"Bryan J. Smith" <[EMAIL PROTECTED]> wrote:

>> We can get into ISO and NIST and countless other standards. I'm more than open to those as well. <<

The problem here, though, Bryan, is the old "nice thing about standards - there are so many to choose from". <g> At some point, we'll have to cull. I guess the point I'm getting at (not explaining myself particularly well as I rush off to work) is that the objective I'm looking for in this Content Area is the ability for the candidate to communicate effectively with management, i.e. to speak the same language and be able to translate high-level objectives (as expressed in The Standards and Corporate Policy) into effective implementations.

>> I merely suggested the CBK because it is recognized and used by _both_ the ISC2 and the SANS/GIAC, two established certification vendors. <<

Slightly different issue, Bryan. Let me see if I can pry them apart. The CBK is a way of organising topics for a certification exam. It hasn't been subjected to open review and development in quite the same way that, for example, the ISO standards have. Also, the cynic in me would suggest that SANS haven't made an objective & impartial decision to adopt the CBK - they just see a chance to sell some CISSP "boot camp" courses.

However, more to the point is that C-level and senior ICT management don't think in terms of the CBK - they think in terms of the ISO/NIST/etc. standards, and that's the language they will use to describe what they want done, the ISMS, etc. They don't care about how someone organised their study for a certification and have never heard of the CBK. You got the cert, you got the job, that's history - now we have a customer who *requires* us to be BS7799.2 certified, so what are you going to do about it?

So let's distinguish the knowledge of standards a practitioner should have (and which, incidentally, is part of the CBK), which may be a suitable topic for examination, from the way the developers of the LPIC-3 (Security) certification organise the topic areas.

>> More specifically, I suggested following the 7 CBK domains of the SSCP at the top-level of the LPIC-3 Security Exam, and then breaking down from there into tasks (as they do so easily). It's so hard to differentiate between "procedures" and "tasks" in many standards. Again, I feel the 7 CBK domains of the SSCP are the most relevant to a system security practitioner, mapping well into LPI's task-focused approach as we get more specific into actual Linux administration and knowledge. <<

Agreed. I've just been wondering out loud whether categorising along the lines of BS 7799.2 might be more beneficial and more widely understood (specifically, outside the world of certification)...

Best,

--- Les Bell, RHCE, CISSP [http://www.lesbell.com.au]

_______________________________________________
lpi-examdev mailing list
[EMAIL PROTECTED]
http://list.lpi.org/mailman/listinfo/lpi-examdev
