Security Basics mailing list archives
RE: CISSP Continuing Education
From: "David Harley" <david.a.harley () gmail com>
Date: Sun, 20 May 2007 19:14:41 +0100
I see what you are getting at, but there is a possible flaw I see. You get the CISSP to say that you have general knowledge across the 10 domains. Regardless of the difficulty of the test, you are right in that it is, as someone else put it, "a mile wide and an inch deep." It is a good cert for those who need the basic idea of stuff but don't need to know the technical details.
That's not actually what I said. Given the length of the exam and the experience requirement, it means a bit more than an ability to answer questions like "what does AIC stand for?" There are other generalist certs that are much easier to obtain.
But then what is the continuing education requirement for? It was my understanding to keep yourself up-to-date, if not just familiar with the ten domains.
What you're pointing to is an apparent inconsistency in the requirement to maintain professional development. Re-examination doesn't actually suggest professional development. It suggests staying in one place. (Of course, someone who doesn't meet the CPE credit requirement might still be progressing, but not in ways that translate easily to credits.) So you could turn your argument on its head and say "what is the recertification testing for?" You should already know what a Vigenere cipher is, and the chances are you won't ever need to use one. :) You can argue, though, that re-certifying is continuing development, in that it involves refreshing knowledge across the whole ten domains.
So why not have a requirement saying spread out your education to include x (for x>1) different domains?
Does that mean that more specialized personal development is invalid? I wouldn't have said so. After all, anyone who manages 120 credits over three years, at least 80 of them directly related to the 10 domains, is not likely to have managed to do that solely in one domain. Security simply isn't that neat and partitioned.
They already have an idea of what counts as credit for continuing education. They just need to add it to the policy from what I can see.
Adding it as an explicit requirement isn't hard. Verifying it in each individual case would be interesting. OK, you could go on checking at random: you'd just be looking in more detail. But is it desirable, let alone necessary? (I.e. are we going to deny the value of development because it's vocational rather than across-the-board? That's just going back to the fallacy that CISSP = passing the test.)

--
David Harley CISSP, Small Blue-Green World
Security Author/Editor/Consultant/Researcher
AVIEN Guide to Malware: http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography: http://www.smallblue-greenworld.co.uk/pages/bibliography.html