Newbie to CISSP: Question about applicant requirement &

rbhatia6rbhatia6 Member Posts: 6 ■□□□□□□□□□
Hello,

I am a newbie to CISSP. My 9 yrs IT experience has been in the field of Operations Management, Project Management, applications development & support.

I also have MS Comp Sc & MBA degrees, and PMI PMP, and ITIL Service Management Foundations certifications.

Although I do not have direct security experience, I have had small security experiences while dealing with applications development and support.

Do you think I should study and try for CISSP certification? I am very enthusiastic for trying toward it and am confident that after studying for it thoroughly, I will have a good shot at it.

Please let me know what you think.

Tx,
Rajesh

Comments

  • SlowhandSlowhand MCSE: Cloud Platform and Infrastructure, MCSA: Windows Server 2003/2012/2016, CCNA Routing & Switchi Bay Area, CaliforniaMod Posts: 5,163 Mod
    Do you meet the requirements to be eligible to take the CISSP exam?

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • rbhatia6rbhatia6 Member Posts: 6 ■□□□□□□□□□
    I do not meet the professional requirements. So, I am planning to take the Associates exam.
  • keatronkeatron Security Tinkerer Member Posts: 1,213 ■■■■■■□□□□
    rbhatia6 wrote:
    Hello,
    Do you think I should study and try for CISSP certification? I am very enthusiastic for trying toward it and am confident that after studying for it thoroughly, I will have a good shot at it.

    Please let me know what you think.

    Tx,
    Rajesh

    I guess you should ask yourself why not.
  • rbhatia6rbhatia6 Member Posts: 6 ■□□□□□□□□□
    That is exactly my question. Although I do want to take it, I just want some feedback on how it can help me in my career.

    Any advice will be greatly appreciated.

    Tx,
    Rajesh
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 11,886 Admin
    In my opinion, having the Associate of the (ISC)2 certification will do nothing for your career unless you have information security-related experience too. If you are interested in an information security specialization, look at the CompTIA Security+ certification as an example of the type of subjects that you will be studying. Also consider studying for the (ISC)2 SSCP exam as preparation for one day sitting for the CISSP exam.
  • TBLTZTBLTZ Member Posts: 49 ■■□□□□□□□□
    Are these CISSP requirements checked by anyone? Or can you just go and take the exam?
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 11,886 Admin
    TBLTZ wrote:
    Are these CISSP requirements checked by anyone? Or can you just go and take the exam?
    Looking at the CISSP How to Certify page, I would guess that if you sign an affidavit attesting to having experience that you do not really possess, you will be breaking the (ISC)2 Code of Ethics. You'll be able to take the exam, but you'll fail the post-exam audit and won't receive the certification regardless if you pass the exam.
  • TBLTZTBLTZ Member Posts: 49 ■■□□□□□□□□
    What types of security work can you perform that make you eligible to take the test?

    If you are in charge of network security will that let you take the test? What about software security?
  • SlowhandSlowhand MCSE: Cloud Platform and Infrastructure, MCSA: Windows Server 2003/2012/2016, CCNA Routing & Switchi Bay Area, CaliforniaMod Posts: 5,163 Mod
    TBLTZ wrote:
    What types of security work can you perform that make you eligible to take the test?

    If you are in charge of network security will that let you take the test? What about software security?

    Again, take a look at the requirements for the CISSP on the (ISC)2 website, and see if your particular experience falls in any of the security domains in the Common Body of Knowledge. It's always a good idea to familiarize yourself with the site of the vendor you're planning on taking a cert with. In this case, read through as much information on the (ISC)2 website as you can, so you'll get a better idea of what you need to pass the test.
  • keatronkeatron Security Tinkerer Member Posts: 1,213 ■■■■■■□□□□
    JDMurray wrote:
    TBLTZ wrote:
    Are these CISSP requirements checked by anyone? Or can you just go and take the exam?
    Looking at the CISSP How to Certify page, I would guess that if you sign an affidavit attesting to having experience that you do not really possess, you will be breaking the (ISC)2 Code of Ethics. You'll be able to take the exam, but you'll fail the post-exam audit and won't receive the certification regardless if you pass the exam.

    Exactly. So you'll waste the $500. You won't get the certification, and once you're caught fabricating your app, you will probably never be allowed to take it again.
  • milliampmilliamp Member Posts: 135
    Eligible professional experience listed here
  • silentc1015silentc1015 Member Posts: 128
    TBLTZ wrote:
    Are these CISSP requirements checked by anyone? Or can you just go and take the exam?

    If you pass there's also a good chance of being audited. I wasn't audited, but it seems like a high number of people are.
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 11,886 Admin
    milliamp wrote:
    I am a little surprised they list Security+ but not CEH).
    They probably accept Security+ because that helps the DoD people who by DoD Directive 8570.1 need to acquire both Security+ and the CISSP. Heck, they even accept the MCSA without also having a Security+. Now what's up with that?
  • TBLTZTBLTZ Member Posts: 49 ■■□□□□□□□□
    milliamp wrote:
    Eligible professional experience listed here

    And your job title and responsibilities do not have to _only_ involve security, it can also be consultant, engineer, administrator etc.

    If your title is "Sr network architect" or something they are not going to come back and complain because it does not have security in the title.

    It is basically any role that makes decisions involving security (rather than just acting on someone else's decisions).

    Also, along with education, they will sub 1 year for holding one or more of these certifications. (I am a little surprised they list Security+ but not CEH).

    I hope that helps.

    I think this answered my question. I am an IT manager I do make decisions about security such as firewalls and security strategies. So I do make decisions about security. So this would allow me to take this certification.
  • rbhatia6rbhatia6 Member Posts: 6 ■□□□□□□□□□
    A question: Over the 9 yrs of my experience, I have implemented and made decisions on application security like LDAP authentication and database-level security like views, etc.

    Do these count toward the security requirements of CISSP?

    Tx,
    Rajesh
  • rbhatia6rbhatia6 Member Posts: 6 ■□□□□□□□□□
    A question: Over the 9 yrs of my experience, I have implemented and made decisions on application security like LDAP authentication and database-level security like views, etc.

    Do these count toward the security requirements of CISSP?

    Tx,
    Rajesh
  • rbhatia6rbhatia6 Member Posts: 6 ■□□□□□□□□□
    A question: Over the 9 yrs of my experience, I have implemented and made decisions on application security like LDAP authentication and database-level security like views, etc.

    Do these count toward the security requirements of CISSP?

    Tx,
    Rajesh
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 11,886 Admin
    rbhatia6, duplicate postings are not necessary or useful.

    I would suggest that you'd be best to email [email protected] when needing detailed questions such as these answered.
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    JDMurray wrote:
    I would suggest that you'd be best to email [email protected] when needing detailed questions such as these answered.
    Is that a new email address specifically for the purpose of getting detailed questions answered? Because when I had contact with ISC2 about a year ago, they were very helpful, but getting your experience reviewed 'before' you take the exam is not an option.

    The thing with the CISSP is that if you have the required experience, you'll likely know you do. If you doubt your experience really is entirely as a full time security professional, then it's probably not.
    rbhatia6 wrote:
    Over the 9 yrs of my experience, I have implemented and made decisions on application security like LDAP authentication and database-level security like views, etc.
    Were you working as a full time security professional, also by title? If that's not the case, it probably doesn't apply.

    When you find yourself trying to meet the requirement by adding up all sorts of security related 'tasks' you did during your career, you pretty much know you don't meet the requirements.

    At that point, you could consider the SSCP, or the Associate exam, but the best thing to do imo is to get that full-time job as a security professional (which certainly isn't impossible 'before' you are a CISSP). By the time you're close enough to the required experience, the fact that you are currently working as a security professional will make the odds of getting certain security experience from the past accepted as relevant experience much better.

    Last but not least, the CISSP is not meant for those who want to 'get into security' but for those who already are (or have been) and want to advance.
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 11,886 Admin
    Webmaster wrote:
    Is that a new email address specifically for the purpose of getting detailed questions answered? Because when I had contact with ISC2 about a year ago, they were very helpful, but getting your experience reviewed 'before' you take the exam is not an option.
    That seems to be the email address on their contact page that is used for questions about the qualifications of the (ISC)2 exams.

    Contact (ISC)2 Page
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    I'm pretty sure they'll only answer basic questions, basically what you can find online already. Unless perhaps when the experience is obviously relevant. I think this has to do with not giving any hopes nor promises in case the candidate gets reviewed. ("I called up front and they told me it did apply as relevant experience!")

    Also considering the Sticky just posted by Keatron (about the CISSP requirement changes), I think the best way to figure out whether your experience applies is to ask that CISSP in good standing you now need to know anyway.
  • keatronkeatron Security Tinkerer Member Posts: 1,213 ■■■■■■□□□□
    Webmaster wrote:
    I'm pretty sure they'll only answer basic questions, basically what you can find online already. Unless perhaps when the experience is obviously relevant. I think this has to do with not giving any hopes nor promises in case the candidate gets reviewed. ("I called up front and they told me it did apply as relevant experience!")

    Also considering the Sticky just posted by Keatron (about the CISSP requirement changes), I think the best way to figure out whether your experience applies is to ask that CISSP in good standing you now need to know anyway.

    To be quite honest, if you read the requirements posted on the ISC2 web site, and you have to ask yourself "am I qualified", then the first action should be to ask them directly. And Johan has an even better solution: ask the CISSP (which now is your only option for endorsement) who's going to be endorsing you. Also as an aside, it'll probably be harder now to get a CISSP to endorse you if they're not sure of your experience. Because there will soon be an announcement to all existing CISSPs warning that if you endorse a candidate and they fail the audit, then you will most likely lose your certification as well. This will help with the inevitable trickle of people beginning to offer to pay existing CISSPs for endorsements. I've already been approached several times by people who I don't know from Opie. It might sound harsh, but the code of ethics is quite clear. Also, it should be pointed out that your endorsement has to come from a CISSP "in good standing".

    Him/Her: "I know you're a CISSP, since I took your CISSP class, will you endorse me"

    Me, in the voice of Bill Lumbergh from office space: "Ahhhh yeahh, I'm going to go ahead and ask you to ask another CISSP, someone who actually knows you and can vouch for all that security experience you have on your resume. If you could go ahead and do that for me that'd be great.....yeahh."

    A few things have been key in leading to this.

    1. People have been failing the audits at an alarming rate over the last 2 years.

    2. People who are obviously not qualified have been trying to push through on "security experience" that's in nice terms "questionable". Imagine an office knowledge worker trying to sit the CISSP to move from office manager role to a role in the IT security department (because all of us here know that IT is where the money is right???), so they apply for the CISSP citing their security experience as "making sure people have their name badges on when they come into the office" and "making sure all of our word documents are password protected".

    3. The buddy system. "Hey we're buds, I'm a CISSP, you wanna be one too? I know you don't have any security experience, but I'll endorse you dude. Yeah. Cause we're buds" (in the voice of Napoleon Dynamite).

    4. Clueless HR people (most are not, but some are). I think I've already mentioned in previous posts where HR posts job ads for a position like help desk technician and have CISSP listed as a requirement. Just because they heard from someone they know in IT that CISSP is the best "computer" certification to have.

    I know it seems a little extreme and might be even a little unfair to the people just approaching their 4 year date, but I seriously believe it is a sincere move by ISC2 to maintain the integrity of the CISSP.

    Keatron.
  • drakhan2002drakhan2002 Member Posts: 111
    keatron wrote:
    (because all of us here know that IT is where the money is right???)

    I almost laughed out loud when I read that! Good one.
    It's not the moments of pleasure, it's the hours of pursuit...
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    keatron wrote:
    I know it seems a little extreme and might be even a little unfair to the people just approaching their 4 year date...
    I can imagine they don't 'entirely' consider it as just good news, but I think most of them will agree it's better for the cert they want to get, so better for them. Also, if you do have 4 or close to 4 years of relevant experience, getting a job to get the remaining experience should be relatively easy considering the demand for security professionals. See my question for Keatron in this topic for another suggestion for those who are close to meeting the previous requirements:
    www.techexams.net/forums/viewtopic.php?p=144438#144438