Date post: 22-Dec-2015
Page 1: CIT 694 Introduction. CISSP Certified Information Systems Security Professional “The credential for professionals who develop policies and procedures.

CIT 694 Introduction

CISSP

• Certified Information Systems Security Professional

• “The credential for professionals who develop policies and procedures in information security.”

• The CISSP is very popular among information security professionals.

– >94,000

(ISC)2

• Certification from (ISC)2

– International Information Systems Security Certification Consortium

• “the global, not-for-profit leader in educating and certifying information security professionals throughout their careers. We are recognized for Gold Standard certifications and world class education programs.”

Obtaining CISSP Certification

• Four years of professional experience with a college degree.

• Pass examination.

• Agree to a code of ethics.

• Submit your résumé with an endorsement by someone who has a CISSP certification and is familiar with your work.

Charles Frank, CISSP

• Passed the CISSP examination in November 2010

• Obtained the CISSP in March 2011.

• Renewed in March 2014.

CISSP Ten Domains

1. Access Control

2. Business Continuity and Disaster Recovery

3. Cryptography

4. Information Security Governance and Risk Management

5. Legal, Regulations, Investigations and Compliance

6. Operations Security

7. Physical and Environmental Security

8. Security Architecture and Design

9. Software Development Security

10. Telecommunications and Network Security

Textbook

Shon Harris Book

• Chapters 2-11 cover the 10 domains

• Study guide for the CISSP exam

We’re Specialized

• Information security professionals are specialized.

• Professors are strong in the domains related to their discipline.

– Computer Science: Application Security

– Computer Information Technology: Network Security

– Information Systems: Information Security Governance and Risk Management

Me

• Computer science professor

– Teach Computer Security

– Research Secure Software Engineering

• Background emphasized technology as the way to address security.

• Develop a broader view and a deeper understanding of information security.

Preparation

• Read Shon Harris’ CISSP All-in-One Exam Guide (1,160 pages – now 1,383)

• (ISC)2 ten week online course

– $1,995

– Good review

– Insufficient to pass the exam

– Insights into CISSP test gamesmanship

CISSP Exam

• $599

• Six hours

• Challenging exam.

• Tests applying knowledge rather than memorization of terms or facts

• 250 multiple choice questions

– All four selectable answers might have some degree of correctness

– Need to pick the best answer.

• Average 86 seconds per question.

• >= 70% to pass

Test Taking Approach

1. Read each question carefully, underlining key words.

2. Review the question, focusing on the key words.

3. Select the best answer.

4. Move on.

Recertification

• Required every three years.

• Earn 120 continuing professional education (CPE) hours

• Minimum of 20 CPEs each year

• Annual maintenance fee of $85.

CPEs

• Professional association chapter meeting

– OWASP

– ISSA

– InfraGard

• Listen to webcast or podcast

– Gary McGraw’s Silver Bullet

– OWASP Podcasts

– Vendor webcasts

CPEs

• Publish a security paper

– Thank you InfoSecCD

• Attend a security conference

– DerbyCon – Louisville

• 16 hours of participation

– InfoSecCD

CPEs

• Read an information security book (5 CPEs)

– It takes more than 5 hours to read a book

– Do you always want to read the whole book?

• Read an information security magazine

– IEEE Security and Privacy

– ISSA Journal

– Do you always want to read the whole magazine?

CPEs

• Recording CPEs is easily done on the (ISC)2 website

• Rare random audit

– Email documentation

• In six months, earned 140 CPEs

• 120 CPEs over three years is a minimal indicator of keeping up to date in the dynamic field of information security.

Critique: (ISC)2 Revenue

• Cost

– (ISC)2 Training course $1,995 (to $2,495)

– (ISC)2 CISSP Study Book $69.95

– Test $599

– Annual Maintenance Fee $85

• (ISC)2 is generating revenue from this certification

• (ISC)2 regularly sends me email marketing CISSP preparation materials.

(ISC)2 Defense

• “All revenue and expenses are balanced and invested for the benefit of our membership. It is important to note that (ISC)2 is a highly successful organization that has not raised the costs to membership since our inception, while continually increasing member benefits.”

Cost Issue

• An employer should consider whether the CISSP certification is cost effective in educating key employees in information security.

• If an employer does not pay, this places a significant financial burden on the applicant employee.

Knowledge not Credentials

• “What you know and can do is more important than a certification.”

• Is a college degree important?

– Bill Gates

DerbyCon

• Penetration testers, social engineers, hackers

• They do their penetration tests for CISSPs

• We are the ninjas. They are the bureaucrats.

• Do you know more than a CISSP?

Gary McGraw

• Information security “leaves plenty of room for hacks and hucksters.”

• “A CISSP certification is an indicator that someone has mastered a common body of practical security knowledge”.

Reality

• In a highly competitive job market, certifications can make a professional more marketable.

• CISSP has become a fairly standard requirement for getting one’s résumé to be looked at.

Salary

• (ISC)2 sponsored survey found the average salary for a professional with an (ISC)² certification is $106,900.

• DerbyCon speaker

– CISSP in corner office driving a BMW

Personal Benefits

• Broadened my security perspective in areas such as governance.

• Obtaining CPEs required me to spend time on professional development.

• CBK provided curriculum guidance to educate my students.

• Credibility within the local information security community.

Conclusion

• CISSP does not guarantee that you will be a quality professional.

• A Ph.D. does not guarantee you will be a quality professor.

• CISSP certification validates that you have broad security knowledge.

• Maintaining the CISSP requires professional development.
