With a CISSP certification, you will be seen as a security professional of proven ability who has successfully met a predefined standard of knowledge and experience.
Things have changed, however, and today corporations and other organizations are desperate to recruit talented and experienced security professionals to help protect the resources they depend on to run their businesses and to remain competitive. With a CISSP certification, you will be seen as a security professional of proven ability who has successfully met a predefined standard of knowledge and experience that is well understood and respected throughout the industry. By keeping this certification current, you will demonstrate your dedication to staying abreast of security developments.
The CISSP certification helps companies identify which individuals have the ability, knowledge, and experience necessary to implement solid security practices, perform risk analysis, identify necessary countermeasures, and help the organization as a whole protect its facility, network, systems, and information. The CISSP certification also shows potential employers you have achieved a level of proficiency and expertise in skill sets and knowledge required by the security industry. The increasing importance placed on security in corporate success will only continue in the future, leading to even greater demands for highly skilled security professionals. CISSP certification shows that a respected third-party organization has recognized an individual's technical and theoretical knowledge and expertise, and distinguishes that individual from those who lack this level of knowledge.
Understanding and implementing security practices is an essential part of being a good network administrator, programmer, or engineer. Job descriptions that do not specifically target security professionals still often require that a potential candidate have a good understanding of security concepts as well as how to implement them. Due to staff size and budget restraints, many organizations can't afford separate network and security staffs. But this doesn't mean they don't believe security is vital to their organization.
Thus, they often try to combine knowledge of technology and security into a single role. With a CISSP designation, you can put yourself head and shoulders above other individuals in this regard.
The CISSP Exam
To meet the certification requirements of a CISSP, you must have one of the following:
• Five years professional experience in two (or more) of the domains within the Common Body of Knowledge (CBK).
• Four years experience in two (or more) of the ten domains, and a four-year college degree or master's degree in information security from a National Center of Excellence.
• At least three years experience in two (or more) of the ten domains and a four year college degree or master's degree in information security from a National Center of Excellence, plus a professional certification from the following list (candidates are permitted a waiver of one year of experience for any credential on the approved credentials list):
• CERT Certified Computer Security Incident Handler (CSIH)
• Certified Business Continuity Planner (CBCP)
• Certified Computer Crime Investigator (Advanced) (CCCI)
• Certified Computer Crime Prosecutor
• Certified Computer Examiner (CCE)
• Certified Fraud Examiner (CFE)
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)
• Certified Internal Auditor (CIA)
• Certified Protection Professional (CPP)
• Certified Wireless Security Professional (CWSP)
• CompTIA Security+
• Computer Forensic Computer Examiner (CFCE)
• GIAC Security Essentials Certification (GSEC)
• GIAC Certified Firewall Analyst (GCFW)
• GIAC Certified Intrusion Analyst (GCIA)
• GIAC Certified Incident Handler (GCIH)
• GIAC Certified Windows Security Administrator (GCWN)
• GIAC Certified UNIX Security Administrator (GCUX)
• GIAC Certified Forensic Analyst (GCFA)
• GIAC Information Security Officer (GISO)
• GIAC IT Security Audit Essentials (GSAE)
• GIAC Security Expert (GSE)
• GIAC Certified ISO-17799 Specialist (G7799)
• GIAC Security Leadership Certification (GSLC)
• GIAC Systems and Network Auditor (GSNA)
• GIAC Certified Security Consultant (GCSC)
• Microsoft Certified Systems Administrator (MCSA)
• Microsoft Certified Systems Engineer (MCSE)
• Master Business Continuity Planner (MBCP)
• System Security Certified Practitioner (SSCP)
Consult www.isc2.org for a complete list and description of requirements for your CISSP certification.
Because the CISSP exam covers the ten domains making up the CISSP CBK, it is often described as being "an inch deep and a mile wide," a reference to the fact that many questions on the exam are not very detailed in nature and do not require you to be an expert in every subject. However, the questions do require you be familiar with many different security subjects.
The CISSP exam is comprised of 250 multiple-choice questions, and you have six hours to complete it. The questions are pulled from a much larger question bank to ensure the exam is as unique as possible for each entrant. In addition, the test bank constantly changes and evolves to more accurately reflect the real world of security. The exam questions are continually rotated and replaced in the bank as necessary. Each question has four answer choices, only one of which is correct. Only 225 questions are graded, while 25 are used for research purposes. The 25 research questions are integrated into the exam, so you won't know which go towards your final grade. To pass the exam, you need a minimum raw score of 700 points out of 1,000. Questions are weighted based on their difficulty; not all questions are worth the same number of points. The exam is not product- or vendor-oriented, meaning no questions will be specific to certain products or vendors (for instance, Windows 2000, Unix, or Cisco). Instead, you will be tested on the security models and methodologies used by these types of systems.
(ISC)2 has also added scenario-based questions to the CISSP exam. These questions present a short scenario to the test taker rather than asking the test taker to identify terms and/or concepts. A scenario-based question would be worded something like "John returned from lunch and found that the company's IDS indicated that a critical server has had continuous ICMP traffic sent to it for over 45 minutes, which is taking up 85% of the server's CPU resource. What does John need to do at this point?"
The goal of the scenario-based questions is to ensure that test takers not only know and understand the concepts within the CBK, but also can apply this knowledge to real life situations. This is more practical because in the real world, you won't be challenged by having someone come up to you and ask, "What is the definition of collusion?" You need to know how to detect and prevent collusion from taking place, in addition to knowing the definition of the term.
The International Information Systems Security Certification Consortium (ISC)2 process for earning credentials will change as of October 2007. In order to obtain this credential, candidates for any of the (ISC)2 credential will be required to obtain an endorsement of their candidature exclusively from an (ISC)2 certified professional in good standing. The professional endorsing the candidate can hold any (ISC)2 certification, such as the CISSP, SSCP, or CAP. This sponsor will vouch for your years of experience.
After passing the exam, you will be asked to supply documentation, supported by a sponsor, proving that you indeed have this type of experience. The sponsor must sign a document vouching for the security experience you are submitting. So, make sure you have this sponsor lined up prior to registering for the exam and providing payment.
You don't want to pay for and pass the exam, only to find you can't find a sponsor for the final step needed to achieve your certification.
The reason behind the sponsorship requirement is to insure that those who achieve the certification have real-world experience to offer companies. Book knowledge is extremely important for understanding theory, concepts, standards, and regulations, but it can never replace hands-on experience. Proving you have practical experience supports the relevance of the certification.
Afterward, a small sample group of individuals selected at random will be audited after passing the exam. The audit consists mainly of individuals from (ISC)2 calling on the candidates' stated sponsors and contacts to verify that the test taker's related experience is true.
What makes this exam challenging is that most candidates, although they work in the security field, are not necessarily familiar with all ten CBK domains. If a security professional is considered an expert in vulnerability testing or application security, for example, she may not be familiar with physical security, cryptography, or security practices. Thus, studying for this exam will broaden your knowledge of the security field.
(ISC)2 attempts to keep up with changes in technology and methodologies brought to the security field by adding a large number of new questions to the test question bank each year. These questions are based on current technologies, practices, approaches, and standards. For example, the CISSP exam given in 1998 did not have questions pertaining to wireless security, but present and future exams will.
Other examples of material not on past exams include security governance, instant messaging, phishing, botnets, VoIP, and spam. Though these subjects weren't issues in the past, they are now -- and in the case of botnets, VoIP, and spam, they will be in the future.
The test is based on internationally accepted information security standards and practices. If you look at the (ISC)2 web site for test dates and locations, you may find, for example, that the same test is offered this Tuesday in California and next Wednesday in Saudi Arabia.
If you do not pass the exam, you have the option of retaking it as soon as you like.
(ISC)2 used to subject individuals to a waiting period before they could retake the exam, but this rule has been removed. (ISC)2 keeps track of which exam version you were given on your first attempt and ensures you receive a different version for any retakes.
(ISC)2 also provides a report to a CISSP candidate who did not pass the exam, detailing the areas where the candidate was weakest. Though you could retake the exam soon afterward, it's wise to devote additional time to these weak areas to improve your score on the retest.
This was first published in December 2007