Laris,
  I agreed Cisco's program is a good one.  To me it's just a matter of the
auditor auditing themselves or the security administrator certifying the
security configuration.  We wouldn't find that acceptable.  It doesn't mean
that the auditor or the security administrator wouldn't do a good job.  It's
poor practice to have someone police themselves.  In competency testing it
is poor practice to have someone test themselves.  That doesn't mean that
the vendors can't contribute to the process, just means they can't control
it. 

I don't want to bore the list with a bunch of certification rhetoric so I'll
try to make this brief.
A big part of the problem is the use of the word certification.  Which is
defined as:
Compliance with a set of standards defined by non-governmental
organizations. Certification is applied for by individuals on a voluntary
basis and represents a professional status when achieved, e.g.,
certification for a medical specialty. 
While vendors would certainly qualify as non-government their "standards"
for certification vary from class attendance to passing a practical exam.
Again it's simply a question of quality.  I asked one of my vendors what
they did to become "Network Security Certified" (it was in their marketing
packet).  Turns out they attended the training class for a vendor's software
package, where they fully demonstrated their competence at sitting for 3
days! 

Bill Stackpole, CISSP
"My opinions are my own and do not always reflect those of my employer."


> -----Original Message-----
> From: Laris Benkis [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, July 12, 1999 3:24 PM
> To:   'Bill Stackpole'; [EMAIL PROTECTED]
> Subject:      RE: To Certify or Not To Certify - its a quality question
> 
> I wouldn't entirely agree that vendor affiliation is bad.  If the vendor
> has proven that their testing regime is of a high standard then it should
> be respected.  Two examples of that come to mind are MCSE and CCIE
> (neither of which I have).  I would be quite happy to put the latter on my
> business card but not the former.  This is because I have a pretty good
> idea of what is involved in getting each of these certifications.
> Microsoft has devalued their certification process to the point that many
> people don't consider it a valid measure of technical competence.  Cisco
> to date has taken the high road - it remains to be seen if the recent
> restructuring of the program maintains the integrity.
> 
> Laris Benkis, QPSK, ATM, PSTN.
> 
> 