Certified Information Systems Security Professional

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 157.238.209.10 (talk) at 01:56, 19 August 2006. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Certified Information Systems Security Professional (or CISSP) is a vendor-neutral certification governed by the International Information Systems Security Certification Consortium ((ISC)2). It is considered one of the premiere security certifications.

According to its sponsor (ISC)2 (http://www.isc2.org), applicants for the CISSP must have one of the following to qualify:

  • A minimum of four years of direct full-time security professional work experience in one or more of the ten domains of the Common Body of Knowledge
  • Three years of direct full-time security professional work experience in one or more of the ten domains of the Common Body of Knowledge, combined with a four-year college degree.

A Master's Degree in Information Security from a National Center of Academic Excellence (CAE) can substitute for one year toward the four-year requirement.

Applicants pay a fee of $499 and sit a lengthy 6 hour multiple-choice exam that is not computer based and is under intense supervision to prevent cheating. The certification test consists of 250 questions to be answered over six hours. The CISSP test includes information from 10 different domains which comprise the Common Body of Knowledge. Once the test is completed, the applicant waits several weeks to receive an email from the International Information Systems Security Certification Consortium ((ISC)2) informing them of their pass or fail result. If the result is a pass, the applicant must then request to be "sponsored" by another individual holding the certification in good standing. Simply passing the written exam does not immediately grant an individual CISSP status; the applicant must submit other qualifying information, as well as the sponsorship information, before being considered. After consideration, the applicant is informed that they have been granted CISSP status or that they have been denied.

The CISSP has been described as covering Information Security topics "A mile wide, and an inch deep." The certification demonstrates a wide range of expertise in a variety of topics as listed below.

The Common Body of Knowledge includes:

For experienced information security professionals holding an International Information Systems Security Certification Consortium ((ISC)2) credential in good standing, the (ISC)² Concentrations demonstrate rigorous knowledge of selected CBK® domains. Passing a concentration examination demonstrates proven capabilities and subject-matter expertise beyond that required for the CISSP or SSCP credentials.

Current Concentrations for CISSPs include the:

  • ISSAP, Concentration in Architecture
  • ISSEP, Concentration in Engineering
  • ISSMP, Concentration in Management

Criticism

Although the CISSP is widely considered to be the de facto certification for information security professionals, it has also been criticized by some parties for:

  • Being an "inch deep and a mile wide" means that the test has little or no depth, and passing it may prove only that a person is good at memorizing facts and passing examinations.
  • It sometimes tests on outdated information (for instance, the CISSP exam as of 2006 still sometimes asks questions about 10BASE2 Ethernet, which has not been widely used since the 1990s).
  • The test is formulated so that testees are to choose the best answer from among a group, rather than an actual correct answer. Some feel that this is a form of "trick" question, and really just tests attention to detail, rather than the subject matter.
  • Some questions given on CISSP tests, and some information in the Common Body of Knowledge itself, are technically inaccurate, skewed, or incomplete. For instance, the Official (ISC)2 Guide to the CISSP Exam, based on the CBK®, says that all host-based intrusion detection systems work by reading audit logs, completely ignoring the fact that the most common such system used today is probably Tripwire, which does not read audit logs. Critics charge that inaccuracies and wild blanket statements such as this are too common within the CBK®.
