Security Basics mailing list archives

RE: CISSP Question

From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 2 May 2007 14:24:47 -0700

  I doubt that it's "all too common".  That gate guard is going to
find the other nine domains heavy sledding on the exam if he's never
gotten closer to IT than the gate; if he can do well in them, too, 
then the gate was a wasteful place to put him.

  The experience has to be endorsed by either a CIO (presumably the
employer) or a current CISSP (who would be risking their own
certification...).  While it could be legal to endorse based on
four years at the bottom of a single domain, I for one would 
prefer to see a mix of domains and some exercise of responsibility.

  So although the worst-case version of this scenario is theoretically
possible, I wouldn't expect it to be common, and I think there are
good odds that it hasn't ever happened.

David Gillett
Full Disclosure:  CISSP CCNP CCSE MCSE
  (and 30 years of experience, 20 in software
  development and 10 in networking and security)

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Simmons, James
Sent: Wednesday, May 02, 2007 12:58 PM
To: Florian Rommel
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question

So here is a thought for everyone.

To qualify for CISSP, you should have at least four years of 
experience in one of the ten domains. Of which includes 
Physical Security. So with a bit of cramming, your gun 
cleaning, gate guard of 4 years can be a qualified CISSP with 
next to minimal experience in Information security.
And as per the ISC2 webpage, to qualify experience you need 
to have done some of the included actions. 
(https://www.isc2.org/cgi-bin/content.cgi?category=1187)

Reactions anyone?

P.S. I am not saying that all gate guards are incapable of 
being good CISSP's.  I am just pointing out an all too common 
scenario.

Regards,

Simmons

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Florian Rommel
Sent: Wednesday, May 02, 2007 10:53 AM
To: Nicolas villatte; krymson () gmail com; 
security-basics () securityfocus com
Subject: Re: CISSP Question

I agree with Nicolas here. I definitely wouldn't endorse a 
Desktop Jockey with 4 years of experience. I already filed 
once a complaint because I know a guy who, because he has 
some certifications and has worked as a pc support, thinks he 
is qualified to take the exam. His "boss/ partner in crime" 
was ready to sign off on it. I know for some people a 
certification like the CISSP doesn't mean much but that still 
shouldn't mean anyone can get in. I had my work experience 
fully documented by all my previous employers  before I took the exam.

Security experience in any of the 10 domains for 4 years 
doesnt mean that during those 4 years you should have done 
something security related at some point it means that your 
position was directly security related.

//flosse
http://blog.2blocksaway.com

On 5/2/07 9:47 AM, "Nicolas villatte" 
<Nicolas.Villatte () chello be> wrote:

Not really, because 5% of your time involved in security during 4 
years would give you barely 2 months of experience. I don't

know any

CISSP who would endorse such a candidate.

https://www.isc2.org/cgi/content.cgi?category=1187

"Applicants must have a minimum of four years of direct full-time 
security professional work experience in one or more of the ten 
domains of the (ISC)² CISSP® CBK®."

Regards,
Nicolas.

----------------------------------------------------------------------

------
--------

Nicolas VILLATTE

CISSP, GCIA, GCIH, GCFA

Sr. Security Management Specialist


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of krymson () gmail com
Sent: mardi 1 mai 2007 14:14
To: security-basics () securityfocus com
Subject: RE: CISSP Question

Just a quick add, don't overthink the 4 years' experience

requirement.

You need that experience in any one (or more) of the 10 domains. 
Honestly, if you're a desktop support jockey for 4 years and you do 
some sort of security as part of your work (do you manage passwords 
and/or respond to spyware incidents?), you can still

qualify. Realistically, anyone with 4 years'

experience in IT.

Current thread:

RE: CISSP Question krymson (May 01)
- RE: CISSP Question Chris Smith (May 01)
- RE: CISSP Question Nicolas villatte (May 02)
  - Re: CISSP Question Florian Rommel (May 02)
    - RE: CISSP Question Simmons, James (May 02)
    - Re: CISSP Question Florian Rommel (May 02)
    - RE: CISSP Question Al Gettier (May 02)
    - RE: CISSP Question Simmons, James (May 02)
    - RE: CISSP Question Kelly, Robert L (Lee) (May 03)
    - RE: CISSP Question David Gillett (May 02)
- <Possible follow-ups>
- Re: Re: CISSP Question nomail (May 01)
- RE: CISSP Question David Gillett (May 01)
- RE: CISSP Question Craig Wright (May 02)
- RE: CISSP Question Craig Wright (May 02)
  - RE: CISSP Question Lee McDonald (May 04)
    - RE: CISSP Question Simmons, James (May 04)
    - RE: CISSP Question Lee McDonald (May 04)
- RE: CISSP Question krymson (May 02)
- RE: CISSP Question Craig Wright (May 02)
  - RE: CISSP Question Simmons, James (May 02)

(Thread continues...)