Security Basics mailing list archives

RE: CISSP Continuing Education


From: "David Harley" <david.a.harley () gmail com>
Date: Fri, 18 May 2007 10:31:44 +0100

 ISC2 does not have in place a requirement that spreads the continuing
 education across the ten domains.
 
I don't actually think that's a weakness for this type of cert. It isn't
like a Juniper or Cisco cert: it's about knowing general principles, not
current product knowledge.
 
"Does ISC2 have in place a system to ensure that certified people continue
their education across all 10 domains?"

I don't think the verification process is anything like that fine-grained.
The question is whether it should be. (Even apart from the extra
administrative load it would impose.)
 
 But for your continuing education, you can focus on strictly one domain
 and lose familiarity with the other nine domains.
 
That depends on what you mean by familiarity. Very few people work
consistently across all ten domains, and I certainly wouldn't expect anyone
to give me a high-flying specialist job purely on the basis of my current
knowledge of cryptography or physical security. 
 
CISSP doesn't say that you're an expert in all ten domains and fully
up-to-date in those areas. If it did, your previous criticisms would be
justified, or at any rate justifiable. It says that you have a basic
understanding of all those areas which gives you a good overall feel for
general principles, the way in which different areas interconnect, and a
solid basis on which to augment your basic knowledge if and when required to
(a change of job focus, for instance.)
 
Actually, what CISSP says to me is this (and yes, it's a subjective view):
"I am an information security professional with a minimum of x years
experience in security management, awareness and knowledge of the
fundamentals of the ten domains, and I'm committed to certain professional
and ethical standards. One aspect of those ethical standards is that I don't
claim knowledge and expertise that I don't actually have."
 
I think you're expecting too much of the cert. It doesn't stretch those with
technical expertise in particular domains: the only stretch is that it
requires you to be fairly conversant with all the domains.  (Don't be misled
by the fact that I've used the term "basic knowledge": the test isn't -that-
easy. But it doesn't require specialist knowledge.) 
 
I'd be mad to say "Look, I'm an expert in malware management, and I've got
the CISSP to prove it." If I needed that sort of endorsement, I'd be looking
at a different range of certs, say GIAC.
 
 But this does seem counterproductive to the purpose of the cert,
 
Not necessarily. The cert doesn't target people who need to be expert
practitioners in all ten domains (how many people do need to be?) It targets
people who can work more effectively with a fundamental understanding of all
ten domains. On the other hand, a CISSP holder isn't necessarily "expert" in
any single domain. In those circumstances, there might be an argument for
requiring them to reaffirm their competence across all domains from time to
time. But for that, a re-test might actually be more appropriate. In fact,
(ISC)2 may have that scenario in mind by offering re-testing as an
alternative to CPE credits.
 
 and a relatively easy fix. Of course there would be more man-hours
 spent during audits and the sort,
 
Not easy at all. It's not just auditing: it's sorting through all the
different types of activity that can be seen as qualifying to weight them
according to domain, then tracking an individual's record across all
domains. Not impossible, but more work (and expense!) than you may think.
 
and I am sure a lot of CISSP certified people really do not 
want to sit through classes on cryptography, or physical security. 

I look at all sorts of things that aren't strictly related to my main work
(not all of them particularly security or IT-related). Of course, classes
aren't the only way to stay current, and I'd resent having to spend large
amounts of my own time and money on keeping up-to-date with areas of
marginal relevance to my own field.

--
David Harley CISSP, Small Blue-Green World
Security Author/Editor/Consultant/Researcher
AVIEN Guide to Malware:
http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography:
http://www.smallblue-greenworld.co.uk/pages/bibliography.html

 Regards,
 Simmons
