This month, I'm going in two directions at once. I have had several tasks to complete in light of the Sept. 11 tragedy in order to reduce the impact of a potential security breach or disaster at my company. And after hours, I'm preparing for a security certification exam.
In my day job, I have user account audits under way, and we're about to implement group structures within our Windows NT domain to ease administration. This powerful NT feature lets us configure groups with different access privileges and place users into the groups that have the proper access profiles for their roles. That should make it easier to apply a consistent set of security rules across our user base.
Our CIO is in the process of executing what's called a "structured walk-through" of our disaster recovery plan. We'll do this by using checklists and running through different scenarios with key staff. If the structured walk-through is a success, we will proceed with a more realistic test using one of our hot sites.
As for physical security, the security guards down in the lobby seem to have an increased awareness of who's coming and going. And it seems that most employees are more aware of their surroundings and more diligent in questioning unusual behavior.
I decided about a month ago to start studying for the Certified Information Systems Security Professional (CISSP) certification offered by the International Information Systems Security Certification Consortium Inc. (ISC)2 in Framingham, Mass. The CISSP is well respected within the information security community and is a highly desired—or even required—certification in some industries. Every so often, I do a search of the employment Web sites for the CISSP, and the number of listings requiring that certification is increasing.
 |
|
|
|
The CISSP exam consists of 250 multiple-choice questions. The exam covers 10 common bodies of knowledge (CBK), ranging from access control to cryptography and physical security. (ISC)2 says CISSP candidates must "have a working knowledge of all 10 domains of the CBK" but "a minimum of three years' cumulative experience in one or more of the 10 CBK domains."
Why Now?
My colleagues have asked why I've waited this long to get my CISSP certification. In the past, I've always thought that I didn't need a certification, that they were a waste of time and money, and that experience is far better that some acronym next to my name.
My experience with job applicants reinforced those perceptions. About four years ago, I interviewed a candidate for a security administrator position. His resume included many acronyms, such as ones that stand for Microsoft Certified Systems Engineer, A+ and Certified Novel Administrator. He professed significant experience with Solaris administration and firewall installation and maintenance. He also claimed to have experience with security tools and other security applications, so I was excited to interview him.
When he arrived, I was duly impressed. He was about 30 years old and was dressed appropriately for the interview. However, as the interview progressed, I realized that this person had little real-world experience in security or systems administration. His certifications were all gained through crash courses intended to teach you what you need to know to pass the certification tests. I needed someone who could hit the ground running. I didn't have time to train anyone.
Since then, I've had similar experiences with other candidates. That's not to say that there aren't respectable certifications. The Cisco Certified Internetworking Engineer, which includes a hands-on lab test, is probably the most difficult. In my experience, individuals with this certification are generally well qualified and well versed in some facets of information security as well.
I decided to finally give in and take the CISSP exam after meeting several security professionals who have studied for it. I was impressed with their knowledge, and they had nothing but great things to say about the program.
I also considered the SANS Institute's Global Information Assurance Certification (GIAC) Program. SANS has always been a leader in security information and programs. Its certification covers a wide range of information security issues and is especially common in the government sector. It sounds a bit trivial, but I chose the CISSP over the GIAC exams based purely on popularity. For example, one job search engine produced almost 100 hits on CISSP vs. 14 hits for GIAC.
I gave myself two months to study for the exam, and I'm almost done. I spend at least four hours a day after hours and as much time as possible on weekends.
For reference material, I'm using three publications. I'm also using an excellent Web site, http://www.cccure.org, which contains reference materials and links that will help me pull together the many documents, presentations and programs I may need to prepare for the CISSP exam. I assembled a binder containing printed material from the Web site and am using it for study. For each of the 10 sections, I read one chapter each from the publications, then review the printed materials. Finally, I'm taking whatever practice exams I can get my hands on. After going through all 10 segments, I've gone back to study my weak areas: cryptography, security models and physical security. I also made flashcards to help with the more difficult concepts.
Do you have resources you're using to prepare for the CISSP or GIAC exams? If so, I welcome your suggestions in the Security Manager's Journal forum.