Few certifications in the security space have the cache and respect as does the CISSP, or Certified Information Systems Security Professional. Those five letters tell the world the holder knows security.
One reason the certification garners so much respect is the degree of difficulty of the exam, in addition to the continuing education and experience required in order to keep the designation. The CISSP exam is administered by the nonprofit International Information Systems Security Certifications Consortium Inc., based in Framingham, Mass.
"The most difficult test I have ever sat for, bar none," said Mark Hall, manager for Americas IS security and business recovery at Interface Americas in LaGrange, Ga. "I was physically exhausted after the test."
Just a few years ago, only people within security really knew about the certification. Now, many people in IT and even in human resources know about it, as security becomes more of a hot career.
In a nutshell, becoming a CISSP requires a grade of 70% or better on a 250-question exam, as well as having three years of security experience or its equivalent. The certification is not for beginners or those new to security.
Candidates are tested in the 10 areas that make up the Common Body of Knowledge, including:
- Access control systems and methodology
- Applications and systems development
- Business continuity planning
- Law, investigation and ethics
- Operations security
- Physical security
- Security architecture and models
- Security management practices
- Telecommunications, network and Internet security
Realistically, CISSP holders will only be expert in two or maybe three of these areas.
"I may not know all the intricate details of swipe card systems, but I do know the considerations and policies one would need to think about when setting up such a system," said Montreal-based security consultant Jeff Posluns, who holds a CISSP.
The exam, which can take up to six hours, requires the taker to have security experience. Exam questions are specifically worded so takers wouldn't be able to rely on knowledge gleaned from books.
"If you're real good at reading and memorizing, it won't help you much [if you don't also have experience]," said Peter H. Gregory, co-author of CISSP for Dummies and a consultant with the Woodinville, Wash.-based HartGregory Group.
Here are two sample questions from Gregory's book, which he co-wrote with Lawrence Miller:
An encryption algorithm that uses a key that is the same length as the message is known as a:
A. Running Key Cipher
B. Stream Cipher
C. Block Cipher
D. One-Time Pad
The purpose of security awareness is:
A. To make workers aware of security risks and proper security procedures
B. To make would-be intruders aware of the site's security controls
C. To give risk managers as much information as possible
D. To understand Risk Management reports
The questions to the above questions are "D" and "A." The first question highlights a common technique in CISSP question: the use of distractors. Question writers include plausible sounding but fake choices like "Running Key Cipher" to catch the uninformed, said Gregory, who holds a CISSP.
Beside passing the test, CISSP candidates must also have at least three years of security experience or its equivalent. Generally, such people come up through the ranks as system or network administrators, system architects or IT auditors. Many tend to have the word "security" in their job titles.
IT managers can qualify for the certification. A manager who spends half his time on security, however, would need six years of experience, Gregory said.
The International Information Systems Security Certifications Consortium is raising the bar a bit, as the requirement is increasing to four years next year, and three years for those who hold a college degree, he said.
The work doesn't end once someone becomes a CISSP. Holders must abide by a code of ethics. They must also either complete 120 continuing education credits by attending classes, writing CISSP exam questions or presenting at conferences every three years, or take the test again.
There is more to being a CISSP than bragging rights. A holder needs to be an "ambassador of computer security," Hall said. "I find myself sharing tips and best practices with folks whenever I can."
Gregory, for example, has written example questions. The organizers of the certification actually test such questions by including them on the exam. The 25 questions don't count against the taker but help organizers make sure questions are fair. "You can't have experts writing questions in a vacuum," Gregory said.
This is the first installment of SearchSecurity.com's Certification Spotlight. The series will explore the requirements and benefits of individual security certification. Future editions will explore other certifications.