Issep?

Just wanted to get some thoughts on the ISSEP cert. I don't see many job postings that mention it but the material seems pretty interesting to me and pretty in-line with what I do at work. Would this cert actually be worth getting or would I get more from a CISA or CISM?

Find more posts tagged with

Comments

redz

Better ROI with ISACA certifications, generally, unless your goal is to do really high level ISSE work and are in an area with a lot of government/DoD work. They can pay really well.

It's not heavily pursued in the commercial world.

EDIT: I got it because I have met a high volume of very stupid CISSP's, probably more than the ones I know who are even security-literate. I wanted to differentiate myself, and the ISSEP was the certification I felt closest to.

2nd EDIT: Here is a write up on the exam, prep, etc that I did a month or two ago: http://www.techexams.net/forums/isc-sscp-cissp/91899-path-issep.html

If you decide to pursue it, feel free to PM me for guidance on study materials and tactics.

NavyIT

Thanks redz, I'll look into that. I work for a government contractor now and probably will for the rest of my career if I had to guess. Quick question about your CNSS qualifications. How did you get them? Did your employer send you to a class or did you get them some other way? Also, which ones are required to be considered a fully qualified navy validator? Thanks.

Darxtar

CNSS 4016 is recommended to be a FQNV. Without that you have to submit a lot of proof that you know how to perform risk analysis, assessment and mitigation. I recommend IA2 Inc, the instructors are outstanding.

As far as ISSEP, if you are working C & A and paricularly as a validator for DoD systems then I suggest it or CAP. If you are performing an ISSE role or fill an IASAE position then obviously ISSEP.

redz

Darxtar wrote: »

CNSS 4016 is recommended to be a FQNV.

I believe 4015 (Navy Certifier) is a requirement.

I never went after FQNV status as I do not have a degree, so I didn't much concern myself with it.

Darxtar

Its been a while since I applied so I forgot, but yes the application asks for the Certifier Course or equivalent. I don't know what the equilalent to 4015 would be, but I am guessing experience or training that does not meet the CNSS certificate requirements but does cover most/some of the topics.

As for a college degree, the form asks for them but I do not see that they are a requirement as it also has High School as a selection in the education section.

So CNSS 4015 and 4016...desired but not required as long as experience or other equivalent training can be shown. OBTW, this is for Navy, the Marine corps Valadator requirements are different.

redz

Darxtar wrote: »

As for a college degree, the form asks for them but I do not see that they are a requirement as it also has High School as a selection in the education section.

So CNSS 4015 and 4016...desired but not required as long as experience or other equivalent training can be shown. OBTW, this is for Navy, the Marine corps Valadator requirements are different.

Huh. I didn't know you could get to FQNV without a degree, I thought you could only do the first two tiers of Navy Validation work. But then, I'm a Marine Corps Validator and haven't done Navy-specific work.

EDIT: Wow... I never answered your question about the CNSS certifications. I'm sorry.

I took the Q/CA class through Security University. The teacher and courseware were phenomenal, including the exam (no multiple choice, all long-answer open book, including some prac app). This was paid for by my employer; I paid a prorated portion back when I moved to another company.

Darxtar

From what I have seen (I know a lot of Validators) documented experience with C & A (DITSCAP, DIACAP, PIT) and Risk Assesment trumps education and training in the validator application.

dijital1

If you do a lot of work in the Federal space or DIB then it's probably worth pursuing. Even if you're totally in the commercial sector, I still feel that the certification has a lot of value because it really drives home the process of engineering secure information systems. Not from a "Use this firewall and these controls" perspective but from the perspective of learning how to use the standards to properly categorize systems and thus apply the appropriate types of controls to them.

In the commercial space an ISSEP is able to make a pretty good business case for why X dollars should be spent on a given system(s) because they have a well documented process for ascribing value to them.

With that said, the ISSEP is by far the most challenging of the specialization exams from ISC2. If I had to rank them it would be ISSEP by a substantial margin, followed by the ISSAP and finally the ISSMP.

My 10 cents.