More changes to the WGU MSISA program?

colemic

Had a (previous) coworker who is also in the MSISA program say that new changes will be in effect tomorrow... from his email:

'EWB moves to having to take before program so doesn't show up on the full thing.

Drops 2nd CCNA course (2 credits). Drops the EC-Council DR course (3 credits), but adds a Risk Management (2) course...so performance assessment instead of objective. Total is now 32 credits (33 including the EWB) instead of 36.'

He sent me the new MSISA course overview PDF which confirms the changes (but is not on the site yet.) Has anyone else heard anything about this, or am I just not in the kool club?

Edit - now the updated pdf shows up for me. I seem to be a bit behind today.

tpatt100

I need to check mine, I know the EC-Council exams have been getting a lot of flack with students especially the DR one.

instant000

tpatt100 wrote: »

I need to check mine, I know the EC-Council exams have been getting a lot of flack with students especially the DR one.

Yes, from the complaints, many students feel that they're being tested against a chance they'll forget about some obscure tool on test day, and there are even some reports of questions being blatantly broken, as one guy said, if 3/50 questions are broken, you're already down 6 points, so you're 1/5 the way to failing already ... it seems kind of bogus, actually. Why not ask sound questions about the material? If you want me to think about it, require an essay. I'm studying for C|EH right now, and it does not feel difficult in the least. It just feels like I'll be memorizing a lot of material that is beyond scope of knowing "how it works" or "what it means". Of course, anything in the callouts that mentions "you better remember this" then of course I make notes for those things, but it does feel kind of bogus .

Of course, I'm not going to take it lightly, though.

There was a post on the DR test, and one student read what looked to be about 1,500 pages, plus studying everything she could find. She passed, though, and it only took three weeks, so you can't knock what works -- she said the failure reports scared her into studying all the material she could

ptilsen

I'm not in WGU or studying for C|EH, but what I've read about it is exactly what I see in here. There's a scathing sticky about it in the C|EH forum. It basically just tests obscure knowledge of obscure tools that have perfectly good man pages. Studying for it may be a valid way to gain decent exposure to those tools, but it doesn't seem like a good way to prove real skill or knowledge in the security field. WGU students' complaints seem pretty valid.

demonfurbie

i think they should change it up some more and add in the new comptia exam over the c|eh and re-tool it to were all the eccouncil certs are out of it

ptilsen

CASP wouldn't be bad at all. More GIAC certs and maybe even SSCP would be nice touches as well. It really should be certs that focus more on theory and strong conceptual knowledge than use of specific tools.

tpatt100

I think there is an over reliance on certs to be honest. There is a business side in picking the certs I am thinking which is why I see WGU choosing certs in the EC-Council side of things. EC-Council doesn't get much interest beyond the CEH and looking at the tests I don't even think EC is interested in much past the CEH.

I would prefer more labs than certs to be honest. Actual labs using the software where you have to prove you can use it.

I just checked again and my degree plan is not updated yet.

aethereos

tpatt100 wrote: »

I think there is an over reliance on certs to be honest. There is a business side in picking the certs I am thinking which is why I see WGU choosing certs in the EC-Council side of things. EC-Council doesn't get much interest beyond the CEH and looking at the tests I don't even think EC is interested in much past the CEH.

I would prefer more labs than certs to be honest. Actual labs using the software where you have to prove you can use it.

I just checked again and my degree plan is not updated yet.

I'm told you have to request to be enrolled in the new program, and only at the last month of your term.

I noticed the change two weeks ago and talked to my mentor about it, but alas I'm nearly done with the MS IA degree so I decided to just grind it out.

colemic

Well I think it's kind of sucky that they didn't announce it. I am definitely going to switch, since I have no desire for the CCNA and no background in it at all. I wish they would do away with the CEH as well... I would like to see less focus on technical, in-the-weeds certs and courses, and more higher-level security management courses.

demonfurbie

im looking into this after i finish my bs at wgu

my question to all of you is what certs/classes whould you want in this degree

personally id love to see it like this

C|eh - its a fair foundation and explanation of the tools
ITIL - most of the work in this field needs alot of documentation and project management
Linux+ - most all the pen testing/hacking tools are in linux not windows so linux+ would give you a fair foundation in linux
oscp - a real lab test environment for all the things one should learn with this degree
CASP - for the other end after oscp it covers alot of the Biz end of things

some could be swapped out for giac and a few papers/programs tossed in one on shell scripting could work as well

colemic

I would like to see it culminate in taking the CISSP/CISM. I don't think CEH should be included at all - a Master's degree should be more higher-level oriented than technical, and numerous people have criticized the CEH as being antiquated. That said, I do believe one should have a foundation in security tools, but they would be better off teaching a class for that than relying on a certification, IMO.

I would definitely, positively add a project management course, if not several. I would like to see the CAP incorporated as well, to show a true proficiency in knowledge of federal regulations, to understand the process of accreditation and the NIST guidelines.

Furbie I understand your position on wanting technical certs, but I want the MSISA to be more of a policy/framework/project management/CTO perspective, since I plan to utiilize my degree to obtain a position similar to that, versus a Master's degree in the technical aspects of security.

demonfurbie

i see it from wgus aspect, its more effective for them to have the final in a class be a certification due to testing sites/web cam test issues/cost

if they make cissp or any of the tests that have to be taken at a vendor spec. site then wgu would have to cover travel costs and test cost which would make the degree cost more.

i would like to see a prep class for cissp but no the cissp being the test at the end for it

colemic

Well it's no different than having to go to a Prometric site - WGU doesn't cover those costs. And there are multiple test locations throughout the country/world almost every weekend of the year.

Although I could see the benefit of a prep course, but then what gets dropped to make room? And would current CISSP holders be exempt from that course?

jmasterj206

It would be impossible to offer the CISSP since it requires 5 years experience. It wouldn't make a lot of sense to have a prereq to get into a program.

colemic

You don't need 5 years of experience to pass the exam.

You need 5 years of experience to become a full CISSP, but there is nothing wrong with being an associate for a while if you don't have the required experience. If you are in a master's program for information security, I think it's a relatively safe bet that you have some experience in the field.

jmasterj206

colemic wrote: »

You don't need 5 years of experience to pass the exam.

You need 5 years of experience to become a full CISSP, but there is nothing wrong with being an associate for a while if you don't have the required experience. If you are in a master's program for information security, I think it's a relatively safe bet that you have some experience in the field.

Good point, but you would still have to pay maintenance fees. I am guess there are quite a few people that would go into a Master's in Security to get into the field though. I am guessing it won't be long and there will be no certs in the Master's program. Similar to their upcoming Master's in Networking that will have no certs either.

colemic

Well, currently don't CCNA holders have to retake after 3 years? And Comptia certs require CPEs (don't know about maintenance fees), and they are part of WGU's technology core.

I don't mind certs in the program, I just want them to be appropriate for a master's program. I don't feel that CCNA is, and especially the Network+ that was required before. I would rather the focus be on a C-level since that is absolutely where I want to be in a few years, and I want to leverage that in a few years.

forestgiant

Like some here I have the CISSP and MCITP:EA but still feel my networking skills are somewhat lacking so I think the CCNA course(s) are quite useful.

However I have issues with the CEH, CHFI and EDRP, all from EC-Council. They're nitty picky for and too time consuming. I'm forced to study and memorize tons of stuffs just to pass them, but in my day to day job as an IT Manager I don't use most those (outdated) tools.

OTOH the GIAC course FYV2 (Security Policies and Standards - Compliance and Certification) and ISO-27001/27002 materials are hidden gems. Slow going at first, but the materials have really grown on me and are useful at work.

I personally would like to see the PMP exam on WGU MS ISA program --- I know the PMI requires of experience and whatnot, but the degree + PMP is quite a potent combo.

powerfool

Instead of just having one set of certifications that everyone must have (which will dilute the value of those specific certifications over time), they should give you a few options. For instance, they could just let you get credit for your CISSP (waive 1/3 of all your credits) and not need any other certifications; it would make sense, since the curriculum is geared towards it anyway.

ptilsen

To expand on that, I think there could be value to "elective" certs & classes. A degree could focus more towards one domain or several sets of domains based, and/or focus more towards technical vs management.

Overall, though, I see C|EH as a poor choice. It doesn't seem to teach or prove real skill or knowledge, and it doesn't see altogether that highly regarded by security professionals, technical or managerial.

forestgiant

I respectfully disagree that the CISSP should give one 1/3 of credits, or any graduate credit for that matter.

I got the CISSP two years before enrolling in the MS ISA program, so I can say that the exposure and experience helped me move quickly through the performance assessment courses, but in no way that I would recommend the school giving people credits based on this certification alone. I did not have to write any paper to earn the cert but thru the school I have written over 200 pages + numerous PPTs this term. The papers forced me to think very hard about the whole mile-wide-inch-deep nature of the beast. Now if someone looked down on the my CISSP, I'd give them my stack of papers and tell them have a good read!

forestgiant

ptilsen wrote: »

To expand on that, I think there could be value to "elective" certs & classes. A degree could focus more towards one domain or several sets of domains based, and/or focus more towards technical vs management.

Overall, though, I see C|EH as a poor choice. It doesn't seem to teach or prove real skill or knowledge, and it doesn't see altogether that highly regarded by security professionals, technical or managerial.

It's the nature of the beast...a business oriented degree could be MBA or MS IT, and a more technical one could be MS Computer Science. So I wouldn't try to get the MS ISA and expect it to mirror any one of those other degrees. Thoughts?

spiderjericho

As some said, it shouldn't be about certifications, but if they did map the program to several certifications, I'd definitely like: Project Management Professional Certified Information Systems Auditor CompTIA Advanced Security Practitioner CEH ITILv3 Either VMware Certified Advanced Professional or VMware Certified Design Expert The rest of the courses should be management courses. Honestly, I don't understand how WGU comes up with their certification requirements. Someone mentioned Linux+. That SHOULD be in the BS programs (regardless of the specialty). They seem too Microsoft happy. I think getting the Server, Exchange and an OS would suffice. There is no VMWare in their program, and virtualization is big now. Also, going along with that is Storage (NAS/SAN).

ptilsen

forestgiant wrote: »

It's the nature of the beast...a business oriented degree could be MBA or MS IT, and a more technical one could be MS Computer Science. So I wouldn't try to get the MS ISA and expect it to mirror any one of those other degrees. Thoughts?

Business oriented = CISSP or something of that nature. Technical oriented would be most of the GIAC certs. C|EH isn't technical or business; it's the use of specific, outdated tools. Computer science degrees don't tend to focus on teaching specific IDEs anymore than a computer security degree should focus on teaching specific security tools. It should still focus on concepts and knowledge of the underlying technology over how to use specific tools to apply the technology. If it were about solely application, it would be a degree of applied science, rather than a degree of science.

I have no problem with WGU degrees, even the Master's, revolving around certifications. I do have a problem if those certifications are more about the use of specific tools than about fundamental understanding. For example, while the MCTS and MCITP certifications do involve a certain amount of MS-specific GUI knowledge and syntax knowledge, but the largely focus on a strong understanding of how the operating system and its features work. C|EH is simply a measurement of how well you remember [x] switch for [y] command to test [z]. GIAC certs measure actual understanding of technology, as do Cisco, MS, and Comptia. CISSP, along with some GIAC certs, measure more of a theoretical, managerial, high-level understanding. Either way, both groups are valuable, depending on ones' goals. C|EH isn't valuable outside of very specific job roles.

instant000

Master's of Information Security and Assurance -- what does that mean to you? What type of skills does that mean to you? To me, it would mean knowing the regulations surrounding things like HIPAA, PCI, SOX, privacy, cyberlaw, wiretapping laws, etc.. It would also involve being familiar with standards/best practices like COBIT, ISO, PRINCE, ITIL, NIST, ANSI, etc. Also, you have to worry about stuff like physical security, audits and network perimeter security.

To me, part of securing information requires having a knowledge of how things get from one point to another, and how it's vulnerable in its various transition states.

Now, with regards to the program, it is still in its infancy, and overall, the curriculum is very strong. I remember going through "series" of classes that had issues for my bachelor's, and I just took it because it meant a degree at the end.

Now, would it be nice if there was a way to get in a few electives? Yes, indeed, it would be. However, we don't have that available to us yet. Still, we can advocate for those who come after us. Having multiple paths will help.

I find it a bit odd that the Master's in Networking wouldn't have a single cert in it. I rather dislike these Performance Assessments as it is! They're not easy, and in my case, it takes me more time to write three or four papers (each often 15-20 pages even though the instructions say 7-8 is enough) for a single class, than it does to study for and pass a single test.

Obviously, I need to work on my writing more, as I'm addicted to runon sentences; that is, I don't know how to quit when I'm ahead, and just keep piling more and more on.

Hah, did it again.

Have a nice day!

forestgiant

ptilsen wrote: »

I have no problem with WGU degrees, even the Master's, revolving around certifications. I do have a problem if those certifications are more about the use of specific tools than about fundamental understanding. For example, while the MCTS and MCITP certifications do involve a certain amount of MS-specific GUI knowledge and syntax knowledge, but the largely focus on a strong understanding of how the operating system and its features work. C|EH is simply a measurement of how well you remember [x] switch for [y] command to test [z]. GIAC certs measure actual understanding of technology, as do Cisco, MS, and Comptia. CISSP, along with some GIAC certs, measure more of a theoretical, managerial, high-level understanding. Either way, both groups are valuable, depending on ones' goals. C|EH isn't valuable outside of very specific job roles.

I think what you're referring to is an institution's growing pain. It has to find and serve a particular niche while still teaching those interested a broad and comprehensive curriculum. WGU is young by any academic standard, so while I'm disheartened at having to memorize a gazillion+1 hacking tools and their syntax under my program requirements at the moment, at least the program developers are evolving it ... that's likely the key to its success now and in the future. Other MS ISA programs are more rigid, partly out of the size and partly out of adherence (or laziness) to the "Godfather" NSA CAE. I cannot imagine many schools would dramatically change their curriculum and lose the coveted CAE status if that's what they use to market their programs.

forestgiant

colemic wrote: »

I would like to see it culminate in taking the CISSP/CISM.

Traditionally graduate degrees have either a thesis or capstone. I don't think the CISSP/CISM cut it, mostly because neither is academic by nature, also too broad and shallow. By the end of a graduate program, one is supposed to demonstrate some sort of subject mastery, and traditionally people are required to do a thesis or capstone to demonstrate either real world or theoretical application of given knowledge. The certs fail that requirement, and because they are not/cannot be granted life-time status (another marker of academic degrees), they have no place in the final stage of an academic degree.

That said, I have no problem with mapping a graduate degree to the CISSP. It's quite useful to earn a graduate degree based on real world best practices and applications. MS ISA is not a pursuit of knowledge just for the sake of doing so, but a degree created out of urgent necessity and demand for the information age. If the Neanderthal had an equivalent degree the, it'd be called MS RSA (Master of Science, Rock Security Assurance) hhahahaa.

colemic

forestgiant wrote: »

I respectfully disagree that the CISSP should give one 1/3 of credits, or any graduate credit for that matter.

I got the CISSP two years before enrolling in the MS ISA program, so I can say that the exposure and experience helped me move quickly through the performance assessment courses, but in no way that I would recommend the school giving people credits based on this certification alone. I did not have to write any paper to earn the cert but thru the school I have written over 200 pages + numerous PPTs this term. The papers forced me to think very hard about the whole mile-wide-inch-deep nature of the beast. Now if someone looked down on the my CISSP, I'd give them my stack of papers and tell them have a good read!

I would be ok with giving credit for something like intro to network security, or a similar course. And I would love for them to develop a technical and managerial track.

colemic

My mentor just confirmed with me that I am now switched into the new track. Glad to see them making some changes.

alathea

While a knowledge of some networking is important, I don't think starting down the CCNA track is necessary for this major. I figured Id have to take Network + or something along the way for this course, but a full CCNA isn't going to be used by me for what I want to do, which is info forensics. Id LOVE to work for a police dept or some such. A full on Cisco networking cert seems like an awfully long way down the wrong direction for that. Does anyone have a link to WGU's site where the changes are laid out? I haven't seen it yet.


Id like it Sec + was put in there, though.

forestgiant

colemic wrote: »

My mentor just confirmed with me that I am now switched into the new track. Glad to see them making some changes.

Please let us know how you like the JIT2 Risk Management course. IMHO RM is one of the most difficult concepts because it's too much like gibberish floating on wet sand.