Monthly Archives: November 2018

My InfoSec Expertise Roadmap


Capabilities

  1. AI: for the year of 2019
  2. PfMP/PgMP: nice to have
  3. ITSM: nice to have
  4. Incident Response (IR) & Investigation: nice to have
  5. Infrastructure/Container: nice to have
  6. OSCP: nice to have, but long way to go


Goal Matters


Alice: Would you tell me, please, which way I ought to go from here?

The Cheshire Cat: That depends a good deal on where you want to get to.

Alice: I don’t much care where.

The Cheshire Cat: Then it doesn’t much matter which way you go.

Alice: …So long as I get somewhere.

The Cheshire Cat: Oh, you’re sure to do that, if only you walk long enough.

Lewis Carroll, Alice in Wonderland

It’s about time for me to review my performance for the year of 2018 and plan for the coming year of 2019.

  • Mission: To Inspire People to Enjoy Learning
  • Vision: To be one of the most influential share points of people and knowledge in Taiwan
  • Annual goals for 2019:
    • To publish a book of agile and/or CISSP for exam prep in memory of my father
    • Start a new business initiative with a long term goal to train 1000 CISSPs in Taiwan
    • Get insights to AI/machine learning with emphasis on Python

Bruce Passed ISC2 CISSP-ISSAP Exam on 14th November


It’s a lovely afternoon and peaceful moment to enjoy the view looking out through the floor-to-ceiling window from the office.

When the ISSAP score report disclosed “Congratulations!”, my goal of pursuing the planned certifications from ISC2 was achieved. I spent around 4 months in total studying intensively and finally passed the six ISC2 exams: CISSP, CCSP, CSSLP, CISSP-ISSEP, CISSP-ISSMP, and CISSP-ISSAP.

After studying for 40 hours within 8 days (from 2018/11/06 to 2018/11/13), I cleared the ISC2 CISSP-ISSAP (Information Systems Security Architecture Professional) exam today. This exam is one of the 3 CISSP concentrations. I would say the level of difficulty would be ISSAP < ISSMP < ISSEP.

The ISACA CGEIT is the last mile for me to declare success achieving my annual goal.

My plan of the year is revised as follows:

  • Milestone #1: PMI + CISSP
    • 2018/04/09 ACP
    • 2018/04/27 PBA
    • 2018/06/19 CISSP
    • 2018/07/10 RMP
  • Milestone #2: ISACA
    • 2018/07/24 CISM
    • 2018/08/13 CRISC
    • 2018/08/28 CISA
  • Milestone #3: ISC2
    • 2018/09/07 CCSP (originally scheduled on 2018/09/14)
    • 2018/09/13 CSSLP (originally scheduled on 2018/09/28)
    • 2018/09/25 CISSP-ISSEP (bonus)
  • Milestone #4: EC-Council
    • 2018/10/09 CEH (originally scheduled on 2018/10/15)
    • 2018/10/12 ECSA (originally scheduled on 2018/10/29)
  • Bonus Exams: scrum.org
    • 2018/10/21, PSM I
    • 2018/10/23, ISO 27001 LA
    • 2018/10/27, PSPO I
    • 2018/10/28, PSD
  • Final Optimization
    • 2018/11/06 CISSP-ISSMP
    • 2018/11/14 CISSP-ISSAP
    • 2018/11/30 CGEIT (projected)


List of Jargon

Information Security Architecture

InfoSec Requirements Integration

  • Enterprise Architecture [CNSSI 4009]
    The description of an enterprise’s entire set of information systems: how they are configured, how they are integrated, how they interface to the external environment at the enterprise’s boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise’s overall security posture.
  • Information Security Architecture
    An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.
  • Enterprise architecture also promotes the concepts of segmentation, redundancy, and elimination of single points of failure—all concepts that can help organizations more effectively manage risk.
  • The Federal Enterprise Architecture (FEA) defines a collection of interrelated reference models including Performance, Business, Service Component, Data, and Technical as well as more detailed segment and solution architectures that are derived from the enterprise architecture.
    • Organizational assets (including programs, processes, information, applications, technology, investments, personnel, and facilities) are mapped to the enterprise-level reference models to create a segment-oriented view of organizations.
    • Segments are elements of organizations describing mission areas, common/shared business services, and organization-wide services. From an investment perspective, segment architecture drives decisions for a business case or group of business cases supporting specific mission areas or common/shared services. The primary stakeholders for segment architecture are mission/business owners.
    • Following closely from segment architecture, solution architecture defines the information technology assets within organizations used to automate and improve mission/business processes. The scope of solution architecture is typically used to develop and implement all or parts of information systems or business solutions, including information security solutions. The primary stakeholders for solution architectures are information system developers and integrators, information system owners, information system/security engineers, and end users.

Source: NIST SP800-39

Bruce Passed ISC2 CISSP-ISSMP Exam on 6th November


After studying for 40 hours within 8 days (from 2018/10/29 to 2018/11/05), I cleared the ISC2 CISSP-ISSMP (Information Systems Security Management Professional) exam today. This exam is one of the 3 CISSP concentrations. As its name denotes, this exam is all about basic management concepts and the difficulty level is not that high as far as an experienced CISSP is concerned.

My original plan of the year for learning and growth was scheduled to be completed by the end of October, with one month of buffer (November as the worst case). Since my goals were achieved ahead of schedule, I decided to do more as final optimization using the one-month buffer, that is, the month of November.

My plan of the year is revised as follows:

  • Milestone #1: PMI + CISSP
    • 2018/04/09 ACP
    • 2018/04/27 PBA
    • 2018/06/19 CISSP
    • 2018/07/10 RMP
  • Milestone #2: ISACA
    • 2018/07/24 CISM
    • 2018/08/13 CRISC
    • 2018/08/28 CISA
  • Milestone #3: ISC2
    • 2018/09/07 CCSP (originally scheduled on 2018/09/14)
    • 2018/09/13 CSSLP (originally scheduled on 2018/09/28)
    • 2018/09/25 CISSP-ISSEP (bonus)
  • Milestone #4: EC-Council
    • 2018/10/09 CEH (originally scheduled on 2018/10/15)
    • 2018/10/12 ECSA (originally scheduled on 2018/10/29)
  • Bonus Exams: scrum.org
    • 2018/10/21, PSM I
    • 2018/10/23, ISO 27001 LA
    • 2018/10/27, PSPO I
    • 2018/10/28, PSD
  • Final Optimization
    • 2018/11/06 CISSP-ISSMP

Risk Management