about you, as deep and meaningful or superficial and glossy as you choose. Contentious postings often get a good response but don’t be surprised if some are rather rude.
Other interesting stuff - essentially anything other than “Me too”. Go ahead, surprise us with your creativity and genius. Failing that, just surprise us.
The CUSses, beards-of-colour and others faithfully promise to be extra nice to you on your first posting. To be honest, we’re all
generally nice people who don’t bite but occasionally bark a bit, albeit sometimes up the wrong tree. Hot discussions break out
from time to time and create plenty of smoke but actual flames are very rare (see below for fire retardant advice).
2.3 How do I reply to messages?
CISSPforum has been set up so that, by default, replies are sent to the entire forum not just the originator of the message.
That’s over 4,500 of your fellow security professionals. If one day you accidentally reply to a forum message with a personal response without altering the To: line, be aware that around 4,500 peers will see your ‘private’ message. The cranky ones will give
you grief to add to your misfortune, no doubt ribbing you rotten for your mistake. If you wish your reply to go to only the
originator, copy that person’s address into a new message or choose the individual address as an option if you are using the Yahoo! web interface. If you insist on sending ‘private’ messages to us all, please make them juicy if not defamatory.
2.4 Where have my messages gone?
Sometimes, for no obvious reason, messages sent to the forum get delayed. It happens unpredictably, with differing delays. The
forum is run by Yahoo! which, we are led to believe, is a fairly popular interweb thingummy that gets overloaded and backlogged at
times, presumably because it is running on a steam-powered 286 with 128 megs of RAM or perhaps a more modern machine running Windows. It might be interesting to check whether your message was listed on the Yahoo! Groups web interface at about
the time you sent it (implying a delay on the Yahoo! output) or the time it finally arrived (an input delay) ... but either way, there’s
not much (a classic understatement!) we can do about it. It’s annoying, especially when messages finally get distributed sequence
out of. Yahoo! presumably has a technical/admin contact, someone who occasionally stokes the chicken poo in the boiler maybe. Alternatively, (ISC)2’s Wilf Camilleri or Blaise Kengoum might be able to help (email forum@isc2.org). Ask them to ask Yahoo! to poke the boilerman.
2.5 How do I turn down the volume?
CISSPforum is a LOUD mailing list, with loads of messages posted daily. Other mailing lists only go up to ten. CISSPforum sometimes reaches eleven. If you don’t have the stomach or the free time to read loads of messages per day, here are seven vital survival techniques:
Skim the subject lines and just delete anything mentioning, for example, LinkeDin or other lame topics. Don’t fret.
Read CISSPforum as a daily digest with all the day’s takings in one mega email. This is a Yahoo! option.
Check the senders. Some forumites are worth reading, others worth skimming, some deserve to go straight into the bit
bucket without even opening. Your email client probably has the tools to do this automagically. Look for ‘email rules’.
Set aside a certain period of time each day to peruse the latest mailings. When your time is up, delete the remaining unopened messages and go back to Real Life.
Don’t bother about keeping up with the latest topics. Use Yahoo!’s search routines to check the archives.
Read the forum using Gmail or a similar email facility that automatically links postings into threads. Pick out interesting threads. Ignore the rest.
Ignore everything. Delete without reading. Unsubscribe. Miss out on those golden nuggets that would make all the difference to your career. See if we care.
(Bonus idea) Configure your email client to dump most LinkeDin verification messages unceremoniously and cut the volume in half.
2.6 What do I do if (when) a posting upsets me?
Unless you are extremely liberal and tolerant, someone is bound at some point to post something that you don’t like or that
offends you in some way. Very often if you post a complaint, someone else will complain about your complaint and pretty soon we get into a huge and unedifying “discussion”.
Personal attacks are more hurtful than helpful. While you might really want to say something along the lines of “You need a good
kick to the head or an enema - in your case, those may end up being one and the same”, the following fire retardant advice,
originally posted on the forum by a diplomat, sums up how to avoid fanning the flame wars:
I’d recommend peace, love and understanding all round.
Be tolerant and respectful of others on the forum. We have many cultures, abilities and styles here. We are not all like you.
Many of us have never even been to your country.
The forum is self-moderated. Self restraint and tolerance are the watchwords.
Count to twenty before responding to jibes. If someone has upset you, explain to them (and only them) what upset you, and let them respond privately, off-list.
If someone complains to you about your behavior, consider their feelings. Please avoid slanging matches on the forum - take them off-line.
If someone asks a dumb question, remember that you too were dumb once and if you insult the questioner’s intelligence for asking such a
question, you still are. We all had to start somewhere.
This is a community of peers. There is room for humour and occasional off-topic discussion but, please, take it easy on our <Delete> keys.
Enjoy the variety of experience. Relish the challenge of understanding others’ points of view. Chip-in if you have something
constructive to say, to seek clarification, or to challenge underlying assumptions.
If you think the emperor has no clothes, speak up. Some of the best threads start that way.
And if all else fails, hit your <delete> key, chill out and move along.
If having done all that you’re still steaming gently, try the CISSPforum serenity prayer:
Lord*, give me the capacity and resources to implement the controls that truly will protect my organization;
the fortitude to ignore those "best practices" which will not; and kill files properly formatted for certain individuals, all OoO replies, and almost all LinkeDin requests.
Amen.
* I suspect appeals to similar deities, magnanimous all-seeing beings and/or email system administrators will be equally efficacious.
2.7 Are there rules for the forum other than this FAQ?
Yes - go to the back of the class and re-read section 1.4 above. Remember, this is the unofficial FAQ.
Furthermore, thanks to one of the more surreal CISSPforum Friday threads, it has been acknowledged that there are certain
“unwritten” rules for the forum. Look under Yahoo! Groups > CISSPforum > files for the file “cisspforum-faq-unwritten.txt”.
2.8 Can I distribute files via CISSPforum?
No, at least not directly. Any file attachments sent to the mailing list will be summarily stripped off by Yahoo!. Members who post
documents or other materials will be embarrassed at having posted, essentially, nothing. “Here it is!” they exclaim, triumphantly but here it is not. This is lame.
However, any forum member can upload a file to the Yahoo! Groups files area and optionally announce it on CISSPforum. Be sure
you have permission from the copyright holder before publishing anything in this manner: reaching more than 4,500 peers effectively places it ‘in the public domain’ ...
An even better idea if you want more than just casual feedback on your document is to write and upload a draft to Google Docs
and post a forum message inviting CISSPforumites to collaborate on writing/completing it. The combined brain power is awesome
and we have yet to see a document that cannot be improved by the wider perspective. We’d encourage you to acknowledge all
those who actively contribute and ideally publish the finished item to the CISSPforum files area or publicly under a Creative Commons license, but hey that’s your choice.
2.9 Is this forum private?
Membership in the CISSPforum is restricted by (ISC)2 to those holding CISSP and SSCP (see section 5). Generally speaking, a
number of respected CISSPforum members take the membership restriction to imply that it’s a discreet private club. They hold
that discussions on CISSPforum should not be discussed or reproduced elsewhere, outside the forum. It is an oft-expressed
opinion that restriction of the discussions to the CISSP community will result in a freer and franker exchange of ideas.
That said, given the membership of more than 4,500, it may not be sensible for members to assume that the content of messages
they post to the forum will remain restricted to the membership. Those concerned about privacy and confidentiality (and which of
us isn’t?) should bear in mind the old adage that you should never send anything by email (or indeed by courier) that you would not want to see on the front page of the newspaper.
As a point of etiquette, if you wish to raise the issues discussed in CISSPforum elsewhere, it is probably best either to rewrite the
salient points in your own words (sanitizing the identities and facts as necessary) or to contact the original author/s for explicit
permission, or both. Members contacted in this way are invariably flattered to be asked. You will almost certainly get the help you
need to re-publish or at least plagiarize the salient parts from the original piece and make a new friend in the process.
Back to contents
3 FORUM CONTENT
3.1 Is there an archive of CISSPforum postings?
Yes, postings to CISSPforum are automatically archived for all posterity on Yahoo! Groups. Remember this if you are about to flame another member or post something private, off-topic or lame. The cream of CISSPforum postings may also be shamelessly
plundered for FAQ content.
3.2 Is this the proper place to compare certifications?
Probably not. The topic has been raised before and you are free to give it another go. You’ll get replies, some thoughtful, some
not. Strangely enough, most CISSPs maintain that CISSP rocks.
3.3 Is this a good place to ask ethical questions?
Yes if you like but try cissp-ethics@yahoogroups.com instead for a more reasoned discussion.
3.4 Is it OK to ask about topics previously covered?
Everybody does it but if you do not normally monitor the forum, it would be appreciated if you would first check the archives. Please see the next section too for information about zombie topics.
3.5 What is OT (off-topic)?
Any forum posting containing “OT” in the subject line is considered off-topic and liable to be summarily deleted by those with More
Important Things To Do. It is considered rude to post off-topic messages without the “OT”. As to exactly what is considered on- or off-topic, or at what point on- becomes off-topic or vice versa, well that’s a matter for your good judgement. On/off-topic is
not a binary choice when it comes to discussion threads, but subjects such as US gun laws are likely to descend into politics, religion or both.
There is some guidance on this point in the (ISC)2 policies:
“(ISC)2 forums are not moderated. Note that this is prime: you might see anything here. Don’t complain about it.”
Actually, membership in the forum is strictly moderated, as you know. Postings are not specifically moderated. However, if you say something really
annoying, somebody from (ISC)2, usually Dorsey Morrow, (ISC)2’s corporate counsel, will send
you a nasty note and if you persist, you’ll be unceremoniously booted-off.
The issue of moderation is another running joke on the forum: if you post a message asking why the moderator isn’t doing
something, one of the long-time and vocal members (otherwise known as the Usual Suspects) will generally post a message claiming to be the moderator of the week.
Some of the subsequent guidelines contradict the issue of non-moderation a little:
Others are a little more helpful:
“Use of a forum to advertise conferences, seminars and training related to the list topics is permitted.
When replying to postings, please include the original posting but only include the relevant parts of the message.”
... with which last point we in the forum heartily concur.
The normal rules are relaxed slightly on Fridays but always beware going too far off-topic, or stretching a topic a bit (or a byte) too
far. Just because there are a number of people who are dolts doesn't detract from those few with wit. Of course, the target rich
environment does make the wit easier. Occasional tongue-in-cheek asides are tolerated, enjoyed even. However, flame wars
may erupt if someone objects to wading through more OT than on-topic posts, and hasn’t read or ignores the earlier suggestion
about complaining directly to the original poster/s rather than spamming the whole CISSPforum community. As with sex and
alcohol, moderation is key. We’re not talking teetotal celibate monks here, rather a middle-aged person who enjoys the odd tipple and a long-term partner.
PS Not all topics containing the string “ot” in the subjects are necessarily Off Topic, so be careful if crafting automated email
filtering rules to bin them. Strictly speaking, it’s probably safest to avoid using “ot” in the subject line for on-topic postings, so if this
remote possibility worries you, words like hot, got, cot, lot, spot and shot are no-no’s. Alternatively, get a life.
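The filtering pitfall described above, as an added example that is not part of the original FAQ: a naive substring rule bins every subject containing “ot”, whereas a rule that only matches the upper-case tag “OT” as a stand-alone token leaves “hot”, “got” and “spot” alone. The subject lines are constructed for illustration, not taken from the forum archive.

```python
import re

# Constructed sample subject lines (not from the CISSPforum archive).
SUBJECTS = [
    "OT: Friday gun law thread",
    "[OT] Poutine recipes",
    "Re: OT - Board elections",
    "Hot new vulnerability in widget",
    "Got a question on ISO 27002 section 11",
    "Spot the error in this risk register",
]

def naive_is_off_topic(subject: str) -> bool:
    """Over-broad rule: any 'ot' anywhere in the subject, case-insensitively.
    This is the mistake the FAQ warns about: 'hot', 'got', 'spot' all match."""
    return "ot" in subject.lower()

# Upper-case 'OT' not preceded or followed by another letter, so 'OT:',
# '[OT]' and 'OT -' match but 'Hot', 'Got' and 'Spot' do not.
OT_TAG = re.compile(r"(?<![A-Za-z])OT(?![A-Za-z])")

def tagged_off_topic(subject: str) -> bool:
    """Narrow rule: treat a message as off-topic only when the OT tag itself appears."""
    return OT_TAG.search(subject) is not None

def count_binned(subjects, rule) -> int:
    """How many subjects a given rule would send to the bit bucket."""
    return sum(1 for s in subjects if rule(s))

def compare_rules(subjects):
    """Per-subject verdicts (naive, tagged) so the false positives are visible."""
    return {s: (naive_is_off_topic(s), tagged_off_topic(s)) for s in subjects}

if __name__ == "__main__":
    for subject, (naive, tagged) in compare_rules(SUBJECTS).items():
        print(f"naive={naive!s:5} tagged={tagged!s:5}  {subject}")
    print("naive rule bins:", count_binned(SUBJECTS, naive_is_off_topic))
    print("tagged rule bins:", count_binned(SUBJECTS, tagged_off_topic))
```

The lookarounds rather than `\b` are deliberate: `\b` would also let “OT” match inside a tag such as “OT2”, while the letter-only lookarounds still accept punctuation and brackets on either side.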
3.6 What topics are lame?
We all say dumb things from time to time but asking genuinely lame questions on CISSPforum can be a character-building experience, unless it is your first post.
Before you ask a question, have you at least Googled it? Have you made even the slightest effort to search for the answer
yourself? If so, great, go ahead and ask away. If not, be prepared to be told in no uncertain terms “Try looking at the first response on this Google query: ...”.
You can apparently construct anything using the base URL of http://www.justfuckinggoogleit.com/search?q= and then adding the
terms separated by a +, such as: http://www.justfuckinggoogleit.com/search?q=security+glossary. If you don’t think this is funny,
you might benefit from a subscription to cissp-humour-impaired.
Zombie topics, out-of-office messages and off-topics are also considered more or less lame.
Responses can be lame too. It’s fair to assume, for starters, that the original questioner has a modicum of intelligence and security
expertise. To avoid self-nominating for membership of cissp-clueless, take this classic response as a warning: “In order to attack
your target, you should first recommend that your target gets an actual computer (www.dell.com or www.hp.com are two sites
I’ve found useful for this), running Windows (www.microsoft.com, can be obtained at www.amazon.com). The attacker should of
course know how to write an actual exploit (books at www.amazon.com, many sources to be found on the ‘Internet’, which you
can recognize since it all starts with the characters http://). One thing that is often overlooked by junior hackers (explaining many
failures to achieve desired goals) is that they do need a ‘computer’ for this (again, see www.dell.com, or for something more prestigious or esoteric try www.apple.com). I’m sure you realize all this, but one cannot be too careful.”
3.7 Where can I find thread summaries?
Basically, you can’t but you can search the archives. The upgraded Yahoo! search facility is not too bad.
3.8 When is Friday?
One of the unwritten rules of CISSPforum is that the normal rules (both written and unwritten) for posting messages are relaxed on
Fridays in preparation for the weekend’s fun (the equivalent of dress-down-day or POETS day), within reason. Since “within
reason” is itself part of the unwritten rules that are relaxed, even that is optional but please be sensible. This is a multicultural
professional forum and we’re all pretty busy. OK perhaps not quite so busy on Fridays.
On Fridays, expect to see the usual sarcasm, irony, pathos (and bathos), poignancy and passion, anecdotes and hopelessness,
delicacy and discernment, humour (sometimes without u) and satire, derision and hyperbole, alliteration and synecdoche turned up
a notch, with the occasional deep and meaningful discussion on coffee, donuts, poutine and sushi. Have fun, just avoid turning up the heat.
It has been alleged that some members literally dress down on Fridays. Whether this extends to nude posting is unknown at this point and none of us has the nerve to ask.
Those CISSPforum members who have the benefit of living slightly West of the International Date Line start their Fridays in advance
when other less fortunate members to the East are still living in the past. Therefore, Fridays start on Thursdays. What’s more,
when the less fortunate Easterners post their Friday messages, it is already The Future for the very same Westerners. Although certain grammatical problems are created by this particular form of time travel, the Westerners enjoy Easterners’ Friday postings
on Saturdays. So, to summarize, “Friday” = Thursday + Friday + Saturday. With the ever worsening delays in Yahoo! Groups,
postings can now come two days late, or more, so therefore postings made Tuesday and Wednesday = “Friday” and postings sent
“Friday” may show up Sunday or Monday, thus all seven days of the week are now officially “Friday.” QED.
3.9 Announcing the CISSPforum Loyalty Scheme
Communications engineers use a metric called “signal to noise ratio” (SNR) to describe the quality of a communications mechanism
or link. The SNR, and hence the rate at which useful information is imparted, is improved by higher relative signal levels and
degraded by increased noise. SNR is also an important metric for email forums such as CISSPforum since we all have a limited
communications bandwidth - we just can’t afford to spend all day sifting through chaff to find the wheat. Life’s too short.
In recognition of this, the CUStards have, allegedly, instituted the CISSPforum Loyalty Scheme to reward forumites who move
the SNR in a positive direction. CISSPforum Loyalty Points are awarded for posts that:
Contain genuine, useful content and don’t top-post or “me too”
Are factually accurate, ideally with short URLs or references for those who want the full 8.2 metres
Are good to read - well written and clearly thought-out, preferably insightful (vaguely correct spelling and grammar earn
special bonus points, especially for those for whom English is not their mother tongue)
Are amusing (and not just on Fridays)
Don’t flame like a blazing oil rig (contentious is OK, nasty and pointed is not)
Remember, CISSPforum Loyalty Points are about SNR - the CUStards are looking for quality not volume.
As anyone who watches TV surely knows, points make prizes. Accumulated CISSPforum Loyalty Points can be exchanged for benefits such as:
Latitude to sound-off, expressing strongly-held opinions and beliefs on CISSPforum
Leeway and forgiveness in case of occasional CISSPforum indiscretions
Job offers, higher pay and tax concessions (allegedly)
A rice steamer. That only works once. And not very well at that.
Most of all, though, loyal CISSPforumites earn the respect of their peers in the profession. Respek!
The CUStards are hoping to persuade (ISC)2 to exchange CISSPforum loyalty points for CPEs. Hopefully this issue will make it on
to the agenda for the next round of (ISC)2 management board elections. Start lobbying now.
Back to contents
4 ZOMBIE TOPICS
4.1 What are zombie topics?
All manner of information security and other fascinating topics have been discussed on CISSPforum over the years. It is a fairly
high-volume list with a large and active membership. The following topics, however, have been discussed to death, several times, yet somehow they refuse to lie down and die. Please check the archives for the full nine yards on any of these topics. The forum is not moderated so you are welcome to raise these topics yet again (provided you have Something Important to say on the
subject) but if you do, be prepared for a somewhat less than enthusiastic response and watch out for silver bullets, pointed wooden crosses or garlic around the door.
4.2 Zombie topic: reformed hackers
Been argued, no resolution. Some hold that, like Caesar’s wife, infosec professionals must be above suspicion, whiter than white
(hats). Some hold that reformed hackers have “paid their debt to society” and have useful knowledge to contribute. The ensuing
exchange is a bit like the Pope discussing religion with an atheist.
The arguments are also trotted out when discussing whether to even appear on the same conference speakers’ platform as the
likes of Messrs. Mitnick and Abagnale. Some of us will, some of us won’t. It all depends on the height of one’s horse.
4.3 Zombie topic: security ROI (Return On Investment) or ROSI (Return On Security Investment)
This is undoubtedly an important topic but most of us are tired of seeing the same old same old. CISSPs have at various times
challenged the “R” and “I” part of ROI, and the future is not so ROSI according to some. To make things still worse, the quantitative vs. qualitative vs. hocus pocus risk analysis thread often gets intertwined with the ROI zombie, making our lives a
misery for a couple of weeks at a time.
If you have something truly novel to say on justifying security or risk management expenditure to management - a new approach,
a revolutionary investment model, a neat way to persuade management to lengthen the corporate purse strings (something like a metrics dashboard using blinkenlights maybe?) - go ahead but for your own sanity, please check that we have not already thrashed the life out of it.
4.4 Zombie topic: standards and resources
This is not really a dead topic, so much as a hint to check out the following resource collections before you make a fool of yourself
with “Hey I’ve just discovered site X, it’s cool!” or “Where can I read about topic Y?”:
General information security knowledge is stored in Anton Aylward’s infosec wiki, a collaborative project to which all CISSPs
are invited to contribute
For information on the ISO/IEC 27000-series Information Security Management System standards plus links to many other
information security standards, NIST Special Publications etc., visit ISO27001security.com
To meet your fellow CISSPs in Real Life, consider joining ISSA, the Information Systems Security Association. ISSA is a
global community and traveling members are welcomed with open arms by overseas chapters. ISSA created (ISC)2 so many
moons ago that it has almost forgotten who’s the daddy. Other ways of meeting CISSPs include volunteering to teach classes or proctor CISSP exams, pulling strings in LinkedIn or hanging out or speaking at security conferences, and specifying
“CISSP essential” in infosec job vacancies.
If you come across something new (including information security pieces you wrote yourself and published on the web), by all means add them to the infosec wiki and, if you are willing to take the risk of them being savagely criticized by your peers, share the
links through the CISSPforum. You can even save them to the forum files area.
4.5 Zombie topic: cissp.txt
We are really tired of this topic. One or more of the following zombies arise from their tombs every six to twelve months to haunt us with their blood-curdling cries:
a) “There is a list of CISSPs at [someURL].cissp.txt. This is appalling!”
b) “There is a list of CISSPs at [someURL].cissp.txt and my name is not on it! What gives?”
c) “There is a list of CISSPs at [someURL].cissp.txt and my name is on it! Aaaiiieeee!”
Yes, it’s true. There is a list that appears at various places around the net, usually named cissp.txt. This contains some names and
contact information (some of which, shock horror, are still valid!) of CISSPs who had listed themselves in the public directory at ISC2.org (some people say circa 2003, others say early 2005). At one time someone lame evidently mined the public directory,
possibly for marketing purposes. Later, someone thought it would be a good joke to post the list on the web to see if they could
get lots of people upset. They appear to have succeeded. Several times around.
Oh, and a special note for posters in category (c). You have had your CISSP for a while and posted some info to the (ISC)2 public
directory, so why are you so upset? Get real.
4.6 Zombie topic: terrorism
Terrorism does have a relevance to security, of course, but please try and contribute some light to the discussion, not just more heat. Check out the archives and see what has already been said.
Those who want to blame terrorism on various religions should probably try cissp-religious-wars@yahoogroups.com instead.
Postings advocating violence against any persons or groups are DEFINITELY way off-topic.
Those wanting to discuss terrorism in more depth than CISSPforum can stomach might try cissp-terrors@yahoogroups.com.
4.7 Zombie topic: can I get CPEs with that?
Every so often, someone asks “Can I get CPEs for [taking a prep course for something else | listening to my iPod | watching Sneakers | doing CISA/CISM homework | etc.]?”, sometimes with the rider “I’ve checked the (ISC)2 guidance but what do you think?” ... and the forum groans.
Forum members can only give unofficial and generally unreliable advice on this point. Does the material in the [course | iPod | film | etc.] pertain to the 10 CBK domains of the CISSP certification? If the material is pertinent in one or more of the magic 10, Jack
Holleran for one would say “yes”. One hour of relevant infosec study earns you one CPE, provided it can be validated in some way.
For the definitive answer on CPEs, (re-)check the official (ISC)2 CPE guidance, download and read the official CPE guidelines or contact (ISC)2 directly. The official guidance is reasonably comprehensive and not too bad actually in terms of opportunities to earn CPEs for free. Remember also this helpful point from (ISC)²: “As a professional who follows the (ISC)² Code of Ethics, please
use your best judgment within these guidelines to select those activities which qualify for CPE credits and which will enhance your professional development.” In other words, be sensible and play nicely.
FWIW, here’s a bunch of ways of continuing your professional education and, in many cases, earning CPEs as you do:
Attend local chapter meetings and events of information security groups such as ISSA, ISACA, HTCIA, Infragard, AFCA, ASIS, various infosec SIGs, (ISC)2 etc. Better still, join the groups and actively participate. Even better, research topics, write
presentations and offer to deliver them at such meetings. Best of all, join the committee and serve on the board of directors.
Attend or at least listen to presentations, conferences, webcasts/webinars/e-symposia, Podcasts etc. by security product
vendors, infosec luminaries and other CISSPs. Actively participate where possible. Posing awkward questions is especially
recommended in the case of vendor presentations (and really ought to qualify for special bonus CPEs). Many organizations
that routinely release webcasts (such as CERT) send email notifications to their mailing lists when new ones are announced. Most webcasts, conference presentations etc. are archived and remain available for a while, which is handy if the initial
broadcast happens in a different time zone to you and thus interferes with “having a life”. It’s also a legitimate way to cut
down the total time commitment thanks to the fast forward button and skimming stuff you already know (use with care - in
some cases, there may be nothing of any substance left). Better still, research, prepare and deliver such presentations.
Read information security magazines such as Infosecurity Professional and look out for advertised events and seminars. Some mags on (ISC)2’s recommended reading list provide rather lame CPE quizzes, ostensibly to check that you have
actually read and understood the content. The quizzes are not that hard to fake but remember why you became a CISSP,
and why ‘Continuing Professional Education’ is worthwhile. No matter how devious and diligent you may be, I don’t believe
“Researching and exploiting design flaws in CPE quizzes” itself qualifies for CPEs and probably fails the CISSP ethics canon.
Write articles on information security and related topics for publication in journals such as EDPACS, ISSA Journal, and Proceedings of the IEEE.
Read information security books and ideally write reviews of them for other prospective readers. Better still, write good infosec books.
Prepare and/or deliver training seminars on information security-related topics, such as CISSP, CISM and CISA revision courses, study groups etc.
Review and comment on draft information security standards, professional practice statements and the like. Please at least try to be constructive.
Write new CISSP (or CISA or CISM) questions. This is well worthwhile but much harder than it may appear. You are unlikely
to earn as many CPEs as the number of hours you actually put into researching, writing and honing your questions.
Study for further qualifications. In the case of information security-related qualifications such as CISSP concentrations or
CISM and CISA, don’t forget that CPEs earned for any one probably qualify for the others too. Honestly, it gets easier.
Volunteer to proctor CISSP (or CISA or CISM) exams. Several CISSPforum members say they signed up but never got the call so don’t bank on this one.
Volunteer to edit and maintain this FAQ. Please.
Last but not least, actively participate in CISSPforum. Share security wisdom. Challenge the accepted order. You don’t earn
CPEs purely for participating, unfortunately, but may well do so in the course of researching and writing thoughtful forum
postings. Remember this point when getting ready to post something. While it’s easy to dash off a quick email with little if
any thought, taking a bit more time to get your thoughts in order, find, check and incorporate relevant references, and
provide something of genuine value to your peers will earn you more respect on the forum, and perhaps a few CPEs too.
The bottom line: CISSPs who are truly committed to the information security profession have absolutely no trouble earning
sufficient CPEs. If you are scratching around to find enough CPEs to clear the minimum hurdle of 120 CPEs per 3 year cycle (for
CISSPs), step back and take a look at your commitment level. Are you in the right profession? Is your personal development and career advancement really of so little concern to you? Gosh.
See also the notes on submitting CPEs, a lame topic.
4.8 Zombie topic: why are we still using Yahoo! Groups?
Every so often, someone asks indignantly why we are still using Yahoo! Groups because it is plainly horrible and there are many
much better alternatives Out There. If you check back through the archives you will see numerous and expansive discussions of alternatives. This issue has been discussed ad nauseam, with the consensus being that there are distinct benefits to this forum
being maintained on a non-(ISC)2 system.
(ISC)2 has tried alternatives in the past and even got as far as announcing the imminent closure of the Yahoo! Groups forum in January 2005 “within 3 months” but all previous attempts fizzled out without seeing the light of day.
Of course we could declare independence and hoist the flag on our own breakaway CISSPforum ... except for two little caveats:
(ISC)2 owns and for good reason jealously guards the CISSP trademark to prevent confusion with other - lesser - products.
This means we probably could not use “CISSP” in the name or web pages promoting the breakaway forum.
Only the all-seeing (ISC)2 knows who is currently certified so, unless we simply trust everyone who applied to join the
breakaway forum (and trust doesn’t come easily to paranoid security types like us), we have no way to limit the membership
to CISSPs. There is of course a plethora of non-CISSP information security forums already in existence and we would simply be adding to Web entropy.
Now if only someone could persuade (ISC)2 to issue digital certificates to CISSP holders, certificates that could be validated by
anyone, then we’d all be deliriously happy and the world would be a nicer place. Job candidates could prove their CISSPness.
Forum moderators could check the CISSPness of applicants. Global warming (allegedly) would reverse (or not). Unfortunately, since (ISC)2 evidently finds it difficult even to structure its own website, there’s about as much chance of this happening as <insert your choice of something really not very likely at all>.
4.9 Zombie topic: how should we word our email disclaimers and/or system banners?
When someone asks our opinion on how best to word a standardized email disclaimer or website/FTP/telnet “login banner” or
similar, there inevitably follows a tussle between the “We don’t need no steenkin’ banners” brigade, the “Ask your lawyers” camp
and those who start with “Here’s ours”. The arguments generally boil down to these salient points:
Some claim that disclaimers and banners are not worth the electrons they are written in because they have no legal standing.
They argue that it is not possible for the sender to enforce legal or contractual conditions imposed unilaterally on the recipient
in this manner. The pseudo-legal language so often used (“This message may or may not contain legally privileged
information ...”) typically makes things worse by being so vague as to be totally ambiguous and laughable in court. The argument is supported by sites such as this. Arguers of this persuasion typically point out that the welcome mat outside your
front door is not an invitation to breaking-and-entering.
Lawyers appear somewhat divided on the value of banners and disclaimers. There are some cases in some jurisdictions which
appear to support their use, and others which apparently don’t. All lawyers, however, are universally agreed that clients
should seek their highly-paid professional advice on matters of this nature.
If one accepts that there may be some value in them, and the costs are negligible (aside from those arising from the previous
point), then we’re back where we started: what is the “best” way to word them?
Way back in 1992, a CERT advisory (quoted on RISKS-List) advised the use of something like this for a banner:
This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of
their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.
In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored.
Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.
CERT further noted that “each site using this suggested banner should tailor it to their precise needs. Any questions should be
directed to your organization’s legal counsel.” The fact that this issue was discussed well over a decade ago surely qualifies this thread for zombie status.
According to the security compliance tool Secutor Prime, the US Gummt's Security Content Automation Protocol (SCAP)
recommends the following:
This computer system is for official use only. This computer system, including all related equipment, networks and network
devices (specifically including Internet access), are provided only for authorized use. This computer system may be
monitored for all lawful purposes, including to ensure that its use is authorized, for management of the system, to facilitate
protection against unauthorized access, and to verify security procedures, survivability and operational security. Monitoring
includes authorized active attacks to test or verify the security of the system. During monitoring, information may be
examined, recorded, copied and used for authorized purposes. All information, including personal information, placed on or
sent over this system may be monitored. Use of this computer system, authorized or unauthorized, constitutes consent to
monitoring of this system. Unauthorized use may subject you to criminal prosecution. Evidence of unauthorized use
collected during monitoring may be used for administrative, criminal or adverse action. Use of this system constitutes consent to monitoring for these purposes.
The US Gummt, having assigned a crack team of top-notch disclaimer experts to the job, came up with a universal disclaimer for all USG systems but then, allegedly, pulled it prior to implementation for as-yet unstated reasons. Perhaps someone read this FAQ
and noted the above? Anyway, watch this space for the next thrilling episode. Chickens at eleven.
Meanwhile, if you find creating a single, succinct general purpose banner/disclaimer too difficult or if you laugh at the very idea of a
universal disclaimer, you may prefer a selection, a soupçon, a veritable smorgasbord of different banner/disclaimers:
One for your website with a privacy statement/policy plus terms and conditions of use, especially for eCommerce sites (e.g. at
what point is a sales transaction considered final and binding? What if there are genuine errors or omissions in the prices, descriptions etc.?).
One for internal network domains, displayed to employees before they logon, warning against unauthorized use and that use
is logged (and perhaps displaying security awareness messages or further dire warnings after they logon).
One for network devices (routers, switches, application servers etc.), warning that all use which is not specifically authorized
by the organization is considered unauthorized (circular though that is) and that use is routinely monitored (is it?! Golly! Well done!).
One for emails mentioning that the sender does not represent the organization and is not authorized to enter into contractual
commitments on behalf of the organization (or whatever).
A very short one for the pixel-challenged. SMS TXTSPEAK = YOR BST FREND
If you are still searching for The Answer, the HP Resource Center offers a selection of banners of varying lengths. For further
inspiration, Attrition offers a characteristically entertaining disclaimer. The Commonwealth of PA says “Login banners provide a
definitive warning that network intrusion is illegal and also to advise authorized users of their obligations relating to acceptable use of the network.” They go on to suggest the following examples:
This is an actively monitored system. Unauthorized access is prohibited.
WARNING! THIS SYSTEM CONTAINS GOVERNMENT DATA. UNAUTHORIZED ACCESS IS PROHIBITED. Use of this system
constitutes CONSENT TO MONITORING AT ALL TIMES and no expectation of privacy exists.
Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored.
THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM. Unauthorized access is prohibited. System personnel may give to law
enforcement officials any potential evidence of crime found on this system. USE OF THIS SYSTEM BY ANY USER, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES EXPRESS CONSENT TO MONITORING, INTERCEPTION, RECORDING.
READING, COPYING, or CAPTURING and DISCLOSURE of use. IF YOU DO NOT CONSENT, LOG OFF NOW.
Space aliens will eat your head. P*SS OFF AND DIE EVIL HAX0R5!
(Possibly, one of the above is a spoof. I’m not saying which, if any, it is.)
Google of course lists many more resources for ‘legal login banner’. There is even an FAQ entirely devoted to the subject of email
disclaimers. You can probably get a certificate in it too, complete with CPEs.
Don’t forget to ask a tame lawyer. This is not legal advice. The heretofore abovementioned information under sections one (1)
through seven (7) subsection seven (7) may, or may not, be illegal, allegedly and is fully and utterly disclaimed.
4.10 Zombie topic: “We’ve been hacked - what do I do?”
Luckily this zombie is not as frequent a visitor to the forum as some of the others but we do occasionally get someone hitting the
big red panic button and emailing in, all red-faced, sweaty-browed and hair growing visibly more grey by the minute. A typical
question might be “I’ve just had a call from the Help Desk. They have taken a call from a user in the business who says his PC is
acting strangely. The network boys and girls tell me there is loads of traffic on the user’s LAN segment and it looks as if the
machine is spewing out spam like it’s going out of fashion. HELP! What do I do?”.
The responses usually wander into various aspects such as which are the best forensics tools to analyze the system, how to
analyze the live system before shutting it down, and why it is so important to brew up an incident management process BEFORE
not DURING an incident, but the best immediate response to date on this sort of query is: “If you believe the system is
compromised, and you don’t have the tools and skills to perform live (or any) forensic analysis, pull the network cable and get an expert.
Don’t switch it off. Don’t even run a directory listing.”
If you are the expert, and you’re already on site and ready to go, IT forensics grab-bag in hand, things are different, obviously.
Back to contents
5 FORUM MEMBERSHIP OPERATIONS & SETTINGS
5.1 How do I subscribe to CISSPforum?
1. First, get yourself certified as a CISSP or SSCP by (ISC)2. The forum is for the certified only.
2. Go to Yahoo! and create yourself a profile if you don’t already have one. Use the email account you will want to use on the CISSPforum. (This step is not strictly necessary, but comes in handy at times later on, and is easy to do while waiting for glacially slow results from (ISC)2. This step doesn’t even have to be done first, either, hence the reason it is numbered ‘2’.)
3. Visit the (ISC)2 website and request an account there if you haven’t already got one. An account on the (ISC)2 website will let you access the private CISSP area on the site. You’ll need it anyway to submit your CPE credits online to maintain your certification. It’s also handy for getting onto the jobs board there which is notable for its lack of results but why not give it a try, eh? (Warning: ISC2.org has won the World’s Least Intuitive Website Interface Award for at least four years running.)
4. When you have your (ISC)2 account, login to the (ISC)2 website using your CISSP number/exam candidate number as your login ID and your secret password.
5. Browse around fruitlessly until you eventually stumble across the link for (ISC)2 forums ... or just click here. REMEMBER THIS PAGE AND HOW YOU GOT TO IT! YOU WILL NEED IT TO UNSUBSCRIBE, IF YOU WANT TO. BOOKMARK IT! WRITE IT ON A POST-IT NOTE NEXT TO YOUR PASSWORD! TELL YOUR FRIENDS ABOUT IT!
6. Starting part way down the page are a bunch of forum sign-up forms, one of which mentions CISSP Forum. Fill out the form using the email account that you want/you used in creating the Yahoo profile. Make sure that you choose the correct CISSP Forum, currently listed as “Yahoo!Groups” since (ISC)2 has been experimenting with alternatives since 2004 (!).
7. Wait a few hours. Wait a few days. Wait a week or two longer. Eventually you will either get an invite or start getting email from CISSPforum.
8. After lurking and watching for a while, please send us a nice ‘hello’ message, ideally with something interesting about you, your job, your interests, your favorite security standards, almost anything really. Tell us what you thought of the CISSP exam maybe. Say how you found out about the CISSPforum (was it through this FAQ?). Once you have successfully posted to the CISSPforum, you will be able to search the archive. If you never post, you won’t.
If you get stuck, you might contact Wilf Camilleri or Blaise Kengoum using forum@isc2.org but try to find and complete the (ISC)2 forum sign-up form first. You could always ask a fellow CISSP for help or ask them to post your question on CISSPforum. Gin usually helps.
5.2 How do I join CISSPforum if I’m not yet a CISSP?
Easy: get yourself a coffee, turn off your phone and spend a merry hour or two absorbing the solid information and advice in an excellent Flash tutorial from ardent CISSPforum member and security evangelist Clement Dupuis. Become a CISSP or SSCP and
you will be welcome, if not compelled, to join the CISSPforum.
For fans of the UK comedy series, Little Britain, yes, CISSPforum is a local forum for local people.
5.3 Can I access the forum and files on Yahoo!?
Errrr. When you sign up for CISSPforum at the (ISC)2 site, you are subscribed to the mailing list. You can’t access the forum with
any method other than email until you either create a new Yahoo! Groups ID or associate an existing Yahoo! Groups ID with the
CISSPforum. Here are explicit instructions for both options:
a) Create a new Yahoo! Groups ID (if you don’t already have one):
Go to Yahoo! and click the blue “Register” link on the left or right hand side near the top. In alternate email address, enter the
address that is currently receiving the CISSPforum. If you fake the demographic information on this page, it will come back
and bite you when you need to recover the password you forgot. Be sure to clear the “send me special offers ...” checkbox
unless you really want to fill your inbox and make sure your birthdate makes you at least 18 or Yahoo! will ask for your mommy or daddy ;-)
Once you have registered, be sure to set your “marketing preferences” which Yahoo! will promptly honor within a week (says so on the screen).
b) Add CISSPforum to your existing Yahoo! Groups:
Log in to Yahoo! Groups then click “My Groups” in the upper right hand portion of the page.
Click ‘Edit my groups’
Link your login ID to the CISSPforum by searching for groups with your email address on their list.
5.4 How do I temporarily stop getting email from the forum or change to digest mode?
Well done to you if you thought of this before shooting off on that extended vacation or business trip. Please read the next answer also.
First, you must have a Yahoo! ID and password and that account must be associated with this list. See above for how to do this.