Security Basics: RE: CISSP Question

["Simmons, James" <jsimmons () eds com>]

Well I can say from experience that a lot of aspiring military computer people are using that. A 4 year enlistment. 
Standing guard duty, firefighting, and then they reset passwords all day with little else experience. But of course on 
a resume/job sheet, it is easy to make it sound like you are single handedly running the entire network of 1000+ users. 
And for $2000 you too can attend a crash course to prep you for the test.

I find it funny/sad that there is an IT certification industry, and a "help you pass <cough>cheat</cough> an IT 
certification" industry.

Regards,

J.A. Simmons V
EDS - Navy Marine Corps Intranet (NMCI)
Information Assurance Engineer
3980 Sherman St. | San Diego, CA 92110
Office: 1 + 619 817 3821 | Fax: 1 + 619 817 3780
jsimmons () eds com

-----Original Message-----
From: Florian Rommel [mailto:frommel () gmail com] 
Sent: Wednesday, May 02, 2007 1:34 PM
To: Simmons, James
Cc: security-basics () securityfocus com
Subject: Re: CISSP Question


Touché James. Well done you pointed the one thing out that I have been thinking about for a while as well. However in 
99% I would say a person that has been on Guard duty for 4 years won't have much interest in a CISSP and then , if he 
should get it, will have to do quite some catching up to do.
Most employers will find it rather weird that he or she was doing guard duty
for 4 years and got a CISSP   :)

I do think though that this is a viable loophole for anyone that wants to exploit it that way. I do think it is a 
little far fetched because you still have to show that your job included some of the actions on the list.

Good point though, I like it. Wonder what ISC2 has to say about this and how many people have used that or a similar 
loophole already.

Cheers,

//Flosse

http://blog.2blocksaway.com

On 5/2/07 10:57 PM, "Simmons, James" <jsimmons () eds com> wrote:

> So here is a thought for everyone.
>
> To qualify for CISSP, you should have at least four years of 
> experience in one of the ten domains. Of which includes Physical 
> Security. So with a bit of cramming, your gun cleaning, gate guard of 
> 4 years can be a qualified CISSP with next to minimal experience in Information security.
> And as per the ISC2 webpage, to qualify experience you need to have 
> done some of the included actions.
> (https://www.isc2.org/cgi-bin/content.cgi?category=1187)
>
> Reactions anyone?
>
> P.S. I am not saying that all gate guards are incapable of being good CISSP's.
> I am just pointing out an all too common scenario.
>
> Regards,
>
> Simmons
>
> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Florian Rommel
> Sent: Wednesday, May 02, 2007 10:53 AM
> To: Nicolas villatte; krymson () gmail com; 
> security-basics () securityfocus com
> Subject: Re: CISSP Question
>
> I agree with Nicolas here. I definitely wouldn't endorse a Desktop 
> Jockey with
> 4 years of experience. I already filed once a complaint because I know 
> a guy who, because he has some certifications and has worked as a pc 
> support, thinks he is qualified to take the exam. His "boss/ partner 
> in crime" was ready to sign off on it. I know for some people a 
> certification like the CISSP doesn't mean much but that still 
> shouldn't mean anyone can get in. I had my work experience fully 
> documented by all my previous employers  before I took the exam.
>
> Security experience in any of the 10 domains for 4 years doesnt mean 
> that during those 4 years you should have done something security 
> related at some point it means that your position was directly security related.
>
> //flosse
> http://blog.2blocksaway.com
>
>
> On 5/2/07 9:47 AM, "Nicolas villatte" <Nicolas.Villatte () chello be> wrote:
>
> > Not really, because 5% of your time involved in security during 4 
> > years would give you barely 2 months of experience. I don't know any 
> > CISSP who would endorse such a candidate.
> >
> > https://www.isc2.org/cgi/content.cgi?category=1187
> >
> > "Applicants must have a minimum of four years of direct full-time 
> > security professional work experience in one or more of the ten 
> > domains of the (ISC)² CISSP® CBK®."
> >
> > Regards,
> > Nicolas.
> >
> >
> > ---------------------------------------------------------------------
> > -
> > ------
> > --------
> >
> > Nicolas VILLATTE
> >
> > CISSP, GCIA, GCIH, GCFA
> >
> > Sr. Security Management Specialist
> >
> >
> > -----Original Message-----
> > From: listbounce () securityfocus com
> > [mailto:listbounce () securityfocus com] On Behalf Of krymson () gmail com
> > Sent: mardi 1 mai 2007 14:14
> > To: security-basics () securityfocus com
> > Subject: RE: CISSP Question
> >
> > Just a quick add, don't overthink the 4 years' experience requirement.
> > You need that experience in any one (or more) of the 10 domains.
> > Honestly, if you're a desktop support jockey for 4 years and you do 
> > some sort of security as part of your work (do you manage passwords 
> > and/or respond to spyware incidents?), you can still qualify. 
> > Realistically, anyone with 4 years'
> > experience in IT.