RE: CISSP

From: Adam Morey (amorey@healthydirections.com)
Date: Wed Dec 06 2006 - 13:49:09 EST


The CISSP requires that candidates have a minimum of 4 years direct
full-time security experience in one of the 10 domains, this includes
management, creative writing, technical, military MP - anything that is
related to security - the CISSP is not all about firewall rules - it's
completely academic, not technical. It also requires an officer of your
company, another CISSP or some other official to endorse the candidate
to verify. While an 11 year old could have 4 years direct security
experience, it is highly unlikely.

There's a lot of knowledge and studying required for the CISSP - as well
as a very long (about 3 hour or so) test. I took my CISSP a few years
back and I also have a Masters Degree in Information Assurance so I've
studied information security in depth. Many of the folks in my masters
program took the CISSP after graduating and passed it without studying,
but some failed too.

The CISSP is not a bad certificate to have if you want to know a little
about a lot of different IA areas. It is truly a mile-wide and an inch
deep as they say. It makes you memorize a lot about encryption methods,
understand basic criminal investigation procedures, type of locks,
different kinds of fire extinguishers, the network part is very
elementary - what's a router/switch, is goes through a sort of history
of firewalls (proxy, transitive, address translation). It goes into
policies and procedures, risk analysis, access controls, and quite a bit
about law and ethics.

I don't care who you are - if you can study the 1000 pages recommended
reading - you're probably going to learn something different each time
you read it.

If you didn't know - the CISSP also expires if you don't submit what
they call CPE credits. Basically you need to attend trade shows, read
books, go to school, watch webinars or volunteer as an exam proctor
etc... to maintain your certification. This increases the value of the
certificate, as it means those who have it continue to read and
specialize in some way.

I wouldn't let someone near my firewalls without proven work experience,
and about 1000 policy pushes under their belt, product specific certs
are more important here. I wouldn't even want to know if they had their
CISSP or not.

Adam

> -----Original Message-----
> From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com]
> On Behalf Of Nick Besant
> Sent: Tuesday, December 05, 2006 5:45 AM
> To: pen-test@securityfocus.com
> Cc: dfullerton@mantor.org
> Subject: Re: CISSP
>
> I think it's a worthwhile qualification to have if only from the point
> of view of structured learning. Unless you've already done a CS or
> equivalent degree, it's unlikely that you'll have covered some of the
> architectural or formal methodologies, practices, standards etc that
you
> must know to take the CISSP exam. On-the-job learning is an excellent
> (I'm biased) way to learn all things security but you only tend to
> learn the technologies etc around the environments you're working
with.
>
> I found the learning process, while covering some out-of-date material
> that I'm unlikely to use in future, did cover some additional areas
> which I've since applied to projects to my / my employer's benefit.
>
> So; in summary, I would recommend it if you're looking for a broader
> certification/career path/etc focusing on security. The breadth (not
> really the depth) of the body of knowledge has provided me with a way
to
> cement together everything I've learned through working on or personal
> research. YMMV :)
>
>
> --
> Nick Besant (lists@hwf.cc)
>
>
>
> dfullerton@mantor.org wrote:
> > Then I wonder if this certification should really have this kind of
> notoriety. Looks like it's not technical and if an 11 years old boy
can
> complete this cert ...it's not about security management experience
> either.
> >
> > Anyone can give me some good reason to acquire CISSP while not being
> related to money and the wannabe marketing-made notoriety?
> >
> > Personally I done GCIH and GHTQ, the latest is harder and really
related
> to penetration testing. I would like some GOOD reason for someone in
the
> security field for a while and having others, more in deep, technical
> certification to go on with CISSP.
> >
> > Should we glorify such things? Tell me more about the exam, the
topics
> are quite general and may not be totally in line with the exam and the
> real knowledge being certified.
> >
> > Danny Fullerton
> > ---------------
> > IT Security Specialist, GCIH GHTQ
> > http://www.mantor.org/~northox
> > Mantor Organization
> >
> >
------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> >
>
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00
> 000008bOW
> >
------------------------------------------------------------------------
> >
> >
>
>
>
------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00
> 000008bOW
>
------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:25 EDT