Firewall Wizards mailing list archives

RE: CISSP


From: "Ames, Neil" <NAmes () anteon com>
Date: Wed, 28 Nov 2001 12:27:37 -0500

All,
        I enjoy this thread, though it seems far afield from firewall
wizardry.  I just took a look at the *outline* of the ten domains of
knowledge for the CISSP.  Firewalls are mentioned on one line in the
outline.  That line in the "Key Areas of Knowledge" for Domain 2,
Telecommunications and Network Security, is one of roughly 60 concepts on
which a CISSP should be able to expound--for that domain.  The other domains
are:

1) Access Control Systems & Methodology
3) Security Management Practices
4) Applications & Systems Development Security
5) Cryptography
6) Security Architecture & Models
7) Operations Security
8) Business Continuity Planning & Disaster Recovery
9) Law, Investigations & Ethics
10) Physical Security

        Let's say that's 600 concepts on which a CISSP should be able to
write at least one paragraph.  The exam has 250 questions, lasts six hours,
and costs $450.  There are people with little experience (even with a
3-year-experience requirement) doing a lot of memorizing in order to get the
shingle (I have no idea of success rates--but I am sure that there is some
success).  There are people with plenty of experience also doing a lot of
reading and brushing up in order to pass.  There is a reasonable burden to
pass the exam, but not overwhelming.  Look at what CPAs endure by
comparison:  A 3-day test that something like 4% pass on the first attempt.
(I don't know the number for the CISSP, but I know that it is *much*
higher.)  A friend who is a former Navy SEAL and a current CPA says that the
CPA exam is the mental equivalent of the physical testing that a SEAL
endures.  (Now I need to find a former SEAL who is a current CISSP.)  The
CISSP body of knowledge may be refined, and the test may eventually reach
the high level of standards of a CPA, at which point I don't think that
there will be a debate about its value.  
        It appears that there is agreement that anyone looking for a
firewall administrator does not need to look for a CISSP.  I hope that
consensus builds that someone needing consulting, managed services, and such
should regard the certification highly--though not yet with the confidence
in a CPA-like certification.  I am confident, however, in saying that an IT
manager with a CISSP certificate *will* be able to get more traction with
executives, and be much more likely to get their security budget, than a
manager without one.  I know from personal experience that CISSP-related
study contributes to my value to clients.  (More money for fast cars and
cheap women, and more time for X-tank, if I may borrow some of Stephen
Berry's humor).
        Full disclosure:  I am in a study group of prospective and current
CISSPs.  We discuss one to three articles a week, meeting for two hours
every Saturday afternoon.  It is a lot of fun and it's educational.  (It may
be more that it is an excuse to miss diaper-changing duty, or to put off
raking leaves...)


Thanks,

Fritz

-----Original Message-----
From: Bill_Royds () pch gc ca [mailto:Bill_Royds () pch gc ca]
Sent: Tuesday, November 27, 2001 12:18 PM
To: t
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] CISSP



To be allowed to write the CISSP, one has to document at least 3 years
experience in at least 2 of the "domains" of knowledge.
The CISSP has been described as the 10,000 foot view of IT security. It
does NOT indicate great depth in any field, as Crispin Cowan has properly
noted. But it does mean someone has looked at a large number of areas and
is aware of the implications of them.
   I am involved in a CISSP study course at the moment and plan to write
the exam in January. I am finding that I know something about each of the
areas we study, some in a lot of depth, some only loosely. But the
systematic review is very useful, even if it is only to learn a consistent
terminology for various things.
   I have worked with computer security for over 20 years, as well as real
time software development for longer. What Robert and Crispin ask is that
people do the thing right. What the CISSP helps assure is that people know
to do the right thing.
If I were hiring someone to work on my system security architecture, I
would want someone who knows what the CISSP tests. If I were looking for
an implementer of this architecture, I would want someone with more of the
SANS GIAC certifications.
Certainly, just having the CISSP certification doesn't ensure you have any
depth, but it does ensure that you have some breadth.

Bill Royds





t <miedaner () twcny rr com>
11/26/01 09:04 PM


        To:
        cc:     firewall-wizards () nfr com
        Subject:        Re: [fw-wiz] CISSP


I try to stay silent on this list but have got to say: put this into
perspective.

Testing is great and certification is great, but you all realize that
passing a test in college and graduating with a degree does not mean you
can actually do anything useful.

Is a person with only a CISSP and 0 experience useful?  Well, in theory...
and you know where that gets us.

On the other side, it is a benchmark of sorts.  If anything, it does teach
some lingo (talk the talk).

I guess I would ask the question of all: Can a person with zero experience
in the field pass the CISSP test?  All the time, 5, 10, 50 percent of the
time?



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
