CIT 694 Introduction. CISSP Certified Information Systems Security Professional “The credential for professionals who develop policies and procedures.

CISSP: Certified Information Systems Security Professional
"The credential for professionals who develop policies and procedures in information security." The CISSP is very popular among information security professionals: more than 94,000 people hold it.

(ISC)²
Certification from (ISC)², the International Information Systems Security Certification Consortium: "the global, not-for-profit leader in educating and certifying information security professionals throughout their careers. We are recognized for Gold Standard certifications and world class education programs."

Obtaining CISSP Certification
1.Five years of professional experience in the field (a four-year college degree waives one year, so four years with a degree).
2.Pass the examination.
3.Agree to the (ISC)² code of ethics.
4.Submit your résumé with an endorsement by someone who holds a CISSP certification and is familiar with your work.

Charles Frank, CISSP
Passed the CISSP examination in November 2010. Obtained the CISSP in March. Renewed in March 2014.

CISSP Ten Domains
1.Access Control
2.Business Continuity and Disaster Recovery
3.Cryptography
4.Information Security Governance and Risk Management
5.Legal, Regulations, Investigations and Compliance
6.Operations Security
7.Physical and Environmental Security
8.Security Architecture and Design
9.Software Development Security
10.Telecommunications and Network Security

Textbook

Shon Harris's CISSP All-in-One Exam Guide. Chapters 2 to 11 cover the ten domains; it is a study guide for the CISSP exam.

We're Specialized
Information security professionals are specialized. Professors are strong in the domains related to their discipline:
– Computer Science: Application Security
– Computer Information Technology: Network Security
– Information Systems: Information Security Governance and Risk Management

Me
Computer science professor. I teach computer security and research secure software engineering. My background emphasized technology as the way to address security. Goal: develop a broader view and a deeper understanding of information security.

Preparation
– Read Shon Harris's CISSP All-in-One Exam Guide (1,160 pages; now 1,383).
– (ISC)² ten-week online course, $1,995: a good review, insufficient by itself to pass the exam, but it gives insights into CISSP test gamesmanship.

CISSP Exam
– $599. Six hours. A challenging exam: it tests applying knowledge rather than memorizing terms or facts.
– 250 multiple-choice questions. All four selectable answers might have some degree of correctness; you need to pick the best answer.
– Six hours for 250 questions is an average of 86 seconds per question.
– A scaled score of 700 out of 1,000 (roughly 70%) is needed to pass.
(Fee, length and question count as of this presentation.)

Test Taking Approach
1.Read each question carefully, underlining key words.
2.Review the question, focusing on the key words.
3.Select the best answer.
4.Move on.

Recertification
Required every three years: earn 120 continuing professional education (CPE) hours, with a minimum of 20 CPEs each year, and pay an annual maintenance fee of $85.

CPEs
– Professional association chapter meetings: OWASP, ISSA, InfraGard.
– Listen to a webcast or podcast: Gary McGraw's Silver Bullet, OWASP podcasts, vendor webcasts.

CPEs
– Publish a security paper (thank you, InfoSecCD).
– Attend a security conference: DerbyCon in Louisville (16 hours of participation), InfoSecCD.

CPEs
– Read an information security book (5 CPEs). It takes more than 5 hours to read a book, and do you always want to read the whole book?
– Read an information security magazine: IEEE Security & Privacy, ISSA Journal. Do you always want to read the whole magazine?

CPEs
Recording CPEs is easily done on the (ISC)² website. Audits are rare and random, so keep your documentation. In six months I earned 140 CPEs. 120 CPEs over three years is a minimal indicator of keeping up to date in the dynamic field of information security.

Critique: (ISC)² Revenue
Cost:
– (ISC)² training course: $1,995 (up to $2,495)
– (ISC)² CISSP study book: $69.95
– Test: $599
– Annual maintenance fee: $85
(ISC)² is generating revenue from this certification, and it regularly sends me marketing for CISSP preparation materials.

(ISC)² Defense
"All revenue and expenses are balanced and invested for the benefit of our membership. It is important to note that (ISC)² is a highly successful organization that has not raised the costs to membership since our inception, while continually increasing member benefits."

Cost Issue
An employer should consider whether the CISSP certification is a cost-effective way of educating key employees in information security. If the employer does not pay, the cost places a significant financial burden on the employee applying.

Knowledge, not Credentials
"What you know and can do is more important than a certification." Is a college degree important? (Bill Gates.)

DerbyCon
Penetration testers, social engineers, hackers. They do their penetration tests for CISSPs. We are the ninjas; they are the bureaucrats. Do you know more than a CISSP?

Gary McGraw
Information security "leaves plenty of room for hacks and hucksters." "A CISSP certification is an indicator that someone has mastered a common body of practical security knowledge."

Reality
In a highly competitive job market, certifications can make a professional more marketable. The CISSP has become a fairly standard requirement for getting one's résumé looked at.

Salary
An (ISC)²-sponsored survey found that the average salary for a professional with an (ISC)² certification is $106,900. A DerbyCon speaker's image: the CISSP in the corner office driving a BMW.

Personal Benefits
– Broadened my security perspective in areas such as governance.
– Obtaining CPEs required me to spend time on professional development.
– The CBK provided curriculum guidance for educating my students.
– Credibility within the local information security community.

Conclusion
The CISSP does not guarantee that you will be a quality professional, just as a Ph.D. does not guarantee that you will be a quality professor. CISSP certification validates that you have broad security knowledge, and maintaining it requires ongoing professional development.