Maybe you've noticed the slower pace of blogs lately (OK, maybe you haven't). I've been traveling and cramming for a shot at some real prestige...the coveted title of Certified Information Systems Security Professional, or C.I.S.S.P.
Maybe you happened to notice that the title seems to be one word too long. Generally, organizations spend a lot of time creating short, snappy acronyms. Obviously, the International Information Systems Security Certification Consortium (ISC)2 (again!) chose just to tell it like it is, damn the marketing.
There's a lot of information included in the curriculum, several 700-800-page books' worth. Much of it is good. Some of it is, well, filler. Being a product of an older generation, I find it amazing that some seemingly simple tasks can be segmented into so many parts. A lot of the required information is about management processes, and there are a lot of them. Most seem to start with “Get management’s buy-in”. Always a good idea. Then there are several steps involving “assemble”, “empower”, “enlist” and “document”. Followed by “meet”, “survey”, “poll”, “meet”, “query”, “meet”, and “meet”. Then we get to the “report”, “executive summary for management”, “obtain approval”, “train” and, let’s see, “meet”. Moving on, there’s “meet”, “revise”, “list”, “document” and, um, “meet”.
There’s usually a catch-all section called “meet”. Not very often do we see “resolve”, “finalize” or “decide”.
Don’t get me wrong, there’s a lot of pertinent, valuable information here and I’m a better IS manager for having reviewed it, whether I passed the test or not. There are good explanations of many processes and programs that are seldom used, but good to know. There are technical terms described, facts given and methods documented. So, overall, it’s a good thing. But, like an all-you-can-eat buffet, there’s a whole lot of it and you can get easily sidetracked by the fillers.