
Distinctions - What Makes Us Different

Open Letter from Aman Bhar to Prospective Students:

Thank you for considering my team for your information security training needs.

We have observed that many respected organizations and instructors approach the delivery of CISSP prep events as an information technology security event. The focus therefore is inevitably on the technology used in the processing of data into information. This is a shame, as technology is only one of the many components of an information system.

This is what we do that is similar to ISC2's delivery of a CISSP prep seminar:

  1. Coverage of all 10 domains of the 'Common Body of Knowledge'.

This is what we do differently:

  1. CISSP stands for 'Certified Information Systems Security Professional'. We focus on information system security, not information technology security. The fact is that many participants are technological experts in their own right, be it network operations, storage management systems, database administration, etc. They don't need us to tell them what an MPLS network is, or the advantages of fibre over copper coaxial, etc.; what they do need is a mindset change. How to think 'big-picture' instead of 'vertical silo'. How deep principles within each domain interconnect into a beautiful whole. How to view their area of responsibility through the fascinating lenses of risk management. How to perform a threat and risk analysis, derive a residual risk position for their department, enterprise or client, articulate the same as an organizational, issue-specific or system policy, with advisory, regulatory or informative goals, and implement this policy through the right mix of physical, administrative and technical controls, performing one or more of the six control services in a defence-in-depth enterprise security architecture. Light bulbs flash when the penny drops, and we know we have succeeded in effecting this mindset change when 25-year-experienced IT Directors are just as excited and eager to learn as 5-year-experienced systems administrators!

  2. We deliver the content within a proprietary 'Theory, Technique, Tool' delivery framework via a proprietary 'Discuss, Demonstrate, Do' action learning model. The ten domains are chock-a-block full of theory, which, when implemented, is compromised for practical reasons. Take your relational database for example. Theoretically, a database must be normalized to at least 4 (out of 5) normal forms to qualify as a relational database, as this is the minimum level of atomicity required to yield the functional benefits of the relational model for data organization. But no vendor has ever complied with this theoretical principle, as the performance overhead required to do so is too high. Understanding the differences between relational database theory and the technique used by vendors to develop their products (tools) automatically explains 80% of the constant vulnerabilities we see in said databases. This understanding leads us to a logical choice of compensating deterrent, preventive, detective, recovery, and corrective controls to govern access to relational data repositories in adhering to a relevant residual risk position. In many cases, we are able to create learning labs where the theory is discussed, the technique demonstrated, and participants actively explore (do) the 'vulnerabilities-within-the-gap', the natural, man-made and/or technical threats that can exploit these vulnerabilities, leading to non-disaster, disaster and/or catastrophic impact levels, and the likelihood thereof, and select the right mix of controls to mitigate the same. In other words, participants actively learn the risk management mindset!

  3. We focus on examination technique via 750 proprietary questions, complete with written and verbal explanations for why an answer option is correct or wrong, according to CISSP examiners, and 'take-back' material that covers and summarizes relevant content.

(a) The CISSP domains deal with content that is often lagging behind current accepted practices. We still talk about TCSEC and ITSEC within a certification and accreditation framework, for example, even though both models have given way to ISO's Common Criteria model. There is good reason for this, as the foundational principles for security illustrated in the history and simplicity of what is discussed would be lost if the examination kept pace with daily changes in practice. Our 'take-home' material is therefore an accurate representation of the content that will be examined via the CISSP examination. We reserve discussion of the 'latest-and-greatest' practices for in-class dialogue, exploration and debate.

(b) 300 questions from this set of 750 are covered by our instructors within the event! This has helped many a candidate understand what a CISSP question is actually exploring, and how then to respond to it.

ISC2's current partnership requirements would prohibit the three innovations above, to the detriment, we believe, of our clients. This is why we have chosen to deliver our own version of the CISSP prep programme, to heartening testimony and applause from clients within various Departments of Defence, Fortune 500 organizations, etc., in Australia, the USA, Canada, Western Europe and Eastern Europe. These testimonials and the bio-data of the undersigned are linked hereto.

With my warm regards,

Aman Bhar
Executive Director
Aman Bhar & Associates


  • CISSP stands for 'Certified Information Systems Security Professional'. Consequently, and in accordance with a literal approach to the title's component words, we focus on information systems security, not information technology security.
  • When our students have a 'Eureka Moment', we know that we have succeeded in effecting a mind-set change. Suddenly, 25-year veteran IT Directors are just as excited and eager to learn as 5-year systems administrators!