With experience requirements for certs like CISSP, is there a general rule-of-thumb of what constitutes acceptable experience?
Actually, (ISC)² is pretty specific on this subject. Your three years of relevant on-the-job experience must pertain directly to one or more of the 10 domains in the CISSP Common Body of Knowledge (CBK):
- Access Control Systems & Methodology
- Applications & Systems Development
- Business Continuity Planning
- Cryptography
- Law, Investigation & Ethics
- Operations Security
- Physical Security
- Security Architecture & Models
- Security Management Practices
- Telecommunications, Network & Internet Security
Here's what it says on the site about those requirements:
"Have a minimum three years of direct full-time security professional work experience in one or more of the ten test domains of the information systems security Common Body of Knowledge (CBK). Valid experience includes information systems security-related work performed as a practitioner, auditor, consultant, vendor, investigator or instructor, or that which requires IS security knowledge and involves direct application of that knowledge."
Also, on Jan. 1, 2003 these requirements change; see https://www.isc2.org/cgi-bin/content.cgi?page=157 for more info.
For more information on this topic, visit these other SearchSecurity.com resources:
Ask the Expert: Qualification assessment for the CISSP
Ask the Expert: How to obtain hands-on experience in security
Ask the Expert: The advantages of work-related security experience