Not feeling super confident -
Been studying since I completed the class in April (Great class by the way, if you are in the field and need to build or solidify some foundational knowledge I highly recommend it), but the more I study the stupider I am feeling. I really think this is going to be a write-off exam and I will end up retaking it in a couple months. Hopefully not, but that's the way it is feeling.
In other news -
I did up a nice little table that compares the CIS Top 20 Security Controls (actually the top 5 plus 1) to the ASD Mandatory Top 4 and the NSA IAD Top 10 (top 4) and correlated that to the NIST 800-53 controls. I tried to put it in Blogger in table format but it won't take. I am going to reformat a little bit and I will post a .jpg later today. I know this may seem pointless, but I actually do have a point with it - The Australian Security Directorate (ASD) did an analysis and found that 85% of the incidents they respond to could be prevented by implementation of their top 4 controls. SANS made similar claims about their top 5 (now controlled by CIS). Finally, the recent WannaCry ransomware epidemic could have been largely prevented by a good vulnerability/patch management program, and guess what figures heavily in those sets of controls. My point being that a base level of security is relatively easy to obtain and everything after that is gravy. (Don't interpret this as "Oh, we only have to do this stuff!" I am making the point that laying a good base to build on is an achievable proposition.)