From: Les Bell <[EMAIL PROTECTED]>
> Ahem! Five years experience for CISSP, although one year
> can be credited for a Master's degree from an NSA-accredited
> security program

Apparently you didn't read:  

  "at least three (3) years of experience (with credentials)"  

It used to be four (4) total, so I was commenting on those
people who have the CISSP based on that.  I'm well aware
they more recently increased that to five (5).

BTW, I have no idea where you got the "Master's/NSA" nonsense.

    *  One year waiver of the professional experience
       requirement based on a candidate’s education
       Candidates can substitute a maximum of one year
       of direct full-time security professional work
       experience described above if they have a four-year
       college degree OR Advanced Degree in information
       security from a U.S. National Center of Academic
       Excellence in information Security (CAEIAE) or
       regional equivalent.

Doesn't sound like a "Master's" degree.  It sounds like
an advanced/certified degree outside of a traditional,
four (4) year degree, as recognized by the CAEIAE.

Unless there is another, 1+1 year equivalent option I
don't know about, and then my three (3) year (with
credentials) comment would still apply for the new,
five (5) year requirement.

> and one year for certain other certifications.

BTW, the RHCE now meets this with the new RHEL 5/SELinux
inclusion.  It was just announced at Summit 2008.

> Actually, it's more of a management certification; I
> always explain it as a certification for those who are
> going to have to talk up to senior management and talk
> down to other security professionals and technicians,
> translating between the two. Security architecture is
> specifically addressed in the ISSAP concentration,
> which is an add-on to the CISSP. The CISSP is very
> high-level and the exam is designed to test broad
> knowledge, judgement, values and experience (which is
> why so many find it difficult).

I'll re-phrase, "architect/management type/level" knowledge.
It's not as much "systems-centric" focus in comparison to
the SSCP.  Your point is noted.

> I have written and teach a 5-day CISSP review/prep class,
> btw.

I might take it if I can ever get time off from 100% utilization.
I was just informed recently that my employer is not going to
let me accrue any more vacation time, because I never seem to
get to take it, or training for that matter (all while barking
why I don't have my RHCA yet ;).

> Disagree here; for example, development is only one part of
> one of the ten domains (Application Security).

Yes, I know.  My point was that development *IS* one of the
CISSP domains outside of concepts covered in the SSCP.  ;)

I don't think you realize, but 100% of what I'm saying is
actually accurate and true, under the context and
clarifications I'm making (and people think I am too
verbose! ;).

Starting with your very first "Ahem!" I should have realized
that you were going to take issue with how I said something,
and not the reality that what I said was still accurate.

> However, I agree with the general tenor of your argument.

I appreciate that.

> On the other hand, hardly anyone knows or cares about the
> SSCP - there are over 35,000 CISSP's in the US alone,
> for example, but only 608 SSCP's.

Again, in my prior analogy, I would argue the same ratio of
MBA v. MSIE, or BA/BS Business versus BSIE for that matter.

Of course, when people really "don't get it," I just say,
"it's a MBA with applied, advanced calculus throughout for
risk and microeconomics with a focus on technology management."
To engineers, we have trouble describing systems of interaction
without using advanced calculus.  That's not arrogance or ego
talking, that's a long-standing issue I've had with everything
-- from phony environmental studies to risk assessment.

That meta-discussion aside.  ;)

> My advice is to design the objectives with real-(Linux)-
> world requirements in mind, and only later worry about
> how this maps to either the CISSP or SSCP CBK's.

And my argument is that the seven (7) domains of the SSCP
CBK make a great template on ensuring we're covering all
aspects of system security.  They map very, very well in
my prior investigation back in 2004-2005 when I first
suggested it.

E.g., Microsoft's MCSA/MCSE:Security specialties only
cover portions of three (3).  It's absolutely pathetic, and
they left out over 75% of system security concepts, and
virtually half of the domains altogether.  That's largely
because they don't offer those solutions, but Linux does.

My point wasn't for marketing or to say "my way dammit."
It was to say, "here's a great template for mapping the
real-world objectives/tasks in Linux."  It makes you think,
"oh, what can Linux do for securing this concept of
system/service?"  It's not merely the fact that I couldn't
find something that didn't fall into it but, unlike the
CISSP, every domain and concept under each domain in the
SSCP reminded me of a real-world Linux task that I have
done and should know how to implement for system/service
security.

Feel free to disagree with me, but that's what I came to
realize back in 2004-2005, when I was studying both the
CISSP and SSCP CBK (I had a client really big on the
certification).


-- 
Bryan J Smith        Professional, Technical Annoyance
[EMAIL PROTECTED]  http://www.linkedin.com/in/bjsmith
------------------------------------------------------
I'm a PC, but Linux -- Windows: Life Without Firewalls

_______________________________________________
lpi-examdev mailing list
[email protected]
http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev