Security Basics mailing list archives

RE: CISSP Question


From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Thu, 3 May 2007 08:07:44 +1000

And if you are EVER found to have cheated, your cert is revoked and you never get it back.

Next, it is fraud and misrepresentation, and if you use it on many legal documents it could even be perjury. So yes,
it is possible to lie, but if you get caught you go to gaol and we can all pick on the CISSP cheat who has no real
experience and now has to watch the soap.

Further, even after you have been in the industry, if someone discovered that you cheated 20 years back it is a
continuing fraud, and thus the limitations (legally) only kick in when it is discovered.

So, can you rob a bank and never be caught? Yes. Is this a wise decision? No. Is it legal? No. Same for the "how do we
find ways to cheat" discussion.

Regards,
Craig



Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au


-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Simmons, James
Sent: Thursday, 3 May 2007 7:16 AM
To: Florian Rommel
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question

Well I can say from experience that a lot of aspiring military computer people are using that. A 4 year enlistment. 
Standing guard duty, firefighting, and then they reset passwords all day with little else experience. But of course on 
a resume/job sheet, it is easy to make it sound like you are single handedly running the entire network of 1000+ users. 
And for $2000 you too can attend a crash course to prep you for the test.

I find it funny/sad that there is an IT certification industry, and a "help you pass <cough>cheat</cough> an IT 
certification" industry.

Regards,

J.A. Simmons V
EDS - Navy Marine Corps Intranet (NMCI)
Information Assurance Engineer
3980 Sherman St. | San Diego, CA 92110
Office: 1 + 619 817 3821 | Fax: 1 + 619 817 3780
jsimmons () eds com

-----Original Message-----
From: Florian Rommel [mailto:frommel () gmail com] 
Sent: Wednesday, May 02, 2007 1:34 PM
To: Simmons, James
Cc: security-basics () securityfocus com
Subject: Re: CISSP Question

Touché James. Well done, you pointed out the one thing that I have been thinking about for a while as well. However, in
99% of cases I would say a person that has been on guard duty for 4 years won't have much interest in a CISSP and then,
if he should get it, will have quite some catching up to do.
Most employers will find it rather weird that he or she was doing guard duty for 4 years and got a CISSP   :)

I do think though that this is a viable loophole for anyone that wants to exploit it that way. I do think it is a 
little far fetched because you still have to show that your job included some of the actions on the list.

Good point though, I like it. Wonder what ISC2 has to say about this and how many people have used that or a similar 
loophole already.

Cheers,

//Flosse

http://blog.2blocksaway.com

On 5/2/07 10:57 PM, "Simmons, James" <jsimmons () eds com> wrote:

So here is a thought for everyone.

To qualify for CISSP, you should have at least four years of experience in one of the ten domains, which include
Physical Security. So with a bit of cramming, your gun-cleaning gate guard of 4 years can be a qualified CISSP with
next to minimal experience in information security.
And as per the ISC2 webpage, to qualify experience you need to have done some of the included actions.
(https://www.isc2.org/cgi-bin/content.cgi?category=1187)

Reactions anyone?

P.S. I am not saying that all gate guards are incapable of being good CISSPs.
I am just pointing out an all too common scenario.

Regards,

Simmons

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Florian Rommel
Sent: Wednesday, May 02, 2007 10:53 AM
To: Nicolas villatte; krymson () gmail com; 
security-basics () securityfocus com
Subject: Re: CISSP Question

I agree with Nicolas here. I definitely wouldn't endorse a Desktop Jockey with 4 years of experience. I already filed
a complaint once because I know a guy who, because he has some certifications and has worked as a PC support, thinks
he is qualified to take the exam. His "boss/partner in crime" was ready to sign off on it. I know for some people a
certification like the CISSP doesn't mean much, but that still shouldn't mean anyone can get in. I had my work
experience fully documented by all my previous employers before I took the exam.

Security experience in any of the 10 domains for 4 years doesn't mean that during those 4 years you should have done
something security related at some point; it means that your position was directly security related.

//flosse
http://blog.2blocksaway.com


On 5/2/07 9:47 AM, "Nicolas villatte" <Nicolas.Villatte () chello be> wrote:

Not really, because 5% of your time involved in security during 4 years would give you barely 2 months of experience.
I don't know any CISSP who would endorse such a candidate.

https://www.isc2.org/cgi/content.cgi?category=1187

"Applicants must have a minimum of four years of direct full-time security professional work experience in one or
more of the ten domains of the (ISC)² CISSP® CBK®."

Regards,
Nicolas.


--------------------------------------------------------------------------------

Nicolas VILLATTE

CISSP, GCIA, GCIH, GCFA

Sr. Security Management Specialist


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of krymson () gmail com
Sent: Tuesday, 1 May 2007 14:14
To: security-basics () securityfocus com
Subject: RE: CISSP Question

Just a quick add: don't overthink the 4 years' experience requirement.
You need that experience in any one (or more) of the 10 domains.
Honestly, if you're a desktop support jockey for 4 years and you do some sort of security as part of your work (do you
manage passwords and/or respond to spyware incidents?), you can still qualify. Realistically, anyone with 4 years'
experience in IT.
