I have had several tasks to complete in light of the Sept. 11 tragedy in order to reduce the impact of a potential security breach or disaster at my company. And after hours, I'm preparing for a security certification exam.
In my day job, I have user account audits under way, and we're about to implement group structures within our Windows NT domain to ease administration. This powerful NT feature lets us configure groups with different access privileges and place users into the groups that have the proper access profiles for their roles. That should make it easier to apply a consistent set of security rules across our user base.
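The account audit and the role-based group structure described above go together: once each role maps to a fixed set of groups, any membership outside that set is something to review. The following is an added example, not the author's or the company's own script. It assumes group membership has been exported with `net group <name>` (the output layout below is constructed to match that command's general shape, not captured from a real domain), and the role names, group names and users are sample data.

```python
"""Audit NT domain group memberships against per-role group profiles.

Added example for this column. Role profiles, privileged groups, users and the
`net group` exports are all constructed sample data.
"""
from dataclasses import dataclass

# Role profiles: the exact set of global groups a member of each role should hold.
ROLE_PROFILES = {
    "helpdesk": {"Domain Users", "Helpdesk"},
    "developer": {"Domain Users", "Developers", "Source Control"},
    "dba": {"Domain Users", "DBAs"},
}

# Groups whose members are reviewed individually, whatever their role.
PRIVILEGED_GROUPS = {"Domain Admins", "Account Operators", "Server Operators"}

# Constructed `net group <name>` output, one entry per group (assumed layout:
# header lines, a dashed separator, member names in columns, a status line).
NET_GROUP_EXPORT = {
    "Domain Users": """Group name     Domain Users
Comment        All domain users

Members

-------------------------------------------------------------------------------
alice                    bob                      carol
dave
The command completed successfully.
""",
    "Helpdesk": "Group name     Helpdesk\nComment\n\nMembers\n\n"
                "----\nalice\nThe command completed successfully.\n",
    "Developers": "Group name     Developers\nComment\n\nMembers\n\n"
                  "----\nbob                      carol\nThe command completed successfully.\n",
    "Source Control": "Group name     Source Control\nComment\n\nMembers\n\n"
                      "----\nbob\nThe command completed successfully.\n",
    "DBAs": "Group name     DBAs\nComment\n\nMembers\n\n"
            "----\ndave\nThe command completed successfully.\n",
    "Domain Admins": "Group name     Domain Admins\nComment\n\nMembers\n\n"
                     "----\ncarol\nThe command completed successfully.\n",
}

# Constructed HR-style role assignment and list of disabled accounts.
ROLES = {"alice": "helpdesk", "bob": "developer", "carol": "developer", "dave": "dba"}
DISABLED = {"dave"}


@dataclass
class Account:
    name: str
    role: str
    groups: set
    disabled: bool = False


def parse_net_group(text):
    """Return the member names listed in one `net group <name>` output."""
    members, in_members = [], False
    for line in text.splitlines():
        if line.startswith("----"):          # separator before the member list
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members:
            members.extend(line.split())     # names are whitespace-separated columns
    return members


def build_accounts(exports, roles, disabled=()):
    """Invert group->members exports into one Account per user."""
    by_user = {}
    for group, text in exports.items():
        for member in parse_net_group(text):
            by_user.setdefault(member, set()).add(group)
    return [Account(u, roles.get(u, "unassigned"), gs, u in disabled)
            for u, gs in sorted(by_user.items())]


def audit_accounts(accounts, role_profiles=ROLE_PROFILES, privileged=PRIVILEGED_GROUPS):
    """Return (user, finding) tuples for every deviation from the role profiles."""
    findings = []
    for acct in accounts:
        profile = role_profiles.get(acct.role)
        if profile is None:
            findings.append((acct.name, f"unknown role '{acct.role}'"))
            continue
        for g in sorted(acct.groups - profile - privileged):
            findings.append((acct.name, f"member of '{g}' not in role '{acct.role}'"))
        for g in sorted(profile - acct.groups):
            findings.append((acct.name, f"missing group '{g}' required by role '{acct.role}'"))
        for g in sorted(acct.groups & privileged):
            findings.append((acct.name, f"holds privileged group '{g}'; confirm approval"))
        if acct.disabled and acct.groups - {"Domain Users"}:
            findings.append((acct.name, "disabled account still holds group memberships"))
    return findings


def run_audit():
    return audit_accounts(build_accounts(NET_GROUP_EXPORT, ROLES, DISABLED))


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user}: {finding}")
```

Extra memberships, missing memberships, privileged-group holders and disabled accounts that still carry groups are reported separately, so each finding maps to a single corrective action in User Manager for Domains.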
Our CIO is in the process of executing what's called a "structured walk-through" of our disaster recovery plan. We'll do this by using checklists and running through different scenarios with key staff. If the structured walk-through is a success, we will proceed with a more realistic test using one of our hot sites.
As for physical security, the security guards down in the lobby seem to have an increased awareness of who's coming and going. And it seems that most employees are more aware of their surroundings and more diligent in questioning unusual behavior.
I decided about a month ago to start studying for the Certified Information Systems Security Professional (CISSP) certification offered by the International Information Systems Security Certification Consortium Inc. (ISC)2 in Framingham, Mass. The CISSP is well respected within the information security community and is a highly desired or even required certification in some industries. Every so often, I do a search of the employment Web sites for the CISSP, and the number of listings requiring that certification is increasing.
The CISSP exam consists of 250 multiple-choice questions. The exam covers 10 common bodies of knowledge (CBK), ranging from access control to cryptography and physical security. (ISC)2 says that security professionals with at least three years of experience should have the knowledge necessary to pass the exam. The problem is that, like most security professionals, I don't have three years of knowledge in every one of the CBKs.
My colleagues have asked why I've waited this long to get my CISSP certification. In the past, I've always thought that I didn't need a certification, that they were a waste of time and money, and that experience is far better than some acronym next to my name.
My experience with job applicants reinforced those perceptions. About four years ago, I interviewed a candidate for a security administrator position. His résumé included many acronyms, such as ones that stand for Microsoft Certified Systems Engineer, A+ and Certified Novell Administrator. He professed significant experience with Solaris administration and firewall installation and maintenance. He also claimed to have experience with security tools and other security applications, so I was excited to interview him.
When he arrived, I was duly impressed. He was about 30 years old and was dressed appropriately for the interview. However, as the interview progressed, I realized that this person had little real-world experience in security or systems administration. His certifications were all gained through crash courses intended to teach you what you need to know to pass the certification tests. I needed someone who could hit the ground running. I didn't have time to train anyone.
Since then, I've had similar experiences with other candidates. That's not to say that there aren't respectable certifications. The Cisco Certified Internetworking Engineer, which includes a hands-on lab test, is probably the most difficult. In my experience, individuals with this certification are generally well qualified and well versed in some facets of information security as well.
I decided to finally give in and take the CISSP exam after meeting several security professionals who have studied for it. I was impressed with their knowledge, and they had nothing but great things to say about the program.
I also considered the SANS Institute's Global Information Assurance Certification (GIAC) Program. SANS has always been a leader in security information and programs. Its certification covers a wide range of information security issues and is especially common in the government sector. It sounds a bit trivial, but I chose the CISSP over the GIAC exams based purely on popularity. For example, one job search engine produced almost 100 hits on CISSP vs. 14 hits for GIAC.
I gave myself two months to study for the exam, and I'm almost done. I spend at least four hours a day after hours and as much time as possible on weekends.
For reference material, I'm using three publications. I'm also using an excellent Web site, http://www.cccure.org, which contains reference materials and links that will help me pull together the many documents, presentations and programs I may need to prepare for the CISSP exam. I assembled a binder containing printed material from the Web site and am using it for study. For each of the 10 sections, I read one chapter each from the publications, then review the printed materials. Finally, I'm taking whatever practice exams I can get my hands on. After going through all 10 segments, I've gone back to study my weak areas: cryptography, security models and physical security. I also made flashcards to help with the more difficult concepts.
Do you have resources you're using to prepare for the CISSP or GIAC exams? If so, I welcome your suggestions in the Security Manager's Journal forum.
Security Manager's Bookshelf, Links
The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, by Ronald L. Krutz, Russell Dean Vines and Edward M. Stroz (Wiley, 2001). This is the best book for CISSP preparation. It contains a wealth of pure study information. There are no stories, few opinions and few real-world examples: just what you need to know to effectively study for the exam, including a 200-page appendix and glossary.
Information Security Management Handbook, Fourth Edition, edited by Micki Krause and Harold F. Tipton (Auerbach Publications, 1999). This should be required reading. Unlike the Prep Guide, it contains many examples to help readers understand the concepts.
CISSP Exam Textbooks (theory and practice), by S. Rao Vallabhaneni (SRV Publications, 2001). I've heard of people studying only the SRV publications and passing the test, but I've found errors, and some sections are a bit confusing. However, if you haven't taken a multiple-choice test lately, the practice volume is a good option.
www.isc2.org: Visit the (ISC)2 site for information on CISSP seminars and online study groups. I recommend joining its free mailing list, which generates about 15 messages per day.
www.cccure.org: An excellent resource for CISSP preparation. Check out the study group and mailing list.
www.cissps.com: If you're weak on cryptography, this site has an excellent reference.