
CISSP exam and endorsement

lakhilove Member Posts: 5
Hi

Please pardon me if someone has asked this question before. I have been a system/network administrator for the last 15 years, managing, configuring, updating and all related systems admin tasks, and I have a bachelor's in CS and a master's in Tech Management. My question is: will I be able to appear for the CISSP exam, and how can I satisfy the endorsement process, as I don't have direct experience with security but I manage and secure all types of networks and systems, https, ssl, ssh and all types of encryption etc.? Finally, how will the CISSP help me in finding a job?

Guidance in the right direction will be appreciated.

Comments

  • tuabuikia Member Posts: 52
    You can certainly sit for the exam. As for satisfying the endorsement requirement, it really depends on your working experience. If you do not satisfy the endorsement requirement, you still can become an Associate of ISC2. Why not go over to ISC2's website to see if your working experience satisfies any 2 out of the 8 domains in CISSP?

    Also, don't mind me asking. What value do you see in getting CISSP for your career?
  • splash24 Member Posts: 30
    From your post it looks like you do qualify. The Telecommunications and Networking domain is the largest CBK domain in the CISSP and will help you very well to clear the exam. The cert itself will not do much if you do not have the required experience and you do not take the CISSP as a journey to learn. It certainly helps to prove to people that you are serious about a career in infosec. There will be an opportunity for sure, but I cannot guarantee the timeline. Go ahead if you want to learn and can chance it.
  • Mike7 Member Posts: 1,107
    You need to have 5 years accumulated experience in 2 of the 8 domains listed on https://isc2.org/cissp-domains/default.aspx
    Based on your background, one of the domains will be Communication and Network Security; you need to find another domain that you are involved in. You can also get 1 year experience waiver if you have one of the certifications listed at https://isc2.org/credential_waiver/default.aspx
  • lakhilove Member Posts: 5
    Hi,

    Thanks for the reply. I am also in the middle of deciding whether to go for the CISSP (will the CISSP help my career?) or the CCIE (which will take a while; I have the CCNA). I want to switch from sys admin to security.
  • lakhilove Member Posts: 5
    Hi Mike,

    I have gone through the ISC2 www site before. I can certainly fulfill 2 domains, but my concern was, as I am not directly a security guy, how will I fulfill the endorsement, and how will I find a CISSP member who will recommend my endorsement?
  • lakhilove Member Posts: 5
    Hi Splash24,

    I want to learn, but not for learning only; I want to find a decent job/career. The timeline is important as I have a family and a bank (home loan) on my head.
  • Mike7 Member Posts: 1,107
    lakhilove wrote: »
    I have gone through the ISC2 www site before. I can certainly fulfill 2 domains, but my concern was, as I am not directly a security guy, how will I fulfill the endorsement, and how will I find a CISSP member who will recommend my endorsement?

    You can get ISC2 to endorse you. I took that option.

    As for relevant experience, some of what you do at work qualifies. Highlight the security related tasks in your endorsement resume: applying patches, SSL cert installation, network switch MAC address filters, 802.1X configuration, etc. If you do not have sufficient accumulated experience, you can apply to be a CISSP Associate. Use other IT certs such as CCNA Security, CCNP Security, MCSA to claim the experience waiver; check the web site for details. And if you are new to security, you may want to go for Security+ first. It is an easier exam since it is entry level, and it also provides foundation knowledge for your CISSP later.
  • nk_vn Member Posts: 38
    Mike7 wrote: »
    You can get ISC2 to endorse you. I took that option.

    As for relevant experience, some of what you do at work qualifies. Highlight the security related tasks in your endorsement resume; applying patches, SSL certs installation, network switch MAC address filters, 802.1X configuration...

    I would challenge this. Applying patches and SSL certs installation are purely operational things, and not necessarily security related. Every click monkey can install patches and point the configuration to the cert file. I would consider security-related work to be dealing with configuration/change management process (which includes patching) and designing/deploying an entire PKI (not just getting a cert from Godaddy and using it).

    If we follow this line of thought, setting up the wireless encryption for SOHO routers (i.e. setting a password and selecting WPA2) is also security-related work. The same applies to installing an OS on one of these awful pseudo-RAID-capable commodity motherboards. To me security-related work means doing a task with security being the PRIMARY consideration, not just the coincidence of using a technology that happens to be mentioned in some CISSP domain. This is one of the reasons that stops me from using my 10+ years of experience for CISSP endorsement. I did lots of stuff, especially in networking, which is a huge part of the CBK, but I never had security as the primary work consideration. Security was in many cases something that was in the way, and ended with having a non-trivial password and using SSH instead of Telnet (not always).

    Please correct me if I am wrong, I would be extremely happy to stand corrected here.
  • Mike7 Member Posts: 1,107
    nk_vn wrote: »
    I would challenge this. Applying patches and SSL certs installation are purely operational things, and not necessarily security related.

    To me security-related work means doing a task with security being the PRIMARY consideration,
    I did lots of stuff, especially in networking which is huge part of the CBK, but I never had security as the primary work consideration.

    Please correct me if I am wrong, I would be extremely happy to stand corrected here.

    I am not the one doing the endorsing process, so....

    You are correct. SSL cert installation is operational. How you configure it securely makes the difference. To me, these are the security-related configuration
    1) Use SHA-256 instead of SHA-1 signatures during SSL cert application
    2) Configure web server to support and favor PFS (perfect forward secrecy) ciphers
    3) Enable TLS 1.2, disable SSL v3
    4) Disable weak ciphers, i.e. RC4, 3DES, DHE
    5) Configure ciphers as per PCI-DSS requirements
    We actually did some of the above well before any security vulnerabilities were flagged. So we were not affected by POODLE, LogJam...

    Applying patches for 5 years definitely will not qualify as security work, risk management is. We apply patches to mitigate risks; when a patch is not available, we use mitigating controls. e.g. we are unable to apply a patch as it breaks an existing application. So we isolate the server from internet access and implement ACLs and IPSec.

    To me, the CISSP is not just a technical exam. It is a management exam; it is about how you employ infosec concepts to protect and support the business. Before you do, you need the technical knowledge first. And you need to understand security concepts in order to understand why you configure in a certain way.

    Guess it depends on how the tasks are described when submitting the endorsement form. Someone who puts "install SSL cert" does not qualify. A person who mentions the above considerations when installing SSL demonstrates that he has the necessary competence. And I expect someone who passes the CISSP to "get it" and fill it in accordingly.

    @lakhilove, do check out http://www.techexams.net/forums/security-certifications/113328-what-information-security-certifications-should-i-get.html
  • nk_vn Member Posts: 38
    Mike7 wrote: »
    I am not the one doing the endorsing process, so....
    2) Configure web server to support and favor PFS (perfect forward secrecy) ciphers
    3) Enable TLS 1.2, disable SSL v3
    4) Disable weak ciphers, i.e. RC4, 3DES, DHE
    5) Configure ciphers as per PCI-DSS requirements
    We actually did some of the above well before any security vulnerabilities were flagged out. So we were not affected by POODLE, LogJam...

    All of the above can be under the "system hardening" umbrella, IMO. The main question is: did you do this ALL THE TIME, or just, say, every now and then? Does "every now and then" satisfy the requirement? If you spent a total of 1 week on system hardening in your entire 5 year career, does that qualify you as having worked in a security-related role?
    Guess it depends on how the tasks are described when submitting endorsement form. Someone who put "install SSL cert" does not qualify. A person who mentions the above considerations when installing SSL demonstrates that he has the necessary competence. And I expect someone who pass the CISSP to "get it" and fill in accordingly.

    You can always word your experience in a way that suits you best for the purpose. If you simply want to get your cert, you can bend and twist it in any way you want. I am sure that I can easily describe the role of a (physical) security guard in a way that will satisfy CISSP. Apparently it all boils down to how serious you are about the ethics of the entire process.

    Maybe I am overthinking it. My friends and colleagues are laughing at me (but they also do it for many other ethics related things). I bet that hardly anyone ever had a full-time ONLY security-related job before getting his CISSP (apart from say firewall admins). Most people wear many hats in their work, and security is only one of them...
  • Mike7 Member Posts: 1,107
    nk_vn wrote: »
    All of the above can be under the "system hardening" umbrella, IMO. The main question is: did you do this ALL THE TIME, of just, say, every now and then? Does "every now and then" satisfy the requirement? If you spent a total of 1 week in system hardening for your entire 5 years career, does that qualify you as having worked in security-related role?
    "Hardening" is security control. Settings need to be reviewed and revised from time to time. A few years back, RC4 was considered the security solution against BEAST. Now RC4 is considered insecure. 3DES was required because XP does not support AES. Since XP EOL in 2014, we change our default config and disable 3DES. In a way, we are also encouraging people to migrate away from XP. Definitely more than 1 week of effort, not including time to learn crypto. There is also OS hardening; we have fun every time Microsoft or RedHat release a new version.
    nk_vn wrote: »
    Maybe I am overthinking it. My friends and colleagues are laughing at me (but they also do it for many other ethics related things). I bet that hardly anyone ever had a full-time ONLY security-related job before getting his CISSP (apart from say firewall admins). Most people wear many hats in their work, and security is only one of them.
    UTM firewall admin, which I also do, is just one of the domains. The requirement is for a minimum of five years of cumulative paid full-time work experience in two or more of the 8 domains. Note the emphasis on cumulative.
    My endorsement was done by ISC2 and not by a helpful CISSP friend. This is as good as having an audit. If ISC2 deemed it insufficient, they could award CISSP Associate. I applied for the 1-year waiver with my Security+, MCSA and MCSE certs, and submitted the application listing the last 7 years of experience. I have 15+ years of IT experience.

    nk_vn wrote: »
    This is one of the reasons that stops me from using my 10+ years of experience for CISSP endorsement. I did lots of stuff, especially in networking which is huge part of the CBK, but I never had security as the primary work consideration.
    Please correct me if I am wrong, I would be extremely happy to stand corrected here.
    CISSP is just the beginning, you still need to earn CPE credits to keep it current.
    Many years back, I did ask about the endorsement process and what qualifies as experience during a CISSP review seminar. The reply was that experience refers to the domains in your full-time job, so even a full-time programmer can go for it. I was a programmer at that time. I decided not to go for it until I had picked up knowledge in other domains.

    And the gained experience helps! By the time I hit the books, I knew more than half the material already. My only study materials were Eric Conrad and AIO. No questions, no brain ****, and passed 2 months later.

    Go figure.. Seek clarification from ISC2 whether you qualify. Do not overthink. :)
  • nk_vn Member Posts: 38
    Mike7 wrote: »
    UTM firewall admin, which I also do, is just one of the domains. The requirement is for a minimum of five years cumulative paid full-time work experience in two or more of the 8 domain. Note the emphasis on cumulative.

    Good point. Accumulation requires quantifying, though. I really doubt that many people keep track of their involvement in the particular roles.
    My endorsement was done by ISC2 and not by a helpful CISSP friend. This is as good as having an audit. If ISC2 deemed it insufficient, they could award CISSP Associate. I applied for the 1-year waiver with my Security+, MCSA and MCSE certs, and submitted the application listing the last 7 years of experience. I have 15+ years of IT experience.

    This point is even better. The "as good as having an audit" is actually exactly true according to the ISC(2) website. For whatever reason I never considered that option until now. Thank you for the input, sometimes you need the opinion of somebody else to start thinking outside your own box. Thank you!
  • lakhilove Member Posts: 5
    Hi Guys,

    Nice to see a good conversation. Can I ask, as I do the same system admin and firewall admin work (Checkpoint and Cisco ASR) and all the security stuff, since I am working in a medium size org, can I get sample points to follow for the endorsement process?
  • Mike7 Member Posts: 1,107
    lakhilove wrote: »
    I have been a system/network administrator for the last 15 years, managing, configuring, updating and all related systems admin tasks, and I have a bachelor's in CS and a master's in Tech Management. My question is: will I be able to appear for the CISSP exam, and how can I satisfy the endorsement process, as I don't have direct experience with security but I manage and secure all types of networks and systems, https, ssl, ssh and all types of encryption etc.? Finally, how will the CISSP help me in finding a job?

    lakhilove wrote: »
    Can I ask, as I do the same system admin and firewall admin work (Checkpoint and Cisco ASR) and all the security stuff, since I am working in a medium size org, can I get sample points to follow for the endorsement process?


    BTW, you did not mention whether you have any certifications listed at https://www.isc2.org/credential_waiver/default.aspx. You may want to try Security+ first to get a taste of what infosec is like, and to decide if this is something you wish to pursue.

    Studying for CISSP can be a marathon or short sprint depending on your work experience. It was fairly easy for me as I have experience in most of the domains listed at https://isc2.org/cissp-domains/default.aspx. Read the forum threads for study tips.

    As for endorsement process, we will cross the bridge after you pass. :)
    Good luck on your endeavors!
  • justjen Member Posts: 77
    In fact, basic security tasks may not meet CISSP endorsement requirements. I went back and looked at the endorsement requirements outlined on the ISC2 endorsement application form. In the instructions to the endorser, it states in part (tl;dr):

    Endorsement Application – Endorser’s Guidelines

    When acting as an Endorser, you assume the responsibility of confirming the background and qualifications for the candidate you are endorsing. Below are a set of guidelines that you must consider and follow before you complete and sign the endorsement form. These guidelines may be used as a checklist throughout the endorser's review process and should be submitted along with the signed form. ...

    To qualify for the CISSP® credential: Applicants must have a minimum of five years of direct full time security professional work experience in two or more of the eight domains of the (ISC)2 CISSP CBK. If you hold a certification on the (ISC)2 Approved List, you may receive a one year waiver out of the five year experience requirement. Alternatively, a four year degree leading to a Baccalaureate or regional equivalent can substitute for one year towards the five year requirement. No more than 1 year of experience may be waived. ...

    Step 3 - Determination if Jobs/Positions Constitute Professional Experience. Determining what jobs constitute professional experience (vs. those that are non-professional or para-professional) will involve a comparison between each job/position title and corresponding description of duties. For each job/position listed on the resume (ignoring non certification-related jobs) the Endorser will conduct the comparison and record the words "Valid Experience," "Not Valid Experience," or "Experience Validity Indeterminate" on the resume. For those jobs/positions that are determined to be "Valid Experience," the Endorser will also record on the resume/CV the number of months being credited as professional experience towards the requirement. For the CISSP, Professional Experience is a minimum of five years of direct full time experience in two or more of the 8 domains of the (ISC)2 CISSP CBK®, or four years of work experience with an applicable college degree or a credential from the (ISC)2 - approved list. ...

    Professional Experience Guidelines. Experience in the specified credential domains qualifies as security experience but may not qualify as professional experience. Non-professional or para-professional work, even in the applicable credential domains, does not satisfy the requirement. Professional work is usually compensated by salary, retainer, fee, or commission rather than per hour. It is, by definition, exempt from the wage and hour laws.

    Professional experience includes:
    · Work requiring special education or intellectual attainment, usually including a liberal education or a college degree.
    · Work requiring habitual memory of a body of knowledge shared with others doing similar work.
    · Management.
    · Supervision of the work of others while working with a minimum of supervision one's self.
    · Work requiring the exercise of judgment, management decision making, and discretion.
    · Requires the exercise of ethical judgment (as opposed to ethical behavior).
    · Creative writing and oral communication.
    · Teaching, instructing, training, and mentoring of others.
    · Research and development.
    · The specification and selection of controls and mechanisms (rather than the mere operation of those controls) (e.g., identification and authentication technology), but not when the basis is that of established standards or procedures.


    Whether the requirements are consistently upheld by ISC2 and by the endorsers is a different conversation entirely.
  • justjen Member Posts: 77
    I just shared the ISC2 definition of and requirements for endorsers in assessing an applicant's "direct full-time security professional work". If an endorsement is found to be inadequate or even improper, the endorser might lose their own certification.

    My understanding is that ISC2 does review the candidate's application and endorsement package. While it is not unheard of for ISC2 to determine an applicant does not meet the experience requirements, feel free to argue with ISC2 all you want.

    I've been known to argue the opposite side, to assure all angles are explored (or sometimes, just for fun). ;)
  • Mike7 Member Posts: 1,107
    justjen wrote: »
    My understanding is that ISC2 does review the candidate's application and endorsement package. While it is not unheard of for ISC2 to determine an applicant does not meet the experience requirements, feel free to argue with ISC2 all you want.
    I've been known to argue the opposite side, to assure all angles are explored (or sometimes, just for fun). ;)


    Noted. We should keep this objective and civil. Just for fun. ;)


    ISC2 did my CISSP endorsement. This is equivalent to an audit.
    The guidelines define what professional experience is. Some of the points below highlight this definition.
    justjen wrote: »
    Professional experience includes:
    · Work requiring special education or intellectual attainment, usually including a liberal education or a college degree.
    · Work requiring habitual memory of a body of knowledge shared with others doing similar work.
    · Management.
    · Supervision of the work of others while working with a minimum of supervision one's self.
    · Work requiring the exercise of judgment, management decision making, and discretion.
    · Requires the exercise of ethical judgment (as opposed to ethical behavior).
    · Creative writing and oral communication.
    · Teaching, instructing, training, and mentoring of others.
    · Research and development.
    · The specification and selection of controls and mechanisms (rather than the mere operation of those controls) (e.g., identification and authentication technology), but not when the basis is that of established standards or procedures.
    Back to my earlier post about SSL ciphers.
    I need a good understanding of cryptography, what the current vulnerabilities/weakness are (HeartBleed, LogJam, Poodle) in order to know why, what and how to do it ("body of knowledge")
    Deciding on the exact secure configuration (Disable RC4, disable SSL 3.0, enable TLS1.2. configure PFS) qualifies as professional experience. ("exercise of judgment", "discretion", "specification of controls")

    For the engineer who applies these settings to our environment, what he did does not qualify as professional security experience. Installing anti-virus to secure the environment is not. Neither is the mere act of configuring a firewall ("mere operation of these controls").

    Deciding how to secure a data center environment, what to secure, what controls/tools to use and getting your engineers to roll them out is ( "work requiring the exercise of judgment", "management decision making", "supervision of work of others").

    So in the resume, we need to demonstrate that we are exercising our professional experience and not merely following established processes. i.e. do you follow procedures or do you manage the process?

    Which is why I always tell others that the CISSP is a management exam.
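The TLS checklist in Mike7's earlier post (SHA-256 signatures, favor PFS, TLS 1.2 on and SSLv3 off, no RC4/3DES) and the "deciding on the exact secure configuration" point above are concrete enough to check mechanically. What follows is an added example, not code from the thread or from any of its posters: it audits a list of enabled protocol versions, a server-preferred cipher order and the certificate's signature algorithm against those points, then builds a Python `ssl.SSLContext` that enforces them and runs the same audit over the suites that context will actually negotiate. The assumptions are mine: the weak-cipher substring list, treating ECDHE-, DHE- and TLS 1.3 (`TLS_`) suites as forward secret, flagging TLS 1.0/1.1 as deprecated (a step beyond the thread), and the "before"/"after" settings, which are constructed for illustration rather than taken from any real server.

```python
"""Audit TLS settings against a hardening checklist (added example, not from
the thread). Works offline: the BEFORE/AFTER settings below are constructed."""
import ssl

# Cipher-name substrings treated as weak (assumption for this example; the
# thread names RC4 and 3DES, the rest are the usual suspects). OpenSSL spells
# 3DES as DES-CBC3-*, so "DES" catches both single and triple DES.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")

# Ephemeral key exchange: OpenSSL names such suites ECDHE-*/DHE-*, and every
# TLS 1.3 suite (TLS_*) uses (EC)DHE, so all three prefixes count as PFS.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")

# OpenSSL cipher string used for the hardened context: AES-GCM with ephemeral
# key exchange only, and explicit exclusions as a belt-and-braces measure.
HARDENED_CIPHER_STRING = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES"


def is_pfs(cipher_name: str) -> bool:
    """True if the suite name indicates ephemeral (forward-secret) key exchange."""
    return cipher_name.upper().startswith(PFS_PREFIXES)


def audit_tls_settings(protocols, cipher_order, cert_sig_alg=None):
    """Return (finding, detail) pairs; an empty list means every point passes.

    protocols:    enabled versions, e.g. ["TLSv1.2", "TLSv1.3"]
    cipher_order: suites in the server's preference order
    cert_sig_alg: certificate signature algorithm, e.g. "sha256WithRSAEncryption"
    """
    findings = []
    enabled = {p.upper() for p in protocols}
    for p in sorted(enabled):
        if p in ("SSLV2", "SSLV3"):
            findings.append(("legacy-protocol", p))       # POODLE territory
        elif p in ("TLSV1", "TLSV1.0", "TLSV1.1"):
            findings.append(("deprecated-protocol", p))   # beyond the thread
    if not enabled & {"TLSV1.2", "TLSV1.3"}:
        findings.append(("tls12-missing", ",".join(protocols)))
    # "Favor PFS": the server's first choice must be an ephemeral suite.
    if cipher_order and not is_pfs(cipher_order[0]):
        findings.append(("pfs-not-preferred", cipher_order[0]))
    for name in cipher_order:
        upper = name.upper()
        if any(marker in upper for marker in WEAK_CIPHER_MARKERS):
            findings.append(("weak-cipher", name))
        if not is_pfs(name):
            findings.append(("non-pfs-cipher", name))
    # SHA-256 signatures: flag a certificate still signed with SHA-1 or MD5.
    if cert_sig_alg and any(h in cert_sig_alg.upper() for h in ("SHA1", "MD5")):
        findings.append(("weak-signature", cert_sig_alg))
    return findings


def hardened_context() -> ssl.SSLContext:
    """Server context that enforces the checklist: TLS 1.2+, PFS AES-GCM only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # rules out SSLv3, TLS 1.0/1.1
    ctx.set_ciphers(HARDENED_CIPHER_STRING)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # our order wins, not the client's
    return ctx


def context_protocols(ctx: ssl.SSLContext):
    """Translate a context's min/max version bounds into protocol labels."""
    versions = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
    labels = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = versions[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = versions[-1] if ssl.HAS_TLSv1_3 else versions[-2]
    return [label for v, label in zip(versions, labels) if lo <= v <= hi]


def audit_context(ctx: ssl.SSLContext):
    """Run the same audit over what the context will really negotiate."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return audit_tls_settings(context_protocols(ctx), names)


# Constructed sample settings (not from any real server).
BEFORE = dict(
    protocols=["SSLv3", "TLSv1", "TLSv1.1"],
    cipher_order=["AES128-SHA", "RC4-SHA", "DES-CBC3-SHA",
                  "ECDHE-RSA-AES128-GCM-SHA256"],
    cert_sig_alg="sha1WithRSAEncryption",
)
AFTER = dict(
    protocols=["TLSv1.2", "TLSv1.3"],
    cipher_order=["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                  "DHE-RSA-AES256-GCM-SHA384"],
    cert_sig_alg="sha256WithRSAEncryption",
)

if __name__ == "__main__":
    for kind, detail in audit_tls_settings(**BEFORE):
        print(f"before: {kind:22} {detail}")
    print("after :", audit_tls_settings(**AFTER) or "no findings")
    print("ctx   :", audit_context(hardened_context()) or "no findings")
```

Run with `python3`: the "before" settings produce eleven findings (SSLv3 on, TLS 1.2 off, a non-PFS suite preferred, RC4 and 3DES offered, SHA-1 signature), the "after" settings none, and the hardened context audits clean on whatever OpenSSL the interpreter links against. The check only covers offered versions and suites; DH parameter size, HSTS and OCSP stapling are outside what it inspects.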
  • justjen Member Posts: 77
    Mike7 wrote: »
    Noted. We should keep this objective and civil. Just for fun. ;)


    ISC2 did my CISSP endorsement. This is equivalent to an audit.
    The guidelines define what professional experience is. Some of the points below highlight this definition.


    Back to my earlier post about SSL ciphers.
    I need a good understanding of cryptography, what the current vulnerabilities/weakness are (HeartBleed, LogJam, Poodle) in order to know why, what and how to do it ("body of knowledge")
    Deciding on the exact secure configuration (Disable RC4, disable SSL 3.0, enable TLS1.2. configure PFS) qualifies as professional experience. ("exercise of judgment", "discretion", "specification of controls")

    For the engineer who applies these settings to our environment, what he did does not qualify as professional security experience. Installing anti-virus to secure the environment is not. Neither is the mere act of configuring a firewall ("mere operation of these controls").

    Deciding how to secure a data center environment, what to secure, what controls/tools to use and getting your engineers to roll them out is ( "work requiring the exercise of judgment", "management decision making", "supervision of work of others").

    So in the resume, we need to demonstrate that we are exercising our professional experience and not merely following established processes. i.e. do you follow procedures or do you manage the process?

    Which is why I always tell others that the CISSP is a management exam.
    You provided a concrete description of the distinctions that I was attempting to convey by quoting from the source.

    Bravo! ;)
  • Mike7 Member Posts: 1,107
    So someone could be a Security Engineer for 10 years, setting up anti-virus systems, working on configuring firewalls, using tools to analyze logs and packets for incidents, managing access to systems... but still not be able to get the CISSP? Just surprises me. Guess I will just be an Associate for a while when I pass the test in a few months then.


    That security engineer should be senior security engineer by say year 5; i.e. he is able to manage, make security-related decisions and advise junior engineers. :)

    Have you passed your Security+? That qualifies for 1 year experience waiver, so you need 4 years of cumulative experience.
    You can get ISC2 to endorse (aka audit) you. I will not endorse you.
    If ISC2 deems your experience insufficient, you will be an associate and have 6 years to earn the necessary experience.
  • nk_vn Member Posts: 38
    By the way, from what I have noticed, ISC(2) requests that you use the option to be endorsed by them ONLY if you don't have anyone to endorse you.

    <RANT>
    Most of the CISSP certified people that I know certainly DO NOT qualify for the credential. They have twisted their experience in a way that gets them certified. Way too much cheating, encouraged by both ISC(2) and employers. Associate? Who would consider an Associate to be a serious job candidate? I keep seeing CISSPs who are plain incompetent and unable to provide service without being guided, and have NO ethics.

    This credential has been downgraded to a simple door holder, and nothing else. And everybody seems to be happy with this status quo.
    </RANT>
  • beads Member Posts: 1,531
    nk_vn wrote: »
    I would challenge this. Applying patches and SSL certs installation are purely operational things, and not necessarily security related. Every click monkey can install patches and point the configuration to the cert file. I would consider security-related work to be dealing with configuration/change management process (which includes patching) and designing/deploying an entire PKI (not just getting a cert from Godaddy and using it).

    If we follow this line of thought, setting up the wireless encryption for SOHO routers (i.e. setting a password and selecting WPA2) is also security-related work. Same applies to installing OS on one of these awful pseudo-RAID-capable commodity motherboards. To me security-related work means doing a task with security being the PRIMARY consideration, not just the coincidence of using a technology that happens to be mentioned in some CISSP domain. This is one of the reasons that stops me from using my 10+ years of experience for CISSP endorsement. I did lots of stuff, especially in networking which is huge part of the CBK, but I never had security as the primary work consideration. Security was in many cases something that was in the way, and ended with having non-trivial password and using SSH instead of Telnet (not always).

    Please correct me if I am wrong, I would be extremely happy to stand corrected here.

    It took how many years to select SOHO equipment? Five years of diddling with stuff at home isn't exactly a well thought out qualifier. The idea is behind this was you were at least working with security concepts during the course of your normal work load, you know... at work. The place that supposedly pays you money to perform IT and security related tasks?

    I know the (ISC)2 is primarily concerned with cranking out newly minted members at nearly any costs but c'mon, now.

    - b/eads
  • beads Member Posts: 1,531
    Personally, I don't know why people hold the CISSP up on a pedestal to begin with. It is a certification that covers a very broad range of topics and doesn't go very deep into any of them. Granted, I've only been studying for it for a couple of weeks, but that is how I feel. Maybe because the wording of questions in the exam can be difficult and requires some thought?

    I know people won't agree with my studying strategy (studying 2 subjects at the same time), but I'm even taking 1 or 2 days out a week from my CISSP studying to study for the Wireshark Certification. I find it more interesting and think knowing that information will help me more. Then why not just schedule the CISSP earlier, you ask? Because I don't like to cram information day after day after day on one topic into my head. Just how I am...

    All I know is that the CISSP will look 100 times better than WCNA to companies on my resume though... I agree that it is a "door holder"

    When the certification was first thought out there was nothing like it: no books, no web sites. Security was a very obscure, back-in-the-corner-of-the-shop afterthought. We had to literally be the Jack-of-all-trades types. Most of us had full time jobs as Sys Admins, and the exam reflects its origins. You needed a broad but shallow set of skills and the ability to figure almost anything out on your own, any time of the day, seven days a week, etc.

    Because of certification inflation and demand, and the (ISC)2's need to crank out as many CISSPs as they can, you now have a very weak certification with little actual bearing on what is really needed in the industry.

    Hence why I started stratifying CISSPs by certification number many years ago. I say much the same about many other certs as well, not that I am picking on any one particular authority.

    http://attrition.org/security/conferences/why_you_should_not_get_a_CISSP-public.pdf

    It's not what you think, lol.

    -b/eads
  • justjen Member Posts: 77
    While my professional career spans decades, I submitted only the last six years as a full-time information security professional for my CISSP endorsement - to facilitate the qualifications review process. And, IMHO, most Codes of Ethics/Codes of Conduct promulgated by certification bodies set a fairly low bar. I don't know - maybe I chose the wrong line of work. I believe in honesty, integrity ... and apple pie (particularly ala mode). ;)

    For Enterprise and Department ISO positions with my current employer, the CISSP may meet the requirement for professional certification, and other certifications may also be considered acceptable. Depending on the level of ISO responsibility, an entry-level applicant is required to have (at the time of application), working knowledge and experience in 3 of the 10 security domains, with the most senior level requiring the same for 8 of the 10 security domains.

    FWIW, my colleagues would be amused that in a different context, I am apparently at least somewhat idealistic - not the clear-eyed pragmatist they see. [What I do know - I am NOT a number!]
  • Mike7 Member Posts: 1,107
    beads wrote: »
    Because of certification inflation and demand and the (ISC)2's need to crank out as many CISSPs as they can you now have a very weak certification with little actual bearing to what is really needed in the industry.
    ISC2 does have the SSCP and CISSP Associate, but HR...
    I just wish every other damn security job didn't put it as requirement or preferred cert, or I wouldn't even be going for it right now...

    Look at this position for Infrastructure Technology Specialist
    1) At least a Bachelor's Degree with 3 -7 years experience....
    2) the candidate must have to be willing to obtain all of the following certifications - GIAC GXPN, GEPN, GCIH, CISSP and CEH
    Reality
    I think there are other certifications that would be better worth my time in regards to what would help me on a job at this point in my career. Unfortunately, though, this is what is needed to get those interviews I'm craving.
    Infosec is everywhere. I dare say that if someone has the experience, passing the CISSP is easy.

    The good thing about different infosec exams is that the subject areas overlap. Almost all of them will cover the CIA triad, crypto.
    And among all the infosec certs, CISSP probably covers the most domains.
    The knowledge is useful. And if your CISSP knowledge is solid, passing other infosec exams becomes easier.

    Go for CISSP more for the journey. Let the knowledge sink in. Be one with the force. :D