Five Things ISC2 can do to improve the CISSP certification
Posted on Monday, 10 November 2008 @ 21:14:35 EST
Contributed by cdupuis | Topic: ISC2 Org

Today there was a good question asked on linkedin at:

http://www.linkedin.com/answers?viewQuestion=&questionID=358240&askerID=23753864&trk=advq&goback=.hom.mid_836787175

The question from James McGovern was:

What are five things that ISC2 needs to do in order to improve the credibility of the CISSP credential?

CISSP is viewed as an introductory credential that covers the surface of the ten domains. What do you think ISC2 should do to make CISSP even better?

Fees?
Transparency?
Depth?
Others?

I felt compelled to provide an answer to the question.  Unfortunately the LinkedIn comment system does not allow more than 4000 characters, which was not enough for my reply.  So see my full comment below:

Good day James,

This is really a great question that should have been asked by ISC2 of their members and of people who are not members a VERY LONG time ago.  However, I am not dreaming.

ISC2 has been and still is unable to communicate efficiently.  One day they are a member organization and the next day they are not.  This communication problem is not something new; it has been reported on many occasions and by many people in the past.  However, things do not seem to improve much over the years.  We will see what 2009 holds for us.

Here are a few things that ISC2 can do to make themselves more transparent and to improve the image of the CISSP certification:

1.  START ACTING LIKE A CERTIFICATION BODY

The relation between ISC2 (the non-profit side) and their training arm is dubious at best and as close as you can get to a conflict of interest without getting into one.  When any certification body becomes a training entity, that entity will often lose its focus on what is most important, which is the certification itself.

Instead of having their sales people talk trash about other people's training offerings, they should start publishing a clear and transparent process on how a training institution can become a recognized training institution under the ISC2 approval process.  The recognition should not be based on the fact that they are using the ISC2 courseware and sharing profit with ISC2, but on a fair evaluation of the training material, an evaluation of how well it matches the exam objectives, and how well it is presented and delivered.

Unfortunately this does not exist, and this is why it makes me sad that their sales people are talking trash about other companies' training material when they know nothing about their courseware and the delivery of the material.  I am talking from a very recent experience that happened to me here.  I challenge any of the salesmen at ISC2 to get out of their cubicle and sit in my class; then they can judge me and my training.  Until then it does not reflect very well on them: if the only way you can sell seats in your classes is by talking trash about others, your courseware must be in dire need of updates.

EXAM AVAILABILITY

More transparency has to exist on that side as well.  It is often VERY HARD, if not IMPOSSIBLE, to get an exam scheduled for the students that a training institution has in their classrooms, even if the adequate number of students is there to justify running such an exam, and even if there are plenty of proctors who can supervise it for free.  It does not make sense to face such a rebuttal.

Denying access to the exam, or making it hard in this way, only affects the students and the certification as a whole.  It is time to stop playing games.  Why is it possible for ISC2 to deliver exams when they are combined with their own training classes but not when it is a third-party training class?  It does not make sense, and I cannot see a fair reason why some people are being denied access to the exam.

Lately I have received dozens of messages from people in places such as India, where exams are not regularly conducted, telling me that the upcoming exams are sold out and they must wait until next year to attempt the exam.  This is not what I call customer service.

If the number of registrations and the demand justify having a second exam room, then so be it.  Any other business that acted this way would lose their customers, and this is what will happen if ISC2 does not start looking after their customers better.  They are the sole choice today, but that could change very quickly in the near future.

THE FAMOUS COMMON BODY OF KNOWLEDGE

I have grown sick and tired over the years of hearing about the unseen CBK.  Everyone refers to it, but nobody has ever seen the official version of it published as a document by ISC2.

The current candidate information bulletin is totally useless as a tool to prepare for this exam.  Why can't I get a good guide from ISC2 that tells the student how to prepare for this exam, what exam objectives they will be tested against, and to what depth they will be tested?  The student needs to know the details of each domain, not a few high-level bullets as presented in the candidate bulletin.

It is time that ISC2 start offering copies of the CBK, for free as a PDF file, to anyone who wishes to get one.  DHS has just released their EBK, and they are doing the right thing.  A secret CBK has no value as far as I am concerned.

The DHS EBK will be updated every two years.  How much change have you seen in the CISSP CBK in the past six years????

NOBODY should have to register and then be harassed by the sales people in order to get a copy of the CBK.  The CBK has to be publicly available to all in its entirety.  WHY do you need to force people to register for a document that should be PUBLIC anyway?  Collecting only the email address would be more than enough if you wish to let them know about updates.

I agree with keeping the master copy on the ISC2 site, but it should not require registration.  The only reason registration is used at this moment is to pass the info to their sales people, which allows them to talk trash about others being UNOFFICIAL training.  Considering there is no way to get someone's courseware authorized, why are they using such tactics?  CompTIA will certify courseware from other training entities, and they have a well-documented process to do so.  Why is ISC2 not doing the same thing?  Thinking only they can produce quality courseware for the CBK is futile at best.

In summary, the CBK is in dire need of an update.  It is time to get the OLD and OUTDATED topics that NOBODY uses today out and make room for some relevant and up-to-date content.  There is so much happening in security every year that doing updates only every 3 to 4 years is not enough.

CPE

The acronym CPE has become synonymous with Continuous Payment Econosystem.

CPE should not mean $$$$

CPE activities should be offered to the members as a benefit and not as money-making activities.  Why can't we get online and live seminars for FREE?  Why can't I get a conference of great quality for FREE?  If Defcon, OWASP, and many other organizations that are MEMBER ORIENTED can do it, WHY can't ISC2 do the same?

If our organization had no money in the bank I would understand, but with many millions in the bank it is time that some of this money be spent for the benefit of the members, as it was gathered for the most part from the members.  A couple of years ago there was over 15 million in the bank.  Today that number might even be higher.  What for...

I need 20 CPEs per year!   WOW, what a challenge!   Half of those can be obtained by subscribing to security magazines.  Does this really prove my continuous education?  Most likely not.

The WHOLE CPE system has to be revised to add value to it, to show that the CPEs submitted are in fact related to being a CISSP.  Such a system would be very complex and would require human intervention; a random audit once in a while is not enough to keep the CPE a valid gauge of one's professional development.

WHAT METRIC DO THEY USE TO GAUGE SUCCESS

Over and over again I hear officials brag about having reached 50K members, 60K members, and even more today.  What does this number prove if we as a group don't impact the security community and influence it?

Gauging success by the total number of people who have received their certification over the past 12 months is certainly NOT a valid metric.  If I remember correctly, this is how many of the well-respected and valued certifications out there have lost their value.

You need to show more than numbers.  You need to be looked at as leaders and as a community that is playing a very active role in all facets of security.

I am still waiting for an official at ISC2 to come out with some other metrics and the ability to demonstrate the impact that ISC2 has on the security community overall.  What support has ISC2 provided to their membership over the past 12 months?  How have they helped "JOE the security guy" in his daily job after he became certified?

Start giving me significant metrics.

MAINTENANCE FEES

When I first got certified, over ten years ago, the maintenance fees were $85 USD.  I could understand that with 12 CISSPs in Canada it was necessary to charge that much money to keep the site up and running, to give me access to the web submission form for my CPEs, etc... etc...

However, today we have over 60,000 members and I do not understand why I still have to pay the same price.

Normally supply and demand will drive prices down.  Does ISC2 need to collect more than 5 million dollars in maintenance fees every year to give me that service today?

The certification world is the ONLY place where I have seen prices that never get affected by supply and demand.  It is the only place where I have seen prices go up as there was more demand.  Exams that used to be $250 are now over $500.  WHY?

Considering the exams are being run by volunteers, and considering the production cost per person for the exam greatly decreases as the number of exams offered increases, I fail to understand WHY it costs so much.

If an organization were really concerned about the common good and improving security overall, they would also make every effort to ensure the certification path is accessible and affordable.

There is no need to pay that much for a certification.  If at least people were still getting a nice wood-mounted plaque with their certificate on it, that would justify some of the cost.  However, the opposite happened: we are being charged more for less as the volume increases.

I must be in the wrong line of business....

CLEMENT WHY ARE YOU MAD?

First let me tell you that I am not mad at all.  I am writing this with an ironic smile on my face.  I am simply very disappointed to see how much energy is wasted on futility versus being used for us, the members, as a priority.

Will the points above change in the near future?  I doubt it.

I think a new organization will see the light before we can turn the current organization around.

I know I am an idealist with my sharing-for-free ideas, but there are still people out there who REALLY believe in helping others, and they also believe in doing it openly without money being their main objective.

Best regards to all

Thanks for reading my rant

Take care

Clement

P.S.  PLEASE CLICK HERE OR ON THE comments LINK BELOW TO LET US KNOW YOUR OPINION AS WELL
Re: Five Things ISC2 can do to improve the CISSP certification (Score: 1)
by USMCIAMgr on Wednesday, 12 November 2008 @ 11:33:38 EST

Clement,

   You are right on the money with your comments.  I would add to them by stating that it is not only the CISSP, but the concentration exams offered by ISC2 that need addressing.  I took and passed the ISSMP exam, but I had to take the ISC2 CBK overview ($995) to really prepare for the exam.  There is exactly ONE book on the open market, The CISSP and CAP Prep Guide Platinum Edition by Ronald Krutz and Russell Vines, that has any material that can be used to prepare for the ISSMP.  For a certification that has been around for about 3 years, that is unacceptable.  The cost of taking the ISSMP is $495, so the total cost came to $1490, all of which went to ISC2.  Fortunately my employer paid for it, but as a member of ISC2 who is paying dues, I would like to know how much money is in the bank and what it is being used for.  A yearly statement that goes to all members showing how the test fees, dues, and training course monies are spent or not spent would bring an openness that does not exist today.
   Let me close by saying thanks to Clement and everyone on CCCure for keeping this site as the place to go for anyone preparing for the CISSP exam.

Mike
Re: Five Things ISC2 can do to improve the CISSP certification (Score: 1)
by side_winder on Monday, 10 November 2008 @ 22:36:29 EST

Good day,

I have to agree here with Clement on many of his comments. If the ISC2 does not make changes they run the risk of falling from the Gold Standard of security certifications. Many still find value in this certification and I still hold it highly, but how long before the conflict of interest between the certification body and their business of offering classes causes the loss of value? We worked hard to study to pass the exam and now that is being diminished by ISC2 treating the CBK as a state secret. I was very impressed with the EBK and think that it really covers our profession a lot better than the CBK does. And I too agree that a regularly scheduled update should be a mandate. The CISSP certification was certified by ISO and as such the CBK should be openly available to all, not just a select few.

Anyway, great post Clement. I'm proud to know you and to be an avid supporter of CCCURE.

Kind Regards,

James
Re: Five Things ISC2 can do to improve the CISSP certification (Score: 1)
by Eyen1 on Tuesday, 11 November 2008 @ 09:01:11 EST

Clement you are so right. I obtained the CISSP for a couple of reasons. It's the De Facto Standard. But like any De Facto Standard it does NOT mean it is the best option. I am disappointed also in the Certification Machine that ISC2 has become. A whole industry on training people for the CISSP only devalues the certification.

Not having an updated, relevant CBK is sad and shameful. I have to update my database certification every major release, occurring about every 2-3 years. The changes in IA are much faster than creating a whole new release of a database. So why hasn't there been a published CBK that is updated?

Heck I am going to go work on getting the CISM . . .  there is more value with certification and a better organization backing it.
Re: Five Things ISC2 can do to improve the CISSP certification (Score: 1)
by cwdrake on Tuesday, 11 November 2008 @ 09:31:09 EST

Clement,

I think you misunderstand the phrase "Common Body of Knowledge".  As in other professions, a "Common Body of Knowledge" is not a static thing that can be documented.  It is a continuously evolving system of knowledge encompassing all current topics related to information security.  Because of this, it cannot simply be written as a document, but must be referred to as categories or "domains" just as (ISC)2 has done.  This is also why experience is such an important part of the CISSP certification.  Because to learn and understand this Common Body of Knowledge, you must be involved in it, not just study some list of static information.

Regards,

-Craig
CISSP, MCSE
My experience with the SSCP etc (Score: 1)
by afruss on Monday, 24 November 2008 @ 22:00:45 EST

Hi, I agree with most of what has been said above, but I have much more criticism for the SSCP qualification and book.

The SSCP qualification.

It is a lightweight qual, calling them practitioners instead of professionals (arrgh).

The ISC2 SSCP book is a travesty.

It has no release date/version number etc., so it is utterly opaque for errata and discussion.

It has a serious case of wordheadingitis, with many places where the heading levels are corrupted.

It is quite boring (understandable given the material).

The cryptography section says that you go to the CA for a certificate (not to sign YOUR certificate), now I agree that the difference is petty, but to conflate / confuse this in a Cryptography section is criminal.

It suffers from copy-paste mania; it is extremely unclear where various subjects appear.

About the CPE's, I think that is a great way to do things, the certification stays current as long as you work at it a little. Compares well with my experience of Oracle and Java certs, which are pointless to re-certify. It's great that ongoing focus on the certification is emphasised.

CPE's require clear guidance about what is included and what is not. It is obnoxious to have an audit hanging over your head; that aggressive wording is terrible. It should be simple and straightforward. Is reading every issue of Bruce Schneier's Cryptogram 1 hour per issue or not? What about Security Now? The subject area of material is often broader than the certification, so please don't eliminate the non-security portion of CPE's.

The new CSSLP seems to resolve some of the problems, and as a developer it seems to be a better fit than the CISSP or SSCP. The CBK is clear and straightforward except for the odd "Secure Software Concepts" domain which seems to be a catch-all for other subjects that aren't strictly in a phase of the SDLC. The cost of $650US is very steep, and it isn't clear if these are supposed to be 'thought leader' CSSLP's or just general ones. The professional experience seems to be more explicit than the CISSP and more restrictive in that the task has to be "Professional". I don't have security responsibilities, but I have more expertise than anyone in my team of 10 developers.

Prices have to come down for the certifications.

Also add more tests around the world. I am waiting for a CISSP in NZ; the last one in June was cancelled and there still hasn't been a new one scheduled. No wonder there is only 1 SSCP in NZ (we have 3.5m people, English-speaking and westernised). Maybe this is due to the training programme corruption I hear about above and in the LinkedIn answers.

Andrew
I have to disagree. Was:Five Things ISC2 can do to improve the CISSP certification (Score: 1)
by JimMolini on Friday, 12 December 2008 @ 19:52:31 EST

Clement,

You’ve been posting and participating in the CISSP process for a long time, so you have every right to your opinions, but as an (ISC)2 advisory board member and someone who has been volunteering for the organization for a long time, I wanted to respond to some of the issues you raise.  Just so everyone knows, I’m not an employee of (ISC)2.  Like most people, I’m a volunteer and I don’t get paid for any of my work with the organization.

1.  Start Acting Like a Certification Body

Although I wouldn’t mind if (ISC)2 got out of the training business, there are a number of people who say that training keeps other costs lower.  So as a dues paying member, I’m happy if (ISC)2 educational programs keep those dues reasonable.  (ISC)2 also meets some fairly strict “church and state” standards from ANSI to keep the certification side separate from the education side.  They have to be re-accredited annually.

In the old days, they also did training to make sure that people got responsible instructors and unbiased information to help with certification.  Today, it’s less of an issue with so many people doing the training, but as a member, I’m happy that they don’t have to fund all of their operations from my AMFs.

2.  Exam Availability

This one is a problem from time to time.  I worked as a volunteer on exam administration for about seven years and I agree that the scheduling process could be improved.  However, most of the organizations that successfully schedule an exam make the request several months in advance and follow up with paid invoices for those exam candidates.  Sometimes I’ve seen the training company want to proctor the exam, which is a clear violation of the conflict of interest regulations they have for exam management.   To avoid this, the schedulers will separately call out for exam administrators from a known pool of proctors to see who they can find.   Sometimes this works well for the hosting organization, sometimes it doesn’t.  I think we need more volunteers at (ISC)2 to improve this process.

3.  The CBK

The CBK is built by volunteers and is not something that you can publish in a book.  The other document you reference is published at great expense by a large government agency.  It costs them millions of dollars every year to prepare and maintain this book.  As a volunteer organization, (ISC)2 can’t afford to spend this much money publishing something like that.  Anyway, a book like this is out of date as soon as it’s published, so I’m not sure how valuable another encyclopedia would be for the profession.

4.  CPEs

CPEs are required for most professional certification organizations.  I am pretty sure you can’t get the certification process ANSI-certified if there isn’t some form of required professional development after obtaining the certification.  And CPEs are needed – information security is too fast-changing an industry not to require continuing education.   

Regarding the cost of attaining CPEs, I went back to (ISC)2 and found the following additional examples of free stuff that members can use to maintain CP

Read the rest of this comment...
All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2007 by CCCure.Org, and the site maintainers Clement Dupuis and Nathalie Lambert. Reuse is strictly prohibited without written permission of CCCure.Org or it's maintainers.

This web site is not associated directly or indirectly with ISC2, the SANS Institute, ISACA, or any other certification authority. The GCFW, CISSP, SSCP, ISSEP, ISSMP, CISA, and CISM are all the property of their respectful owners. The content of this site is provided to you freely due to the generosity of our sponsors.