Certified Information Systems Security Professional
From Wikipedia, the free encyclopedia
Certified Information Systems Security Professional (CISSP) is a vendor-neutral certification governed by the International Information Systems Security Certification Consortium (ISC)2. It is considered one of the premier information security certifications. The credential is accredited by the International Organization for Standardization (ISO) under the ANSI/ISO/IEC 17024 standard in the area of information security.
The CISSP test includes information from 10 different domains which compose the (ISC)2 Common Body of Knowledge® (CBK).
According to its sponsor (ISC)2, applicants for the CISSP must have one of the following to qualify:
- A minimum of four years of direct full-time security professional work experience in one or more of the ten domains of the CBK®
- Three years of direct full-time security professional work experience in one or more of the ten domains of the CBK® with a four-year college degree.
- A Master's Degree in Information Security from a National Center of Academic Excellence (CAE) can substitute for one year toward the four-year requirement.
Applicants pay a fee of $499 and sit a lengthy six-hour multiple-choice exam that is not computer based and is held under intense supervision to prevent cheating. The certification test consists of 250 questions to be answered over six hours. Once the test is completed, the applicant waits several weeks to receive an email from (ISC)2 informing them of their pass or fail result. If the result is a pass, the applicant must then request to be "sponsored" by another individual holding the certification in good standing. Simply passing the written exam does not immediately grant an individual CISSP status; the applicant must submit other qualifying information as well as the sponsorship information before being considered. After consideration, the applicant is informed whether their status as a CISSP is approved or denied.
Individuals who achieve the CISSP are required to complete 120 Continuing Professional Education (CPE) units over a period of 3 years in order to maintain the certification. CPEs can be earned in several ways, including attending seminars, achieving additional certifications or degrees, and publishing work related to information security. If a CISSP does not earn 120 CPEs in 3 years, he/she will need to retake the CISSP exam in order to maintain active status.
The CISSP has been described as covering information security topics "a mile wide, and an inch deep." The certification demonstrates a broad range of expertise across the topics listed below.
The CBK® includes:
- Access Control
- Application Security
- Business Continuity and Disaster Recovery Planning
- Cryptography
- Information Security and Risk Management
- Legal, Regulations, Compliance and Investigations
- Operations Security
- Physical (Environmental) Security
- Security Architecture and Design
- Telecommunications and Network Security
For experienced information security professionals with an (ISC)2 credential in good standing, (ISC)2 Concentrations demonstrate their acquired rigorous knowledge of select CBK® domains. Passing a concentration examination demonstrates proven capabilities and subject-matter expertise beyond that required for the CISSP or SSCP credentials.
Current Concentrations for CISSPs include the:
- ISSAP, Concentration in Architecture
- ISSEP, Concentration in Engineering
- ISSMP, Concentration in Management
Criticism
Although the CISSP is widely considered to be the de facto certification for information security professionals, it has also been criticized by some parties:
- Being "an inch deep and a mile wide" means that the test has little or no depth, and passing it may prove only that a person is good at memorizing facts and passing examinations, although the requirement that candidates submit proof of four years' experience in the field does address this issue to some extent.
- It sometimes tests on outdated information (for instance, the CISSP exam as of 2006 still sometimes asks questions about 10BASE2 Ethernet, which has not been widely used since the 1990s).
- The test is formulated so that candidates are asked to choose the best answer from among a group, rather than a single correct answer. Some feel that this is a form of "trick" question that really just tests attention to detail rather than knowledge of the subject matter.
- Some questions given on CISSP tests, and information in the CBK® itself, may be technically inaccurate, skewed, or incomplete. For instance, the Official (ISC)2 Guide to the CISSP Exam, based on the CBK®, says that all host-based intrusion detection systems work by reading audit logs -- completely ignoring the fact that the most common such system used today is probably Tripwire, which does not read audit logs. Critics charge that inaccuracies and wild blanket statements such as this are too common within the CBK®.
- The requirement to be sponsored by another CISSP means that the qualification is not entirely knowledge- and competence-based, but also involves knowing someone willing to provide sponsorship, effectively keeping it within the 'club' (however, if you do not know a CISSP willing to sponsor you, (ISC)2 allows a senior level (CIO, CTO, CSO) manager to attest to your background and experience in a written statement).