Monday, October 22, 2007

Community SANS Boston 2007 day 1

Community SANS Boston 2007 began today; I thought day 1 went very well.

Mike, a gentleman who attended my Incident Handling/Hacker Techniques class last year, decided to pursue the CISSP® certification and attended this class. After earning his GCIH last year, he was promoted and now heads up a security team at his company. He decided it was time to round out his information security management knowledge. It's always great to see repeat students!

We have a great cross-section of industries represented in class, including some military and financial folks.

We covered the Access Control Systems & Methodology domain today. A universal point that came up today: access control is hard, and often thankless. We often see a litany of access requests, with many folks clearly requesting more access than is required. Users can be quite vocal when access is denied or limited, and we never hear "Great job on access control today! You really nailed it!!"

A few questions from today:

Q: Are the questions on the CISSP® in domain order, or randomized?
A: The questions are in random order.

Q: What are the new CISSP® experience requirements as of Oct 1st, 2007?
A: (ISC)² now requires 5 years of experience in two or more domains in the Common Body of Knowledge (and you may subtract 1 year with a 4-year degree). This is a change from the old rules, which required 4 years of experience in one of the domains in the Common Body of Knowledge. See the new CISSP® experience requirements.

As an FYI, the next CISSP® @Home starts in January.