Introduction

CIT 694
Introduction
CISSP
• Certified Information Systems Security
Professional
• “The credential for professionals who develop
policies and procedures in information
security.”
• The CISSP is very popular among information
security professionals.
– >94,000
(ISC)2
• Certification from (ISC)2
– International Information Systems Security
Certification Consortium
• “the global, not-for-profit leader in educating
and certifying information security
professionals throughout their careers. We
are recognized for Gold Standard certifications
and world class education programs.”
Obtaining CISSP Certification
• Four years of professional experience with a
college degree.
• Pass examination.
• Agree to a code of ethics.
• Submit your résumé with an endorsement by
someone who has a CISSP certification and is
familiar with your work.
Charles Frank, CISSP
• Passed the CISSP examination in November
2010
• Obtained the CISSP in March 2011.
• Renewed in March 2014.
CISSP Ten Domains
1. Access Control
2. Business Continuity and Disaster Recovery
3. Cryptography
4. Information Security Governance and Risk
Management
5. Legal, Regulations, Investigations and Compliance
6. Operations Security
7. Physical and Environmental Security
8. Security Architecture and Design
9. Software Development Security
10. Telecommunications and Network Security
Textbook
Shon Harris Book
• Chapters 2-11 cover the 10 domains
• Study Guide for the CISSP exam
We’re Specialized
• Information security professionals are
specialized.
• Professors are strong in the domains related
to their discipline.
– Computer Science: Application Security
– Computer Information Technology: Network
Security
– Information Systems: Information Security
Governance and Risk Management
Me
• Computer science professor
– Teach Computer Security
– Research Secure Software Engineering
• Background emphasized technology as the
way to address security.
• Develop a broader view and a deeper
understanding of information security.
Preparation
• Read Shon Harris’ CISSP All-in-One Exam
Guide (1,160 pages – now 1383)
• (ISC)2 ten week online course
– $1,995
– Good review
– Insufficient to pass the exam
– Insights into CISSP test gamesmanship
CISSP Exam
• $599
• Six hours
• Challenging exam.
• Tests applying knowledge rather than memorization of
terms or facts
• 250 multiple choice questions
– All four selectable answers might have some degree of
correctness
– Need to pick the best answer.
• Average 86 seconds per question.
• >= 70% to pass
Test Taking Approach
1. Read each question carefully, underlining key
words.
2. Review the question, focusing on the key
words.
3. Select the best answer
4. Move on
Recertification
• Required every three years.
• Earn 120 continuing professional education
(CPE) hours
• Minimum of 20 CPEs each year
• Annual maintenance fee of $85.
CPEs
• Professional association chapter meeting
– OWASP
– ISSA
– InfraGard
• Listen to webcast or podcast
– Gary McGraw’s Silver Bullet
– OWASP Podcasts
– Vendor webcasts
CPEs
• Publish a security paper
– Thank you InfoSecCD
• Attend a security conference
– DerbyCon – Louisville
• 16 hours of participation
– InfoSecCD
CPEs
• Read information security book (5 CPEs)
– It takes more than 5 hours to read a book
– Do you always want to read the whole book?
• Read an information security magazine
– IEEE Security and Privacy
– ISSA Journal
– Do you always want to read the whole magazine?
CPEs
• Recording CPEs is easily done on the (ISC)2
website
• Rare random audit
– Email documentation
• Six months, earned 140 CPEs
• 120 CPEs over three years is a minimal indicator of
keeping up to date in the dynamic field of
information security.
Critique: (ISC)2 Revenue
• Cost
– (ISC)2 Training course $1,995 (to $2,495)
– (ISC)2 CISSP Study Book $69.95
– Test $599
– Annual Maintenance Fee $85
• (ISC)2 is generating revenue from this
certification
• (ISC)2 regularly sends me email marketing
CISSP preparation materials.
(ISC)2 Defense
• “All revenue and expenses are balanced and
invested for the benefit of our membership. It
is important to note that (ISC)2 is a highly
successful organization that has not raised the
costs to membership since our inception,
while continually increasing member
benefits.”
Cost Issue
• An employer should consider whether the
CISSP certification is cost effective in
educating key employees in information
security.
• If an employer does not pay, this places a
significant financial burden on the applicant
employee.
Knowledge not Credentials
• “What you know and can do is more
important than a certification.”
• Is a college degree important?
– Bill Gates
DerbyCon
• Penetration Testers, Social Engineers, Hackers
• They do their penetration tests for CISSPs
• We are the Ninjas. They are the bureaucrats.
• Do you know more than a CISSP?
Do you know more than a CISSP?
Gary McGraw
• Information security “leaves plenty of room
for hacks and hucksters.”
• “A CISSP certification is an indicator that
someone has mastered a common body of
practical security knowledge”.
Reality
• In a highly competitive job market,
certifications can make a professional more
marketable.
• CISSP has become a fairly standard
requirement for getting one’s résumé
looked at.
Salary
• (ISC)2 sponsored survey found the average
salary for a professional with an (ISC)²
certification is $106,900.
• DerbyCon speaker.
– CISSP in corner office driving a BMW
Personal Benefits
• Broadened my security perspective in areas
such as governance.
• Obtaining CPEs required me to spend time on
professional development.
• CBK provided curriculum guidance to educate
my students.
• Credibility within the local information
security community.
Conclusion
• CISSP does not guarantee that you will be a
quality professional.
• A Ph.D. does not guarantee you will be a
quality professor.
• CISSP certification validates that you have
broad security knowledge.
• Maintaining the CISSP requires professional
development.