Military Experience for CISM Requirement

amicmanzo Member Posts: 27
Afternoon. As I'm searching and reading through the ISACA website regarding the experience requirements, I feel a little baffled about whether my experience within the military suffices to get certified. Would anyone be able to share their insight? I have three years of Incident Response and three years of penetration testing. Of course both entail information security, network security, and so on, but how would I be able to submit my eligibility? I will also be taking my capstone for my MS in Cybersecurity at the end of this month. Much appreciated!

Comments

  • zeroG Member Posts: 14
    amicmanzo wrote: »
    Afternoon. As I'm searching and reading through the ISACA website regarding the experience requirements, I feel a little baffled about whether my experience within the military suffices to get certified. Would anyone be able to share their insight? I have three years of Incident Response and three years of penetration testing. Of course both entail information security, network security, and so on, but how would I be able to submit my eligibility?

    If I were in your shoes, after successfully passing the exam I'd submit the application with the military experience as if it were "real world" working experience. After all, you did work in this area of expertise, didn't you? The person who is (or used to be) your supervisor should be able to verify and confirm your experience. As I just filled in my CRISC application, a supervising position for the verifier isn't mandatory. It could be a coworker/colleague who can testify to your experience. Good luck!
  • jcundiff Member Posts: 486
    Hate to be a downer, but Incident Response and Pen testing do not equal InfoSec management experience. How many resources did you manage in the service?

    From ISACA web site:

    "Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the 10-year period preceding the application date for certification or within 5 years from the date of originally passing the exam.

    Experience Substitutions
    The following security-related certifications and information systems management experience can be used to satisfy the indicated amount of information security work experience.
    Two Years:
    • Certified Information Systems Auditor (CISA) in good standing
    • Certified Information Systems Security Professional (CISSP) in good standing
    • Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)
    One Year:
    • One full year of information systems management experience
    • One full year of general security management experience
    • Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
    • Completion of an information security management program at an institution aligned with the Model Curriculum
    The experience substitutions will not satisfy any portion of the 3-year information security management work experience requirement.

    Exception: Two years as a full-time university instructor teaching the management of information security can be substituted for every 1 year of information security experience."

    Incident Response = Domain 4
    Pen Testing = (Loosely) Domain 2

    So while you have the time, you don't have experience in 3 of the 4 domains.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • amicmanzo Member Posts: 27
    jcundiff wrote: »
    Hate to be a downer, but Incident Response and Pen testing do not equal InfoSec management experience. How many resources did you manage in the service?

    From ISACA web site:

    "Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the 10-year period preceding the application date for certification or within 5 years from the date of originally passing the exam.

    Experience Substitutions
    The following security-related certifications and information systems management experience can be used to satisfy the indicated amount of information security work experience.
    Two Years:
    • Certified Information Systems Auditor (CISA) in good standing
    • Certified Information Systems Security Professional (CISSP) in good standing
    • Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)
    One Year:
    • One full year of information systems management experience
    • One full year of general security management experience
    • Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
    • Completion of an information security management program at an institution aligned with the Model Curriculum
    The experience substitutions will not satisfy any portion of the 3-year information security management work experience requirement.

    Exception: Two years as a full-time university instructor teaching the management of information security can be substituted for every 1 year of information security experience."

    Incident Response = Domain 4
    Pen Testing = (Loosely) Domain 2

    So while you have the time, you don't have experience in 3 of the 4 domains.

    That's what I was kind of afraid to hear. I mean, I don't necessarily have to have this cert anytime soon, but I thought it'd be worth challenging while I'm waiting to get out. For the post-graduate degree and the SANS cert I have, doesn't that equate to 2 years' worth of substitution? Not sure how that really works. Do you recommend that my next route is to challenge the CISSP then?
    When you say resources, do you mean personnel, classified material, and infrastructure?
    I really appreciate your response.
  • jcundiff Member Posts: 486
    CISSP would be my recommendation. Resources = troops.

    That substitution is for security experience; there is no substitution allowed for management experience for CISM.

    "The experience substitutions will not satisfy any portion of the 3-year information security management work experience requirement."

    If you are not already signed up for it, register for FedVTE (https://fedvte.usalearning.gov/). Lots of great FREE training there for us prior service guys (and gals) :)
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • Amars663 Registered Users Posts: 1
    I suggest taking a look at the application yourself and determining which domains your experience falls within. That will give you a true understanding of whether or not you would meet the requirements. Good luck!

    Apply for CISM Certification
  • zeroG Member Posts: 14
    jcundiff wrote: »
    Hate to be a downer, but Incident Response and Pen testing do not equal InfoSec management experience.

    This might be an issue, indeed.
    @amicmanzo: As I understand, you didn't register for the exam yet, right?
    Maybe you should go for the CISA first. CISSP requires more extensive preparation, but the certification is more valuable. Since I aim for the ISO 27001 LA next, I'm not aware of the CISSP requirements right now, so you may want to check them first.
  • amicmanzo Member Posts: 27
    In regards to resources, I've been a Senior Digital Forensic Analyst in charge of 17 personnel, a team lead of 20, and technical lead of smaller groups during IR missions. Are these not valid enough?
  • jcundiff Member Posts: 486
    I think you will need to have actually had a manager title vs the team lead/technical lead title/roles, unfortunately. Take the exam, pass, submit, and roll the dice with ISACA. You definitely have the required experience for the CISSP.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • jcundiff Member Posts: 486
    Did you have any P&L responsibilities in those roles?
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • TranceSoulBrother Member Posts: 215
    amicmanzo,
    I would roll the dice.
    We, in the military, might have titles like commo chief, team leader, or shift supervisor, but you would definitely be a manager since you're dealing with personnel issues, scheduling, managing resources, and such.
    While I haven't been a civilian in a hot minute, I can't think that what you're doing wouldn't be considered in line with what a civilian manager would be charged with and qualify for CISM.
    Take the test, get someone to endorse your experience and let ISACA decide.
  • xxxkaliboyxxx Member Posts: 466
    amicmanzo wrote: »
    In regards to resources, I've been a Senior Digital Forensic Analyst in charge of 17 personnel, a team lead of 20, and technical lead of smaller groups during IR missions. Are these not valid enough?

    So, we military guys can tell if you were in a manager-type role or just in a leadership position; yes, there is a difference. Sounds like you were just the team leader type of guy or the senior/most competent. A manager would be the OIC of your shop, aka your boss.

    With that said, civilians do not know the difference either way. Phrase your words directly and I don't see why you wouldn't get by with a little play on words.
    Studying: GPEN
    Reading: SANS SEC560
    Upcoming Exam: GPEN
  • jcundiff Member Posts: 486
    xxxkaliboyxxx wrote: »
    So, we military guys can tell if you were in a manager-type role or just in a leadership position; yes, there is a difference. Sounds like you were just the team leader type of guy or the senior/most competent. A manager would be the OIC of your shop, aka your boss.

    With that said, civilians do not know the difference either way. Phrase your words directly and I don't see why you wouldn't get by with a little play on words.

    That's the way I read it as well.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • amicmanzo Member Posts: 27
    jcundiff wrote: »
    Did you have any P&L responsibilities in those roles?

    The only thing that I can potentially relate to that is a training budget, i.e. TAD to classes/certifications and equipment; other than that, nothing much.
    But thanks for all the informative posts, everyone. I think I might just hold this certification for later down the road and challenge the CISSP first.