Question about CISSP experience

These will probably sound dumb but I don't want to waste my time studying if I don't have the required experience.
First, I worked as Division security during my stint in the Army. Patrolling the grounds, checking IDs, etc. Do you think that would count towards the Security Operations domain (which includes physical security)?
Next, I also used to work in healthcare in radiology. A huge part of that job was HIPAA compliance. Essentially protecting patient records and exam images. Do you think that would count towards the domain Asset Security (which includes data privacy)?
I currently work in Information Security but I have only been in the field for 10 months. I already have my Security+ but I would like to get my CISSP for marketability purposes.
Comments
In that example above, with your 10 months of experience, Sec+, and another technician-level infosec cert instead of CISSP, I would consider you as a potential hire as a Jr Security Analyst. But it's a mistake to think a CISSP helps you if you don't have the experience to back it up.
As for the examples you gave and whether or not they qualify:
Physical security: Maybe. I don't think it's strong enough. If you didn't make facility design or physical security policy or countermeasures decisions, or inspect for compliance with physical security requirements (fire systems, alarms, locking mechanisms, HVAC, lighting, location, etc), or coordinate red team exercises to ensure effectiveness, things like that, then you'll have a hard time qualifying your experience as valid with ISC2.
The second example you gave sounds like you basically followed HIPAA rules while performing medical duties. You weren't identifying or implementing admin or technical security controls to protect PHI at rest, in transit, DLP, data classification, access control, etc. A medical professional isn't halfway toward meeting the CISSP experience requirement just because they follow HIPAA regulations.
My advice is forget about CISSP until you have at least 4 years of infosec experience, in the meantime there are much, much more relevant certs for the jobs you qualify for (SSCP, GSEC, GCIH, CASP).
Connect with me on LinkedIn https://www.linkedin.com/in/myerscraig
Actually, if you have to become an associate, your title will be Associate of (ISC)2, not Associate of CISSP. As an associate, you aren't allowed to use the term CISSP anywhere, even on your resume.
Your second experience... HIPAA as in you were actually protecting the information with ACLs and other measures, or they were on the system you just happened to log into... that experience would be weak at best as it's not really INFORMATION SECURITY.
You cannot list CISSP if you don't have the experience requirement, so marketability is out the window and, as said, you cannot infer that you passed the exam either... not to mention you probably have nowhere near the knowledge to pass at this point. You would be better off trying to get SSCP or something along those lines that you can actually list.
It depends. It won't get you through crap HR filters, but a hiring manager who knows what the (ISC)2 certifications are will give it some credit.
https://www.isc2.org/cissp-how-to-certify.aspx
When looking for a junior analyst I do prefer to see the SSCP. A CISSP may get you turned in to the now standing ethics committee.
The cheaters only make the certificate less desirable over time.
- b/eads
I'm the hiring manager for infosec positions in my company. Suppose I'm hiring for a senior technical position that will have significant authority for making tactical decisions, and requires broad understanding of other functions in our security department, in IT, and with business units. So based on that I list CISSP as a desired qualification, but more importantly I want someone with at least 5 years of experience in infosec.
I get 3 resumes from the recruiter. Resume 1 is for someone with 2 years in infosec and Associate of ISC2. Resume 2 is for someone with 4 years infosec exp, Sec+, and CISSP. Resume 3 has 8 years infosec exp, no CISSP or Associate of ISC2.
Resume 1 guy's resume is sent back to HR to keep on file for when we need a lower-level position filled.
Resume 2 and 3 get interviewed. Resume 3 gives better interviews. Job is offered to Resume 3.
Hope this gives you some perspective.
Not all experience is the same.
First of all, the example I gave was a hypothetical example, not a rule. There are a lot of factors that go into a hiring decision, you're missing the point if you read that hypothetical example as me saying "certs are worthless". You can see I have a few certs of my own.
My point was that certs are but one factor in a hiring decision, that a CISSP has more weight than Associate of ISC2, and that relevant experience can and usually does trump certifications.
Knowledge of a field does not equate to effectiveness in the job either. You can be an infosec expert that can sit any exam you throw at them with no notice and pass, but they may have a lousy work ethic, be hard to work with, not understand how security risk impacts their company's business, lack communication skills, lack project management/problem solving skills, can't lead/follow, don't play well with others, or just plain can't apply their vast knowledge in a work environment.
Also, in the hiring process you don't look for years of experience and just stop there, obviously. You find out what they did and what they accomplished during those years.
The best indicator of future performance is past performance.
Your assertion is really for the hiring manager to determine the quality of the experience and how it relates to the position at hand. It's simply a matter of relevance. You're confusing quantitative for qualitative in your analysis.
- b/eads
It's in the Bylaws and in the agreement you sign for the SSCP if I recall correctly, but it most certainly is there. Here's your acid test. Obtain the SSCP and your certification number, then call the ISC(2) and ask for a verification as a CISSP and see what they have to say on the matter.
- b/eads
lol, yea... Here is the page that I was told says the exact rules on it:
https://www.isc2.org/logo-usage-guidelines/default.aspx
I even created an account to see if I could access it after that, but apparently you must have purchased an exam or passed a test to access it, because I still get a "you don't have access to this page" error message... Guess they think if you haven't earned it you don't need to know the rules for it! But here is the exact wording on it (thank you renacido for this):
"Associates of (ISC)² are NOT certified and may not use any Logo or description other than "Associate of (ISC)²". Under no circumstances may they identify which exam they have successfully passed or use any Logo, other than "Associate of (ISC)²", in any manner. Failure to abide by this rule may result in the candidate being prohibited from ever attaining any (ISC)² certification."
So I CAN use the logo? It's not very clear...
From your experience I think you should take the SSCP from ISC2. From their site one year of cumulative work experience in one or more of the seven domains of the CBK is required. As others have said you can't say anything about you being a CISSP or passing the CISSP until they approve your endorsement by a CISSP.
You could also try for CompTIA's CASP, that one doesn't have hard requirements merely recommendations.
CASP is reasonable though, since it is more technical, and would complete the CompTIA path. I may do that in the interim to pass the time.
I have a few questions regarding the professional experience. In the steps for certification, is it correct to say that you need to obtain the required 5 years of experience in 2 or more of the 8 domains first before you are allowed to register for the exam? The reason I ask is because there are a lot of candidates that are still missing the required 5 years of experience after passing the exam. What if I have 2 years of experience in 2 of the domains and I decide to take the exam? If I pass the exam, can I become an associate and complete the 3 years of experience after?
Please see below for the basis of my question.
5. Complete the Endorsement Process
Once you are notified that you have successfully passed the examination, you will be required to have your application endorsed before the credential can be awarded. An endorsement form for this purpose must be completed and signed by an (ISC)² certified professional who is an active member, and who is able to attest to your professional experience. With the Endorsement Time limit, you are required to become certified within 9 months of the date of your exam OR become an Associate of (ISC)². If you do not become certified or an Associate of (ISC)² within nine (9) months of the date of your exam you will be required to retake the exam in order to become certified. (ISC)² can act as an endorser for you if you cannot find a certified individual to act as one. Please refer to the Endorsement Assistance Guidelines for additional information about the endorsement requirements.
Thanks all!
Details: https://www.isc2.org/associate/default.aspx