Firewall Wizards mailing list archives
RE: CISSP
From: "Ames, Neil" <NAmes () anteon com>
Date: Wed, 28 Nov 2001 12:27:37 -0500
All,

I enjoy this thread, though it seems far afield from firewall wizardry.

I just took a look at the *outline* of the ten domains of knowledge for the CISSP. Firewalls are mentioned on one line in the outline. That line in the "Key Areas of Knowledge" for Domain 2, Telecommunications and Network Security, is one of roughly 60 concepts on which a CISSP should be able to expound--for that domain. The other domains are:

1) Access Control Systems & Methodology
3) Security Management Practices
4) Applications & Systems Development Security
5) Cryptography
6) Security Architecture & Models
7) Operations Security
8) Business Continuity Planning & Disaster Recovery
9) Law, Investigations & Ethics
10) Physical Security

Let's say that's 600 concepts on which a CISSP should be able to write at least one paragraph. The exam has 250 questions, lasts six hours, and costs $450.

There are people with little experience (even with a 3-year-experience requirement) doing a lot of memorizing in order to get the shingle (I have no idea of success rates--but I am sure that there is some success). There are people with plenty of experience also doing a lot of reading and brushing up in order to pass. There is a reasonable burden to pass the exam, but not overwhelming.

Look at what CPAs endure by comparison: a 3-day test that something like 4% pass on the first attempt. (I don't know the number for the CISSP, but I know that it is *much* higher.) A friend who is a former Navy SEAL and a current CPA says that the CPA exam is the mental equivalent of the physical testing that a SEAL endures. (Now I need to find a former SEAL who is a current CISSP.)

The CISSP body of knowledge may be refined, and the test may eventually reach the high level of standards of a CPA, at which point I don't think that there will be a debate about its value.

It appears that there is agreement that anyone looking for a firewall administrator does not need to look for a CISSP. I hope that consensus builds that someone needing consulting, managed services, and such should regard the certification highly--though not yet with the confidence in a CPA-like certification. I am confident, however, in saying that an IT manager with a CISSP certificate *will* be able to get more traction with executives, and be much more likely to get their security budget, than a manager without one.

I know from personal experience that CISSP-related study contributes to my value to clients. (More money for fast cars and cheap women, and more time for X-tank, if I may borrow some of Stephen Berry's humor.)

Full disclosure: I am in a study group of prospective and current CISSPs. We discuss one to three articles a week, meeting for two hours every Saturday afternoon. It is a lot of fun and it's educational. (It may be more that it is an excuse to miss diaper-changing duty, or to put off raking leaves...)

Thanks,
Fritz

-----Original Message-----
From: Bill_Royds () pch gc ca [mailto:Bill_Royds () pch gc ca]
Sent: Tuesday, November 27, 2001 12:18 PM
To: t
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] CISSP

To be allowed to write the CISSP, one has to document at least 3 years experience in at least 2 of the "domains" of knowledge. The CISSP has been described as the 10,000 foot view of IT security. It does NOT indicate great depth in any field, as Crispin Cowan has properly noted. But it does mean someone has looked at a large number of areas and is aware of the implications of them.

I am involved in a CISSP study course at the moment and plan to write the exam in January. I am finding that I know something about each of the areas we study, some in a lot of depth, some only loosely. But the systematic review is very useful, even if it is to learn a consistent terminology for various things. I have worked with computer security for over 20 years, as well as real time software development for longer.

What Robert and Crispin ask is that people do the thing right. What the CISSP helps assure is that people know to do the right thing. If I were hiring someone to work on my system security architecture, I would want someone who knows what the CISSP tests. If I were looking for an implementer of this architecture, I would want someone with more of the SANS GIAC certifications. Certainly, just having the CISSP certification doesn't ensure you have any depth, but it does ensure that you have some breadth.

Bill Royds

t <miedaner () twcny rr com>
11/26/01 09:04 PM
To:
cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] CISSP

I try to stay silent on this list but have got to say put this into perspective. Testing is great and certification is great but you all realize that passing a test in college and graduating with a degree does not mean you can actually do anything useful. Is a person with only a CISSP and 0 experience useful? Well, in theory, and you know where that gets us. On the other side it is a benchmark of sorts. If anything it does teach some lingo (talk the talk).

I guess I would ask the question of all: Can a person with zero experience in the field pass the CISSP test? All the time, 5, 10, 50 percent of the time?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards