Category Archives: Technology

Bruce Passed PMI-RMP Exam on 10th July

Typhoon Maria strikes Taiwan today (10th July). I am very fortunate to have completed the PMI-RMP exam before the exam center closed. In nearly four months, I finally achieved this year's learning goal of passing these exams: PMI-ACP, PMI-PBA, CISSP and PMI-RMP.

The PMI-RMP exam took a total of 80 hours: 50 hours for the e-learning course and an extra 30 hours of study and preparation for the exam.

Basically, PMI-RMP is an advanced version of PMI-PMP, so it's a must to review the exam contents of PMI-PMP and strengthen the knowledge area of risk management.

The following are the textbooks I used:

  1. PMI-RMP Certification ExamPrep Course from Advanced Business Consulting Inc.
  2. Practice Standard for Project Risk Management (2009 edition, a bit old, but it is important reading for the exam)
  3. PMBOK Guide – Fifth Edition
  4. PMBOK Guide – Sixth Edition
  5. PMI-RMP Exam Prep Study Guide by Belinda Fremouw

For the purpose of taking the PMI-RMP (Exam Outline for 2015), the above textbooks should be quite adequate.

Frankly, I had a very hard time at the beginning of my RMP preparation. Fortunately, teacher Roger introduced Dr. David Hillson in the course, and I finally found a bright light to get started.

The following information from Dr. Hillson is very helpful to me personally. It is highly recommended to study:

  1. His conference papers published by PMI (about 25 articles)
  2. YouTube’s RiskDoctorVideo channel (especially the ones that explain the RaRa Model)
  3. The Risk Management Handbook: A Practical Guide to Managing the Multiple Dimensions of Risk (ISBN-10: 0749478829)

Bruce Passed CISSP Exam Today


Special thanks to Luke Ahmed and the Facebook Group: CISSP Exam Preparation – Study Notes and Theory.

After a prolonged 2-month journey that took 250 hours over 45 effective study days, I finally cleared the CISSP exam today. Thanks to the new CAT examination with 100 questions in 3 hours, the threshold for obtaining the CISSP is lowered to a reasonable level, even though it is still quite challenging.

Now, the CISSP exam is reasonably challenging. I wish you the best in clearing it ASAP.

The following resources were helpful to me:

PS. I am sorry to let you know that I attended the official CISSP classroom-based training in Taipei and it was a total waste of money and disappointing. The text for this class from ISC2 is just a bunch of slides of terribly poor quality, and the instructor, from my point of view, was not prepared or qualified for this class either.

Bruce Passed PMI-PBA Exam Today

With a 60-hour exam-prep course and after 2 weeks or 20 hours of study or so, I passed the PMI Professional in Business Analysis exam.

The primary materials:

  1. PMI-PBA Certification ExamPrep Course from Advanced Business Consulting Inc.
  2. The PMI Guide to Business Analysis
  3. Business Analysis for Practitioners: A Practice Guide
  4. PMBOK Guide – Sixth Edition
  5. RMC PMI-PBA Exam Prep: Premier Edition
  6. Pluralsight PBA Courses

And the following materials relevant to strategy execution:

  1. Organizational Project Management Maturity Model (OPM3)
  2. The Standard for Portfolio Management
  3. The Standard for Program Management

CISSP Preparation Materials

BCM: Business Continuity Management

Source: The Basics of Supply Chain Risk Management

RMF: Risk Management Framework

The six steps that comprise the RMF include:

  1. System Categorization;
  2. Security Control Selection;
  3. Security Control Implementation;
  4. Security Control Assessment;
  5. System Authorization; and
  6. Security Control Monitoring

GRC: Governance, Risk Management, and Compliance

  • Information – (1) Facts or ideas, which can be represented (encoded) as various forms of data; (2) Knowledge (e.g., data, instructions) in any medium or form that can be communicated between system entities.
  • Information Security – The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity, and availability.
  • Security Controls – The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for a system to protect the confidentiality, availability, and integrity of the system and its information.
  • A vulnerability is a weakness in a system, system security procedure, internal controls, or implementation that could be exploited by a threat source.
  • A threat event is an incident or situation that could potentially cause undesirable consequences or impacts.
  • Information security policy is defined as an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.
  • Because policy is written at a broad level, organizations also develop standards, guidelines, and procedures that offer users, managers, system administrators, and others a clearer approach to implementing policy and meeting organizational goals. Standards and guidelines specify technologies and methodologies to be used to secure systems. Procedures are yet more detailed steps to be followed to accomplish security-related tasks. Standards, guidelines, and procedures may be promulgated throughout an organization via handbooks, regulations, or manuals.
  • Information assurance is the degree of confidence one has that security measures protect and defend information and systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.
  • Access is the ability to make use of any system resource.
  • Access control is the process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).
  • An audit is an independent review and examination of records and activities to assess the adequacy of system controls and ensure compliance with established policies and operational procedures.
  • An information security contingency is an event with the potential to disrupt system operations, thereby disrupting critical mission and business functions. Such an event could be a power outage, hardware failure, fire, or storm. Particularly destructive events are often referred to as “disasters.”
  • A contingency plan is a management policy and procedure used to guide organizational response to a perceived loss of mission capability. The System Contingency Plan (SCP) is used by risk managers to determine what happened, why, and what to do. The SCP may point to the Continuity of Operations Plan (COOP) or Disaster Recovery Plan (DRP) for major disruptions. Contingency planning involves more than planning for a move offsite after a disaster destroys a data center. It also addresses how to keep an organization’s critical functions operational in the event of disruptions, both large and small. This broader perspective on contingency planning is based on the distribution of system support throughout an organization.
  • Incident handling is closely related to contingency planning. An incident handling capability may be viewed as a component of contingency planning because it allows for the ability to react quickly and efficiently to disruptions in normal processing. Broadly speaking, contingency planning addresses events with the potential to interrupt system operations. Incident handling can be considered that portion of contingency planning specifically that responds to malicious technical threats.