RE: Seeking input: Research Proposal: "Is a third position possible?"

["Laura Taylor" <ltaylor () relevanttechnologies com>]

This is the database I was speaking of in my prior email. According to ISC2,
not all CISSPs are listed in this database. They actually told me that some
don't choose to be listed...not sure why anyone going through the trouble to
get the certificate wouldn't want to be listed. They don't automatically
list every CISSP and told me that many are not listed. The CISSP has to ask
to be listed. It thought it seemed strange that they just didn't list them
all. Laura

-----Original Message-----
From: Bill Royds [mailto:broyds () rogers com]
Sent: Monday, April 05, 2004 6:39 PM
To: ltaylor () relevanttechnologies com
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Seeking input: Research Proposal: "Is a third
position possible?"


Laura, I forwarded your message to the CISSPforum mailing list and received
several comments including this useful one:
-----Original Message-----
From: Bill Putman [mailto:w_putman () pacbell net]
Sent: April 5, 2004 12:11 PM
To: cisspforum () yahoogroups com
Subject: [cisspforum] Re: FW: [fw-wiz] Seeking input: Research Proposal: "Is
a third position possibl

There is a "Certification Verification" page on the public side of the
ISC Web site.  It is not easy to find.  One must click on the
"Post-Certification" link on a page other than the home page.  A menu
of links is then presented with one labeled "Certification
Verification - Verify an individual's (ISC)2 credentials."  The link
is as follows:

https://www.isc2.org/cgi/cert_verification.cgi

Querying on the last name or portion thereof, the full name and some
location info is displayed of the "certified individual."  Presumably
the queried database is complete and the cert is in good standing.
Hopefully, the navigation to this page will be more apparent in the
redesigned Web site, and ISC personnel will direct phone inquiries to it.

Bill Putman


--- In cisspforum () yahoogroups com, "Brigitte Grieger"
<Brigitte.Grieger@g...> wrote:
> > Keep in mind the person said they CALLED the ISC2 offices and were
turned
> > down... this makes sense if you think about it.  If the person
followed
> the
> > instructions and WRITTEN to ISC2 on corporate letterhead, then
there would
> > have likely been a verification.
> [...]
> > > I was thinking of hiring a person with a CISSP and called up ISC2 to
> > verify
> > > if they really were a CISSP. ISC2 told me that they never verify if
> > anyone
> > > is a CISSP as it is an invasion of the person's privacy.
>
> Seems that this case was handled very badly by the ISC2 person
answering the
> call. (S)he should have told the caller what to do in order to get a
> verification.
>
> However, if that was the reason the CISSP was not hired (s)he might be
> better off that way.
>
> Regards,
> Brigitte
>
> --

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Laura Taylor
Sent: April 2, 2004 10:31 AM
To: 'Crispin Cowan'; 'Holt, Philip'
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Seeking input: Research Proposal: "Is a third position
possible?"

Something curious to know about CISSP is this....

I was thinking of hiring a person with a CISSP and called up ISC2 to verify
if they really were a CISSP. ISC2 told me that they never verify if anyone
is a CISSP as it is an invasion of the person's privacy. I then asked them
how could I know for sure if this person really was a CISSP and told them
that the person was not listed in the CISSP database on the ISC2 web site.
They then told me that not all CISSPs are listed in the database because
some don't want to be listed. They told me that the only way to verifiy if a
person is a CISSP is to ask them for their certificate. I then asked them if
all certificates look exactly alike and can they tell me how to know if a
certificate it authenticate. I was told that all certificates do not look
exactly alike and that they have changed their look over the years so there
is no way to know if a particular certificate is real or not.

After much discussion, it became clear that they were not willing to verify
if anyone is a CISSP, and that there was no way for anyone to really verify
this information unless the person chooses to be listed in the database on
the ISC2 web site. I told them that in my opinion their process for
certification was not consistent with the concept of "trust, but verify" and
I ended up not hiring the person I had originally interviewed.

If a certification cannot be verified, to me it is worthless. I'd rather
hire an MCSE because Microsoft is willing to verify all their
certifications.

The philosophies and ethics of 2600 could possibly be questionable, but I
dare say that ISC2 is not at all the organization that I once thought it to
be.

Laura

------------------------------------------------
Laura Taylor
Relevant Technologies, Inc.
www.relevanttechnologies.com


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com]On Behalf Of Crispin
Cowan
Sent: Tuesday, March 23, 2004 12:28 AM
To: Holt, Philip
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Seeking input: Research Proposal: "Is a third
position possible?"


Holt, Philip wrote:

> that reveals your thoughts concerning, "Is a third position possible?"
>   We are all aware of CISSP's Canons.
>   We are also all aware of the positions put forth and the beliefs
> held fast to of the 2600 Group, Hacktivismo, John Perry Barlow's
> "Declaration of Cyberspace" and a host of other similar positions and
> beliefs that are in fact counter-positions to those revealed in
> CISSP's Canon.
No, I'm not aware of the CISSP canon. To me, the philosophies of CISSP
are about as mystic and secretive as Scientology, and as such about as
useful :)

The 2600 crowd have a lot of well-known philosophies. One of the
particularly well-known canon of the 2600 crowd is that they never
actually agree on anything :) And I dare say that some 2600 people have
CISSPs.

So no, I have no idea what your question is. You suggest that there are
two diametrically opposed views here, but since you specify both by
obscure reference and never actually define them, it's really hard to
tell what the hell you are talking about. Please specify what you think
the opposing views are, and then we can discuss them.

Crispin

--
Crispin Cowan, Ph.D.
Security Consulting  http://crispincowan.com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards