CIT 694 Introduction

CISSP
• Certified Information Systems Security Professional
• “The credential for professionals who develop policies and procedures in information security.”
• The CISSP is very popular among information security professionals.
  – >94,000 holders ((ISC)2 figure)
• Certification from (ISC)2
  – International Information Systems Security Certification Consortium
  – “the global, not-for-profit leader in educating and certifying information security professionals throughout their careers. We are recognized for Gold Standard certifications and world class education programs.”

Obtaining CISSP Certification
• Four years of professional experience with a college degree.
• Pass examination.
• Agree to a code of ethics.
• Submit your résumé with an endorsement by someone who has a CISSP certification and is familiar with your work.

Charles Frank, CISSP
• Passed the CISSP examination in November 2010.
• Obtained the CISSP in March 2011.
• Renewed in March 2014.

CISSP Ten Domains
1. Access Control
2. Business Continuity and Disaster Recovery
3. Cryptography
4. Information Security Governance and Risk Management
5. Legal, Regulations, Investigations and Compliance
6. Operations Security
7. Physical and Environmental Security
8. Security Architecture and Design
9. Software Development Security
10. Telecommunications and Network Security

Textbook
• Shon Harris book
• Chapters 2-11 cover the 10 domains
• Study guide for the CISSP exam

We’re Specialized
• Information security professionals are specialized.
• Professors are strong in the domains related to their discipline.
  – Computer Science: Application Security
  – Computer Information Technology: Network Security
  – Information Systems: Information Security Governance and Risk Management

Me
• Computer science professor
  – Teach Computer Security
  – Research Secure Software Engineering
• Background emphasized technology as the way to address security.
• Goal: develop a broader view and a deeper understanding of information security.
Preparation
• Read Shon Harris’ CISSP All-in-One Exam Guide (1,160 pages – now 1,383)
• (ISC)2 ten-week online course
  – $1,995
  – Good review
  – Insufficient to pass the exam
  – Insights into CISSP test gamesmanship

CISSP Exam
• $599
• Six hours
• Challenging exam
• Tests applying knowledge rather than memorization of terms or facts
• 250 multiple choice questions
  – All four selectable answers might have some degree of correctness
  – Need to pick the best answer
• Average 86 seconds per question
• >= 70% to pass

Test Taking Approach
1. Read each question carefully, underlining key words.
2. Review the question, focusing on the key words.
3. Select the best answer.
4. Move on.

Recertification
• Required every three years.
• Earn 120 continuing professional education (CPE) hours
• Minimum of 20 CPEs each year
• Annual maintenance fee of $85

CPEs
• Professional association chapter meeting
  – OWASP
  – ISSA
  – InfraGard
• Listen to a webcast or podcast
  – Gary McGraw’s Silver Bullet
  – OWASP Podcasts
  – Vendor webcasts

CPEs
• Publish a security paper
  – Thank you InfoSecCD
• Attend a security conference
  – DerbyCon – Louisville
    • 16 hours of participation
  – InfoSecCD

CPEs
• Read an information security book (5 CPEs)
  – It takes more than 5 hours to read a book
  – Do you always want to read the whole book?
• Read an information security magazine
  – IEEE Security and Privacy
  – ISSA Journal
  – Do you always want to read the whole magazine?

CPEs
• Recording CPEs is easily done on the (ISC)² website
• Rare random audit
  – Email documentation
• In six months, earned 140 CPEs
• 120 CPEs over three years is a minimal indicator of keeping up-to-date in the dynamic field of information security.

Critique: (ISC)2 Revenue
• Cost
  – (ISC)2 training course $1,995 (to $2,495)
  – (ISC)2 CISSP study book $69.95
  – Test $599
  – Annual maintenance fee $85
• (ISC)2 is generating revenue from this certification
• (ISC)2 regularly sends me email marketing CISSP preparation materials.
(ISC)2 Defense
• “All revenue and expenses are balanced and invested for the benefit of our membership. It is important to note that (ISC)2 is a highly successful organization that has not raised the costs to membership since our inception, while continually increasing member benefits.”

Cost Issue
• An employer should consider whether the CISSP certification is cost effective in educating key employees in information security.
• If an employer does not pay, this places a significant financial burden on the applicant employee.

Knowledge not Credentials
• “What you know and can do is more important than a certification.”
• Is a college degree important?
  – Bill Gates

DerbyCon
• Penetration testers, social engineers, hackers
• They do their penetration tests for CISSPs
• We are the ninjas. They are the bureaucrats.
• Do you know more than a CISSP?

Gary McGraw
• Information security “leaves plenty of room for hacks and hucksters.”
• “A CISSP certification is an indicator that someone has mastered a common body of practical security knowledge.”

Reality
• In a highly competitive job market, certifications can make a professional more marketable.
• CISSP has become a fairly standard requirement for getting one’s résumé looked at.

Salary
• An (ISC)2-sponsored survey found the average salary for a professional with an (ISC)² certification is $106,900.
• DerbyCon speaker
  – CISSP in a corner office driving a BMW

Personal Benefits
• Broadened my security perspective in areas such as governance.
• Obtaining CPEs required me to spend time on professional development.
• The CBK (Common Body of Knowledge) provided curriculum guidance to educate my students.
• Credibility within the local information security community.

Conclusion
• CISSP does not guarantee that you will be a quality professional.
• A Ph.D. does not guarantee you will be a quality professor.
• CISSP certification validates that you have broad security knowledge.
• Maintaining the CISSP requires professional development.