Certified Information Systems Security Professional (CISSP) is becoming an important industry accreditation for professionals working in IT security. But what does it involve and is it worthwhile? Mark Harris, chief information security officer at ASPACE Solutions, chose to do the intensive seven-day crash course and reflects on the experience.

CISSP certification has grown rapidly over the last few years to become one of the most recognised and respected accreditation schemes for IT security professionals. Awarded by the International Information Systems Security Certification Consortium, often referred to as (ISC)2, CISSP is the only globally-recognised, vendor-independent certification programme. To date, more than 20,000 people have successfully made the grade.

Why me?

Having spent over seven years working in the IT security sector, the idea of having an industry-recognised professional accreditation was very attractive. Furthermore, when I applied for the job of CISO at Aspace Solutions, which specialises in delivering identification and verification systems for secure multi-channel banking, certification was a mandatory requirement.

Like an increasing number of IT security companies, my employer Aspace Solutions views CISSP accreditation as fundamental to ensuring that a candidate's knowledge of general IT security principles and practices is at an acceptable level.

CISSP – The fundamentals

One of the key objectives of the CISSP course is to give candidates a more rounded view of IT security so that they can demonstrate a broad knowledge of customer issues and concerns.

The subjects that form the core of the CISSP course follow the (ISC)2 Common Body of Knowledge (CBK), which is a comprehensive compilation of IT security information collected internationally. The 10 domains of the CBK are:

Security Management Practices
Security Architecture and Models
Access Control Systems and Methodology
Application Development Security
Operations Security
Physical Security
Cryptography
Telecommunications, Network and Internet Security
Business Continuity Planning
Law, Investigations and Ethics

Even before attempting CISSP, a candidate must prove to an independent assessor that they have at least four years of professional information security experience in one or more of the CBK domains, or three years of experience plus a bachelor's degree. After that, it's simply a case of passing a six hour exam with 250 questions.

To prepare for the exam, candidates can spend six months reading and digesting CISSP books and literature then cramming for two weeks immediately prior to the exam, or attend one of the accelerated learning programmes, which involve an intensive off-site week's 'boot camp' course followed by the exam.

The short sharp shock

On the basis of getting it over with quickly – I decided to choose the latter option.

Having checked out the choice of training providers and booked up with the Training Camp (www.trainingcamp.co.uk) at a cost of £3,500, I duly arrived at the country retreat-style training centre near Newbury. A nice part of the country, but any ideas I had of slipping out for a bit of sightseeing were rapidly dispelled. 

Enrolment was on Sunday evening and I gathered, with the other 10 or so unsuspecting hopefuls, for dinner and a beer in the bar. The typical CISSP candidate is hard to pigeonhole. I was joined by IT and security managers from banks, financial services organisations and manufacturing companies, and people like me from security solutions providers. Also present were individuals who were there to further their education or retrain for a change of job direction.

Relaxing at the bar, nursing a beer after dinner, we were given our schedule for the week: day two to day six: breakfast (7-9am), lectures (9am-1pm), lunch followed by more lectures (2-6pm), dinner (6:30-7:30pm), group study (7:30-10:30pm), personal study (10:30pm -12am)!

Day seven: exam, six hours, 10am - 4pm, then home – I suddenly felt the need for a shot of something stronger!

I managed to convince myself that, while it might look quite daunting, for many of us accustomed to the pressures of working in a busy commercial environment it was just like putting in a particularly heavy week. However, little did I know that the timetable did not reflect the true intensity of the six days that lay ahead.

Death by PowerPoint

After breakfast on day two, we were presented with two large tomes of information that mirrored exactly what the lecturer was to present. In fact most of it was page after page of PowerPoint slides! Our lecturer looked like a man on a mission and we soon cracked ahead at pace, furiously scribbling notes on our copies of the presentations.

Comfort breaks and time to top up with strong coffee were frequent as we struggled to commit information – some familiar, some new – to our rapidly filling memories. Lunch provided a brief respite from the PowerPoint onslaught, but all too soon we were back at our desks reeling with information overload.

The lecturer – who turned out to have a US military background – tried hard to inject a bit of general interest and humour into topics such as IP stacks and encryption algorithms. Not easy at the best of times but every little helped as we tried to process the reams of information.

Over dinner there was little conversation; we were all feeling a bit numb with shock. Fortunately, this was followed by a group study session that gave us our first chance to reflect on the day and open up a real discussion. In fact, these turned out to be among the most valuable sessions we had each day.

Testing, testing!

However, what did cause some concern was an introduction to the contextual structure of the exam that we were to face at the end of the week. We all took a mock exam on what we had learnt that day, comprising 50 multiple-choice questions, and we were all pretty confident – until the answers were discussed. Realisation dawned that there was not just one correct answer: they all could be correct. It's deciding which is the most correct that gets the points. This caused a mixture of consternation, irritation, concern and considerable debate as we sat around the bar during 'personal study' time to discuss individual questions. For example, one such question was:

Q: What is the BEST method of storing user passwords for a system?

(A) Password-protected file.
(B) File restricted to one individual.
(C) One-way encrypted file.
(D) Two-way encrypted file.

(Answer is C)
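As an added illustration of why (C) is the 'most correct' answer (this is not code from the article or from the course): a small Python password store that keeps only salted one-way hashes, so the file can be checked against but never decrypted back into passwords, whereas options (A), (B) and (D) all leave the plaintext recoverable by anyone who obtains the file and its key. The PBKDF2 parameters, record format and user names are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this example (not specified by the article).
ITERATIONS = 200_000   # slow the hash down to blunt offline guessing
SALT_BYTES = 16        # per-user random salt: equal passwords give different records
HASH_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salthex$hashhex'.

    The record is one-way: the original password cannot be derived from it.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 ITERATIONS, dklen=HASH_BYTES)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: refuse rather than guess
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters),
                                    dklen=HASH_BYTES)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_password_file(users: Dict[str, str]) -> Dict[str, str]:
    """Build the 'one-way encrypted file': plaintext never appears in the result."""
    return {user: hash_password(pw) for user, pw in users.items()}


if __name__ == "__main__":
    # Constructed sample users; note the two identical passwords yield different records.
    pwfile = build_password_file({"alice": "correct horse", "bob": "correct horse"})
    for user, record in pwfile.items():
        print(user, record)
    print("alice login:", verify_password("correct horse", pwfile["alice"]))
    print("bad login:", verify_password("wrong", pwfile["alice"]))
```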

This first night I got to bed at around 1.00am, an early night as it turned out, and dreamt of running down an endless road being chased by PowerPoint slides!

The next four days followed the same pattern: slides every 45 seconds with quick-fire commentary, as our blood pressures continued to rise and confidence continued to drain away. The lecture room became our prison and the bar our only oasis.

As the week progressed, it became clear that everyone on the course had a specialist subject. For me, the section on cryptography was relatively straightforward but learning more about the history of cryptography was also enlightening. Out of the 10 domains, some 'core' sections such as Access Control Systems and Methodology were given more weight (and marks in the exam) than others such as Telecommunications and, much to my personal dismay, Cryptography.

Judgment day

Sunday morning on day seven arrived and we entered the examination room to be met by a large number of candidates who had chosen the longer home-study option. They all looked so damned smug and fresh and their eyes were not red rimmed from lack of sleep, nor did they have the haunted look of people driven mad by six days of incessant PowerPoint torture. Maybe they'd had the right idea after all.

The last exams I had sat were at university but at least then they were not six hours long. But, as with any exam, if you know the material and understand how the questions work, you will usually be OK. The main challenge was probably spotting the deceptive, if not difficult, trick questions. After the exam, everyone was pretty shattered as we said our goodbyes and headed home.
A week later, the letter came through that told me that it had all been worthwhile and that I had passed, along, as it turns out, with all the other people on the course. On reflection, it may have been death by PowerPoint but with a solid basic knowledge, the intensive, short-sharp week filled in more cracks than any amount of books could have done. Of course, we came out of the experience with a copy of 'CISSP for Dummies', just in case.

So, I can now put the initials CISSP on my business card. That is good for my own credibility and professional standing and also that of my employer, ASPACE Solutions. In a wider sense, it has also helped to give me a more thorough understanding of a diverse range of security issues facing companies and, not least, has been very thought provoking.


I believe that CISSP certification will eventually become a standard company requirement for an employee in the IT security sector. As of now, it is not mandatory, but the knowledge that the CISSP course brings, along with the certification, gives a company confidence in the candidate's IT security background and their knowledge base. Oh, and CISSP is not just for Christmas: you also have to gain 120 CISSP credit points over a three-year period, achieved through continual professional development.


For more information on CISSP, visit www.isc2.org or www.cissps.com

For more information about ASPACE Solutions, visit www.aspacesolutions.com