
Memberships

CyberMAYnia CAREER

392 members • Free

CISSP Study Group

2.1k members • Free

6 contributions to CISSP Study Group
CISSP - Passed
Hi Everyone, I’m pleased to share that I have provisionally passed the CISSP today. It was certainly a tough exam (perhaps tougher in my own head at times). Some of the questions were genuinely challenging, but I’m really glad to have gone through the experience and come out the other side and crossed the finish line. I wanted to take a moment to thank this community - it has been a fundamental pillar in my preparation. The support around exam technique, content, and discussions has been invaluable. A special thank you to @Vincent Primiani and the CISSP team for running the group sessions [very helpful] creating a space where we can learn, challenge ourselves, and grow together. Huge respect to everyone here, including @May Brooks - and for those still on the journey, keep pushing… it’s absolutely worth it, and you’ll get to that finish line. Thank you, again.
OFFICIAL ISC2 AI security exam guidance doc
ISC2 published this yesterday. It maps out exactly how AI security concepts show up across the CISSP exam.

This is NOT a new exam outline. The current outline (April 2024) already has AI baked in. But this document spells out the specifics so you know what to expect.

The big picture: AI isn't a separate topic. It's woven into everything from risk management (Domain 1) to software development security (Domain 8).

A few things that stood out to me:
- You need to know about protecting training data and model weights (Domain 2)
- Prompt injection and adversarial attacks are fair game (Domain 3)
- AI red teaming is now part of security testing (Domain 6)
- Managing identities for AI agents and service accounts - least privilege still applies (Domain 5)
- Model drift and AI in the SOC are covered in operations (Domain 7)

If you're studying right now, don't panic. Most of this maps to concepts you already know -- just applied to AI systems. But you should absolutely be familiar with terms like data poisoning, adversarial attacks, algorithmic bias, model drift, and prompt injection.

On our end we're going to keep weaving more AI-focused questions into the https://cissp.app and bringing more of this into our study group discussions. I attached the PDF if you want to read the full thing.
1 like • 5d
Hey guys, recently cleared the CISSP exam. Thank you for the help everyone and @Vincent Primiani
CISSP Practice Question (Domain 2: Asset Security / Data Ownership & Accountability)
A company migrates sensitive business data to a shared analytics environment used by multiple departments. Data accuracy issues emerge, but no single group can authorize correction because ownership is unclear. Leadership wants faster decisions without creating a centralized bottleneck. What is the MOST appropriate governance action to take FIRST?

A. Assign a single enterprise data steward for all analytics data
B. Define data ownership and decision authority at the dataset level
C. Implement stricter change control over analytics transformations
D. Increase audit logging for data modifications and access

Come back for the answer tomorrow, or study more now!
1 like • Jan 17
Faster decisions will come when data ownership is properly defined; this would also prevent a centralized bottleneck. Correct answer is B imo.
CISSP Practice Question (Domain 1: Security and Risk Management / Board Oversight & Accountability)
Following a major security incident, the board asks management to demonstrate that security investments over the past two years were aligned to enterprise risk, not just technical best practices. Metrics show control maturity, but not business impact reduction. What is the MOST appropriate action to take NEXT?

A. Map historical security controls to compliance framework requirements
B. Reframe security reporting around risk scenarios and loss exposure
C. Commission an external benchmark against industry peers
D. Increase board level security training and awareness sessions

Come back for the answer tomorrow, or study more now!
1 like • Jan 15
We need to show that investments in security were aligned in the past two years. Redrafting the report showing business impact reduction through demonstrating loss exposure and involving risk scenarios to also show the security controls maturity. B is right imo. Hope my understanding of the question is correct.
Good Morning Future CISSPs!! - Practice Question (Domain 4: Communication and Network Security)
I felt like such a robot 🤖 posting the question this morning. I needed to say hello to all our wonderful members!! Okay, okay, the question...

A company deploys a zero trust network where every request is authenticated, authorized, and encrypted. During an incident, investigators cannot reconstruct attack paths because traffic patterns are indistinguishable once inside the fabric. Security wants forensic clarity without weakening zero trust principles. What is the MOST appropriate architectural adjustment?

A. Decrypt and inspect all internal traffic at centralized gateways
B. Implement per request cryptographic identity and flow labeling
C. Increase east west traffic logging at network choke points
D. Reintroduce internal trust zones to simplify attribution

Come back for the answer tomorrow, or study more now!
1 like • Jan 13
B
Usman Shah
@usman-shah-9339
5+ Years of experience in Cybersecurity, CISSP Aspirant

Active 7h ago
Joined Jan 1, 2026