Security Basics mailing list archives

RE: CISSP Continuing Education


From: "David Harley" <david.a.harley () gmail com>
Date: Sun, 20 May 2007 19:14:41 +0100

> I see what you are getting at, but there is a possible flaw I see.
> You get the CISSP to say that you have general knowledge
> across the 10 domains. Regardless of the difficulty of the
> test, you are right in that it is, as someone else put it "a
> mile wide and an inch deep." It is a good cert for those who
> need the basic idea of stuff but don't need to know the
> technical details.

That's not actually what I said. Given the length of the exam and the
experience requirement, it means a bit more than an ability to answer
questions like "what does AIC stand for?" There are other generalist certs
that are much easier to obtain. 

> But then what is the continuing education requirement for? It
> was my understanding to keep yourself up-to-date, if not just
> familiar with the ten domains.

What you're pointing to is an apparent inconsistency in the requirement to
maintain professional development. 

Re-examination doesn't actually suggest professional development. It
suggests staying in one place. (Of course, someone who doesn't meet the CPE
credit requirement might still be progressing, but not in ways that
translate easily to credits.) So you could turn your argument on its head
and say "what is the recertification testing for?" You should already know
what a Vigenere cipher is, and the chances are you won't ever need to use
one. :) You can argue, though, that re-certifying is continuing development,
in that it involves refreshing knowledge across the whole ten domains. 

> So why not have a requirement
> saying spread out your education to include x (for x>1)
> different domains?

Does that mean that more specialized personal development is invalid? I
wouldn't have said so. After all, anyone who manages 120 credits over three
years, at least 80 of them directly related to the 10 domains, is not likely
to have managed to do that solely in one domain. Security simply isn't that
neat and partitioned.

> They already have an idea of what counts as credit for
> continuing education. They just need to add it to the policy
> from what I can see.

Adding it as an explicit requirement isn't hard. Verifying it in each
individual case would be interesting. OK, you could go on checking at
random: you'd just be looking in more detail. But is it desirable, let alone
necessary? (I.e. are we going to deny the value of development because it's
vocational rather than across-the-board? That's just going back to the
fallacy that CISSP = passing the test.) 

-- 
David Harley CISSP, Small Blue-Green World
Security Author/Editor/Consultant/Researcher
AVIEN Guide to Malware:
http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography:
http://www.smallblue-greenworld.co.uk/pages/bibliography.html