Security Basics mailing list archives

RE: CISSP Question


From: Elizabeth Tolson <etolson () gibralter net>
Date: Mon, 7 May 2007 16:34:30 -0400 (GMT-04:00)

First of all, to all who have written privately with loads of encouragement --- THANK YOU!!!!

Secondly, regarding the facing of opposing counsel while on the stand.  I have to say that I have been cross-examined by 
the best and was able to stand my ground and win my case.  Prior to being a paralegal, I was a Child Protective 
Services Social Worker.  When you have to prove abuse (sexual or physical or emotional) and/or neglect, to the extent 
that the children should be removed from the home and the parents sent to prison, you had better be on your "p's and 
q's".  I always was prepared before going to Court.

Then I started working for the Child Support Office.  Again, I was cross-examined by the best attorneys.  Again, I 
stood my ground.

Sometimes, and I don't know why, I see that when people have a certain degree or certification or job, they don't want 
to see other people do the same.  I am not sure why -- I don't think I would be any kind of threat here in little 
Eastern North Carolina to anyone overseas, etc.

Elizabeth



-----Original Message-----
From: Craig Wright <Craig.Wright () bdo com au>
Sent: May 4, 2007 8:56 PM
To: Elizabeth Tolson <etolson () gibralter net>, david.a.harley () gmail com
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question

In cases where one does not have the required experience, ISC2 has instituted an Associate qualification. This is for 
people who have passed the exam but do not as yet have the experience.

If you are looking to work with law enforcement in digital forensics, most critically you need to be able to build and 
demonstrate a level of expertise. Most of the time it will never be challenged; if you find the evidence, then 9-10 
times (from personal experience) it is not disputed (as long as procedures are followed). The issue is that you never 
know when the evidence will be challenged in court, and this is where the opposing party will attempt to dispute your 
level of knowledge, skill and professional judgement.

In jury cases, the difficulty is that juries do not just make decisions on the facts, but also have a level of 
perception added in. How well you handle yourself under pressure aids in this process and, as strange as it may sound, 
joining something like Toastmasters may aid. The reason for this is that it helps you master speaking in front of 
people, and when testifying as an expert this is a particularly stressful experience (which, though it gets better 
with experience, never really goes away).

By undermining your composure on the stand, an opposing attorney will attempt to make it seem that you do not handle 
stress well and thus may make mistakes. If you can make a mistake on the stand, then it is presumable that you may 
make an error in collecting evidence, and that introduces reasonable doubt. Thus it is that not only experience and 
skill are required but also a level of control in front of difficult people (and this is generally the role of 
opposing counsel - to be difficult).

This also adds the issue of using questionable experience (such as being a physical security guard; this is not 
aimed at anyone, but is a generalised analogy). If you are going to work with LE or otherwise in forensics, the 
question of ethics and integrity becomes even more crucial. Often it is simpler to dispute the credentials or attack 
the person than to attack the evidence; the result is the same - reasonable doubt.

So the process is that if the opposing counsel can dig up dirt on you from your past (even 20 years back) they will. 
As an expert, many of the protections which apply to a witness do not apply to you. There are protections on attacking 
the character of witnesses that do not apply to experts.

So if, for instance, the opposing counsel subpoenas your CISSP records and it states 5 years professional security 
experience and you had been a security guard, they will use this. The questioning would go along the lines of:

Attorney: You state that you had 5 years professional experience in information security before applying for the 
CISSP?

Expert: Yes

Attorney: But your resume states that you were a security patrol coordinator, is this correct?

Expert: Yes, I was. I also worked with...

Attorney: Just answer the question, please do not embellish it. Yes is all I want. So did you work 2 jobs at that 
time?

Expert: No, what are you getting at?

Attorney: So you lied on your CISSP application?

Expert: No! I never would.

Attorney: You did state that you are an IT Security professional with 5 years experience on the application, but that 
you were working in physical security?

Expert: Yes - I was a security professional.

Attorney: So you are either ignorant of what IT Security is and were not a professional, or you lied. Is this true?

Expert: No, I w...

Attorney: No, either you are lying now or you lied before. I would like to tender to the bench evidence that 
categorically demonstrates that "Expert" lied in his/her application to be considered for a CISSP.

Expert: That is not....

Judge: Mr/Miss/Mrs "Expert" will please be quiet unless addressed.

Attorney: I would like to submit to the bench that all evidence from "Expert" should be disallowed.

The above situation is one that can and does occur. Thus it was mentioned that the legal terminology of a profession 
does not matter, maybe, if you never go into a court. In digital forensics, it is your role to be prepared to go to 
court.

A nasty attorney would likely file a perjury suit against Mr/Mrs "Expert" - which would likely exclude them and their 
evidence. It could also result in charges.

So I am maybe a little risk averse these days. I prefer to accept the legally defined class of what is a professional 
as, if anything ever goes wrong, for instance, the legally accepted definition is the one that counts.

This states nothing in regards to the level of skill or ethics of the person, just whether they are in either a 
legalistically or sociologically accepted defined class as a professional.

Regards
Craig

Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

________________________________


From: listbounce () securityfocus com on behalf of Elizabeth Tolson
Sent: Sat 5/05/2007 2:15 AM
To: david.a.harley () gmail com
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question



My original question was whether a Masters Degree in Information Systems Security and a CCE Certification would 
qualify me for CISSP or whether I need several years' experience in the field.

There were some suggestions as to what I could label as "experience" and how to maybe cut corners.  I never asked how 
to cut corners to get the Cert. 

Elizabeth

-----Original Message-----
From: David Harley <david.a.harley () gmail com>
Sent: May 4, 2007 4:54 AM
To:
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question

I, in NO way, want to cheat, cut corners, etc. to get this or
any other Certification. 

Elizabeth, I didn't see your original question (I've only just rejoined this
list), but I'm sure no-one was questioning your personal integrity. In fact,
I'm still not sure exactly what your original question was, but if it helps,
I'd think that a Masters in Info Sec (or even working towards one) plus CCE
would make you a good candidate for a range of jobs offering a way to
acquire more hands-on experience. Even if you didn't go straight into
something forensics related, CCE certification would say something very
positive about your dedication and capacity for learning. Employers worth
working for will value (among other things) experience, proven skill,
academic achievement and willingness to work for professional (in a
non-legal sense) qualifications. It depends on the exact job and the other
candidates, of course, but they'll often use the attributes you do have as a
guide to your potential in areas in which you may be less qualified right
now.

I wish you every success in realizing your potential.

--
David Harley CISSP
Security Author/Editor/Consultant/Researcher
Small Blue-Green World
AVIEN Guide to Malware:
http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography:
http://www.smallblue-greenworld.co.uk/pages/bibliography.html

