TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

My remarks were not intended to be inflammatory--they were intended to
make a point of fact that gets lost when folks talk about CISSP
certification:  CISSP does not provide any assurance that the candidate
will actually be able to understand any technical security issues.  I'm
not even talking about configuring ACLs in a router or firewall.  I'm
thinking of even more fundamental qualifications of a security
specialist.  Would you want a security specialist that didn't know how to
go about securing a host (any OS) or know why you shouldn't put Internet
web servers on your internal network or didn't know what a buffer overflow
attack is, etc.?  It's all possible if CISSP is the only yardstick
applied.

Is CISSP only then good for Security Managers, as you say?  If so, then
the level of importance placed on it for new security hires is
even more disproportionate.

CISSP has a place--a small place IMHO--but I think that applied security
knowledge is more useful in actually getting security implemented in an
environment.  What good is it to know that encrypting data is good (I know
the 'confidentiality' security service), when you can't tell good crypto
from bad (i.e. recognize snake oil), for example?

Personally, I decided against spending time studying for the CISSP when I
can instead study for my Master's and gain practical, in-depth security 
knowledge.  That's not to say that having the CISSP credential wouldn't be
icing on the cake too.

The other problem I have with the CISSP is the secrecy around the test
questions and the test itself.  So, you're left with the ISC^2's light
study guide with only 10 sample questions per area--not enough to get a
lot of insight into anything, let alone the exam.  IIRC, nobody can
discuss the test or the questions or even share or duplicate the study
guide (which you have to buy hard-copy from ISC^2 and they track which
individuals receive each study guide--I couldn't order 10 to give to a
class, for example.  They need names of everyone.)

On a related note, I just heard of an MCSE who didn't know the difference 
between FAT and NTFS and thought that NT used fat32.  Hmmm...
Certification is not a panacea.

-Jason

On Thu, 13 Jan 2000, Gary Dentremont/Towers Perrin wrote:

> Date: Thu, 13 Jan 2000 00:03:08 -0500
> From: Gary Dentremont/Towers Perrin <[EMAIL PROTECTED]>
> To: Jason Axley <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED], Jim Boxmeyer <[EMAIL PROTECTED]>,
>     [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: Information -reply
> 
> 
> 
> I believe you should choose your words a little more carefully; inflammatory
> verbiage only requires a spark to ignite a flamewar...
> 
> If you're talking about configuring ACLs on a router, or writing PERL scripts to
> monitor audit logs, you would be correct. But, I disagree if you mean
> instituting and managing an effective Information Security Program for a large
> corporation.  Although you may "feel" omniscient as root on your corporate
> firewall; you won't get paid or get new goodies to play with without a dedicated
> security professional managing the Information Security department and budget.
> 
> Gary Dentremont, CISSP
> Information Security Officer
> Towers Perrin
> 
> 
> 
> 
> Jason Axley <[EMAIL PROTECTED]> on 01/10/2000 04:43:54 PM
> 
> 
> To:       [EMAIL PROTECTED]
> cc:       Jim Boxmeyer <[EMAIL PROTECTED]>, [EMAIL PROTECTED],
>           [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] (bcc:
>           Gary Dentremont/Towers Perrin)
> From:     Jason Axley <[EMAIL PROTECTED]>
> Date:     01/10/2000 04:43 PM
> Subject:  Re: Information -reply
> 
> 
> 
> 
> From my brief look at the SANS certification track, it is actually
> technically-oriented whereas CISSP can be obtained by someone who doesn't
> know a thing about actually implementing security.
> 
> -Jason
> 
> On Mon, 10 Jan 2000 [EMAIL PROTECTED] wrote:
> 
> > Date: Mon, 10 Jan 2000 07:20:57 -0800
> > From: [EMAIL PROTECTED]
> > To: Jim Boxmeyer <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
> >     [EMAIL PROTECTED]
> > Subject: Re: Information -reply
> >
> >
> > the SANS SNAP courses are new, and they do not have the recognition that the
> > CISSP does.  SANS SNAP courses are still pretty much in their infancy of
> > development; some courses are much more mature than others.  One approach
> > is to sign up for every single conference out there, become a conference
> > roadie if you will.  Another approach is to become intimate with the Sendmail
> > book 2nd ed. and everything else will fall into place :).. Tongue in
> > cheek.. :)
> >
> > /mark
> >
> >
> >
> >
> > "Jim Boxmeyer" <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 01/08/00 05:49 PM
> >
> >
> >         To:     "Matthew F. Caldwell" <[EMAIL PROTECTED]>, "Julie Williams"
> > <[EMAIL PROTECTED]>
> >         cc:     <[EMAIL PROTECTED]>
> >         Subject:        Re: Information
> >
> >
> >
> > Hi,
> >
> > Another site which is bringing a security training program online is the
> > SANS organization.  Their SNAP program is looking very good; although it is
> > still new, there has been approval given by many security professionals.
> > You can get further information at their web site http://www.sans.org
> >
> >
> > Jim Boxmeyer
> > Senior Engineer
> > ONCTek LLC
> > http://www.onctek.com
> > 908-595-2159
> >
> > -----Original Message-----
> > From: Matthew F. Caldwell <[EMAIL PROTECTED]>
> > To: Julie Williams <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> > Date: Saturday, January 08, 2000 8:27 AM
> > Subject: Re: Information
> >
> >
> > >
> > >
> > >Hi Julie,
> > >
> > >       The only test I have found that provides some security knowledge
> > >testing is the CISSP exam for information security professionals.
> > >
> > >The web site with test information is located at the following:
> > >http://www.isc2.org. ISC^2 is an independent consortium that does the
> > >testing.  This is a ~258 question test that deals with everything from
> > >VMS security to encryption.
> > >
> > >
> > >Matthew F. Caldwell, CISSP - Senior Consultant
> > >-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > Guarded.Net - An Information Security Company
> > > connect(); to the future of secure computing!
> > >      Email: [EMAIL PROTECTED]
> > >-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > >   http://www.guarded.net
> > >
> > >On Tue, 4 Jan 2000, Julie Williams wrote:
> > >
> > >>
> > >> I apologize if this email is being sent out of the realm of this
> > >> listserv, but I am sorta lost as to where it would be appropriately sent..
> > >> I am trying to find out how commercial businesses test their experts.
> > >> 1.  Are they tested?
> > >> 2.  How are they tested?
> > >> 3.  As a supervisor in Information Assurance/Security/Vulnerabilities,
> > >> how do you OBJECTIVELY test the people that are supposed to know what
> > >> they are doing.
> > >>
> > >> Why test?  I need to know where I am at.  Is there a standard level of
> > >> knowledge for this stuff???
> > >> Any help would be greatly beneficial
> > >>
> 
> 
> AT&T Wireless Services
> IT Security
> UNIX Security Operations Specialist
> 


AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
