RE: CISSP Question

I'm sorry, but I must disagree with this analogy. When I was in the service (US Army, 6 years) there was no job specialty of 'Gateguard'; rather, we were Military Policemen (and women, to be politically correct), trained in many aspects of investigations, collecting evidence, physical security, personal protection, communications (both radio and using code books), and so on. It would be very unlikely that someone would spend their entire 4-year enlistment as a gateguard, but even if they did, the military requires all enlisted personnel to undergo an annual skill qualification test (SQT) in their occupation to ensure they maintain this knowledge. Those people who do pull guard duty (for a day, a week, or maybe even a few weeks) are also trained on how to search for bombs or other suspicious materials, and in general assist in securing the people who live/work on a military/government installation. Obviously, the more sensitive the installation/base, the more training/experience someone receives. Many of the job functions of these 'gateguards' are related to various domains within the CISSP.

But if others want to believe this why stop at the military? Why not claim that lawyers should not be 'fit' to study/sit for the exam, after all they 'only' sit in an office all day preparing briefs, arguing court cases, prosecuting/defending people, etc. Just because they (possibly) focus on violations of Intellectual Property, or Industrial Espionage should not matter. After all, 'Law' is only one of the domains.

As for the 'gateguard' resetting passwords and trying to pass this off as managing a huge network, I would agree that this is unethical and possibly fraudulent but again why is this restricted to the 'gateguards'? What about the IT guy/gal who maintains a network for a small airport on the US/Canadian border yet claims to operate all IT resources for a multi-national firm? This is true yet gives the impression of a much larger responsibility than is reality.

It is my guess that the people who are ranting against the 'gateguards' and their "right" to become a CISSP have very limited (or complete lack of) knowledge about the various duties/training received by the people in the military. Maybe you should try walking/patrolling a mile or fence in our combat boots before making judgements.

Thank You,

Lee Kelly, CISSP
Former Military Police NCO
Physical Security Certified
Personal Protection NCOIC
Patrol Supervisor

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Simmons, James
Sent: Wednesday, May 02, 2007 5:16 PM
To: Florian Rommel
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: CISSP Question

Well, I can say from experience that a lot of aspiring military computer people are using that. A 4-year enlistment. Standing guard duty, firefighting, and then they reset passwords all day with little else experience. But of course on a resume/job sheet, it is easy to make it sound like you are single-handedly running the entire network of 1000+ users. And for $2000 you too can attend a crash course to prep you for the test.

I find it funny/sad that there is an IT certification industry, and a "help you pass <cough>cheat</cough> an IT certification" industry.


J.A. Simmons V
EDS - Navy Marine Corps Intranet (NMCI)
Information Assurance Engineer
3980 Sherman St. | San Diego, CA 92110
Office: 1 + 619 817 3821 | Fax: 1 + 619 817 3780

-----Original Message-----
From: Florian Rommel [mailto:frommel@xxxxxxxxx]
Sent: Wednesday, May 02, 2007 1:34 PM
To: Simmons, James
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: CISSP Question

Touché, James. Well done, you pointed out the one thing that I have been thinking about for a while as well. However, in 99% of cases I would say a person that has been on guard duty for 4 years won't have much interest in a CISSP, and then, if he should get it, will have quite some catching up to do.
Most employers will find it rather weird that he or she was doing guard duty for 4 years and got a CISSP :)

I do think, though, that this is a viable loophole for anyone that wants to exploit it that way. I do think it is a little far-fetched, because you still have to show that your job included some of the actions on the list.

Good point though, I like it. Wonder what ISC2 has to say about this and how many people have used that or a similar loophole already.



On 5/2/07 10:57 PM, "Simmons, James" <jsimmons@xxxxxxx> wrote:

So here is a thought for everyone.

To qualify for CISSP, you should have at least four years of experience in one of the ten domains, one of which is Physical Security. So with a bit of cramming, your gun-cleaning gate guard of 4 years can be a qualified CISSP with next to minimal experience in information security.
And as per the ISC2 webpage, to qualify experience you need to have done some of the included actions.

Reactions anyone?

P.S. I am not saying that all gate guards are incapable of being good CISSPs. I am just pointing out an all-too-common scenario.



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Florian Rommel
Sent: Wednesday, May 02, 2007 10:53 AM
To: Nicolas villatte; krymson@xxxxxxxxx;
Subject: Re: CISSP Question

I agree with Nicolas here. I definitely wouldn't endorse a desktop jockey with 4 years of experience. I already filed a complaint once, because I know a guy who, because he has some certifications and has worked in PC support, thinks he is qualified to take the exam. His "boss/partner in crime" was ready to sign off on it. I know for some people a certification like the CISSP doesn't mean much, but that still shouldn't mean anyone can get in. I had my work experience fully documented by all my previous employers before I took the exam.

Security experience in any of the 10 domains for 4 years doesn't mean that during those 4 years you should have done something security related at some point; it means that your position was directly security related.


On 5/2/07 9:47 AM, "Nicolas villatte" <Nicolas.Villatte@xxxxxxxxx> wrote:

Not really, because 5% of your time involved in security during 4 years would give you barely 2 months of experience. I don't know any CISSP who would endorse such a candidate.

"Applicants must have a minimum of four years of direct full-time security professional work experience in one or more of the ten domains of the (ISC)² CISSP® CBK®."

Sr. Security Management Specialist

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of krymson@xxxxxxxxx
Sent: mardi 1 mai 2007 14:14
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: CISSP Question

Just a quick add: don't overthink the 4 years' experience requirement. You need that experience in any one (or more) of the 10 domains. Honestly, if you're a desktop support jockey for 4 years and you do some sort of security as part of your work (do you manage passwords and/or respond to spyware incidents?), you can still qualify. Realistically, anyone with 4 years' experience in IT.