Question about CISSP experience

These will probably sound dumb but I don't want to waste my time studying if I don't have the required experience.

First, I worked as Division security during my stint in the Army. Patrolling the grounds, checking IDs, etc. Do you think that would count towards the Security Operations domain (which includes physical security)?

Next, I also used to work in healthcare in radiology. A huge part of that job was HIPAA compliance. Essentially protecting patient records and exam images. Do you think that would count towards the domain Asset Security (which includes data privacy)?

I currently work in Information Security but I have only been in the field for 10 months. I already have my Security+ but I would like to get my CISSP for marketability purposes.

Find more posts tagged with

Comments

renacido

First and most importantly, if you've only been working full-time in infosec for 10 months, a CISSP will NOT make you the least bit more marketable. On the contrary, if I'm screening you for a job that a CISSP is an appropriate qualification for (ie., SOC lead, Sr Sec Engineer, InfoSec Manager) and I see 10 months of infosec experience alongside a CISSP, I immediately call bullsh** and toss that resume into the circular file.

In that example above, with your 10 months of experience, Sec+, and another technician-level infosec cert instead of CISSP, I would consider you as a potential hire as a Jr Security Analyst. But it's a mistake to think a CISSP helps you if you don't have the experience to back it up.

As for the exampled you gave and whether or not they qualify:

Physical security: Maybe. I don't think it's strong enough. If you didn't make facility design or physical security policy or countermeasures decisions, or inspect for compliance with physical security requirements (fire systems, alarms, locking mechanisms, HVAC, lighting, location, etc), or coordinate red team exercises to ensure effectiveness, things like that, then you'll have a hard time qualifying your experience as valid with ISC2.

The second example you gave sounds like you basically followed HIPAA rules while performing medical duties. You weren't identifying or implementing admin or technical security controls to protect PHI at rest, in transmit, DLP, data classification, access control, etc. A medical professional isn't halfway toward meeting the CISSP experience requirement just because they follow HIPAA regulations.

My advice is forget about CISSP until you have at least 4 years of infosec experience, in the meantime there are much, much more relevant certs for the jobs you qualify for (SSCP, GSEC, GCIH, CASP).

Clm

Cissp Is a more advanced Certificate but it is something you can attain if you want to go for it I say do it and get what they call an associate of CISSP it will allow everyone to know that you passed the test and are waiting for experience to come in and that enough can land you a job. then you work that job and master it and continue on. don't let anyone hold you back cause you didn't take a long hard way.

jt2929

Clm wrote: »

Cissp Is a more advanced Certificate but it is something you can attain if you want to go for it I say do it and get what they call an associate of CISSP it will allow everyone to know that you passed the test and are waiting for experience to come in and that enough can land you a job. then you work that job and master it and continue on. don't let anyone hold you back cause you didn't take a long hard way.

Actually, if you have to become an associate, your title will be Associate of (ISC)2, not Associate of CISSP. As an associate, you aren't allowed to use the term CISSP anywhere, even on your resume.

Clm

Correct you are only allowed to say you are an associate but if someone ask you are what you are working toward or which test you passed you can tell them CISSP I have seen it plenty of times and have had plenty of recruiters ask me about it.

TechGuru80

Your first experience would be a stretch...not really INFORMATION SECURITY...but maybe?

Your second experience....HIPAA as in you were actually protecting the information with ACLs and other measures, or they were on the system you just happen to log into...that experience would be weak at best as its not really INFORMATION SECURITY.

You cannot list CISSP if you don't have the experience requirement so marketability is out the window and as said you cannot infer that you passed the exam either....not to mention you probably have nowhere near the knowledge to pass at this point. You would be better off trying to get SSCP or something along those lines that you can actually list.

TheFORCE

Your current experience does not qualify you for taking the test. As per ISC2, you need to have Full Time experience in the CBK domains. That does not mean performing duties as part of another job.

psheehan5

"An Associate of ISC2" do you all think that carries any weight when applying for jobs?

jt2929

psheehan5 wrote: »

"An Associate of ISC2" do you all think that carries any weight when applying for jobs?

It depends. It won't get you through crap HR filters, but a hiring manager who knows what the (ISC)2 certifications are will give it some credit.

beads

Please reference the following link.

https://www.isc2.org/cissp-how-to-certify.aspx

When looking for junior analyst I do prefer to see the SSCP. A CISSP may get you turned-in to the now standing ethics committee.

The cheaters only make the certificate less desirable over time.

- b/eads

renacido

Clm wrote: »

Correct you are only allowed to say you are an associate but if someone ask you are what you are working toward or which test you passed you can tell them CISSP I have seen it plenty of times and have had plenty of recruiters ask me about it.

I'm the hiring manager for infosec positions in my company. Suppose I'm hiring for a senior technical position that will have significant authority for making tactical decisions, and requires broad understanding of other functions in our security department, in IT, and with business units. So based on that I list CISSP as a desired qualification, but more importantly I want someone with at least 5 years of experience in infosec.

I get 3 resumes from the recruiter. Resume 1 is for someone with 2 years in infosec and Associate of ISC2. Resume 2 is for someone with 4 years infosec exp, Sec+, and CISSP. Resume 3 has 8 years infosec exp, no CISSP or Associate of ISC2.

Resume 1 guy's resume is sent back to HR to keep on file for when we need a lower-level position filled.

Resume 2 and 3 get interviewed. Resume 3 gives better interviews. Job is offered to Resume 3.

Hope this gives you some perspective.

TheFORCE

Years on the job experience does not equate to knowledge of a particular field. I have seen it many times where someone with less years on the job experience plus certs has more knowledge than a person with 8 years experience and no certs.

Not all experience is the same.

renacido

TheFORCE wrote: »

Years on the job experience does not equate to knowledge of a particular field. I have seen it many times where someone with less years on the job experience plus certs has more knowledge than a person with 8 years experience and no certs.

Not all experience is the same.

First of all, the example I gave was a hypothetical example, not a rule. There are a lot of factors that go into a hiring decision, you're missing the point if you read that hypothetical example as me saying "certs are worthless". You can see I have a few certs of my own.

My point was that certs are but one factor in a hiring decision, that a CISSP has more weight than Associate of ISC2, and that relevant experience can and usually does trump certifications.

Knowledge of a field does not equate to effectiveness in the job either. You can be in infosec expert that can sit any exam you throw at them with no notice and pass, but they may have lousy work ethic, are hard to work with, don't understand how security risk impacts their company's business, lack communications skills, lack project management/problem solving skills, can't lead/follow, doesn't play well with others, or just plain can't apply their vast knowledge in a work environment.

Also, in the hiring process you don't look for years of experience and just stop there, obviously. You find out what they did what they accomplished during those years.

The best indicator of future performance is past performance.

EnderWiggin

I see everyone saying that you cannot so much as mention as CISSP, that you can only list Associate of (ISC)2, but I cannot find anything stating this on (ISC)2's website. Only that you can't get the full credential without the experience. Can anyone point me to a source to verify that Associate of (ISC)2 - CISSP would be an improper entry on a resume? I just want to be able to verify this myself before committing to the exam or holding off a bit.

beads

TheFORCE wrote: »

Years on the job experience does not equate to knowledge of a particular field. I have seen it many times where someone with less years on the job experience plus certs has more knowledge than a person with 8 years experience and no certs.

Not all experience is the same.

Your assertion is really for the hiring manager to determine the quality of the experience and how it relates to the position at hand. It simply a matter of relevance. Your confusing quantitative for qualitative in your analysis.

- b/eads

beads

EnderWiggin wrote: »

I see everyone saying that you cannot so much as mention as CISSP, that you can only list Associate of (ISC)2, but I cannot find anything stating this on (ISC)2's website. Only that you can't get the full credential without the experience. Can anyone point me to a source to verify that Associate of (ISC)2 - CISSP would be an improper entry on a resume? I just want to be able to verify this myself before committing to the exam or holding off a bit.

Its in the Bylaws and in the agreement you sign for the SSCP if I recall correctly but it most certainly is there. Here's your acid test. Obtain the SSCP and your certification number then call the ISC(2) and ask for a verification as a CISSP and see what they have to say on the matter.

- b/eads

NetworkNewb

EnderWiggins, you need to have an account with them to see those requirements on their site. They are there and are definitely stated clearly on not using CISSP in any form though. Another thread on here shows the link to the page and exact wording.

EnderWiggin

NetworkNewb wrote: »

EnderWiggins, you need to have an account with them to see those requirements on their site. They are there and are definitely stated clearly on not using CISSP in any form though. Another thread on here shows the link to the page and exact wording.

So they don't tell you that you can't use the CISSP term in any way (not even coupled with the Associate designation clearly marked), until after you pay for the test? That seems a bit unethical to me....

NetworkNewb

EnderWiggin wrote: »

So they don't tell you that you can't use the CISSP term in any way (not even coupled with the Associate designation clearly marked), until after you pay for the test? That seems a bit unethical to me....

lol, yea... Here is the page that I was told says the exact rules on it:

https://www.isc2.org/logo-usage-guidelines/default.aspx

I even created an account to see if I could access it after that, but apparently you must need to have purchased an exam or passed a test to access because I get a "you don't have access to this page" error message still... Guess they think if you haven't earned it you don't need to know the rules for it! But here is the exact wording on it (thank you renacido for this):

"Associates of (ISC)² are NOT certified and may not use any Logo or description other than "Associate of (ISC)²". Under no circumstances may they identify which exam they have successfully passed or use any Logo, other than "Associate of (ISC)²", in any manner. Failure to abide by this rule may result in the candidate being prohibited from ever attaining any (ISC)² certification."

IaHawk

NetworkNewb wrote: »

"Associates of (ISC)² are NOT certified and may not use any Logo or description other than "Associate of (ISC)²". Under no circumstances may they identify which exam they have successfully passed or use any Logo, other than "Associate of (ISC)²", in any manner. Failure to abide by this rule may result in the candidate being prohibited from ever attaining any (ISC)² certification."

So I CAN use the logo? It's not very clear...

EnderWiggin

NetworkNewb wrote: »

lol, yea... Here is the page that I was told says the exact rules on it:

https://www.isc2.org/logo-usage-guidelines/default.aspx

I even created an account to see if I could access it after that, but apparently you must need to have purchased an exam or passed a test to access because I get a "you don't have access to this page" error message still... Guess they think if you haven't earned it you don't need to know the rules for it! But here is the exact wording on it (thank you renacido for this):

"Associates of (ISC)² are NOT certified and may not use any Logo or description other than "Associate of (ISC)²". Under no circumstances may they identify which exam they have successfully passed or use any Logo, other than "Associate of (ISC)²", in any manner. Failure to abide by this rule may result in the candidate being prohibited from ever attaining any (ISC)² certification."

I just made an account and also ran into the same "You don't have access to this page" message...... This kind of thing should be clearly stated in the description for the Associate designation on their site. They push that for anyone who doesn't have the experience, but won't let people state they've passed the test? And the way it says that you can't identify what exam you passed, you can't even tell an interviewer that it was a CISSP if they directly ask you which exam....? For a company that prides itself on ethics, this is pretty shady..... Heck, even for a company that DOESN'T pride itself on its ethics, that's pretty shady...............

cyberguypr

You guys are over-complicating this. The obvious solution to the Associate secrecy is to wear these to the interview:

CISSP Long Sleeve Twill Shirt
CISSP Baseball Cap

EnderWiggin

cyberguypr wrote: »

You guys are over-complicating this. The obvious solution to the Associate secrecy is to wear these to the interview:

CISSP Long Sleeve Twill Shirt
CISSP Baseball Cap

Might as well just take the easiest (ISC)2 test, put Associate on the resume, and wear that gear. "So this Associate here, I take it you passed the CISSP?" "Oh, I'm not allowed to say

fitzlopez

EnderWiggin wrote: »

Might as well just take the easiest (ISC)2 test, put Associate on the resume, and wear that gear. "So this Associate here, I take it you passed the CISSP?" "Oh, I'm not allowed to say "

From your experience I think you should take the SSCP from ISC2. From their site one year of cumulative work experience in one or more of the seven domains of the CBK is required. As others have said you can't say anything about you being a CISSP or passing the CISSP until they approve your endorsement by a CISSP.

You could also try for CompTIA's CASP, that one doesn't have hard requirements merely recommendations.

EnderWiggin

fitzlopez wrote: »

From your experience I think you should take the SSCP from ISC2. From their site one year of cumulative work experience in one or more of the seven domains of the CBK is required. As others have said you can't say anything about you being a CISSP or passing the CISSP until they approve your endorsement by a CISSP.

You could also try for CompTIA's CASP, that one doesn't have hard requirements merely recommendations.

Thanks, but I'll skip that one. I only want the CISSP, as it is the more recognized certification. I don't want to waste my time or money on a lower-level certification, when I'm capable of passing the higher-level certification.

CASP is reasonable though, since it is more technical, and would complete the CompTIA path. I may do that in the interim to pass the time.

anthonx

Hi All,

I have a few questions regarding the professional experience. In the steps for certification, is it correct to say that you need to obtain the requirement 5 years experience in 2 or more of that 8 domains first before you are allowed to register for the exam? The reason I asked is because there are a lot of candidates that are still missing the required 5 years experience after passing the exam. What about if I have 2 years of experience on 2 of the domains and I decide to take the exam. If I pass the exam, can I become an associate and complete the 3 years experience after?

Please see below for the basis of my question.

[h=2]5. Complete the Endorsement Process[/h]Once you are notified that you have successfully passed the examination, you will be required to have your application endorsed before the credential can be awarded. An endorsement form for this purpose must be completed and signed by an (ISC)² certified professional who is an active member, and who is able to attest to your professional experience. With the Endorsement Time limit, you are required to become certified within 9 months of the date of your exam OR become an Associate of (ISC)². If you do not become certified or an Associate of (ISC)² within nine (9) months of the date of your exam you will be required to retake the exam in order to become certified. (ISC)² can act as an endorser for you if you cannot find a certified individual to act as one. Please refer to the Endorsement Assistance Guidelines for additional information about the endorsement requirements.

Thanks all!

cyberguypr

Correct. If you pass and don't have the required experience you become an Associate off ISC2. You will then have up to 6 years to gain complete the required experience. You do not submit the endorsement until you attain the 5 year experience.

Details: https://www.isc2.org/associate/default.aspx