Security Basics mailing list archives

RE: CISSP Question


From: "Al Gettier" <agettier () tealeaf com>
Date: Wed, 2 May 2007 14:31:37 -0700

OK, how about something like a military officer.  I think my 4 years in hit all of these in one way or another....

- Work requiring habitual memory of a body of knowledge shared with others doing similar work. 
- Management of projects and/or other employees. 
- Supervision of the work of others while working with a minimum of supervision of one's self. 
- Work requiring the exercise of judgment, management decision-making, and discretion. 
- Work requiring the exercise of ethical judgment (as opposed to ethical behavior). 
- Teaching, instructing, training and the mentoring of others. 
- The specification and selection of controls and mechanisms (i.e. identification and authentication technology) (does not include the mere operation of these controls). 
- Applicable titles such as officer, director, manager, leader, supervisor, analyst, designer, cryptologist, cryptographer, cryptanalyst, architect, engineer, instructor, professor, investigator, consultant, salesman, representative, etc. Title may include programmer. It may include administrator, except where it applies to one who simply operates controls under the authority and supervision of others. Titles with the words "coder" or "operator" are likely excluded.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Florian Rommel
Sent: Wednesday, May 02, 2007 4:34 PM
To: Simmons, James
Cc: security-basics () securityfocus com
Subject: Re: CISSP Question


Touché, James. Well done, you pointed out the one thing that I have been
thinking about for a while as well. However, in 99% of cases I would say a person that
has been on guard duty for 4 years won't have much interest in a CISSP and
then, if he should get it, will have quite some catching up to do.
Most employers will find it rather weird that he or she was doing guard duty
for 4 years and got a CISSP   :)

I do think though that this is a viable loophole for anyone that wants to
exploit it that way. I do think it is a little far fetched because you still
have to show that your job included some of the actions on the list.

Good point though, I like it. Wonder what ISC2 has to say about this and how
many people have used that or a similar loophole already.

Cheers,

//Flosse

http://blog.2blocksaway.com

On 5/2/07 10:57 PM, "Simmons, James" <jsimmons () eds com> wrote:

So here is a thought for everyone.

To qualify for CISSP, you should have at least four years of experience in one
of the ten domains, which include Physical Security. So with a bit of
cramming, your gun-cleaning gate guard of 4 years can be a qualified CISSP
with next to minimal experience in Information security.
And as per the ISC2 webpage, to qualify experience you need to have done some
of the included actions.
(https://www.isc2.org/cgi-bin/content.cgi?category=1187)

Reactions anyone?

P.S. I am not saying that all gate guards are incapable of being good CISSPs.
I am just pointing out an all too common scenario.

Regards,

Simmons

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Florian Rommel
Sent: Wednesday, May 02, 2007 10:53 AM
To: Nicolas villatte; krymson () gmail com; security-basics () securityfocus com
Subject: Re: CISSP Question

I agree with Nicolas here. I definitely wouldn't endorse a Desktop Jockey with
4 years of experience. I already filed a complaint once because I know a guy
who, because he has some certifications and has worked in PC support, thinks
he is qualified to take the exam. His "boss/partner in crime" was ready to
sign off on it. I know for some people a certification like the CISSP doesn't
mean much, but that still shouldn't mean anyone can get in. I had my work
experience fully documented by all my previous employers before I took the
exam.

Security experience in any of the 10 domains for 4 years doesn't mean that
during those 4 years you should have done something security-related at some
point; it means that your position was directly security-related.

//flosse
http://blog.2blocksaway.com


On 5/2/07 9:47 AM, "Nicolas villatte" <Nicolas.Villatte () chello be> wrote:

Not really, because 5% of your time involved in security during 4
years would give you barely 2 months of experience. I don't know any
CISSP who would endorse such a candidate.

https://www.isc2.org/cgi/content.cgi?category=1187

"Applicants must have a minimum of four years of direct full-time
security professional work experience in one or more of the ten
domains of the (ISC)² CISSP® CBK®."

Regards,
Nicolas.


----------------------------------------------------------------------------------------

Nicolas VILLATTE

CISSP, GCIA, GCIH, GCFA

Sr. Security Management Specialist


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of krymson () gmail com
Sent: Tuesday, May 01, 2007 14:14
To: security-basics () securityfocus com
Subject: RE: CISSP Question

Just a quick add, don't overthink the 4 years' experience requirement.
You need that experience in any one (or more) of the 10 domains.
Honestly, if you're a desktop support jockey for 4 years and you do
some sort of security as part of your work (do you manage passwords
and/or respond to spyware incidents?), you can still qualify. Realistically,
anyone with 4 years' experience in IT.
