Reminders for CISSP Aspirants

Why is CISSP so challenging? The comprehensiveness that we all agree on is only the exposed tip of the CISSP iceberg; the general management concepts hidden beneath the surface are the substantial stumbling block.

CISSP is an experience-based exam. It requires at least 5 years of security-related work experience for CISSP aspirants to sit for the exam. Why is the 5-year experience one of the prerequisites? Because aspirants should develop the general management concepts and fundamental project management capabilities that are required in almost every business setting before or during their CISSP journey.

IMHO, the following are some of the key concepts or skills:

  • Focus on effectiveness and understand the difference between effectiveness and efficiency.
  • Understand leadership and management. Lead and/or follow people passionately and strategically; manage things or projects effectively and efficiently.
  • Management by objectives; Plan-Do-Check-Act.
  • Be curious and learn how the business works.
  • Think strategically and integrate projects, programs, and portfolios.

Security is a business issue and extends far beyond the scope of IT. CISSP aspirants have to be acquainted with specific technical and business areas, e.g., operations, governance, and risk management.

CISSP Perspectives

CISSP is one of the most challenging exams because of its comprehensive perspectives and its requirement of a solid conceptual-level understanding and in-depth insights into both managerial and technical issues.

The following is my two cents for CISSP aspirants starting their CISSP journey:

System Security Engineering

  • System Security Engineering, or Security Engineering, is the process of applying knowledge to build systems, from their inception to retirement, i.e., throughout the life cycle, while considering security.
  • Here, “systems” means information systems.
    • An information system is built based on an architecture that is well-designed by principles.
    • An information system comprises a variety of components that can be built in-house or bought from vendors.

Information Security

What Is Information Security?

The Onion diagram is updated to emphasize that Information Security is a business issue. Security people should protect assets while always keeping the business in mind, that is, enabling the business and delivering value. Tunnel vision and functional boundaries between security and the business should be broken down and removed.

Information Security is a discipline to protect information and information systems from threats through security controls to:

  1. achieve the objectives of confidentiality, integrity, and availability, or CIA for short,
  2. support the organizational mission and processes, and
  3. create and deliver value.

The definition of Information Security is revised to reflect that Information Security is a business issue: it should be aligned with the business mission, goals, and strategies, enable and streamline business processes, and ultimately create and deliver value.

The Peacock as a Metaphor for Information System
Wentz’s Information Risk Model

Case Study – AmyPro Consultant

  • AmyPro Consultant is headquartered in Taipei with a branch in New York, US.
  • An offshore software partner in Bengaluru, India, develops and maintains the proprietary CRM system.
  • Staff work on-site in Taipei, on the road, and from home.
  • How do you implement and support the secure network?

Intonation Patterns

  • Different Patterns of Intonation
    • Rising: sentence not finished
    • Falling: end of a sentence
    • Rising-falling
    • Falling-rising
    • Flat
    • High
    • Low
  • New Information vs. Old Information
    • Rising: old information
    • Falling: new information
  • Intonation in Questions
    • Rising: you think you know the answer
    • Falling: you already have some idea of the answer but don’t know it for sure. You just ask to check or confirm that your idea is right.
  • More Ways to Use Intonation in Questions
    • Rising: criticizing someone
    • Falling: making a comment
    • Rising (indirect, hesitant) / Falling (direct, confident): making a suggestion
    • Surprise, doubt, excitement, sarcasm, and annoyance
  • Practice Sentences
    • Do you need some help?