
CISSP seems very close to security+? Hmmmm?

Comments

  • jvrlopez Member Posts: 913 ■■■■□□□□□□
    It's funny how the DoD considers Associate of ISC2 and CISSP on equal footing.

    Undermines the experience requirement if you ask me.
    And so you touch this limit, something happens and you suddenly can go a little bit further. With your mind power, your determination, your instinct, and the experience as well, you can fly very high. ~Ayrton Senna
  • JDMurray Admin Posts: 13,039 Admin
    Actually, it reinforces that the DoD is only concerned with having their IA people demonstrate their InfoSec knowledge by passing cert exams and not necessarily obtaining full certification. This puts all the certifications in DoDD 8570.01 on a more equal footing by only requiring that IA personnel pass exams and not have any specific InfoSec work experience. Any cert that requires having work experience as a prerequisite to taking its exam would not make it on to DoDD 8570.01.
  • beads Member Posts: 1,531 ■■■■■■■■■□
    Really argues the point that the CISSP in the mid-run will become just another certification to have rather than one of respect.

    (*Hat tip to Humbre*)
  • beads Member Posts: 1,531 ■■■■■■■■■□
    LarryDaMan wrote: »
    Congrats I guess? But, I can't remember which part of Security+ was technical.

    Split the difference on this and consider it a history exam. Personally, I see no difference that remembering the difference between 10BaseT and 5BaseT is going to make in my career outside of nostalgia or, in this case, history. They both amount to about the same here.

    - B Eads
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    JDMurray wrote: »
    Actually, it reinforces that the DoD is only concerned with having their IA people demonstrate their InfoSec knowledge by passing cert exams and not necessarily obtaining full certification. This puts all the certifications in DoDD 8570.01 on a more equal footing by only requiring that IA personnel pass exams and not have any specific InfoSec work experience. Any cert that requires having work experience as a prerequisite to taking its exam would not make it on to DoDD 8570.01.
    WTH, I STILL CANNOT MAKE NEW PARAGRAPHS ON THIS SITE. lol. So back to the matter at hand - wait a sec - CEH requires proof of work history prior to taking the exam. Although since there is a way around that (give them money for training that somehow magically equals 2-3 years of work experience), that might be why it is allowed. That's a really interesting way of looking at it though. Although it kind of undermines the point of certifications for DoD - at this point they would be better off coming up with their own exam than relying on 3rd party vendors to measure knowledge.
    Working on: staying alive and staying employed
  • Humbe Member Posts: 202
    beads wrote: »
    Really argues the point that the CISSP in the mid-run will become just another certification to have rather than one of respect.

    (*Hat tip to Humbre*)

    Told ya!
  • philz1982 Member Posts: 978
    I took and passed the CISSP with a few weeks' study. It was valuable from the perspective that it exposed me to certain things I don't work on regularly. I look at the CISSP like a bachelor's degree. You study a bunch of stuff, some of which you could care less about, and it allows you to find out what you like and what you don't like; that way you can focus your career/cert path.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    OK, I'll play... Humbe, in your eyes, what is a 'well-respected cert' today, and what is a 'regular cert' to have? The reason I ask, I believe that CISSP is in a class all by itself as far as non-technical, security certifications. I don't think any security cert is going to overtake the CISSP anytime soon.
    Working on: staying alive and staying employed
  • Humbe Member Posts: 202
    A cert that makes you study your behind off for it and gives you an incredible source of knowledge. Ex: CCIE.

    If only the CISSP would go a bit deeper on every domain, especially in telecommunications since that's the world's standard, then you could argue the complexity level of this exam. Please don't get me wrong, the CISSP is quite tough to obtain, but for me it does not go deep enough into certain areas that it should.
  • TeKniques Member Posts: 1,262 ■■■■□□□□□□
    IMO for the CISSP to go deeper on every domain would require either splitting it into two exams or just making it overly difficult with a limited number of questions -- there is already a lot of material covered. I've seen others post that the material needs to be refreshed more often; that may certainly be a valid point.

    You get out of something what you put into it ... if you take the time to really understand the CISSP material (and there is a lot of it!) then you will walk away knowing quite a bit. Having the experience by the candidate validated seems to be a loophole which I believe is where people are frustrated with the exam.

    People also seem to forget that the CISSP is not a technical certification whereas the CCIE from what I've read is purely a technical track so I think this is comparing apples to oranges, but both require a good deal of study and preparation for most people to obtain.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    Agree w/ TeKniques, CCIE is a cert that shows you have mastered very technical skills in networking and Cisco technology/products, and is totally different from the CISSP. Fundamentally there are differences between the exams - and their target audiences - that make that a poor comparison. Specifically, you usually wouldn't see a CCIE in a managerial-type or executive role (more hands-on), but the CISSP is marketed and targeted to be a measure of knowledge of the management side of security, not an in-depth technical skill evaluation. (I am sure there are C-levels who have CCIE, but I strongly suspect they are not the norm.) Short of the SANS GSE cert, there is nothing in the security arena that I know of that would even come close to your definition... and it leaves out entirely the fact that there is a value for the CISSP in gauging security knowledge in the context of management, whereas the CCIE does not (as far as I know). And the GSE is so far out of reach of most people on cost alone; there are fewer than 100 worldwide. GIAC GSE Certified Security Expert Professionals | Directory
    Working on: staying alive and staying employed
  • bobloblaw Member Posts: 228
    Humbe wrote: »
    A cert that makes you study your behind off for it and gives you an incredible source of knowledge. Ex: CCIE.

    If only the CISSP would go a bit deeper on every domain, especially in telecommunications since that's the world's standard, then you could argue the complexity level of this exam. Please don't get me wrong, the CISSP is quite tough to obtain, but for me it does not go deep enough into certain areas that it should.

    If it went deeper into each domain then it would negate the entire point of the CISSP. If you want deeper, go get your CCNP, DBA, MCSE, PMP, RHCE, etc. It's broad spectrum. In fact, that's the commonality you see in people holding the CISSP. They typically hold something else akin to their specialty.
  • Darxtar Member Posts: 30 ■□□□□□□□□□
    Have you ever read the 8570 and if so did you actually understand it?

    From the 8570:

    “IA certification programs are intended to produce IA personnel with a baseline understanding of the fundamental IA principles and practices related to the functions of their assigned position. Each category, specialty, and skill level has specific training and certification requirements. Meeting these requirements will require a combination of formal training and experiential activities such as on-the-job training and continuing education.”

    Note that certification is meant to provide a baseline understanding…

    Meeting job requirements is a combination of formal training and experience…

    If you have ever worked for the DoD you would know they are not just “concerned with having their IA people demonstrate their InfoSec knowledge by passing cert exams.” If you have worked for the DoD and your activity did in fact do that then shame on them for not following the spirit and intent of the guidance.

    And to expect military personnel just out of IT "A" school, typically a year or so out of high school, to have years of experience is unrealistic. Basic certs such as Sec+, which require no proof of experience, at least give the holder a grasp of the concepts. Mentored OJT provides the required experience for more advanced certs such as SSCP or CISSP. And no system owner is supposed to allow privileged access by any person, no matter how experienced or what certs they have, until that person has demonstrated that they are qualified to perform their duties on that particular system.

    Meh…
    Ph.D. in Information Systems Security
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    I know of no branch that requires anything beyond Sec+ for apprentice-level jobs (as would be common for someone who just completed A school, tech school, whatever). And while it's noble to think that they would follow the spirit, I was a DoD contractor most of the last 10 years, and it was NEVER anything more than a checkbox, at multiple locations worldwide. Same thing on the military side - they got Sec+ because they HAD to, not because it is considered a best practice to have knowledgeable, security-aware users/technicians/admins. They are very much focused on just passing the exams, and I would wager that **** are beyond rampant at most locations to get 8570 requirements checkmarked. And while indeed it does say that meeting these requirements will require a combination of formal training and experiential activities, the reality is that 8570 doesn't provide a single dollar for funding the formal training that it requires, and it becomes yet another unfunded task that units have to attempt to cover to meet the requirement. Additionally, from your snippet: 'IA certification programs are intended to produce IA personnel...' then why is 8570 not just limited to IA personnel? Anyone within earshot of elevated privileges is required to meet requirements. Hardware techs are not IA personnel. I get what you are saying, I just think it is a bit too idealistic, especially after seeing 8570 in action. It's become its own monster that is nothing more than a checkbox and a cash cow for cert vendors.
    Working on: staying alive and staying employed
  • broli720 Member Posts: 394 ■■■■□□□□□□
    I think we can all agree that CISSP is more managerial than technical. Security+ is entry level and does not even brush the technical aspects of most systems. Sometimes I think we get so hung up on certs that we forget that knowledge, experience, and education play a bigger role. Those are really the factors that make us better security practitioners and complement any credential we receive. The only fault I find with the CISSP credential is that people forget that it is a high level designation meant for those who have shown that they have the technical aptitude to work in the industry. Regardless of what credential you hold, a strong interview/vetting process will expose you. CISSP is not a get rich quick scheme, and those that treat it as such are really the ones adding to its loss in value.
  • Darxtar Member Posts: 30 ■□□□□□□□□□
    It is not an unfunded mandate; one of the DOD IA controls is to "Ensure that a discrete line item for Information Assurance is established in program and budget documentation". This includes funding for training and certification. If your program managers were not making sure dedicated funding was part of their budget then they were not doing their job. Every one of my IT people is budgeted for 10K of training annually.

    I do not believe it is any more of a check in the box for DoD than it is for private business, who routinely advertise for a CISSP and then want them to perform basic security or IT tasks, totally unrelated to the intent of the cert. I do agree that 8570 is a cash cow for all cert vendors, which is why many try to get their cert accepted on the "approved" list.

    Maybe being a contractor you were not exposed to the bigger picture, it seems you were unaware of the actual requirements, and it sounds like whoever was managing your programs were not doing them justice. What I do see is that IA requirements are becoming more ingrained into programs as the bar for C & A of systems is raised. Hopefully this will eliminate some of the situations you describe.
    Ph.D. in Information Systems Security
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    For private businesses, it is their prerogative if they wish to hire a CISSP to perform basic security tasks... for DoD, that cert is the golden ticket to meeting... a checkbox. Regardless of your experience or knowledge. Hence, my assertion that they would be better served to create their own internal certification system prior to granting IA-level access to systems. It is a bit presumptuous of you to presume that my program managers weren't doing their job, and very presumptuous of you to imply that I wasn't exposed to the bigger picture. It must be nice as a greensuiter such as yourself to have 10k dedicated for training every year, but how much of that is allocated for the contractors who are probably filling your IA slots? Probably none. I know that contractors vs greensuiters is an entirely different discussion regarding funding, but it is relevant because 8570 says they should have training funds provided, not just greensuiters. ESPECIALLY for new requirements. I developed and managed 8570 programs at 3 different locations worldwide, and have seen first-hand how flawed it is. And C&A is a whole other bag of apples... Most DIACAP accreditations are done the same way that healthcare.gov was - riddled with vulnerabilities, and yet done to the letter of federal guidelines. While they may be becoming more ingrained, they were also becoming more obsessed with their people meeting the 8570 deadline a few years ago and shelling out thousands and thousands of dollars to get people who have no idea what they are doing to get their CISSP. Adding layers of bureaucracy doesn't fix the problem, it only obfuscates it.
    Working on: staying alive and staying employed
  • Darxtar Member Posts: 30 ■□□□□□□□□□
    If you are as familiar with DoD regulations as you claim, then you would know that the government is not allowed to pay to train or certify contractors. 8570 does not say that the government is responsible for contractor training. We are mandated by law to hire them fully qualified. It is the responsibility of the contractor's company to provide qualified employees to the government, and to keep them qualified. They pass that cost on to the government via their contract bid.

    Based on your posts, which are full of inaccuracies about DoD IA and the government/contractor relationship and roles, I would say that it is pretty much pointless trying to convince you of anything beyond your uninformed viewpoint. Sounds like it is good that you don't work for the DoD in any capacity, as you appear to be pretty clueless as to the requirements.
    Ph.D. in Information Systems Security
  • Humbe Member Posts: 202
    We don't have to attack each other you know....
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    It's not your job to convince me of anything. I specifically brought up contractors because at one location I was at, when 8570 kicked in, the site was under a full contract, and is locked in until 2016. Contractor says gov. should pay for training since it was not part of the original agreement (providing 8570-certified personnel). Gov says contractors have to eat that cost out of their own pocket. Gov wound up paying for the training and certs. But by all means, please keep singing the praises of 8570. At least I don't sound condescending and arrogant.
    Working on: staying alive and staying employed