lakhilove wrote: » I have gone through the ISC2 web site before. I can certainly fulfill 2 domains, but my concern is, as I am not directly a security guy, how will I fulfill the endorsement, and how will I find a CISSP member who will recommend me for endorsement?
Mike7 wrote: » You can get ISC2 to endorse you. I took that option. As for relevant experience, some of what you do at work qualifies. Highlight the security-related tasks in your endorsement resume: applying patches, SSL cert installation, network switch MAC address filters, 802.1X configuration...
nk_vn wrote: » I would challenge this. Applying patches and SSL cert installation are purely operational things, and not necessarily security related. To me, security-related work means doing a task with security being the PRIMARY consideration. I did lots of stuff, especially in networking, which is a huge part of the CBK, but I never had security as the primary work consideration. Please correct me if I am wrong; I would be extremely happy to stand corrected here.
Mike7 wrote: » I am not the one doing the endorsing process, so....
2) Configure web server to support and favor PFS (perfect forward secrecy) ciphers
3) Enable TLS 1.2, disable SSL v3
4) Disable weak ciphers, i.e. RC4, 3DES, DHE
5) Configure ciphers as per PCI-DSS requirements
We actually did some of the above well before any security vulnerabilities were flagged. So we were not affected by POODLE, LogJam...
nk_vn wrote: » All of the above can be under the "system hardening" umbrella, IMO. The main question is: did you do this ALL THE TIME, or just, say, every now and then? Does "every now and then" satisfy the requirement? If you spent a total of 1 week on system hardening in your entire 5-year career, does that qualify you as having worked in a security-related role?
Mike7 wrote: » Guess it depends on how the tasks are described when submitting the endorsement form. Someone who puts "install SSL cert" does not qualify. A person who mentions the above considerations when installing SSL demonstrates that he has the necessary competence. And I expect someone who passes the CISSP to "get it" and fill it in accordingly.
nk_vn wrote: » You can always word your experience in a way that suits you best for the purpose. If you simply want to get your cert, you can bend and twist it any way you want. I am sure that I can easily describe the role of a (physical) security guard in a way that will satisfy CISSP. Apparently it all boils down to how serious you are about the ethics of the entire process. Maybe I am overthinking it. My friends and colleagues are laughing at me (but they also do it for many other ethics-related things). I bet that hardly anyone ever had a full-time ONLY security-related job before getting his CISSP (apart from, say, firewall admins). Most people wear many hats in their work, and security is only one of them...
nk_vn wrote: » This is one of the reasons that stop me from using my 10+ years of experience for CISSP endorsement. I did lots of stuff, especially in networking, which is a huge part of the CBK, but I never had security as the primary work consideration. Please correct me if I am wrong; I would be extremely happy to stand corrected here.
Mike7 wrote: » UTM firewall admin, which I also do, is just one of the domains. The requirement is for a minimum of five years' cumulative paid full-time work experience in two or more of the 8 domains. Note the emphasis on cumulative.
My endorsement was done by ISC2 and not by a helpful CISSP friend. This is as good as having an audit. If ISC2 deems it insufficient, they can award CISSP Associate. I applied for the 1-year waiver with my Security+, MCSA and MCSE certs, and submitted the application listing my last 7 years' experience. I have 15+ years of IT experience.
lakhilove wrote: » I have been a system/network administrator for the last 15 years, managing, configuring, updating and all related systems admin tasks, and I have a bachelor's in CS and a master's in Tech Management. My question is: will I be able to appear for the CISSP exam, and how can I satisfy the endorsement process, as I don't have direct experience with security but I manage and secure all types of networks and systems, HTTPS, SSL, SSH and all types of encryption etc.? Finally, how will the CISSP help me in finding a job?
lakhilove wrote: » Can I ask, as I do the same system admin and firewall admin work (Checkpoint and Cisco ASR) and all the security stuff, as I am working in a medium-size org, can I get sample points to follow for the endorsement process?
justjen wrote: » My understanding is that ISC2 does review the candidate's application and endorsement package. While it is not unheard of for ISC2 to determine that an applicant does not meet the experience requirements, feel free to argue with ISC2 all you want. I've been known to argue the opposite side, to assure all angles are explored (or sometimes, just for fun).
justjen wrote: » Professional experience includes:
· Work requiring special education or intellectual attainment, usually including a liberal education or a college degree.
· Work requiring habitual memory of a body of knowledge shared with others doing similar work.
· Management.
· Supervision of the work of others while working with a minimum of supervision one's self.
· Work requiring the exercise of judgment, management decision making, and discretion.
· Requires the exercise of ethical judgment (as opposed to ethical behavior).
· Creative writing and oral communication.
· Teaching, instructing, training, and mentoring of others.
· Research and development.
· The specification and selection of controls and mechanisms (rather than the mere operation of those controls) (e.g., identification and authentication technology), but not when the basis is that of established standards or procedures.
Mike7 wrote: » Noted. We should keep this objective and civil. Just for fun.
ISC2 did my CISSP endorsement. This is equivalent to an audit. The guidelines define what professional experience is. Some of the points below highlight this definition.
Back to my earlier post about SSL ciphers. I need a good understanding of cryptography and of what the current vulnerabilities/weaknesses are (Heartbleed, LogJam, POODLE) in order to know why, what and how to do it ("body of knowledge"). Deciding on the exact secure configuration (disable RC4, disable SSL 3.0, enable TLS 1.2, configure PFS) qualifies as professional experience ("exercise of judgment", "discretion", "specification of controls"). For the engineer who applies these settings to our environment, what he did does not qualify as professional security experience.
Installing anti-virus to secure an environment is not. Neither is the mere act of configuring a firewall ("mere operation of these controls"). Deciding how to secure a data center environment, what to secure, what controls/tools to use and getting your engineers to roll them out is ("work requiring the exercise of judgment", "management decision making", "supervision of work of others").
So in the resume, we need to demonstrate that we are exercising our professional experience and not merely following established processes, i.e. do you follow procedures or do you manage the process? Which is why I always tell others that the CISSP is a management exam.
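The hardening rules Mike7 lists in his two posts (favor PFS, TLS 1.2 on, SSL v3 off, no RC4/3DES/DHE), as an added example that is not code from the thread: it audits a constructed server profile against those rules and derives the hardened profile beside it. The profile and suite names are assumptions, not a real host.

```python
# Added example, not from the thread: audit a TLS server profile against the
# rules Mike7 lists (PFS, TLS 1.2 on, SSLv3 off, no RC4/3DES/DHE) and harden it.
# Constructed sample profile of a pre-hardening server (not a real host).
SAMPLE_CONFIG = {
    "protocols": ["SSLv3", "TLSv1", "TLSv1.2"],
    "ciphers": [
        "TLS_RSA_WITH_RC4_128_SHA",               # RC4 stream cipher
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",          # 3DES, 64-bit block
        "TLS_RSA_WITH_AES_128_CBC_SHA",           # static RSA key exchange, no PFS
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",       # finite-field DHE (LogJam concern)
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # ECDHE + AEAD: keep
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",  # ECDHE + AEAD: keep
    ],
}

def suite_issue(suite):
    """Return why a cipher suite fails the policy, or None if it passes."""
    if "RC4" in suite:
        return "RC4 stream cipher is broken"
    if "3DES" in suite:
        return "3DES has a 64-bit block (weak)"
    if suite.startswith("TLS_DHE_"):
        return "finite-field DHE depends on server DH group size (LogJam); prefer ECDHE"
    if not suite.startswith("TLS_ECDHE_"):
        return "static key exchange gives no forward secrecy"
    return None

def audit(config):
    """List policy violations for a profile; an empty list means it is hardened."""
    findings = []
    if "SSLv3" in config["protocols"]:
        findings.append("SSLv3 enabled (POODLE exposure)")
    if "TLSv1.2" not in config["protocols"]:
        findings.append("TLSv1.2 not enabled")
    for suite in config["ciphers"]:
        issue = suite_issue(suite)
        if issue:
            findings.append(f"{suite}: {issue}")
    return findings

def harden(config):
    """Return the profile with SSLv3 dropped, TLSv1.2 ensured and only PFS suites kept."""
    protocols = [p for p in config["protocols"] if p != "SSLv3"]
    if "TLSv1.2" not in protocols:
        protocols.append("TLSv1.2")
    ciphers = [s for s in config["ciphers"] if suite_issue(s) is None]
    return {"protocols": protocols, "ciphers": ciphers}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG), harden(SAMPLE_CONFIG), sep="\n")
```

Running it against the sample prints five findings for the original profile and none for the hardened one, which keeps only the two ECDHE AEAD suites.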
NetworkNewb wrote: » So someone could be a Security Engineer for 10 years, setting up anti-virus systems, working on configuring firewalls, using tools to analyze logs and packets for incidents, managing access to systems... but still not be able to get the CISSP? That just surprises me. Guess I will just be an Associate for a while when I pass the test in a few months then.
nk_vn wrote: » I would challenge this. Applying patches and SSL cert installation are purely operational things, and not necessarily security related. Every click monkey can install patches and point the configuration to the cert file. I would consider security-related work to be dealing with the configuration/change management process (which includes patching) and designing/deploying an entire PKI (not just getting a cert from GoDaddy and using it). If we follow this line of thought, setting up the wireless encryption for SOHO routers (i.e. setting a password and selecting WPA2) is also security-related work. The same applies to installing an OS on one of these awful pseudo-RAID-capable commodity motherboards. To me, security-related work means doing a task with security being the PRIMARY consideration, not just the coincidence of using a technology that happens to be mentioned in some CISSP domain. This is one of the reasons that stop me from using my 10+ years of experience for CISSP endorsement. I did lots of stuff, especially in networking, which is a huge part of the CBK, but I never had security as the primary work consideration. Security was in many cases something that was in the way, and ended with having a non-trivial password and using SSH instead of Telnet (not always). Please correct me if I am wrong; I would be extremely happy to stand corrected here.
NetworkNewb wrote: » Personally, I don't know why people hold the CISSP up on a pedestal to begin with. It is a certification that covers a very broad range of topics and doesn't go very deep at all into them. Granted, I've only been studying for it for a couple of weeks, but that is how I feel. Maybe because the wording of questions in the exam can be difficult and requires some thought? I know people won't agree with my studying strategy (studying 2 subjects at the same time), but I'm even taking 1 or 2 days out a week from my CISSP studying to study for the Wireshark Certification. I find it more interesting and think it will help me more knowing that information. Then why not just schedule the CISSP earlier, you ask? Because I don't like to cram information day after day after day on one topic into my head. Just how I am... All I know is that the CISSP will look 100 times better than the WCNA to companies on my resume though... I agree that it is a "door holder".
beads wrote: » Because of certification inflation and demand, and (ISC)2's need to crank out as many CISSPs as they can, you now have a very weak certification with little actual bearing on what is really needed in the industry.
NetworkNewb wrote: » I just wish every other damn security job didn't put it as requirement or preferred cert, or I wouldn't even be going for it right now...
NetworkNewb wrote: » I think there are other certifications that would be better worth my time in regards to what would help me on a job at this point in my career. Unfortunately, though, this is what is needed to get those interviews I'm craving.