Security Basics mailing list archives
RE: CISSP Question
From: Elizabeth Tolson <etolson () gibralter net>
Date: Thu, 3 May 2007 17:15:45 -0400 (GMT-04:00)
There are many things that I would like to do. I really would like to teach at our Community College. Besides getting my Master's Degree in ISS, I am attending the Forensics Boot Camp at KSU (on-line). I like the thought of Data Recovery. I like the thought of assisting with our Police Department or District Attorney. I live in a small town and all of this is possible. Regarding being in a dead-end job --- I am underpaid, unappreciated, and basically unhappy. Computer Security and Computer Forensics are something that I really really enjoy and want to pursue. I know it will not happen overnight...but it will happen.

Elizabeth

-----Original Message-----
From: Craig Wright <Craig.Wright () bdo com au>
Sent: May 3, 2007 4:05 PM
To: Elizabeth Tolson <etolson () gibralter net>, Florian Rommel <frommel () gmail com>, "Simmons,James" <jsimmons () eds com>
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question

Elizabeth,

Discussions often diverge from the originating question. The splits in the thread are in no manner aimed at you.

The biggest issue is for you to have an idea of what you want long term. You state that you are in a dead end job. As such I would ask whether you are doing this for the money or if this is something you enjoy. The latter is the better option as you are more likely to have a passion for the work and this will carry you further than any number of certs. Don't think short term - even 5 years. You can reframe as time rolls on, but you need to have some idea of what you want in the longer term. That is 10-20 years. This need not be clear and as stated it will change, but a moving target is far superior to no target.

CCE is an aid in forensics and digital capture work. It has little if any use or meaning outside these areas. Is this what you are looking at?

You mention dead-end - which I would assume to have the meaning of no career progression. To this end there are two real long term paths.

1. Technical expert. This may be a senior consultant in an outsource firm as a principal or it may be in a large commercial firm (such as a bank).
2. Management. CIO, CISO etc. This requires extra skills and a different path than the prior.

Asking based on what pays the most or similar as some people do is not a good decider. The rates are variable and need to be correlated to other endeavors of similar level to have this formulated and, in contradiction to the belief of many on the list, there are far higher wages outside Information Security.

If you want to progress in either path (such that they are not dead-end and have a clear progression), you need to spend time in constant learning and study. IT is becoming more professionalised over time and this trend will not be abated. So this means that the MISS is only the first stage, but a good one. It again all depends on what you are aiming at.

Regards,
Craig

Craig Wright
Manager of Information Systems
Direct +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system. Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au. BDO Kendalls is a national association of separate partnerships and entities.
________________________________

From: Elizabeth Tolson [mailto:etolson () gibralter net]
Sent: Fri 4/05/2007 12:40 AM
To: Craig Wright; Florian Rommel; Simmons,James
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question

Hi All:

I started this thread as a simple question and want to clarify one thing. I, in NO way, want to cheat, cut corners, etc. to get this or any other Certification. I am working VERY hard now to get my Masters in Information Systems Security as I am in a dead-end job as a Paralegal. I did not know if a Masters Degree and CCE Certification could help in any way. That is why I asked.

Elizabeth

-----Original Message-----
From: Craig Wright <Craig.Wright () bdo com au>
Sent: May 2, 2007 5:36 PM
To: Florian Rommel <frommel () gmail com>, "Simmons, James" <jsimmons () eds com>
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question

Experience as a "mere operator" is specifically excluded. A gate guard is not involved in the design of security systems. If you read the requirements you should see that this is not a loophole and is not a valid set of experience.

Next it involves professional experience. Sorry for those on the list who believe otherwise, but a security guard is not considered as a professional. There are codes of conduct and legislation for security guards, but they are not in any way professional. In this - the legal taxonomy of professional is all that counts. How a court will read the term is defined in case law dating to the 12th century and is valid (though updated by state statute) in the US as well as most (if not all) common law countries.

"Professional responsibility. A paradigm case of the moral responsibility that arises from the special knowledge that one possesses. It is mastery of a special body of advanced knowledge, particularly knowledge which bears directly on the well-being of others, that demarcates a profession.
As custodians of special knowledge which bears on human well-being, professionals are constrained by special moral responsibilities; that is, moral requirements to apply their knowledge in ways that benefit the rest of the society."

Security Guards are not professionals. They do not act as professionals. How well they do their job has nothing to do with the term.

Regards,
Craig

Craig Wright
Manager of Information Systems
Direct +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Florian Rommel
Sent: Thursday, 3 May 2007 6:34 AM
To: Simmons, James
Cc: security-basics () securityfocus com
Subject: Re: CISSP Question

Touché James. Well done, you pointed out the one thing that I have been thinking about for a while as well. However in 99% I would say a person that has been on Guard duty for 4 years won't have much interest in a CISSP and then, if he should get it, will have quite some catching up to do. Most employers will find it rather weird that he or she was doing guard duty for 4 years and got a CISSP :)

I do think though that this is a viable loophole for anyone that wants to exploit it that way. I do think it is a little far fetched because you still have to show that your job included some of the actions on the list. Good point though, I like it. Wonder what ISC2 has to say about this and how many people have used that or a similar loophole already.

Cheers,
//Flosse
http://blog.2blocksaway.com

On 5/2/07 10:57 PM, "Simmons, James" <jsimmons () eds com> wrote:

So here is a thought for everyone. To qualify for CISSP, you should have at least four years of experience in one of the ten domains, one of which is Physical Security. So with a bit of cramming, your gun cleaning, gate guard of 4 years can be a qualified CISSP with next to minimal experience in Information security. And as per the ISC2 webpage, to qualify experience you need to have done some of the included actions. (https://www.isc2.org/cgi-bin/content.cgi?category=1187)

Reactions anyone?

P.S. I am not saying that all gate guards are incapable of being good CISSP's. I am just pointing out an all too common scenario.
Regards,
Simmons

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Florian Rommel
Sent: Wednesday, May 02, 2007 10:53 AM
To: Nicolas villatte; krymson () gmail com; security-basics () securityfocus com
Subject: Re: CISSP Question

I agree with Nicolas here. I definitely wouldn't endorse a Desktop Jockey with 4 years of experience. I already filed a complaint once because I know a guy who, because he has some certifications and has worked as a pc support, thinks he is qualified to take the exam. His "boss/partner in crime" was ready to sign off on it. I know for some people a certification like the CISSP doesn't mean much but that still shouldn't mean anyone can get in. I had my work experience fully documented by all my previous employers before I took the exam.

Security experience in any of the 10 domains for 4 years doesn't mean that during those 4 years you should have done something security related at some point; it means that your position was directly security related.

//flosse
http://blog.2blocksaway.com

On 5/2/07 9:47 AM, "Nicolas villatte" <Nicolas.Villatte () chello be> wrote:

Not really, because 5% of your time involved in security during 4 years would give you barely 2 months of experience. I don't know any CISSP who would endorse such a candidate.

https://www.isc2.org/cgi/content.cgi?category=1187
"Applicants must have a minimum of four years of direct full-time security professional work experience in one or more of the ten domains of the (ISC)² CISSP® CBK®."

Regards,
Nicolas.

----------------------------------------------------------------------
Nicolas VILLATTE CISSP, GCIA, GCIH, GCFA
Sr. Security Management Specialist

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of krymson () gmail com
Sent: mardi 1 mai 2007 14:14
To: security-basics () securityfocus com
Subject: RE: CISSP Question

Just a quick add, don't overthink the 4 years' experience requirement. You need that experience in any one (or more) of the 10 domains. Honestly, if you're a desktop support jockey for 4 years and you do some sort of security as part of your work (do you manage passwords and/or respond to spyware incidents?), you can still qualify. Realistically, anyone with 4 years' experience in IT.