Probably no one was more surprised than the management of the International Information Systems Security Certifications Consortium, (ISC)2, when 16-year-old Indian high school student Namit Merchant took and passed the rigorous Certified Information Systems Security Professional (CISSP) exam last year.
Even before Merchant sat for the exam, (ISC)2 had been laying the groundwork for tightening the requirements for the industry's best-known professional credential. Effective January 2003, CISSP applicants will need a four-year degree or four years of work experience, which is significantly more stringent than the current three-year experience prerequisite.
The change is a step in the right direction. If the CISSP is to remain the standard-bearer of security certifications, then (ISC)2 must properly police applicants to ensure that only the most qualified achieve this mark of excellence. At the very least, the new requirements should reduce the likelihood that (ISC)2 will certify any more teenagers. (This is good news for Merchant, since it will likely mean he'll hold the title of youngest CISSP for a long time.)
The problem is that (ISC)2 doesn't have the infrastructure necessary to verify every applicant's professional or educational history, meaning that some less-scrupulous candidates will likely slip through the cracks.
Let's not presume that all verification oversights will be malicious. The existing CISSP certification requirements are: (1) agree to the (ISC)2 Code of Ethics, (2) pass the examination and (3) have three years of direct security experience in one or more of the 10 domains. The first two requirements are simple to manage -- have the candidate sign the Code of Ethics pledge and take the test. But verifying qualifications is a significant undertaking.
Full verification has been done in the past. Before there was a CISSP exam, (ISC)2 granted certifications to professionals under its "grandfathering" program based solely on their experience. Those grandfathered professionals were the ones who created the original Common Body of Knowledge (CBK) and the first CISSP examination. Since only a small number of people were grandfathered, a committee of volunteers was able to handle the workload.
But with thousands of applicants from around the world every year, a single committee obviously can't verify every CISSP application (ISC)2 receives. Currently, the application, verification, test scheduling and recertification processes are contracted to (ISC)2 Services, a branch of Schroeder Measurement Technologies (SMT), the testing company that maintains and scores the CISSP and Systems Security Certified Practitioner (SSCP) exams. But Schroeder isn't responsible for doing verifications.
The monumental verification problem doesn't mean (ISC)2 should abandon its high standards. Instead, it should embrace other complementary controls that will improve its ability to verify CISSP candidates' qualifications.
Spot-checking is one possible way to balance the cost and requirements of verification, but it isn't ideal. Auditors may find the occasional embellishment by applicants, but there's still a high probability that many unqualified people will escape screening.
Sponsorship is a practical verification method that requires minimal effort on (ISC)2's part. Every CISSP is required to abide by the Code of Ethics, so (ISC)2 can reduce some of the burden of vetting applicants by having CISSPs validate a candidate's eligibility. It's unlikely that a member in good standing will risk losing his or her credential by sponsoring an unqualified applicant. Besides, it's much easier to look up an existing CISSP than it is to verify an applicant's education and work history.
Changing the way experience is reported can also help. The current CISSP application form does request employment information, but it lacks the contact information necessary for background checks. Collecting job descriptions and verification contacts, number of years' experience and the percentage of security work performed would help candidates properly assess their "direct work" experience and facilitate verification. Job descriptions and percentages can be compared against industry norms, and contact information can be used to verify the security component of each listed position.
These measures aren't perfect, but they could improve the vetting process and reduce the number of applications that (ISC)2 would have to verify. The organization's effort to uphold and enhance the value of the CISSP is certainly commendable. Hopefully, (ISC)2 will follow up its more stringent requirements with even more definitive verification practices.
About the author: William Stackpole, CISSP, is an active (ISC)2 volunteer and a former chair and current member of the CISSP Test Development Committee.