Security Basics mailing list archives

RE: CISSP Continuing Education


From: "Simmons, James" <jsimmons () eds com>
Date: Fri, 18 May 2007 13:27:46 -0500

I see what you are getting at, but there is a possible flaw I see. 
You get the CISSP to say that you have general knowledge across the 10
domains. Regardless of the difficulty of the test, you are right in
that it is, as someone else put it, "a mile wide and an inch deep." It is
a good cert for those who need the basic idea of stuff but don't need to
know the technical details. 
But then what is the continuing education requirement for? It was my
understanding to keep yourself up-to-date, if not just familiar with the
ten domains. So why not have a requirement saying spread out your
education to include x (for x>1) different domains?
They already have an idea of what counts as credit for continuing
education. They just need to add it to the policy from what I can see. 

Regards,

Simmons

-----Original Message-----
From: David Harley [mailto:david.a.harley () gmail com] 
Sent: Friday, May 18, 2007 2:32 AM
To: Simmons, James; security-basics () securityfocus com
Cc: 'Craig Wright'
Subject: RE: CISSP Continuing Education

ISC2 does not have in place a requirement that spreads the continuing
education across the ten domains.
 
I don't actually think that's a weakness for this type of cert. It isn't
like a Juniper or Cisco cert: it's about knowing general principles, not
current product knowledge.
 
"Does ISC2 have in place a system to ensure that certified people
continue their education across all 10 domains?"

I don't think the verification process is anything like that
fine-grained.
The question is whether it should be. (Even apart from the extra
administrative load it would impose.)
 
But for your continuing education, you can focus on strictly one
domain and lose familiarity with the other 9 domains.
 
That depends on what you mean by familiarity. Very few people work
consistently across all ten domains, and I certainly wouldn't expect
anyone to give me a high-flying specialist job purely on the basis of my
current knowledge of cryptography or physical security. 
 
CISSP doesn't say that you're an expert in all ten domains and fully
up-to-date in those areas. If it did, your previous criticisms would be
justified, or at any rate justifiable. It says that you have a basic
understanding of all those areas which gives you a good overall feel for
general principles, the way in which different areas interconnect, and a
solid basis on which to augment your basic knowledge if and when
required to (a change of job focus, for instance.)
 
Actually, what CISSP says to me is this (and yes, it's a subjective
view):
"I am an information security professional with a minimum of x years
experience in security management, awareness and knowledge of the
fundamentals of the ten domains, and I'm committed to certain
professional and ethical standards. One aspect of those ethical
standards is that I don't claim knowledge and expertise that I don't
actually have."
 
I think you're expecting too much of the cert. It doesn't stretch those
with technical expertise in particular domains: the only stretch is that
it requires you to be fairly conversant with all the domains.  (Don't be
misled by the fact that I've used the term "basic knowledge": the test
isn't -that- easy. But it doesn't require specialist knowledge.) 
 
I'd be mad to say "Look, I'm an expert in malware management, and I've
got the CISSP to prove it." If I needed that sort of endorsement, I'd be
looking at a different range of certs, say GIAC. 
 
But this does seem counterproductive to the purpose of the cert,
 
Not necessarily. The cert doesn't target people who need to be expert
practitioners in all ten domains (how many people do need to be?) It
targets people who can work more effectively with a fundamental
understanding of all ten domains. On the other hand, a CISSP holder
isn't necessarily "expert" in any single domain. In those circumstances,
there might be an argument for requiring them to reaffirm their
competence across all domains from time to time. But for that, a re-test
might actually be more appropriate. In fact,
(ISC)2 may have that scenario in mind by offering re-testing as an
alternative to CPE credits.
 
and a relatively easy fix. Of course there would be more man hours 
spent during audits and the sort,
 
Not easy at all. It's not just auditing: it's sorting through all the
different types of activity that can be seen as qualifying to weight
them according to domain, then tracking an individual's record across
all domains. Not impossible, but more work (and expense!) than you may
think.
 
and I am sure a lot of CISSP certified people really do not want to 
sit through classes on cryptography, or physical security.

I look at all sorts of things that aren't strictly related to my main
work (not all of them particularly security or IT-related). Of course,
classes aren't the only way to stay current, and I'd resent having to
spend large amounts of my own time and money on keeping up-to-date with
areas of marginal relevance to my own field.

--
David Harley CISSP, Small Blue-Green World Security
Author/Editor/Consultant/Researcher
AVIEN Guide to Malware:
http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography:
http://www.smallblue-greenworld.co.uk/pages/bibliography.html
