The Wall of Hard Working, CISSP!

Students share their CISSP credentials to cheer peers.
Their success stories in Chinese:
https://wentzwu.com/stories


Wentz’s CISSP QOTD

Strategic and critical thinking are essential skills for security professionals. In my opinion, strategic thinking means thinking from a long-term and high-level perspective; critical thinking aims to render effectiveness by exercising analytical and logical reasoning to determine necessity and sufficiency.

I have been writing CISSP questions of the day (QOTDs) for around two years to promote strategic and critical thinking and in-depth learning. It’s not my intention to simulate the actual exam or encourage shortcuts, cramming, or rote memorization. That’s why I write one and only one question a day and postpone sharing my suggested answer and justification. I hope…



The Cloud Security Alliance (CSA) divides the Security, Trust & Assurance Registry (STAR) program into three levels:

  1. CSA STAR Level 1: Self-assessment
  2. CSA STAR Level 2: Third-Party Certification
  3. CSA STAR Level 3: Full Cloud Assurance and Transparency

There are two primary options for CSA STAR Level 2:

  • CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix.
  • The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud…

The Effective CISSP: Security and Risk Management

“This book should be part of your study plan for the CISSP.” -J. Stapp

As the author, I wrote this book to help you build a solid conceptual foundation that applies to both the CISSP and CISM exams. If you come from the IT or technical field, this book is for you!

Purchase right away on Amazon: https://www.amazon.com/dp/9574376478
Both Kindle eBook and paperback are available.


After working in the IT industry for 26 years or so, I successfully achieved my annual goals in 2018, passing 19 exams in 9 months, which resumed my instructor career.

Wentz QOTD is the essence of my experience and knowledge across the business, IT, security, engineering, and management domains. I do my best and spend much time writing each question and justification and controlling quality. The questions can be hard, but the real value lies in my justification and explanation. However, to err is human. My suggested answers won’t always be correct, and that’s why I “suggest” my answer.

Please be patient…


Security Is Part of Quality

For more than twenty years, providing IT solutions to help customers solve problems has been my mission. Along the way, the businesses I have run and taken part in have covered a wide range: dial-up modem access and hosting services for websites and e-mail, cabling and building computer rooms, deploying enterprise network infrastructure, building enterprise telephony services and call centers, developing business software solutions, and delivering training courses. Most of the important IT fields have been covered.

At the time, although I knew security was important, I did not invest much in it in substance. In other words, I simply did my best to strengthen security rather than following a systematic approach. In 2018, I decided to provide customers with higher software assurance in order to build a sustainable competitive advantage, and therefore decided to obtain the relevant certifications to prove that I could deliver high-quality software meeting internal quality requirements, that is, U PASS ME! This restarted my journey of certification exams.

Exam Preparation Requires Project Management

Preparing for exams is itself a project, and the exams must be managed properly to succeed. Goal management, effective study methods, and determination were the keys to my success in these exams. At the time, my to-do list contained only three certifications: ACP, CISSP, and CEH. But I later decided to move from software to security, with the goal of becoming an internationally recognized security instructor, so obtaining the full range of relevant security certifications became a basic requirement. In the end, I could hardly believe that I had so easily earned a comprehensive set of professional certifications.


Software Engineering Institute (SEI), 1984

The Software Engineering Institute (SEI) was established in 1984 at Carnegie Mellon University as a federally funded research and development center (FFRDC) dedicated to advancing the practice of software engineering and improving the quality of systems that depend on software. (SEI press release, June 21, 2000)

Capability Maturity Model (CMM), 1986~1995

The Capability Maturity Model (CMM) is a development model created in 1986 after a study of data collected from organizations that contracted with the U.S. Department of Defense, which funded the research.

Active development of the model by the US Department of Defense Software Engineering Institute (SEI) began in 1986 when Humphrey joined the…


The CISSP exam tests not only your technical foundation but also your management concepts. Many CISSP aspirants fail in Domain 1, 2, 6, or 7. This can indicate that they have not connected the dots, e.g., information security governance, risk management, strategic management, project/program management, business continuity, etc.

My book, The Effective CISSP: Security and Risk Management, introduces those concepts that can help you build a solid foundation of information security from the perspective of information systems, business processes, and the organization.

If you have just started your CISSP or CISM (yes, CISM) journey, are lost in the jungle of knowledge, or have even failed in any of the domains mentioned above, The Effective CISSP: Security and Risk Management will set you straight.

Amazon: https://www.amazon.com/dp/9574376478


Security Modes

“Security Modes” is a shorthand for Security Operating Modes or Security Modes of Operations. DoD Directive 5200.28 on Security Requirements for Automated Information Systems (AISs), published on March 21, 1988, defines Security Mode as follows:

E2.1.41. Security Mode. A mode of operation in which the DAA accredits an AIS to operate. Inherent with each of the four security modes (dedicated, system high, multilevel, and partitioned) are restrictions on the user clearance levels, formal access requirements, need-to-know requirements, and the range of sensitive information permitted on the AIS.

However, the “Rainbow Series” is obsolete. Moreover, the term “system high mode” is…


CISSP CBK

Many people who have passed the CISSP have received neither a promotion nor a raise; they have not even gained the recognition they deserve from their companies, and instead have been loaded with a good deal of extra security-related work, so they lament that the CISSP is not valued in Taiwan. When they want to change jobs, they find that every employer is a monkey-zoo keeper who can offer only bananas. Even more hurtful, nobody knows what the CISSP is! Looking back, they realize with a shock that the CISSP is just a game they and the security insiders play to amuse themselves…

Is that really the case? Not really. Although the CISSP is valued far less in Taiwan than abroad, I believe the root causes of this gap are enterprises’ insufficient understanding of the CISSP and certificate holders’ mistaken positioning of the CISSP.

Insufficient Understanding of the CISSP

Because enterprises generally paid little attention to security in the past, even those with some security awareness mostly let the IT department lead security matters, so security came to be seen as a technical issue. When security lacks a business mindset, it cannot win the attention of senior management, and security staff naturally cannot obtain sufficient resources or demonstrate the performance expected of them. Moreover, security theory is not yet mature, and security relies on experience accumulated in practice, which has given it an air of mystery. In particular, the media’s exaggerated portrayal of hackers has left the general public with a stereotype of security: the moment security is mentioned, people think of networks, technology, phishing, hackers, intrusions, Anonymous, cyber armies, and so on.

Beyond the general public’s limited understanding, even IT staff and security practitioners have a rather narrow understanding of security. What is security? What is risk? What is a threat? If even the basic vocabulary of communication is poorly defined, how can we communicate effectively with employers and the general public, understand their security needs, propose solutions, and go on to develop security into a profession?

This lack of understanding is fully reflected in the cold statistics: the number of CISSPs in Taiwan lags far behind other Asian countries! Because enterprises do not value security, and the cost and entry barrier of the CISSP exam are relatively high, the real return on investing in the CISSP certification is insufficient, so only a few security professionals who pursue personal achievement are willing to invest in it.

The most proactive way to solve the problem of insufficient understanding of the CISSP is to build a strong CISSP community, where strong means both strong in capability and large in number! Holding the CISSP does not necessarily mean one is strong, but it is a good starting point for raising the overall capability of security professionals. However, being strong but few in number also falls short! Taiwan needs at least 1,500 CISSPs to genuinely meet its security needs; only when there are enough CISSPs can the CISSP become a basic entry requirement, and only then can vendors be prevented from playing the game of borrowing credentials to bid on and rig tenders. Only by having CISSPs substantively participate in every project can Taiwan truly raise its security standards and establish the security profession.

In addition, the ISC2 Taipei Chapter is currently being set up and is expected to become an official ISC2 chapter next year. The establishment of the Taipei Chapter will give CISSPs more room to contribute what they have learned in the security field, as well as greater influence and a stronger voice.

For CISSPs, more is better, and unity is strength!

Mistaken Positioning of the CISSP

The CISSP questions are not hard, but preparing for the CISSP is hard! The difficulty of CISSP questions amounts to no more than the basic concepts of each professional domain, even common sense. So for senior professionals the CISSP is not hard; the real difficulty lies in the project management and execution of exam preparation. For those who just barely meet the CISSP exam requirement (five years of relevant work experience), however, it can be a considerable challenge, because the exam scope is quite broad and a fair amount of preparation time is needed to pass. The longer the preparation drags on, the more one forgets the earlier material while reading the later material; without very strong willpower and effective study methods, it is in fact quite difficult.

A profession is a specialized occupation one relies on for a living; for security professionals, the CISSP is the basic requirement. Therefore, the first harsh reality security professionals must recognize is that the CISSP is “not” a golden certification! It is merely the baseline certification of the security profession. To put it bluntly, the CISSP is the entry threshold for security personnel. When you treat security as your profession and provide professional services to your employer, obtaining the CISSP is the most basic requirement. Abroad, that is simply how the CISSP works: without it, your security job is at risk; it is not a matter of how much of a raise the CISSP will earn you. Take the United States, for example, where this threshold is written directly into the US Department of Defense’s DoD 8570.1 policy directive.

The CISSP certification is only a necessary condition for creating value, not a sufficient one. The CISSP you worked so hard to earn will not instantly transform you from an engineer or junior staff member into a CISO, nor will it multiply your salary several times over. All you gain at first is overflowing confidence and a sense of achievement, but that is also the most precious value of the CISSP. Your salary and promotion still depend on the value you can contribute to the enterprise.

Senior security professionals can use the CISSP to prove their expertise and save the time spent convincing customers. For security professionals seeking to learn more, the CISSP is a good starting point for building security expertise!

Conclusion

Some employers have only bananas; CISSPs must first find the right employer so they do not have to prove they are not monkeys.
Only if the CISSP community in Taiwan is strong enough will bananas disappear from the market.
Security is a profession; security professionals must have a business mindset to create value for their company and earn themselves a raise.
Success or failure decides the hero.

Wentz Wu

CISSP-ISSMP,ISSAP,ISSEP, CISM, PMP, CBAP, PSM
