
Build Your Skills: CISSP tests more than systems security expertise

Requirements of the CISSP certification are analyzed


Few IT professionals I've met wish to remain in their current position forever. Most of them aspire to assume additional responsibilities, even management tasks. Although most IT certifications test your technical skills, there are exceptions. Some, such as CompTIA's IT Project+ accreditation, test your knowledge of business processes and management expertise.

The International Information Systems Security Certifications Consortium, Inc., or (ISC)², offers a security certification that tests both skill sets—technical aptitude as well as business savvy. Thus, you can use the (ISC)²'s Certified Information Systems Security Professional (CISSP) program to bolster your technical skills while also paving the way for a promotion to management.

What is (ISC)²?
Founded in 1989, (ISC)² is a not-for-profit consortium dedicated to:
  • Maintaining topics of importance, known as a Common Body of Knowledge, for IT security.
  • Certifying IT professionals with a recognized international IT security standard.
  • Overseeing training seminars and certification exams.
  • Enforcing continuing education and certification credential requirements.

(ISC)² isn't a membership body. You can't join. (ISC)² is governed by a board of directors elected by individuals who have earned (ISC)² certification. The consortium earns operating funds by conducting Common Body of Knowledge training seminars and charging fees to take its exams. The organization also charges its certified professionals annual maintenance fees.

Despite being headquartered in Framingham, MA, the organization works to ensure that its certifications don't possess a North American or United States bias. The group consists of IT professionals from more than 60 countries. As a measure of the organization's international strength, members of Interpol's European Working Party on Information Technology Crime will attend a five-day training and certification program hosted by (ISC)² in Europe this month.

CISSP requirements
Before you can try to earn CISSP certification, you must make sure that you qualify to take the CISSP exam. The CISSP accreditation is for IT professionals with information security experience. Candidates are required to have a minimum of three years of experience in one or more of the 10 topic areas that the exam covers.

Beginning in January 2003, the experience requirements will change. CISSP candidates will be required to have four years of real-world experience in one or more covered topic areas. Alternatively, candidates with three years of experience plus a college degree or equivalent life experience, as determined by (ISC)², will qualify. The heightened requirements will not be retroactive and won't affect current CISSPs or professionals attempting the CISSP exam in 2002.

Should the CISSP's experience requirements prove too demanding, you may want to look into (ISC)²'s certification for less experienced IT professionals. The Systems Security Certified Practitioner (SSCP) accreditation is targeted at IT professionals with just one year of experience. (More on that in a moment.)

The CISSP exam
The CISSP exam covers the following 10 IT security subjects, which (ISC)² refers to as test domains:
  • Access Control Systems and Methodology
  • Applications and Systems Development
  • Business Continuity Planning
  • Cryptography
  • Law, Investigation and Ethics
  • Operations Security
  • Physical Security
  • Security Architecture and Models
  • Security Management Practices
  • Telecommunications, Network and Internet Security

The CISSP exam itself consists of 250 multiple-choice questions, and you're given six hours to complete it.

The test isn't cheap. The exam fee is $450 if the test is scheduled at least three weeks in advance. If the exam is scheduled within 21 days of the actual testing date, the cost rises to $550. If you miss the exam, you're required to pay an additional $100 rescheduling fee.

The fees don't end once the CISSP certification is earned, either. CISSPs should be prepared to keep paying and keep working.

Maintaining CISSP certification
CISSPs can't coast after earning certification. Instead, (ISC)² requires that its certified professionals pay an annual maintenance fee of $85. CISSPs must also meet the accreditation's continuing education requirements by earning 120 Continuing Professional Education (CPE) credits every three years. CISSPs who fail to accumulate the necessary 120 CPE credits must recertify.

You can earn CPE credits by:
  • Attending educational conferences and seminars.
  • Joining association chapters and attending association meetings.
  • Visiting vendor presentations.
  • Completing college courses.
  • Providing security training.
  • Publishing security articles and books.
  • Serving on industry boards.
  • Performing volunteer work.
  • Undertaking self-study training.

The SSCP exam
The SSCP exam consists of 125 multiple-choice questions, and you're given three hours to complete this test. Instead of the 10 topic areas the CISSP exam covers, the SSCP exam covers only seven test domains:
  • Access Controls
  • Administration
  • Audit and Monitoring
  • Risk, Response and Recovery
  • Cryptography
  • Data Communications
  • Malicious Code/Malware

If the SSCP exam is scheduled more than three weeks in advance, the test fee is $295. If it's scheduled within 21 days of the actual testing date, the cost rises to $395. The same $100 rescheduling fee that applies to the CISSP test also applies to the SSCP exam.

Maintaining SSCP certification
SSCPs, like CISSPs, are required to maintain their certifications. An annual maintenance fee also applies to SSCPs, although the SSCP charge is only $65. While SSCPs must also earn CPE credits every three years, only 60 CPE credits are needed to maintain SSCP certification.

Eckel's take
Earning security certification is one method IT professionals can use to keep their security skills sharp and marketable. By earning CISSP accreditation, IT pros, particularly network administrators, can also lay the groundwork for promotion later in their careers. Because the CISSP exam breaks away from testing only system administration skills and also encompasses staffing, risk management, and other IT management topics, it helps IT professionals with solid technical skills begin proving their ability to manage IT operations.
