Security Basics mailing list archives
RE: CISSP Continuing Education
From: "David Harley" <david.a.harley () gmail com>
Date: Fri, 18 May 2007 10:31:44 +0100
> ISC2 does not have in place a requirement that spreads the continuing education across the ten domains.
I don't actually think that's a weakness for this type of cert. It isn't like a Juniper or Cisco cert: it's about knowing general principles, not current product knowledge.
> "Does ISC2 have in place a system to ensure that certified people continue their education across all 10 domains?"
I don't think the verification process is anything like that fine-grained. The question is whether it should be. (Even apart from the extra administrative load it would impose.)
> But for your continuing education, you can focus on strictly one domain and lose familiarity with the other 9 domains.
That depends on what you mean by familiarity. Very few people work consistently across all ten domains, and I certainly wouldn't expect anyone to give me a high-flying specialist job purely on the basis of my current knowledge of cryptography or physical security. CISSP doesn't say that you're an expert in all ten domains and fully up-to-date in those areas. If it did, your previous criticisms would be justified, or at any rate justifiable. It says that you have a basic understanding of all those areas which gives you a good overall feel for general principles, the way in which different areas interconnect, and a solid basis on which to augment your basic knowledge if and when required to (a change of job focus, for instance).

Actually, what CISSP says to me is this (and yes, it's a subjective view): "I am an information security professional with a minimum of x years experience in security management, awareness and knowledge of the fundamentals of the ten domains, and I'm committed to certain professional and ethical standards. One aspect of those ethical standards is that I don't claim knowledge and expertise that I don't actually have."

I think you're expecting too much of the cert. It doesn't stretch those with technical expertise in particular domains: the only stretch is that it requires you to be fairly conversant with all the domains. (Don't be misled by the fact that I've used the term "basic knowledge": the test isn't -that- easy. But it doesn't require specialist knowledge.) I'd be mad to say "Look, I'm an expert in malware management, and I've got the CISSP to prove it." If I needed that sort of endorsement, I'd be looking at a different range of certs, say GIAC.
> But this does seem counter productive to the purpose of the cert,
Not necessarily. The cert doesn't target people who need to be expert practitioners in all ten domains (how many people do need to be?) It targets people who can work more effectively with a fundamental understanding of all ten domains. On the other hand, a CISSP holder isn't necessarily "expert" in any single domain. In those circumstances, there might be an argument for requiring them to reaffirm their competence across all domains from time to time. But for that, a re-test might actually be more appropriate. In fact, (ISC)2 may have that scenario in mind by offering re-testing as an alternative to CPE credits.
> and a relatively easy fix. Of course there would be more man hours spent during audits and the sort,
Not easy at all. It's not just auditing: it's sorting through all the different types of activity that can be seen as qualifying to weight them according to domain, then tracking an individual's record across all domains. Not impossible, but more work (and expense!) than you may think.
> and I am sure a lot of CISSP certified people really do not want to sit through classes on cryptography, or physical security.
I look at all sorts of things that aren't strictly related to my main work (not all of them particularly security or IT-related). Of course, classes aren't the only way to stay current, and I'd resent having to spend large amounts of my own time and money on keeping up-to-date with areas of marginal relevance to my own field.

--
David Harley CISSP, Small Blue-Green World
Security Author/Editor/Consultant/Researcher
AVIEN Guide to Malware: http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography: http://www.smallblue-greenworld.co.uk/pages/bibliography.html

> Regards, Simmons