The Decidedly, Unashamedly and Proudly

Unofficial CISSPforum FAQ

Answers to Frequently Avoided Questions about CISSPforum

 

a.k.a. The Big Dummy’s Guide to CISSPforum

 

a.k.a. The CISSPforum Policy Manual (exposure draft)

 

FAQ originated by Chris Brown, heavily edited by Rob Slade and Gary Hinson
with numerous contributions from generous and sometimes unwitting
CISSPforum members and, allegedly, the Usual Suspects

 

Latest update one idle Friday in January 2019

 

Please bookmark and share the following case-sensitive shorty for this FAQ:

bit.ly/CISSPforum

 

or simply ask Google

 


Contents

1 INTRODUCTION

 

2 BASIC FORUM USE

3 FORUM CONTENT

 

4 ZOMBIE TOPICS

 

5 FORUM MEMBERSHIP OPERATIONS AND SETTINGS

 

6 (ISC)2 STUFF

 

7 MISCELLANY

 


1 INTRODUCTION

1.1 What is the point [of this FAQ]?

We’re not sure really. Does it need a point? How sharp must it be?

This document is the unofficial FAQ (Frequently Asked/Avoided Questions) for users of the CISSPforum mailing list for CISSPs. It is a collection of answers to questions that may have been repeatedly asked in the forum and (arguably) important information related to appropriate and inappropriate use of the forum.  Or not.

This FAQ inhabits a lesser-known quiet cul-de-sac just off the information superhighway, a side-turning from the roundabout behind the noisy industrial estate along a gravel track known as: http://www.noticebored.com/html/cisspforumfaq.html

We’d ask you to bookmark the URL for future reference and share it with your fellow CISSPs but we know that’s a waste of good bytes. Google has heard of it anyway. Thank Google for that!

If you’re not entirely sure what an FAQ is, permit Cragin to explain:

    FAQ on FAQs.

     

    1. What does FAQ stand for?

    Frequently Asked Questions.

     

    2. Frequently? How many times does a question have to be asked before it is added to a FAQ?

    None. The entire set of questions was written before the final fielding of the system or web site to which they refer.

     

    3. None? Just how often are these questions asked?

    Never.

     

    4. Asked? Who asked them?

    No one asked them. OK, well, actually, the implementation team wrote the questions, but they already knew the answers when they wrote them, so they were not actually ASKING the questions.

     

    5. Questions? What kind of questions are the FAQ?

    They are second and third sub-level topical headings from an unfinished (or unstarted) users' manual that have each been restructured from a statement to an interrogatory.

     

    6. Why did the implementation team write the FAQ?

    Because as they were in the final phases of fielding, they realized that the development team had either never gotten around to preparing user documentation, or had done such a shabby job that it was useless, and further that the operational interfaces of the application were so non-intuitive (or counter-intuitive) that end users would only be end, and never users, without instructional hand-holding.

     

    7. Then what is the purpose of the FAQ?

    The FAQ is used by Tier 1 Help Desk staff to avoid having to learn the application while at the same time allowing them to make callers feel simultaneously lazy and stupid: "You want to learn how to framitz the onglethard? It is clearly explained in the FAQ on our web site. Didn't you look at the FAQ before calling?"

     

    Copyright © D. Cragin Shelton 2008

1.2 What is CISSPforum anyway?

As vaguely hinted-at by its not exactly cryptic name, CISSPforum is basically a discussion forum for CISSPs (Certified Information System Security Professionals). Some among us may be SSCPs (System Security Certified Practitioners) and others such as CSSLPs (Certified Secure Software Lifecycle Professionals), CISMs and CISAs, and Cprofs (Proficient Cyclists).

Nobody much from (ISC)² global headquarters hangs out on the forum. Whether that is because they are too busy counting great piles of AMFs, hob-nobbin with the big nobs or simply “having a life”, we’re not sure. Anyway, the upshot is that it is a local forum for local people. It is user-led and user-trailed.

Membership of CISSPforum is a little known benefit of gaining your CISSP, little known largely because (ISC)2 chooses not to promote it or participate.  As one of our members said, “The most useful thing I got from my CISSP is this community - a wealth of knowledge and experience.” Some might even agree that we should earn CPEs for actively contributing to CISSPforum.

Technically speaking, CISSPforum is a group on Groups.IO, also known as an email reflector, a virtual mirror for electronic mail messages.  Individual messages sent to the group by group members are received by Groups.IO and blatted out to all members, not unlike a reflection denial-of-service attack.

Socially-speaking, CISSPforum is a friendly and supportive community of peers i.e. qualified information risk and security pros from all parts of the globe and all sexes. Some of us are newcomers to the profession, recently qualified, while some are grey-beards with a decade or four of experience in the trenches. Our ranks are swollen by IT auditors, consultants, trainers, academics, security officers, security managers, tech authors, scholars of ancient Greek, radio amateurs and others, mostly but not entirely CISSPs. Welcome all.

As a community of professional practice, CISSPforum is a great place to discuss information security and related topics. The scope of the forum naturally includes all areas of (ISC)²’s Common Body of Knowledge which coincides, thankfully, with the CISSP exam. From time to time, we also discuss the ISO/IEC 27000 series (ISO27k, ISMS), ISO 22301 (business continuity management), ISO 9000 (QA), ISO/IEC 20000 (ITIL), IT governance, SOX, IT risk management, IT audit, IT forensics, UNIX/Windows/MacOS/OS390/etc. etc., networking, vulnerabilities, Windows, Windows vulnerabilities (and occasionally Mac vulnerabilities, Linux vulnerabilities ...), assorted cyberweapons and APTs, BYOD, IoT things. In fact anything hot in information security is likely to be brought up at some point, often before it hits the industry rags if slightly behind the blogosphere. It’s like an information security club, an online interactive encyclopaedia with qualified, competent and experienced contributors. OK, to be honest it’s a few really active contributors plus a larger number of inactive lurkers but we feel their presence in a spooky sixth-sense Stephen King’s Carrie kind of way.

Some of the discussions are straightforward questions and answers, that’s it. Others develop into full-blown discussion threads, depending on the skill or good fortune with which the original poster crafted a post containing such subtle nuances or contentious language that more people felt compelled to respond. Urgent but un-lame help messages generally get answers within minutes, while more contemplative posts can trigger threads that run for days or sometimes weeks. By and large, it is all very good natured, open and safe, though there’s often the very faintest whiff of sarcasm, especially when someone purports to be an expert on some topic. The forum is a wonderful safety vent for burning information security issues that bug you, and to challenge accepted norms. You’ll find deep technical threads running alongside lighter topics. Members contribute wisdom, knowledge, opinions and more for the benefit of all. Many of us have become virtual friends through the forum while others are virtually friends simply by virtue of their participation. We’re never stuck for friendly local guides when visiting far-off foreign lands although we’re still patiently waiting for our first forum romance, or rather the first one to be publicly acknowledged.

1.3 What is CISSP?

CISSP (Certified Information Systems Security Professional) is a certification awarded to the deserving by ANSI-accredited (ISC)² confirming that the holder has:

  • Passed the CISSP exam, a typical multiple-choice examination that tests the examinees’ retention of key facts and, to some extent, their understanding of the fundamental principles of information security (that well known oxymoron);
  • Work experience in information security;
  • An ongoing commitment to maintaining their education in information security (CPEs);
  • Qualified to apply to join CISSPforum!

Despite what many recruitment consultants and other infosec-challenged people might think, CISSP is not a deep technical security qualification. It requires a reasonable understanding of both technical and non-technical information security matters, with the emphasis on breadth over depth of knowledge. That said, many CISSPs do have deep technical security knowledge and expertise in one or more of CBK domains, whereas some of us just wing it.

If CISSP is not right for you right now, (ISC)²’s other certificates might be:

[Image: ISC2 certificates 2019]

1.4 Is there an official CISSPforum FAQ?

Not any more.

There used to be one but, in its infinite wisdom one dark day in 2018, (ISC)² decided to can the original (ISC)²-managed CISSPforum on! Yahoo! groups! While CISSPforum members collectively sighed with relief at the! end! of! Yahoo!’s nonsense!, the shutdown decision was made unilaterally without consulting CISSPforum members. In fact, we consider ourselves fortunate to have found out about it moments before the plug was pulled.  We were lucky!  We used to dream of being informed by (ISC)².

In the final few hours before its ultimate demise, Yahoo!’s archive! of! CISSPforum! messages! was shamelessly plundered and preserved for all eternity.  In years to come, wave after wave of new CISSPs will discover the wealth of insightful commentary and accumulated wisdom that lies therein, thanks to the historic messages having been uploaded to Groups.IO.  Simply browse or search and enjoy.

1.5 Disclaimer

The information provided in this FAQ is not guaranteed <full stop>

The information provided here is often the curious opinion of one deluded person and, however unlikely this may seem to them, there may conceivably be valid opposing views. Use the information in this FAQ at your own risk. Your mileage may vary. Do not run with scissors. Do not pass Go.

This is not legal advice. The legal buck doesn’t even think about wandering through this quiet turnpike on the information souperhighway while charging its time by the second.

The unofficial FAQ is neither promulgated nor endorsed by (ISC)2, its officers or its affiliates, nor by any government, nameless government agency or religion. It is technology-neutered and sexless. This is an independent unofficial and decidedly cranky work by a tiny albeit vocal and rather cynical minority of CISSPforum members with this particular version having been heavily modified by self-acknowledged beards-of-colour who are clearly disturbed, senile or ‘under the influence’, and possibly all of the above.

GM-free. Ford-free too. No cute cuddly animals were harmed in its production, only nasty slimy ones.  A number of electrons were mildly inconvenienced, and a few photons have been seen to change direction.

This FAQ is so environmentally friendly, it is likely to slip quietly away to hug yet another tree or kiss a whale the very instant your back is turned. Please don’t print it out, especially if you have an evil printer from hell.

1.6 Other versions of this FAQ

The original plain text FAQ was available only to CISSPforum members. It was very plain and really only of value/interest to those who already knew all about CISSPforum, being members thereof.

It was extensively updated, worked over and generally roughed up a bit by Rob Slade and assorted elves in 2005/6.

The sexy HTML web version now appearing on a screen near you was conceived by Gary Hinson in October 2006 and is updated when inspiration happily coincides with a spare hour, which frankly is hardly ever. Comments, further questions, answers and jokes are always welcome, via CISSPforum if possible. See the contact details towards the end whether you’d like to contribute something deep and meaningful, chuck rotten eggs or volunteer to take it over.



2 BASIC FORUM USE

2.1 How do I post messages to CISSPforum?

Any member of CISSPforum can post messages to CISSPforum simply by emailing cisspforum@groups.io.  Messages can also be posted online by group members using the Groups.IO web interface.  Either way, please be reasonably succinct and professional.

CISSPforum automatically rejects messages posted by non-members, unless they have carelessly allowed their authentication credentials to be stolen by a spam bot (which happens occasionally - proving that CISSPs are only human). Nevertheless, this is still the most effective anti-spam system we have. Spammers who join the forum are soon shown the error of their ways and risk being “horse whipped with Cat5 cable” (according to one member’s email signature anyway).

Identify yourself, please, when you post messages. Your email address is seldom sufficient to identify you, at least until you have posted often enough that others will mutter under their breaths “Oh no, not him/her/it again!”. Simply end your posting with a standard business-like salutation including your name or else a nickname or some other term that you are happy for us to call you. Otherwise we will choose our own name, and it may not be to your liking. The being who posts under the pseudonym “/bpm”, for instance, probably does not appreciate being called “Slash” but thankfully he/she/it has a sense of humour.

When asking a question or seeking advice, give us a clue about your context. Your situation is probably relevant to the advice you seek. Government practice is different from commercial, not-for-profit, finance, healthcare, SME ....

If you are posting a long hyperlink, please either create and supply a shortened URL as well as the full link or simply enclose your long URL in angle brackets < and > which allegedly tells some email clients not to break the URL into little bits.  Some of us can only afford little screens.  We are pixel-challenged, N bits short of High Definition.

Do your homework before posting to CISSPforum to avoid being soundly lampooned. This is a professional forum for qualified information security people. Some Forumites just love to show off their extensive knowledge at every available opportunity and you’ll often get a broad range of opinions from the Forum ranging from short snippets to extensive diatribes, sometimes unconventional, conflicting, of dubious value and/or sarcastic. However, we resent being used as the research mechanism of first resort. If a poster is too lazy to craft a simple Google search or two and follow up on the results before coming to us, some of us are not afraid to say so. It may help to demonstrate that you have already made an effort to answer your own question. By briefly describing your research and analysis so far, you can prove that you are not just an information leech. You will also give the experts here a chance to go directly for the deep dive without repeating the basics you already know. You might try Asking Questions The Smart Way and, whether you are a Microsofty or not, read this advice also.

Finally (and this should really be the First Law Of Posting), please give your audience a moment’s consideration before hitting the <SEND> button. If you are sending or responding to an inflammatory or incendiary email, at least sleep on it first or read this.  If you are pillorying someone for asking a question the wrong way or saying something dumb, or complaining to the entire mailing list about something that offends you, remember this sage advice:

It is better to be thought a fool than to open your mouth and remove all doubt

Please be tolerant of others. We are not all on your wavelength. Some of us barely even speak your language (and you’ve probably never even heard of ours). CISSPforum is a global melting pot, so please don’t post anything racist, sexist, elitist, alarmist or any other kind of mist and please don’t fan the flames.

2.2 Is it safe to post my first message?

Of course! We’re all friends here! To the CISSPforum lurkers, we say: de-cloak and bathe us liberally in your knowledge and experience. Don’t be shy. Even a lame “me too” is marginally better than stony silence. But please re-read the tips just above before you dive right in.

There’s a special CISSPforum rule for Those Who Have Never Posted (you know who you are - we call you the Forum Virgins). You have our full permission to make Your First Posting without fear of retribution, dissent or ridicule. The trick is to write “First posting” or similar in the subject line and include something interesting in the body of your message.

The CUSses, beards-of-colour and others faithfully promise to be extra nice to you on your first posting. To be honest, we’re all generally nice people who don’t bite but occasionally bark a bit, albeit sometimes up the wrong tree. Hot discussions break out from time to time and create plenty of smoke but actual flames are very rare (see below for fire retardant advice).

2.3 How do I get people to respond positively and helpfully to my queries?

Good question! We heartily recommend and endorse the excellent advice in How to ask questions the smart way. It’s also not bad, by the way, on how to reply smartly to questions ...

2.4 How do I reply to messages?

CISSPforum has been set up so that, by default, replies are sent to the entire forum not just the originator of the message. That’s a load of information security professionals. If one day you accidentally reply to a forum message with a personal response without altering the To: line, be aware that your peers will see your ‘private’ message. The cranky ones will give you grief to add to your misfortune, no doubt ribbing you rotten for your mistake. If you wish your reply to go to only the original poster, use that person’s email address instead of cisspforum@Groups.IO. If you insist on sending ‘private’ messages to us all, please make them juicy if not defamatory, and prepare to be savagely lampooned.

2.5 Where have my messages gone?

We have no idea.  Check under the keyboard.  If you shake it upside down, do your golden crumbs of knowledge fall out?

Assuming you sent your messages to cisspforum@groups.IO, they will hopefully now be grazing happily in one or more of Groups.IO’s server farms. They will also, hopefully, have been distributed to all members of CISSPforum. If you are asking this question because your messages have not turned up in your email inbox, take a quick peek in your spam box. Rifle through the advertisements and other social engineering attempts for anything vaguely resembling a CISSPforum message, then teach your spam-bot the error of its ways. Smack its little robotty.

2.6 How do I turn down the volume?

At times, CISSPforum can be a LOUD mailing list. Other mailing lists only go up to ten. CISSPforum sometimes reaches eleven. If it is too LOUD for you, here are seven volume-moderating techniques:

  1. Skim the subject lines and just delete anything mentioning, for example, LinkeDin or other lame topics. Don’t fret.
  2. Read CISSPforum as a daily digest with all the day’s takings in one mega email. This is a Groups.IO option.
  3. Check the senders. Some forumites are worth reading, others worth skimming, some deserve to go straight into the bit bucket without even opening. Your email client probably has the tools to do this automagically. Look for ‘email rules’ or ‘filtering’.
  4. Set aside a certain period of time each day to peruse the latest mailings. When your time is up, delete the remaining unopened messages and get back to Real Life.
  5. Don’t bother about keeping up with the latest topics. Use Groups.IO’s browsing or cunningly-named search functions to check the archives. There is a wealth of accumulated information, and it’s surprising how often we discuss the same things over and over like a recurrent nightmare.
  6. Read the forum using Gmail or a similar email facility that automatically links postings with similar subject lines into threads. Pick out interesting threads. Ignore the rest.
  7. Ignore everything. Delete without reading. Unsubscribe. Go on, miss out on those golden nuggets that would make all the difference to your career. Go ahead - see if we care. Talk to the fingers cos the keyboard ain’t listening.
  8. (Bonus idea) Don’t send complaints about the volume of the list to the list. Don’t send complaints about LinkeDin, daft jokes and comments to the list. Don’t try to send attachments to the list. In particular, if you are catching up with emails, look through the list of emails to see if anyone else has already commented or complained about a posting that upsets you, and leave it at that. Think twice before posting fresh junk, even on Fridays. Use your delete key as it was meant to be used and move swiftly along.

2.7 What do I do if (when) a posting upsets me?

Unless you are extremely liberal and tolerant, someone is bound at some point to post something that you don’t like or that offends you in some way. Very often if you post a complaint, someone else will complain about your complaint and pretty soon we get into a huge and unedifying “discussion”. People telling other people to take their complaints offline will, of course, do that online, the irony escaping them.

Personal attacks are more hurtful than helpful. While you might really want to say something along the lines of “You need a good kick to the head or an enema - in your case, those may end up being one and the same”, the following fire-retardant advice, originally posted on the forum by a wrinkly diplomat, sums up how to avoid fanning the flame wars:

I’d recommend peace, love and understanding all round.

Be tolerant and respectful of others on the forum. We have many
cultures, abilities and styles here. We are not all like you.
Many of us have never even been to your country.

The forum is self-moderated. Self restraint and tolerance are the watchwords.

Count to twenty before responding to jibes. If someone has upset you,
explain to them (and only them) what upset you, and let them respond privately, off-list.

If someone complains to you about your behavior, consider their feelings.
Please avoid slanging matches on the forum - take them off-line
behind the bike sheds perhaps.

If someone asks a dumb question, remember that you too were dumb once
and if you insult the questioner’s intelligence for asking such a
question, you still are. We all had to start somewhere.

This is a community of peers. There is room for humour and occasional
off-topic discussion but, please, take it easy on our <Delete> keys.

Enjoy the variety of experience. Relish the challenge of
understanding others’ points of view. Chip-in if you have something
constructive to say, to seek clarification, or to challenge underlying assumptions.

If you think the emperor has no clothes, speak up. Some of the best threads start that way.

And if all else fails, hit your <delete> key, chill out and move along.

2.8 Trolling and troll-baiting

If you are a troll, or if you feel compelled to point out that someone else is trolling, or to respond to a posting allegedly by a troll, or posting about someone else responding to a troll, or are defending or criticising a troll, troll allegations, or those who have previously defended or criticised a troll, or are in any other way referring to trolling, the trollees (not trolleys) or the trolls, please add [Troll] to the subject line of your message so that those of us with automated anti-troll filters have an easier time*. Better yet, before posting your message, please reconsider whether doing so will increase or decrease the signal-to-noise level for the majority of CISSPforum members or whether your spleen might be better vented against the alleged troll directly, off-list. On behalf of us who actually do have a life, thanks very much.

* The more advanced CISSPs simply configure their systems to route all troll messages directly to Write Only Memory (WOM) devices installed at several highly redundant but totally secret locations on the intergalactic Interwebnet. It is alleged that one of these black holes has been found lurking within the (ISC)2 website but the last brave datagram we sent in there to check it out never surfaced, at least not in our galaxy.

2.9 Are there rules for the forum other than this FAQ?

Yes - the universal rules for posting stuff to newsgroups and similar online discussion fora apply to CISSPforum too. In that respect, CISSPforum is not special at all.

One simple rule trumps the lot: consider your audience.  Just as it is considered socially unacceptable to shout FIRE! in a crowded cinema, spare a thought for those who receive and may be affected by your missives.

Thanks to one of the more surreal CISSPforum Friday threads, it has been acknowledged that there are certain “unwritten” rules for the forum but, of course, they are undocumented, ephemeral and virtual.  They may or may not still exist. They may or may not ever have existed. They may not, or may, come into existence at the point you post something. They are like Schroedinger’s kitty, only not quite as furry.

2.10 Can I distribute files via CISSPforum?

No, at least not directly. Any file attachments sent to the mailing list will be summarily stripped.  Members who post documents or other materials will be embarrassed at having posted, essentially, nothing. “Here it is!” they exclaim, triumphantly but here it is not. This is lame.

However, any forum member can upload a file to the Groups.IO web interface and optionally announce it on CISSPforum. Be sure you have permission from the copyright holder before publishing anything in this manner: reaching a community of peers effectively places it in the public domain and we wouldn’t like to see you marched-off by the DMCA Gestapo...

An even better idea if you want more than just casual feedback on your document is to write and upload a draft to Google Docs and post a forum message inviting CISSPforumites to collaborate on writing/completing it. The combined brain power is awesome and we have yet to see a document that cannot be improved by the wider perspective. We’d encourage you to acknowledge all those who actively contribute and ideally publish the finished item to the CISSPforum files area or publicly under a Creative Commons license, but hey that’s the group’s choice.

2.11 Is this forum private?

What do you think? The servers are probably in America, land of the free. Do we really need to spell it out for you? Ask Edward Snowden.

Membership in the CISSPforum is allegedly restricted to those holding CISSP.  Generally speaking, a number of respected CISSPforum members take the membership restriction to imply that it’s a discreet and exclusive private gentlepersons’ club. They hold that discussions on CISSPforum should not be discussed or reproduced elsewhere, outside the forum, believing that “what happens on the forum stays on the forum”. Restricting discussions to the CISSP community will hopefully result in a freer and franker exchange of ideas, the theory goes.

That said, it is not entirely sensible for members to assume that the content of messages they post to the forum will remain restricted to the membership. Those concerned about privacy and confidentiality (and which of us isn’t?) should bear in mind the old adage that you should never send anything by plaintext email (or indeed by courier) that you would not want to see on the front page of the newspaper. Do your own risk assessment, folks.

As a point of etiquette, if you wish to raise the issues discussed in CISSPforum elsewhere, it is best either to rewrite the salient points in your own words (sanitizing the identities and expunging the facts as appropriate) or to contact the original author/s for explicit permission, or both. Members contacted in this way are invariably flattered to be asked. You will almost certainly get the help you need to re-publish or at least plagiarize the salient parts from the original piece, and make a new friend in the process.



3 FORUM CONTENT

3.1 Is there an archive of CISSPforum postings?

Yes: CISSPforum messages are preserved for all eternity on CISSPforum.  Remember this if you are about to flame another member or post something private, off-topic or lame. The cream of CISSPforum postings may also be shamelessly plundered for FAQ content.

3.2 Is this the proper place to compare certifications?

Probably not. The topic has been raised before and you are free to give it another go. You’ll get replies, some thoughtful, some not.

Strangely enough, most CISSPs maintain that CISSP rocks. Many of us, having CISSP on our CVs and business cards, are curiously defensive of the certification’s integrity and value. We have something of a vested interest.  That’s not to say it’s perfect, though.

3.3 Is this a good place to ask ethical questions?

Yes if you like.  Why not? It would be rude of us to refuse.

3.4 Is it OK to ask about topics previously covered?

Everybody does it but please see the next section for information about zombie topics.

3.5 What is OT (off-topic)?

Any forum posting containing “OT” in the subject line is considered off-topic and liable to be summarily deleted by those with More Important Things To Do. It is considered rude to post off-topic messages without the “OT”, and in fact slightly naughty to post on-topic messages with subject lines that just happen to contain those two specific letters in conjunction. As to exactly what is considered on- or off-topic, or at what point on- becomes off-topic or vice versa, well that’s a matter for your good judgement, or rather that of the majority of people on the list, or rather that of the vocal minority who feel compelled to tell us all whether something was on- or off-topic.

To be fair, on/off-topic is not a binary choice when it comes to many discussion threads, but subjects such as US gun laws are likely to descend rapidly into the abyss of politics, religion or both, leaving information security for dust.

The issue of moderation is a long-running joke on the forum: if you post a message asking why the moderator isn’t doing something, one of the long-time and vocal members (otherwise known as the Usual Suspects) will generally post a message claiming to be, or to nominate, the moderator of the week, and dispense moderation, in moderation.

It is traditional for the moderator not to be informed of his/her/its status. For example, Rob Slade was moderator during the early part of December, while he was out of town, only finding out upon his return. There being no moderator at that point, he had nobody to complain to.

The normal rules are relaxed slightly on Fridays but always beware going too far off-topic.

3.6 What topics are lame?

We all say dumb things from time to time but asking genuinely lame questions or offering supremely lame answers on CISSPforum can be a character-building experience, unless it is your first post anyway.

Before you ask a question, have you at least Googled it? Have you made even the slightest effort to search for the answer yourself? If so, great, go ahead and ask away. If not, be prepared to be told in no uncertain terms “Try looking at the first response on this Google query: ...”.

Zombie topics, out-of-office messages and off-topics are also considered more or less lame.

Responses can be lame too. It’s fair to assume, for starters, that being a member of this community means the original questioner has a modicum of intelligence and security expertise. To avoid cluelessness, take this classic response as a warning: “In order to attack your target, you should first recommend that your target gets an actual computer (www.dell.com or www.hp.com are two sites I’ve found useful for this), running Windows (www.microsoft.com, can be obtained at www.amazon.com). The attacker should of course know how to write an actual exploit (books at www.amazon.com, many sources to be found on the ‘Internet’, which you can recognize since it all starts with http). One thing that is often overlooked by junior hackers (explaining many failures to achieve desired goals) is that they do need a ‘computer’ for this (again, see www.dell.com, or for something more prestigious or esoteric try www.apple.com). I’m sure you realize all this, but one cannot be too careful.”

3.7 Where can I find thread summaries?

Basically, you can’t. This situation was accurately predicted by a rather boring prophet: “There shall in that time be rumors of things going astray, erm, and there shall be a great confusion as to where things really are, and nobody will really know where lieth those little things with the sort of raffia-work base, that has an attachment. At that time, a friend shall lose his friend's hammer, and the young shall not know where lieth the things possessed by their fathers that their fathers put there only just the night before, about eight o'clock.”

You may like to subscribe to the list using a Gmail account that automatically threads the responses. Or not.

3.8 When is Friday?

Being an information security professional can be a stressful existence. Some of us feel alone and isolated under pressure ... but we’re not. As members of the CISSPforum extended family, we have peers, friends, fellow pro’s, oh and that “uncle” who always turns up at weddings and funerals but nobody admits to knowing or inviting.  CISSPforum is our stress-relief valve. Sometimes, there is nothing better than a good rant.  Fridays are reserved especially for that purpose.

One of the unwritten rules of CISSPforum is that the normal rules (both written and unwritten) for posting messages are relaxed on Fridays in preparation for the weekend’s fun (the equivalent of dress-down-day, bad shirt day, or POETS day), within reason. Since “within reason” is itself part of the unwritten rules that are relaxed, even that is optional but please be sensible. This is a multicultural professional forum and we’re all pretty busy. OK perhaps not quite so frantic on Fridays.

On Fridays, expect to see the usual sarcasm, irony, pathos (and bathos), poignancy and passion, anecdotes and hopelessness, delicacy and discernment, humour (sometimes without you) and satire, derision and hyperbole, alliteration and synecdoche turned up a notch, with the occasional deep and meaningful discussion on coffee, donuts, poutine and sushi. Have fun, just avoid turning up the heat.

It has been alleged that some members literally dress down on Fridays. Whether this extends to nude posting is unknown at this point and none of us has the nerve to ask. It’s considered good security practice to cover your web cam lens though.

Those CISSPforum members who have the benefit of living slightly West of the International Date Line start their Fridays in advance when other less fortunate members to the East are still living in the past. Therefore, Fridays start on Thursdays. What’s more, when the less fortunate Easterners post their Friday messages, it is already The Future for the very same Westerners. Although certain grammatical problems are created by this particular form of time travel, the Westerners enjoy Easterners’ Friday postings on Saturdays. So, to summarize, “Friday” = Thursday + Friday + Saturday. We got used to the delays in Yahoo! groups which meant that some postings were two days late, or more, so therefore postings made Tuesday and Wednesday = “Friday” and postings sent “Friday” may show up Sunday or Monday, thus all seven days of the week are now officially “Friday.”

It has subsequently been suggested that “Friday” be celebrated only on days that begin with the letter "T" including Tuesday, Thursday, Today, Tomorrow, Thaturday and Thunday. We like Fridays on the Forum.

Mental health is a serious business but please forgive us if, at first anyway, we take things lightly. Often we’re just trying to help you defuse your ticking time bomb. Which wire to cut? If you are in serious trouble and don’t appreciate our ‘help’, say so and we’ll cut the crap. There is an immense pool of wisdom collecting dripwise under the forum. Collectively and individually, forum members have generally been there, done that, and staggered back from the brink. Let us throw you a lifeline. Simply raise your hand and call out.  We’re here for you and we care.



4 ZOMBIE TOPICS

4.1 What are zombie topics?

All manner of information security and other fascinating topics have been discussed on CISSPforum over the years. The following topics, however, have been discussed to death, several times, yet somehow they refuse to lie down and die. The forum is not moderated so you are welcome to raise these topics yet again (provided you have Something Important to say on the subject) but if you do, be prepared for a somewhat less than enthusiastic response and watch out for silver bullets, pointed wooden crosses or garlic around the door.

4.2 Zombie topic: reformed hackers

Been argued, no resolution. Some hold that, like Caesar’s wife, infosec professionals must be above suspicion, whiter than white (hats). Some hold that reformed hackers have “paid their debt to society” and have useful knowledge to contribute. The ensuing exchange is a bit like the Pope discussing religion with an atheist.

The arguments are also trotted out when discussing whether to even appear on the same conference speakers’ platform as the likes of Messrs. Mitnick and Abagnale. Some of us will, some of us won’t. It all depends on the height of one’s horse.

4.3 Zombie topic: security ROI (Return On Investment) or ROSI (Return On Security Investment)

This is undoubtedly an important topic but most of us are tired of seeing the same old same old. CISSPs have at various times challenged the “R” and “I” part of ROI, and the future is not so ROSI according to some. To make things still worse, the quantitative vs. qualitative vs. hocus pocus risk analysis thread often gets intertwined with the ROI zombie, making our lives a misery for a couple of weeks at a time.

If you have something truly novel to say on justifying security or risk management expenditure to management - a new approach, a revolutionary investment model, a neat way to persuade management to lengthen the corporate purse strings (something like a metrics dashboard using blinkenlights maybe?) - go ahead but for your own sanity, please check that we have not already thrashed the life out of it.

4.4 Zombie topic: cissp.txt

We are really tired of this topic. One or more of the following zombies arise from their tombs every six to twelve months to haunt us with their blood-curdling cries:

    a) “There is a list of CISSPs at [someURL].cissp.txt. This is appalling!”

    b) “There is a list of CISSPs at [someURL].cissp.txt and my name is not on it! What gives?”

    c) “There is a list of CISSPs at [someURL].cissp.txt and my name is on it! Aaaiiieeee!”

Yes, it’s true. There is a list that appears at various places around the net, usually named cissp.txt. This contains some names and contact information (a few of which, shock horror, are still valid!) of CISSPs who had listed themselves in the public directory at ISC2.org way back in circa 2003 (others say early 2005 - eons ago in Internet time or web-years). At one time someone lame evidently mined the public directory, possibly for marketing purposes. Later, someone thought it would be a good joke to post the list on the web to see if they could get lots of people upset. They appear to have succeeded. Several times around.

Oh, and a special note for posters in category (c).  You have had your CISSP for a while and posted some info to the (ISC)2 public directory, so why are you so upset? Get real.

4.5 Zombie topic: terrorism

Terrorism and indeed cyberwarfare/WWIII does have a relevance to security, of course, but please try and contribute some light to the discussion, not just more heat. Check out the archives and see what has already been said. Postings advocating violence against any persons or groups are DEFINITELY way off-topic.

4.6 Zombie topic: can I get CPEs with that?

Every so often, someone asks “Can I get CPEs for [taking a prep course for something else | listening to my iPod | watching Sneakers | doing CISA/CISM homework | etc.]?”, sometimes with the rider “I’ve checked the (ISC)2 guidance but what do you think?” ... and the forum groans.

Forum members can only give unofficial and generally unreliable advice on this point. Does the material in the [course | iPod | running shoe | etc.] pertain to the CBK domains of the CISSP certification? If the material is pertinent to the CBK, Jack Holleran for one would say “yes”. One hour of relevant infosec study earns you one CPE, provided it can be validated in some way.

And that’s the crunch.

For the definitive answer on CPEs, contact (ISC)2 directly. The official guidance is reasonably comprehensive and not too bad actually in terms of opportunities to earn CPEs for free. Remember also this point from (ISC)2: “As a professional who follows the (ISC)2 Code of Ethics, please use your best judgment within these guidelines to select those activities which qualify for CPE credits and which will enhance your professional development.” In other words, be sensible and play nicely.

FWIW, here’s a bunch of ways of continuing your professional education and, in many cases, earning CPEs as you do:

  • Attend meetings and events of information security groups such as ISSA, ISACA, HTCIA, Infragard, AFCA, ASIS, various infosec SIGs, (ISC)2 chapters etc. Better still, join the groups and actively participate. Even better, research topics, write presentations and offer to deliver them at such meetings. Best of all, join the committee or the board of directors.
  • By the way, as a CISSP, you are probably welcome to attend infosec meetings and events in the area where you work, live or stay, including work assignments that take you away from home: simply contact the organizers and ask politely. Offers to present are often well received, especially if you have something interesting and valuable to share with other infosec pros, preferably something they haven’t heard at least a million times already.
  • Attend or at least listen to presentations, conferences, webcasts/webinars/e-symposia, Podcasts etc. by security product vendors, infosec luminaries and other CISSPs. Actively participate where possible. Posing awkward questions is especially recommended in the case of vendor presentations (and really ought to qualify for special bonus CPEs). Many organizations that routinely release webcasts (such as CERT) send email notifications to their mailing lists when new ones are announced.  Most webcasts, conference presentations etc. are archived and remain available for a while, which is handy if the initial broadcast happens in a different time zone to you. It’s also a legitimate way to cut down the total time commitment thanks to the fast forward button and skimming stuff you already know (use with care - in some cases, there may be nothing of any substance left). Better still, research, prepare and deliver such presentations.
  • Read information security magazines such as Infosecurity Professional and look out for advertised events and seminars. Some mags on (ISC)2’s recommended reading list provide rather lame CPE quizzes, ostensibly to check that you have actually read and understood the content. The quizzes are not that hard to fake but remember why you became a CISSP, and why ‘Continuing Professional Education’ is worthwhile. No matter how devious and diligent you may be, I don’t believe “Researching and exploiting design flaws in CPE quizzes” itself qualifies for CPEs and probably fails the CISSP ethics canon.
  • Write articles on information security and related topics for publication in professional journals such as EDPACS, ISSA Journal, and Proceedings of the IEEE.
  • Read information security books and ideally write reviews of them for other prospective readers. Better still, write good infosec books.
  • Read and preferably comment on or otherwise contribute to infosec blogs.
  • Prepare and/or deliver training seminars on information security-related topics, such as CISSP, CISM and CISA revision courses, study groups etc.
  • Review and comment on draft information security standards, professional practice statements and the like. Please at least try to be constructive.
  • Write new CISSP (or CISA or CISM ...) questions. This is well worthwhile but much harder than it may appear. You are unlikely to earn nearly as many CPEs as the number of hours you actually put into researching, writing and honing your questions, especially at the start of your exam-writing career.
  • Study for further qualifications. In the case of information security-related qualifications such as CISSP concentrations or CISM and CISA, don’t forget that CPEs earned for any one usually qualify for the others too. Honestly, it gets easier.
  • Volunteer to proctor CISSP (or CISA or CISM ...) exams. Several CISSPforum members say they signed up for this but never got the call so don’t bank on this one.
  • Volunteer to take over publishing and maintaining this FAQ. Please.  It probably qualifies for CPEs, Green Shield Stamps, likes, lucky fortune cookies, lottery wins and medals.  Chests laden with gold and safety deposit boxes overflowing with conflict diamonds will be
  • Last but not least, actively participate in CISSPforum. Share your security wisdom. Challenge the accepted order. You don’t earn CPEs purely for participating, unfortunately, but may well do so in the course of researching and writing thoughtful forum postings. Remember this point when getting ready to post something. While it’s easy to dash off a quick email with little if any thought, taking a bit more time to get your thoughts in order, find, check and incorporate relevant references, and provide something of genuine value to your peers will earn you more respect on the forum, and perhaps a few CPEs too.

The bottom line: CISSPs who are truly committed to the information security profession have absolutely no trouble earning sufficient CPEs. If you are scratching around to find enough CPEs to clear the minimum hurdle of 120 CPEs per 3 year cycle (for CISSPs), step back and take a cold hard look at your commitment level. Is your personal development and career advancement really of so little concern to you?  Are you in the right profession?  Would you much rather be doing Something Else with your life?

See also the notes on submitting CPEs, a lame topic.

4.7 Zombie topic: why are we still using Yahoo! Groups?

In 2018, this zombie was finally put out of its misery when (ISC)2 summarily pulled the plug on the Yahoo! forum. In addition to the official (ISC)2 community, a replacement for CISSPforum was launched by the CUStards on Groups.IO.

We’re still patiently waiting for the email from (ISC)2 about this. It appears to be one of those infamous long!-delay! Yahoo! messages! that will materialize at some random point in the future, out of the blue, lacking all context.

By the way, the official (ISC)2 community claims to have 22,000 members, less than 10% of whom have ever posted. Even so, in terms of sheer volume, it wins hands-down over CISSPforum. It even has kudos and badges for posting stuff and giving out kudos! Rejoice! We’ll leave it to you to determine whether it generates sufficient interest and value to justify your involvement, or whether you’d be better off in CISSPforum or down the pub. Just remember that, sometimes, less is more, an approach the (ISC)2 search functions take to the ultimate extreme. Whatever you seek, enjoy the pregnant pause while the inevitable “No search results found” is dragged kicking and screaming from the web server. It might as well read “Computer says no”.

4.8 Zombie topic: “We’ve been hacked - what do I do?”

Luckily this zombie is not as frequent a visitor to the forum as some of the others but we do occasionally get someone hitting the big red panic button and emailing in, all red-faced, sweaty-browed and hair growing visibly more grey by the minute. A typical question might be “I’ve just had a call from the Help Desk. They have taken a call from a user in the business who says his PC is acting strangely. The network boys and girls tell me there is loads of traffic on the user’s LAN segment and it looks as if the machine is spewing forth spam like it’s going out of fashion. HELP! What do I do?”.

The responses usually wander into various aspects such as which are the best forensics tools to analyze the system, how to analyze the live system before shutting it down, and why it is so important to brew up an incident management process BEFORE not DURING an incident, but the best immediate response to date on this sort of query is: “If you believe the system is compromised, and you don’t have the tools and skills to perform live (or any) forensic analysis, pull the network cable and get an expert. Don’t switch it off. Don’t even run a directory listing. Do not pass Go.  Do not collect 200 Bitcoins.”

If you are the expert, and you’re already on site and ready to go, IT forensics grab-bag in hand, underpants worn on the outside, things are different, obviously.



5 FORUM MEMBERSHIP OPERATIONS & SETTINGS

5.1 How do I subscribe to CISSPforum?

  1. First, get the easy bit out of the way: get yourself certified as a CISSP by (ISC)2. The forum is for the certified only.
  2. Find the CISSPforum page at groups.IO, read the destructions and apply to join.  Supply the information the admins need to check you out, namely your CISSP certificate number and your name as shown on your certificate.
  3. After lurking and analyzing the traffic for a while, please send us a nice ‘hello’ message, ideally with something interesting about you, your job, your interests, your favorite security standards, almost anything really. Tell us what you thought of the CISSP examination maybe, or the (ISC)2 community. Say how you found out about the CISSPforum (was it through this FAQ?). Ask us about the unwritten rules.

If you get stuck, ask a fellow CISSP for help or contact the forum admins. They are open to bribery and corruption, but please don’t tell (ISC)2.

5.2 How do I join CISSPforum if I’m not yet a CISSP?

Easy: get yourself a coffee, turn off your phone and spend a merry hour or two absorbing the solid information and advice in an excellent Flash tutorial from ardent CISSPforum member and security evangelist Clement Dupuis. Become a CISSP and you will be welcome, if not compelled, to join the CISSPforum.

For fans of the UK comedy series Little Britain, yes, CISSPforum is a local forum for local people.

5.3 Since this is “CISSP forum”, that means that everyone is a CISSP, right?

Kind of. Lapsed CISSPies have been known to hang around like a bad smell long after their certifications have expired. You can usually tell actual CISSPies and especially the CUStards by how cranky they are, but not always: some remain stealthy.

5.4 Can I access the forum and files online?

Yes, if you are a member. Be our guest.

5.5 How do I temporarily stop getting email from the forum or change to digest mode?

Well done to you if you thought of this before shooting off on that extended vacation or business trip. Please read the next answer also.

You’ll find the message delivery options in the Groups.IO web interface hidden in plain view under the Subscription tab.

5.6 How do I set up my Out-Of-Office message so I don’t spam the whole forum?

Do not turn on “reply-to-messages-not-sent-directly-to-me” or “reply-to-all”. Your best bet is to RTFM for your email system or call your IT Help Desk.

5.7 How do I change the email address with which I subscribed to CISSPforum?

I guess you’ll need to flounder around in that Groups.IO web interface thing, again. 

5.8 How do I unsubscribe?

CISSPforum is a lifelong commitment. Unsubscription is not an option: once you’re in you’re in. You can check out any time you like, but you can never leave.

Flounder around in that Groups.IO web interface thing, again.  Again.



6 (ISC)2 STUFF

6.1 How do I receive regular communication from (ISC)2?

Method 1: subscribe to the (ISC)2 newsletter. To do this, simply sign into the (ISC)2 website, then click on “Subscribe to (ISC)2 newsletter.” You will be taken to a bcentral.com partner site where you must provide your email address, name, city, state, country and company name, inside leg measurement, dental records and a cheek scraping - well, enough to satisfy the data entry validation routines anyway. You may also disclose your interests (very short list) and certifications (also a short list). Within a few minutes you will receive a confirmation message welcoming you to the (ISC)2 newsletter mailing list, or not if you did not supply a valid email address.

Method 2: receive (ISC)2’s Infosecurity Professional magazine either as a free electronic softcopy by email or in print if you pay the postage and packing charge and don’t mind slaying trees. The magazine is just one of many benefits for “members” of (ISC)2. The first edition was released in April 2008 - search the CISSPforum archives for informed comment on the content.

6.2 How do I submit CPEs?

Read the (ISC)2 instructions which contain lots of detail plus a helpful link to the submission form.

Most questions about CPEs on the forum are lame since the (ISC)2 guidance generally answers them all.

6.3 How many CPEs can I get for that?

The CISSPforum is just a bunch of guys and gals, you know. We are not (ISC)2. We don’t award CPEs.

Most of us really don’t care much about CPEs because we are active infosec professionals who are awash with CPEs as a result of lots of reading, research, webinars, conferences, training courses and stuff. We don need no steenkin badges. Several of us teach, present to or write stuff for other CISSPs and CISSPwannabies to consume and claim their CPEs.

(ISC)2 offers reasonable advice on how to earn CPEs, including the official CPE guidelines.

If you need to find out precisely how many CPEs to claim for something, and what Type they are, just ask (ISC)2 not us. If you insist on asking us, expect a flatulent response. You could try setting up one of those web survey things and inviting us to vote. Just make sure you include the option “42”.

6.4 Where do I find anything on ISC2.ORG?

Good question! Some have speculated that when the late Douglas Adams wrote the Hitchhikers Guide To The Galaxy, he was thinking of the (ISC)2 website ...

    Mr Prosser said: "You were quite entitled to make any suggestions or protests at the appropriate time you know."

    "Appropriate time?" hooted Arthur. "Appropriate time? The first I knew about it was when a workman arrived at my home yesterday. I asked him if he'd come to clean the windows and he said no he'd come to demolish the house. He didn't tell me straight away of course. Oh no. First he wiped a couple of windows and charged me a fiver. Then he told me."

    "But Mr Dent, the plans have been available in the local planning office for the last nine month."

    "Oh yes, well as soon as I heard I went straight round to see them, yesterday afternoon. You hadn't exactly gone out of your way to call attention to them had you? I mean like actually telling anybody or anything."

    "But the plans were on display ..."

    "On display? I eventually had to go down to the cellar to find them."

    "That's the display department."

    "With a torch."

    "Ah, well the lights had probably gone."

    "So had the stairs."

    "But look, you found the notice didn't you?"

    "Yes," said Arthur, "yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying Beware of the Leopard."

We’re still looking for the “Beware of the Leopard” sign at the (ISC)2 website. If you find it, please post a message to CISSPforum and we’ll call off the hunt. Meanwhile try Google.

6.5 What do I get for my AMFs (Annual Mugging Fees)?

Quite often the discussion about which activities do or do not qualify for CPEs and/or how difficult it is to find information on the (ISC)2 website ends up with someone asking “What does (ISC)2 do for us anyway?”. This is not unlike Monty Python’s “What have the Romans done for us?” in the Life of Brian.

Even (ISC)2 accepts that it’s perfectly reasonable for CISSPs to ask “Do we get value for money for our Annual Maintenance Fees (AMFs)?”. (ISC)2’s official response mentions obvious member benefits such as security webinars and the career center, and talks about the wider benefits through various marketing efforts to promote the security profession in general and, by implication at least, CISSP holders in particular. It’s unfortunate that they neglected to mention the biggest benefit of all, CISSPforum, though!

The bottom line is a personal value decision: will the benefits to you of CISSP qualification exceed the AMFs? If you are working for an employer who requires security qualifications, the answer should be obvious, especially if you are privileged enough to reclaim your AMFs and associated training/educational costs as legitimate business expenses. Likewise if you are searching for a new position and your qualifications will earn you a higher salary or land you a better job with a more enlightened employer/manager (not so obvious a benefit maybe but, believe me, job satisfaction is worth a lot).

Finally, there is the Zen perspective. Will the effort to achieve and maintain your qualification make you a better person? Will it satisfy your inner drive to be good at information security? Do you value being part of the global professional infosec community? Do you maintain motorcycles?



7 MISCELLANY

7.1 What is the 11th domain?

The 11th CBK domain is an obscure reference to any topic that the membership of the forum currently considers clueless whether off-topic, misguided or just plain lame. It includes the old favorites “Out-Of-Office”, “Unsubscribe” and “Could have found it on Google in 2 µs.” Occasionally, it is a genuine proposal to extend the CBK to cover additional domains such as ‘human factors’ but such proposals seldom get anywhere due to conservatism, inertia and apathy, a terminal combination.

7.2 Who are the Usual Suspects?

Never mind life, the universe, everything. Who or what are the Usual Suspects? That’s the Ultimate Question. The designation “Usual Suspects” arose in the dim and distant past from an accidental mis-posting to the CISSPforum of a private message from an (ISC)2 staffer to another regarding certain outspoken and unnamed CISSPforum members. The comment is alleged to have spawned a sinister (or is it dextral?) secret society within the inner sanctum of CISSPforum, the Certified Usual Suspects (CUS), also known as the CUStards. Even the CUStards do not know precisely who the CUStards are nor what they have done to deserve the dubious distinction beyond being “outspoken” but rumors abound of special handshakes and blackballing, weird initiation ceremonies involving sushi and/or poutine, an unwritten but staunchly upheld code of honor, and a predilection for emitting well-aged bodily gases. There is no known method to join the CUStards, nor indeed to leave, although most members tend not to contribute quite as much volume post-mortem, though just as much value.

7.3 Who is responsible for this unofficial FAQ?

The current mug editor/maintainer of this FAQ is, allegedly: Gary Hinson Gary@isect.com

By all means chuck rotten eggs at me but be warned: the more you throw, the greater the chances you’ll be “invited” (cosa nostra style) to become the new FAQ editor/maintainer ...

7.4 Can I submit new questions and answers or corrections to the FAQ?

Absolutely! Send them directly to the current editor (pencil each one on a crisp $20 bill for the special express service) or better still post them to the CISSPforum for general discussion. All potential submissions are gratefully received. The best bits will be shamelessly plagiarized.

7.5 FAQ Credits

Thanks to the following for their invaluable contributions to this FAQ: Chris Brown, the late lamented Laurie McQuillan, John McGuire, Matt Curtin, Jack “Hollerin” Holleran, Rob “Grandpa” Slade, Pat “Spring Bunny” McGregor, Anton “Cats in Context” Aylward, Les “G’day Jimmy” Bell, Karen “Stop”ford (head of the No Department), D. “Cragin” Shelton, Mim-The-Merciless (slayer of the humor impaired), and Gary “Passionate” Hinson. Other members of CISSPforum and CUStards have contributed to the FAQ either through insightful postings to the forum or by pestering the editors privately (i.e. in a private place).

I’d like to thank my producer, the director, the investors, the NSA and of course the venerable Consortium without which this FAQ would not have been possible necessary.

7.6 What’s new here?

  • Lately: further tweaks and “improvements” may, or may not, occur.
  • December 2018: Gary finally got both the urge and the free time to update the FAQ’s original! Yahoo! references! to Groups.IO. In addition to Spring-cleaning a few broken links, Gary removed the old instructions for joining the LinkedIn CISSP group since the validation facility appears to have disappeared without trace from the (ISC)2 website. The function used to be tucked away under the profile page but if it’s still there, it must be white-on-white, perhaps one solitary pixel. You’re on your own there. Try hunting the HTML source code maybe. Good luck Jim.
  • October 2006: Gary took up the editorial cudgel in October 2006, beating Rob’s rather quaint plain ASCII text version into a modern, sleek-looking HTML web page with go-faster stripes, giving us the luxury of actual headings, working hyperlinks and most of all, readability. If you think you might prefer the original, it’s stored for all posteriors on the CISSPforum files area on Yahoo! Groups, where it is available to current members of the CISSPforum ... which hints at the real reason this FAQ was published as a public web page: the instructions for how to sign-up for the CISSPforum used to be available only to current members of CISSPforum. Doh! That’s a bit like printing the “pull cord before passing 1,000 foot altitude” inside the parachute, or having a black button on a black panel light up black to tell you it’s on. Shades of Catch-22 and HHGTTG.
  • 2005-2006: Rob Slade copied a ton of Chris’s stuff, modified the rest so that it made less sense and did a fabulous job of injecting the odd ray of humor. He skillfully incorporated new stuff from CISSPforum including contributions from Laurie, John, Gary, Anton, Axel and Matt. In parallel, Anton set up a wiki version, after searching in vain for the ancient Greek word for wiki.
  • 2003-2004: The original editor of this FAQ was Chris Brown who has mysteriously vanished into the ether, if not the net. Before he passed, Chris freely admitted that much of the content was outrageously stolen from posts to CISSPforum. The FAQ was uploaded to the CISSPforum files area in October 2003 and updated a couple of times before Chris evidently gave it up as a dead loss and went back to Real Life™. We remain eternally grateful, Chris (that you started this, not that you went away). (Seriously, Chris, do get in touch. Are you OK mate?)



The end of the unofficial CISSPforum FAQ is nigh.
That’s it, there is no more.
Just a horizontal line (yes, yet another rule!),
and a final link back to the top for those poor unfortunates
lacking page-up keys, vertical sliders and wheely mice.