Certified Information Systems Security Professional

From Wikipedia, the free encyclopedia

Certified Information Systems Security Professional (CISSP) is a vendor-neutral certification governed by the non-profit International Information Systems Security Certification Consortium (ISC)2. It is considered one of the premiere Information Security certifications. The (ISC)2 has certified over 45,000 information security professionals in more than 120 countries. CISSP was the first certification to earn the ANSI accreditation to ISO/IEC Standard 17024:2003, a global benchmark for assessing and certifying personnel. It is formally approved by the U.S. Department of Defense (DoD) in both their Information Assurance Technical (IAT) and Managerial (IAM) categories.[1] The certification is also endorsed by the U.S. National Security Agency (NSA). The CISSP is often viewed as the standard for information security professionals in government and industry.

Contents

[edit] Common Body of Knowledge domains

The CISSP credential demonstrates a wide range of expertise in a variety of information security topics. The CISSP examination is based on ten domains which comprise the (ISC)2 Common Body of Knowledge® (CBK), which are generally accepted as a compendium of industry best practices for information security, including:

[edit] Requirements

Applicants for the CISSP must meet several requirements:

  • Qualify for the examination by:
    • Asserting they possess a minimum of four years of professional experience in the information security field or three years plus a college degree. (Additionally, a Master's Degree in Information Security from a National Center of Excellence can substitute for one year toward the four-year requirement.)
    • Complete the Candidate Agreement, attesting to the truth of his or her assertions regarding professional experience and legally commit to adhere to the CISSP Code of Ethics.
    • Successfully answer four questions regarding criminal history and related background.
  • Pass the rigorous CISSP exam with a scaled score of 700 points or greater. The exam consists of 250 questions to be answered over six hours. The applicant is advised in about four to six weeks by email from (ISC)2 of their results.
  • Once a candidate has been notified they have successfully passed the CISSP examination, they are required to have their qualifications endorsed by a CISSP before the credential can be awarded. The endorser attests that the candidate's assertions regarding professional experience are true to the best of their knowledge, and that the candidate is in good standing within the information security industry. If a CISSP is not available, another qualified professional with knowledge of information systems or an officer of the candidate's corporation can validate the candidate's professional experience. (A number of candidates who pass the CISSP examination and submit endorsements are randomly subjected to audit and required to submit additional information and are investigated to verify their qualifications and other assertions.)

Individuals who achieve the CISSP are required to complete 120 Continuing Professional Education (CPE) units over a period of 3 years in order to maintain the certification. CPE's can be earned several ways, including attending seminars, achieving additional certifications or degrees, publishing work related to information security. If a CISSP does not maintain 120 CPEs in 3 years, he/she will need to retake the CISSP exam in order to maintain active status.

Highly experienced information security professionals with an (ISC)2 credential in good standing, can progress to meet requirements for (ISC)2 Concentrations to demonstrate their acquired rigorous knowledge of select CBK® domains. Passing a concentration examination demonstrates proven capabilities and subject-matter expertise beyond that required for the CISSP or SSCP credentials.

Current concentrations for CISSPs include the:

  • ISSAP, Concentration in Architecture
  • ISSEP, Concentration in Engineering
  • ISSMP, Concentration in Management

IT professionals with the CISSP credential are in high demand. In 2005, CertMag surveyed 35,167 IT professionals in 170 countries on compensation. They found that:

“the top five certification programs all reported average salaries of more than $100,000. Two programs from the International Information Systems Security Certification Consortium (ISC)2 led the list, with the Certified Information Systems Security Management Professional (CISSP-ISSMP) program drawing $116,970 annually and the Certified Information Systems Security Architecture Professional (CISSP-ISSAP) earning $111,870.”[2]

[edit] Criticism

Although the CISSP is widely considered to be the de facto certification for information security professionals, it has been criticized by some parties:

  • The CISSP has been described as covering information security topics a mile wide, and an inch deep. Critics mean that the test has insufficient depth. This lack of depth concern is a common criticism of IT general certifications.
  • The CISSP questions, some believe, are too difficult and unfair. The fact that there is so much knowledge crammed in a 250 question test makes the exam extremely difficult to pass in the time allotted.
  • Others have observed that the exam sometimes includes dated information. Critics suggest that although organizations still use legacy technology, the exam should focus only on current technologies.
  • The CISSP test is formulated so that candidates are asked to choose the best answer from among a group of correct answers. Some feel these are "trick" questions that unnecessarily distract capable candidates.
  • Others charge that some questions on CISSP tests and information in the CBK® may be technically inaccurate or incomplete.
  • Some have found items on the exam are remarkably difficult. They believe questions assume too much technical knowledge, require extensive knowledge of formulas, focus on obscure facts, or involve complex calculations.

Those responding to these and other criticisms point out that the CISSP is the internationally recognized "Gold Standard" for certifying information security professionals.

[edit] See also

[edit] External links

[edit] References

  1. ^ U.S. Government, DoD 8570.01-M. Retrieved March 23, 2007.
  2. ^ http://www.certmag.com/images/CM1205_Figure1.htm