Should ISC2 get rid of endorsements??

jamesleecoleman Member Posts: 1,899
I saw this on linkedin and I thought it would be a good discussion to have here. Please don't get the pitch forks and torches.

Here are my thoughts:
I would have to go with no on this but I think that the requirements make it a little difficult to start at the bottom. I see that the SSCP requires one year of full time cumulative work experience. It makes it a little difficult for the traditional student who has worked part time for over a year in one or more of the domains. On top of that, he or she is finishing up or has a degree in Information Technology. Now the student has to start over before they can even qualify for full certification for SSCP.

If someone who is working on the CISSP certification can use a 4-year degree to waive one year off the requirement, it kinda makes me wonder why someone can't use the combination of part-time cumulative work experience of one year and a degree in order to obtain the SSCP certification status.

I'm not trying to devalue the certification. It makes me wonder why there isn't another alternative to obtaining the SSCP certification.
WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
*****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****


    holysheetman Member Posts: 113
    As far as endorsements go, I would think ISC2 needs to stiffen the requirements. When you pass, you could basically get any CISSP to endorse you OR even fill out that endorsement assistance form that says that someone from ISC2 will endorse you. Now, with that said, I don't really buy into their belief of endorsement. I believe that if you have the skills, pass the exam, then you need to inquire with someone who can actually validate and/or vouch for your particular skill-set. The audit on such things needs to be looked at again also. If you get audited, there needs to be some kind of skill validation done. I mean, any other CISSP can "endorse" you, but do they really know that you maintain the skills that fall within any of the 10 domains that were tested on when you sat for the exam? Interesting really, and thankfully I got a CISSP to endorse me that I actually worked with for over a year, so at least he can literally vouch for my skills with a little bit of confidence.
    JDMurray Admin Posts: 13,041
    The (ISC)2 created peer endorsements to speed up the process of becoming fully certified. People complained the auditing procedure every cert candidate must go through took too long for the (ISC)2 to complete. Now it is much faster because of the legwork the endorser does. Endorsement is necessary to help ensure the exam candidates meet the criteria for full certification.
    emerald_octane Member Posts: 613
    I don't think it's that bad. Trust me, I have mucho skin in the game. Much of my experience is part time working on high end stuff. Even with a college degree I have to wait two years, + associated AMF and CPE requirements, before my CISSP investment pays off. My LinkedIn profile gets trafficked but I don't know how real world perception is on the Associate of ISC2.

    With that said, I wouldn't want paper CISSPs or SSCPs floating around. Yes, the test is tough, but it really is the experience that makes it a doozy. Same reason the PMP is top dog. One does not simply *become* a project manager, and what good is a certified PM with no experience? The CISSP experience is really broad, I'll give them that, but not counting part-time experience sucks.
    swild Member Posts: 828
    The "endorsement" is absolutely necessary. The "endorsement" is nothing more than verification of the experience requirement that either a certified member or the certifying body must accomplish. If the experience requirement wasn't verified, then the certification would lose value. If the certifying body must verify all who pass the exam, then the time to be certified after passing the exam would be at least 6 months, maybe a year or more.
    SephStorm Member Posts: 1,731
    I'm going to disagree on this line. It's too easy for someone to have the requisite experience in the domains. Work Active Directory? There's your Access Control. The endorsement means nothing to me because CISSP is supposed to be a management certification, and managers shouldn't have the majority of experience in these areas. Save endorsement for certs validating experience and implementation, not knowledge.
    paul78 Member Posts: 3,016
    I've never quite understood why people think that the CISSP is for managers or a management cert. There's nothing about management in the CISSP CIB. A review of the CIB implies that it's a means to validate that the cert holder has the requisite exposure to the necessary broad range of topics which any infosec professional should have.

    The ISC2 web site describes CISSP as ".... standard of achievement that confirms an individual's knowledge in the field of information security. CISSPs are information assurance professionals...."

    As for the idea of endorsement, it seems that it would be a lot more cumbersome and cost-prohibitive if ISC2 had to handle all the experience validation itself. As a non-profit organization, I would rather that ISC2 spend its funds on other activities. ISACA does something similar, but they require that your supervisor attest via signature that they validated your experience.
    wes allen Member Posts: 540
    Paul, I agree as well on the "nothing about management in the CISSP." I think of it as a framework to sorta tie very diverse domains together, but not in management. Maybe since it isn't specifically "technical" people think management is the only other option?

    I think the endorsement process is fine as is, truthfully.
    bobloblaw Member Posts: 228
    The 5 CISSP holders I know outside of my work do everything from auditing, pen testing, server hardening, and many other random things scattered across the CISSP domains. None of them are strictly management. All of them are doing mostly tech.

    Endorsement process seems fine. I don't think it's just about passing a test, but having the requisite experience in the applicable field(s). Also has to cut down on the dues and turnaround. I wouldn't endorse someone that didn't have the experience any more than I would allow someone I didn't have confidence in to use me as a reference on their resume.
    SephStorm Member Posts: 1,731
    So let me put forward a hypothetical question: if someone had built a fully functional "work" lab, with a full domain, with network infrastructure, routers, switches, firewalls, IDS, IPS, the works, built from the ground up and then secured according to best practices and in line with the CBK, but didn't have a day of work experience, would you recommend them?

    And then the opposite: a person who has spent years reading books on infosec, blogs, has an MS in infosec, every cert from Security5 to GSE, but not a day in the lab, or a day on the job. Do you recommend him?

    Both, in my opinion, are what I would view as a CISSP, an Information Systems Security Professional. They have the knowledge needed to protect information systems. Now if that P stood for Practitioner, and indicated experience, then you have a different ballgame.

    EDIT: I just want to say my experience is different; most CISSPs that I know were either managers or in an IA role where the majority of the work was not technical in nature. If your job is writing policy and directing response to IA issues, I consider it a management role.
    paul78 Member Posts: 3,016
    I have never considered the CISSP as a qualification that someone is capable of execution of a particular job role or function. So in your two hypothetical scenarios, both individuals are probably capable of doing some segment of information systems security.

    But as for whether they qualify to be certified as a CISSP, I would not endorse either individual. The ISC2 has a specific criteria for experience and it is "direct full-time professional security work". Neither of those hypothetical individuals fits that definition.
    Overcertified Member Posts: 10
    I have many certs, including the CISSP, SSCP, ISSMP, and ISSAP from ISC2. I have had them for a while (more than 10 years) and I don't recall requiring an endorsement. Now, I just earned the CCFP, and entered the endorsement process. I have never been audited on my certs, although I know colleagues that have been audited (and when I say "on my certs", I have certs from EC-Council, ISACA, IAPP, ASIS, ISC2, IBM, CISCO, CompTIA, GIAC, etc.).

    In looking at the earlier posts in this thread, I see complaints regarding the amount of experience and what constitutes experience. These have nothing to do with the endorsement process; they have to do with certification design. The endorsement is nothing more than another party vouching for someone else that they met the requirements, as per the certification authority (in this case ISC2). Although there are weaknesses in this, it is better than nothing. The full application, with the candidate's CV/resume, and if an alternate experience (degree, other certification) waiver is involved, proof has to be sent as well. If you consider that ISC2 says that it takes "up to" 5 weeks to process after they receive the paperwork (I just endorsed someone for CISSP and it took 4 weeks), I am assuming that ISC2 does not just rubber stamp the certification based on the endorsement, that they must do some sort of sanity check themselves.

    As far as what the certification gives you, consider that certifications from ISC2, ISACA, EC-Council, ASIS, IAPP, GIAC (SANS) etc. [professional organizations] are considered vendor neutral and are more general in nature. Just like a Master's degree, I can learn Computer Science, but that does not make me a programmer unless I took programming classes. The idea of the CISSP being for managers is based on the theory that the CISSP covers security well but is not really that technical. The SSCP is more of a technical exam; the GIAC exams are very technical as well.

    Example: the Logical Access Control domain will test understanding of different methods of access, including DACL, MAC, etc. If you understand the domain, then you should understand logical access control, and even IdM concepts. It doesn't mean that you can sit down and implement access control on Windows or Linux, that is technical, but at least you understand how it works. If you actually needed to be a Windows Administrator and administer accounts and access lists on a Windows box, then get an MCSE (or even an MCSE+Security). Managers don't need that much "technical detail"; they need conceptual understanding, and that is one reason why you would associate CISSP with managers.

    So, why is everyone getting the CISSP, especially non-managerial? For job postings, HR only knows how to set up keywords; CISSP is (in my opinion and experience) the most common in InfoSec job listings, followed by the CISM. You will find CISA and GSEC as well, but not as often, although almost every audit job will have CISA. Another reason is closing the gap. Earning the CISSP, which has 10 domains and is close to (close, nowhere near exact) the ISO 17799/27002 framework, provides an across-the-board overview of information security and provides a "big picture" of security. So, for example, I could get an MCSE for Windows (actually I have a few of those myself), but you learn the technical stuff of how to do things; rarely do you learn the big picture of security and how to do things, and why. So, as an MCSE I can learn how to provide permissions, and I can take the easy route and give everyone "full permissions" because that is easy, and that is something an MCSE learns, but the CISSP, and any other "security" certification, should teach you "least privilege": assign permissions as needed and do not give full permissions. Think of this as doing your work requires both knowledge of the commands that need to be entered and the philosophy required to know best practices and security foundations to pick the correct commands.

    Another thing to consider in certification development is the US government, with DOD requirements which brought about ANSI certification of the certification body. So, the CISSP is ANSI certified, and to meet that certification, criteria about the certification, how it is administered, and renewal (recertification) all factor in meeting the ANSI requirements. Each certification body has their quirks (ex: ISC2 endorsement), but those are the models they run under.
    Overcertified Member Posts: 10
    paul78 wrote: »
    The ISC2 has a specific criteria for experience and it "direct full-time professional security work".

    This brings an interesting question, based on something I just read.

    From the endorsement application:

    Professional Experience Guidelines
    Experience in the specified credential domains qualifies as security experience but may not qualify as professional experience. Non-professional or para-professional work, even in the applicable credential domains, does not satisfy the requirement. Professional work is usually compensated by salary, retainer, fee, or commission rather than per hour. It is, by definition, exempt from the wage and hour laws.

    Professional experience includes:

    · Work requiring special education or intellectual attainment, usually including a liberal education or a college degree.
    · Work requiring habitual memory of a body of knowledge shared with others doing similar work.
    · Management.
    · Supervision of the work of others while working with a minimum of supervision one's self.
    · Work requiring the exercise of judgment, management decision making, and discretion.
    · Requires the exercise of ethical judgment (as opposed to ethical behavior).
    · Creative writing and oral communication.
    · Teaching, instructing, training, and mentoring of others.
    · Research and development.
    · The specification and selection of controls and mechanisms (rather than the mere operation of those controls) (e.g., identification and authentication technology), but not when the basis is that of established standards or procedures.

    This sentence bothers me, although it does not apply to me.

    "Professional work is usually compensated by salary, retainer, fee, or commission rather than per hour. It is, by definition, exempt from the wage and hour laws"

    The first part, "rather than per hour". Right now it is common to bring on consultants; companies are less likely to hire full-time perm. Consultants, i.e. contractors, are usually paid hourly, and with no benefits. Yet, in my opinion, they should qualify.

    The second part, "exempt from ..." meaning an exempt employee, I am not sure non-exempt employees should be considered non-professional.

    It looks like there is room to argue in those outlier cases.

    abnmi Member Posts: 66
    Overcertified, I must say your cert line is impressive. I was aspiring to a similar path; could you share your cert experiences? Thanks in advance.
    JDMurray Admin Posts: 13,041
    "Professional work is usually compensated by salary, retainer, fee, or commission rather than per hour. It is, by definition, exempt from the wage and hour laws"
    The use of "usually" would indicate "in most cases" and not "the only case," so this allows some hourly workers to be professional too. I work with several people who are paid hourly for the same professional InfoSec work I do as a salaried employee only because they are at a lower pay grade (i.e., more junior to me).
    ptilsen Member Posts: 2,835
    Overcertified wrote: »
    The first part, "rather than per hour". Right now it is common to bring on consultants; companies are less likely to hire full-time perm. Consultants, i.e. contractors, are usually paid hourly, and with no benefits. Yet, in my opinion, they should qualify.
    And they do. Consultants are almost always exempt employees. They are paid an hourly fee, but not typically an hourly wage (they may be paid a wage by the firm, but it would still be on an exempt basis). An independent contractor doing full-time contract work would certainly still be eligible as they, too, are non-exempt. ISC2 uses the word "usually" because most exempt employees are paid a salary. Salaried employees can be non-exempt and hourly employees can be exempt; it's just not very common.
    Overcertified wrote: »
    The second part, "exempt from ..." meaning an exempt employee, I am not sure non-exempt employees should be considered non-professional.
    They should. Note the summary from the DoL on exempt computer employees:
    The employee must be employed as a computer systems analyst, computer programmer, software engineer or other similarly skilled worker in the computer field performing the duties described below;
    • The employee's primary duty must consist of:
    1) The application of systems analysis techniques and procedures, including consulting with users, to determine hardware, software or system functional specifications;
    2) The design, development, documentation, analysis, creation, testing or modification of computer systems or programs, including prototypes, based on and related to user or system design
    3) The design, documentation, testing, creation or modification of computer programs related to machine operating systems; or
    4) A combination of the aforementioned duties, the performance of which requires the same level of

    Anyone not meeting that definition would not be exempt, and would certainly not meet my understanding of a "professional" nor ISC2's. The type of position which is supposed to be hourly, non-exempt under the law would be, for example, a service desk representative who strictly follows a script and can only use pre-determined methods to respond to requests. Even most help desk and low-level positions probably meet the legal definition, but many companies treat them as non-exempt because the chances of losing in court would be pretty good.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340