
Re: [SAGE] CISSP Certification Penetration?



On Tue, Mar 02, 2004 at 01:17:01PM -0700, Jeff Tyler wrote:
> 
> Look again Mark, it's 4 years direct experience or 3 years direct
> experience plus a degree.  Both require vetting by a CISSP or
> "another certified professional".  Again, speaking as one who has
> "stood up" for candidates I'm pretty picky.  Protecting my property
> value ;-)
> 


Apologies.  You are correct, it's 3+degree (or 2 + MA).
However, checking ics2.org, it's not even "certified professional", but
simply "qualified professional" (quoted from isc.org):

  ...another qualified professional with knowledge of information systems or
  an officer of the candidates corporation can be used to validate the
  candidate's professional experience.

> 
> Not sure I follow that, there is still a strong personal experience
> requirement.  I'm not saying that an unqualified person can not get
> a CISSP, given the existence of boot camps and the like there is
> always the danger that a few folks who test well and know little
> can slip through but I think on the whole that we defend the
> certification pretty well.


Well, it would seem that all it takes to get a CISSP is 3 years' work
experience in IT and another employee with any cert willing to sign your 
endorsement form.

So, while it keeps the fresh-from-school crowd from getting CISSPs, 
it doesn't prevent most others.

It's true that an audit, if executed rigorously, would help, but 
I'm guessing the percentage of candidates audited is very small indeed.
Even then, how does one fact-check a resume full of failed dot-coms?

-- 
Mark C. Langston                                    Sr. Unix SysAdmin
mark@bitshift.org                                       mark@seti.org
Systems & Network Admin                                SETI Institute
http://bitshift.org                               http://www.seti.org