Newbie to CISSP: Question about applicant requirement &

rbhatia6 · May 2007

Hello,

I am a newbie to CISSP. My 9 yrs IT experience has been in the field of Operations Management, Project Management, applications development & support.

I also have MS Comp Sc & MBA degrees, and PMI PMP, and ITIL Service Management Foundations certifications.

Although I do not have direct security experience but I do small security experiences while dealing with applications development and support.

Do you think I should study and try for CISSP certification? I am very enthusiastic for trying toward it and am confident that after studying for it thoroughly, I will have a good shot at it.

Pls let me know what you think?

Tx,
Rajesh

Slowhand · May 2007

Do you meet the requirements to be eligable to take the CISSP exam?

rbhatia6 · May 2007

I do not meet the professional requirements. So, I am planning to take the Associates exam.

keatron · May 2007

rbhatia6 wrote:

Hello,
Do you think I should study and try for CISSP certification? I am very enthusiastic for trying toward it and am confident that after studying for it thoroughly, I will have a good shot at it.

Pls let me know what you think?

Tx,
Rajesh

I guess you should ask yourself why not.

rbhatia6 · May 2007

That is exactly my question. Althogh I do wanna give it, I just want some feedack how ot can help me in my career.

Any advise will be greatly appreciated.

Tx,
Rajesh

JDMurray · May 2007

In my opinion, having the Associate of the (ISC)2 certification will do nothing for your career unless you have information security-related experience too. If you are interested in an information security specialization, look at the CompTIA Security+ certification as an example of the type of subjects that you will be studying. Also consider studying for the (ISC)2 SSCP exam as preparation for one day sitting for the CISSP exam.

TBLTZ · May 2007

Are these cissp requirments check by anyone? Or can you go and just take the exam?

JDMurray · May 2007

TBLTZ wrote:

Are these cissp requirments check by anyone? Or can you go and just take the exam?

Looking at the CISSP How to Certify page, I would guess that if you sign an affidavit attesting to having experience that you do not really possess, you will be breaking the (ISC)2 Code of Ethics. You'll be able to take the exam, but you'll fail the post-exam audit and won't receive the certification regardless if you pass the exam.

TBLTZ · May 2007

What types of security can you perform that makes you eligable to take the test?

If you are in charge of network security will that let you take the test? What about software security?

Slowhand · May 2007

TBLTZ wrote:

What types of security can you perform that makes you eligable to take the test?

If you are in charge of network security will that let you take the test? What about software security?

Again, take a look at the requirments for the CISSP on the (ISC)2 website, and see if your particular experience falls in any of the security domains in the Common Body of Knowledge. It's always a good idea to familiarize yourself with the site of the vendor you're planning on taking a cert with. In this case, read through as much information on the (ISC)2 website, so you'll get a better idea of what you need to pass the test.

keatron · May 2007

JDMurray wrote:

TBLTZ wrote:

Are these cissp requirments check by anyone? Or can you go and just take the exam?

Looking at the CISSP How to Certify page, I would guess that if you sign an affidavit attesting to having experience that you do not really possess, you will be breaking the (ISC)2 Code of Ethics. You'll be able to take the exam, but you'll fail the post-exam audit and won't receive the certification regardless if you pass the exam.

Exactly. So you'll waste the $500. You won't get the certification, and once you're caught fabricating your app, you will probably never be allowed to take it again.

milliamp · May 2007

Eligible professional experience listed here

silentc1015 · May 2007

TBLTZ wrote:

Are these cissp requirments check by anyone? Or can you go and just take the exam?

If you pass there's also a good chance of being audited. I wasn't audited, but it seems like a high number of people are.

JDMurray · May 2007

milliamp wrote:

I am a little surprised they list Security+ but not CEH).

They probably accept Security+ because that helps the DoD people who by DoD Directive 8570.1 need to acquire both Security+ and the CISSP. Heck, they even accept the MCSA without also having a Security+. Now what's up with that?

TBLTZ · May 2007

milliamp wrote:

Eligible professional experience listed here

And your job title and responsibilities do not have to _only_ involve security, it can also be consultant, engineer, administrator etc.

If your title is "Sr network architect" or something they are not going to come back and complain because it does not have security in the title.

It is basically any role that makes decisions involving security (rather than just acting on someone else's decisions).

Also, along with education, they will sub 1 year for holding one or more of these certifications. (I am a little surprised they list Security+ but not CEH).

I hope that helps.

I think this answered my question. I am an IT manager I do make decisions about security such as firewalls and security strategies. So I do make decisions about security. So this would allow me to take this certification.

rbhatia6 · May 2007

A question: Over the 9 yrs of myu experience, I have implemented and made decisions on application security like LDAP authentication and database level security like views, etc.

Do these count toward the security requirements of CISSP?

Tx,
Rajesh

rbhatia6 · May 2007

A question: Over the 9 yrs of myu experience, I have implemented and made decisions on application security like LDAP authentication and database level security like views, etc.

Do these count toward the security requirements of CISSP?

Tx,
Rajesh

rbhatia6 · May 2007

A question: Over the 9 yrs of myu experience, I have implemented and made decisions on application security like LDAP authentication and database level security like views, etc.

Do these count toward the security requirements of CISSP?

Tx,
Rajesh

JDMurray · May 2007

rbhatia6, duplicate postings are not necessary or useful.

I would suggest that you'd be best to email service@isc2.org when needing detailed questions such as these answered.

Webmaster · May 2007

JDMurray wrote:

I would suggest that you'd be best to email service@isc2.org when needing detailed questions such as these answered.

Is that a new email address specifically for the purpose of getting detailed questions answered? Because when I had contact with ISC2 about year ago, they where very helpful, but getting you experience reviewed 'before' you take the exam is not an option.

The thing with the CISSP is that if you have the required experience, you'll likely know you do. If you doubt your experience really is entirely as a full time security professional, then it's probably not.

rbhatia6 wrote:

Over the 9 yrs of myu experience, I have implemented and made decisions on application security like LDAP authentication and database level security like views, etc.

Were you working as a full time security professional, also by title? If that's not the case, it probably doesn't apply.

When you find yourself trying to meet the requirement by adding up all sorts of security related 'tasks' you did during your career, you pretty much know you don't meet the requirements.

At that point, you could consider the SSCP, or the Associate exam, but the best thing to do imo is to get that full-time job as a security professional (which certainly isn't impossible 'before' you are a CISSP). At the time your close enough to the required experience, the fact you are currently working as security professional will make the odds of getting certain security experience from the past accepted as relevant experience much better.

Last but not least, the CISSP is not meant for those who want to 'get into security' but for those who already are (or have been) and want to advance.

JDMurray · May 2007

Webmaster wrote:

Is that a new email address specifically for the purpose of getting detailed questions answered? Because when I had contact with ISC2 about year ago, they where very helpful, but getting you experience reviewed 'before' you take the exam is not an option.

That seems to be the email address on their contact page that is used for questions about the qualifications of the (ISC)2 exams.

Contact (ISC)2 Page

Webmaster · May 2007

I'm pretty sure they'll only answer basic question, basically what you can find online already. Unless perhaps when the experience is obviously relevant. I think this has to do with not giving any hopes nor promises in case the candidate gets reviewed. ("I called up front and they told me it did apply as relevant experience!")

Also considering the Sticky just posted by Keatron (about the CISSP requirement changes), I think the best way to figure out whether your experience applies is to ask that CISSP in good standing you now need to know anyway.

keatron · May 2007

Webmaster wrote:

I'm pretty sure they'll only answer basic question, basically what you can find online already. Unless perhaps when the experience is obviously relevant. I think this has to do with not giving any hopes nor promises in case the candidate gets reviewed. ("I called up front and they told me it did apply as relevant experience!")

Also considering the Sticky just posted by Keatron (about the CISSP requirement changes), I think the best way to figure out whether your experience applies is to ask that CISSP in good standing you now need to know anyway.

To be quiet honest, if you read the requirements posted on the ISC2 web site, and you have to ask yourself"am I qualified", then the first action should be to ask them directly. And Johan has an even better solution, ask the CISSP (which now is your only option for endorsement), who's going to be endorsing you. Also as an aside, it'll probably be harder now to get a CISSP to endorse you if they're not sure of your experience. Because there will soon be an announcement to all existing CISSP's warning that if you endorse a candidate and they fail the audit, then you will most likely lose your certification as well. This will help with the inevitable trickle of people beginning to offerring to pay existing CISSP's for endorsements. I've already been approached several times by people who I don't know from Opie. It might sound harsh, but the code of ethics are quiet clear. Also, it should be pointed out that your endorsement has to come from a CISSP "in good standing".

Him/Her: "I know you're a CISSP, since I took your CISSP class, will you endorse me"

Me, in the voice of Bill Lumbergh from office space: "Ahhhh yeahh, I'm going to go ahead and ask you to ask another CISSP, someone who actually knows you and can vouch for all that security experience you have on your resume. If you could go ahead and do that for me that'd be great.....yeahh."

A few things have been key in leading to this.

1. People have been failing the audits at an alarming rate over the last 2 years.

2. People who are obviously not qualified have been trying to push through on "security experience" that's in nice terms "questionable". Imagine an office knowledge worker trying to sit the CISSP to move from office manager role to a role in the IT security department (because all of us here know that IT is where the money is right???), so they apply for the CISSP citing their security experience as "making sure people have their name badges on when they come into the office" and "making sure all of our word documents are password protected".

3. The buddy system. "Hey we're buds, I'm a CISSP, you wanna be one too? I know you don't have any security experience, but I'll endorse you dude. Yeah. Cause we're buds" (in the voice of Napoleon Dynamite).

4. Clueless HR people (most are not, but some are). I think I've already mentioned in previous posts where HR posts job ads for a position like help desk technician and have CISSP listed as a requirement. Just because they heard from someone they know in IT that CISSP is the best "computer" certification to have.

I know it seems a little extreme and might be even a little unfair to the people just approaching their 4 year date, but I seriously believe it is a sincere move by ISC2 to maintain the integrity of the CISSP.

Keatron.

drakhan2002 · May 2007

keatron wrote:

(because all of us here know that IT is where the money is right???)

I almost laughed out loud when I read that!

Good one.

Webmaster · May 2007

keatron wrote:

I know it seems a little extreme and might be even a little unfair to the people just approaching their 4 year date...

I can imagine they don't 'entirely' consider it as just good news, but I think most of them will agree it's better for the cert they want to get, so better for them. Also, if you do have 4 or close to 4 years relevant experience, getting a job to get the remaining experience should be relatively easy considering the demand of security professionals. See my question for Keatron in this topic for another suggestion for those who are close to those meeting the previous requirements:
www.techexams.net/forums/viewtopic.php?p=144438#144438

Newbie to CISSP: Question about applicant requirement &

Comments