NSA, ISC(2) To Create New Security Cert
3/5/2003 -- Last week the International Information Systems Security Consortium (ISC(2)), proprietor of the CISSP security certification, announced that it has signed a five-year contract with the National Security Agency (NSA) to develop and administer a new credential for IT professionals who want to work for the NSA, either as employees or as outside contractors.
The certification, called the Information Systems Security Engineering Professional (ISSEP), will cover aspects unique to "the technical knowledge required of government information systems security engineers," including processes and government regulations, ISC(2) said.
To obtain the ISSEP, candidates will be required to have four years of IT security experience and hold the CISSP.
A press release announcing the new title does not say whether all IT professionals who work with the NSA will be required to obtain the certification, or if it will be optional.
According to the press release, the ISSEP is still in the early stages of development. NSA will be providing subject matter experts to help develop the title's curriculum, and ISC(2) will build and manage the exam and program.
The organizations gave no timeline for the launch of the new title.
More information on this announcement can be found here. -B.N.
There are 10 user Comments for "NSA, ISC(2) To Create New Security Cert"
3/5/03: Totally With You from NY says:
I have to completely agree with you. I have been a Lead Security Engineer (deploying firewalls, hardening systems, setting up IDS, etc.) as well as doing all the policy work, DRP, BCP, etc. I have 3 GIAC certs, no CISSP. CISSP is for me later when I get more into management. I have met CISSPs that beg me to help them configure a freakin PIX for God's sake. I mean, whatever man. Really. Anyway, I think that the only true certs out there that will make a difference are the GIAC certs (those are pretty involved) and the CCIE Security. Everything else is paper-chase. If you ain't got the skills, then why would you become a security geek for the NSA? I would hope that the NSA would have CCIEs and other engineers on staff to set the stuff up, and then have all their managers get the CISSP or the ISSEP, IPSec, whatever. Let's give it a rest already with the paper chase; let's get some SHOW ME HOW TO DO IT certs like Novell's CDE, Cisco's CCIE... Damn, even Citrix just came out with a lab exam.
3/5/03: Anonymous says:
As someone that did CompuSec (may as well show my age) engineering for the Air Force for 10 years (NSA and DIA were my accrediting agencies) I can say that I agree with the idea. 1. Day to day, year to year, project to project, the piece of hardware that is to be used changes. The needs don't really change - threats, yes; Bad Guy techniques, yes; needs, NO. 2. I spent half my time training my contractors how to do their jobs so they would last against the Day-After-Tomorrow problems. They could handle today's threats and technologies, but had no idea how to address a problem that hadn't happened yet. 3. Boys and Girls, Mommies and Daddies, the Fed systems last for decades. Other than the computer operators, it is ALL engineering management.
3/6/03: Anonymous says:
As a former outside contractor for the NSA in computer security I really fail to see what good this cert is going to have there. The people that really know security there are going to chuckle over this cert forever.
3/6/03: Anonymous says:
That means the CISSP does not meet the industry's needs. CISSP is only just a paper! No practical use! So we have to develop another certification to meet the practical requirement! Shame on CISSP!!
3/6/03: Concerned Individual says:
Seems my first post was removed as being highly critical of another "highly regarded" certification attempt which meets zero needs. I do agree in part with "Totally with you" and am not surprised by our Air Force CompuSec veteran's postings. Having supported NSA and DOD installations, which included the Air Force, Marines and Navy, as well as countless Civilian and Federal, State, and Local agencies, the addition of the CISSP requirement means nothing. One of the Anonymous postings hit it on the head with my original posting: those that are in the trenches at NSA installations will laugh at this certification. IMHO, those that think this certification will help them obtain more political gain within the Puzzle Palace will still be the bane of humor within the real rank and file. I propose the start of a new certification which the NSA might find more interesting: Certified White Hat Hacker (CWHH). This certification will consist of a management exam, an analysis exam, and then a lab portion. The management exam will consist of how to sell management on why we need security, the pros and cons, and being able to provide project management skills to all phases of security life cycle management. A portion of the exam should include professional responsibility and accountability. The analysis portion would be an exam based on real-world experience in penetration testing and intrusion detection, prevention and recovery. There would be a lot of historical reference, but there would be an important multiple-essay area which talked through a scenario and you were required to identify all the areas which contained a problem. You would be required to identify, assess, propose recommendations (which could include culture changes), prepare the "sell" to upper management (who might believe in "security by obscurity" as the real answer to their success), through to a recovery if they were attacked (maybe something similar to a response to a Code Red / NIMDA hit on an organization).
The final phase would be a proctored lab exam by the trench warriors that would measure their ability to truly perform their "certifiable skills," much like the CCIE (I believe they still have a 90% first-time failure rate). I wonder if our Air Force CompuSec individual was a blue suit. Having been on both sides of the fence, hearing about training contractors to do the work and then criticizing that they never learned how to think out of the box in discovering additional threats makes it more interesting how he values a certification that might end up being "required" by the NSA for employment or work. How well did his training provide in the CompuSec world and for the protection of AF assets? This is not an attack on him or her in any regard, but a critical point I have had over the years regarding management who are more interested in public image than in trench work. How many engineers, trenchers out there had to hold management's hands and explain what was happening and how they were dealing with the problem, all the while they were trying to stop the problem, recover services and keep service continuity going, and their managers were looking like "deer in headlights"? Having spoken with the NSA regarding issues and problems with the Cisco hardening guides since the pre-release days of the guide, this certification will be another folly of management to justify their own position and not the protection of the United States Information Assets.
3/12/03: Sad story for IT techies says:
Reading the posts on this topic, and recalling other similar discussions in the past, clearly indicates again why IT staffers never make it into policy-making positions at govt or commercial organizations. If you really want to improve the choice, design, deployment and management of IT in organizations, then you must have respect at the policy-making level - usually mid- to upper mgt. Continuous gear-head talk about this cert and that cert, this gizmo and that gizmo only works to dry the concrete around your feet as you stay down in the ranks instead of rising to the point of constructive influence for IT in your organization. So lay off on the critical stuff regarding non-gizmo certifications. College degrees are paper, but without one you get nowhere fast.
3/12/03: Concerned Individual says:
I agree with Sad Story in general principles... however, if you read the article clearly, you would notice this certification is regarding engineering and the particular "technical knowledge required"... this is a gear-head level certification....
3/18/03: Anonymous says:
Gee, someone in the gov. heard of CISSP and decided to write a job description based on it. No surprise there. Mo' money again!
3/19/03: corporate security advisor says:
I have been seeing and listening to a lot of talk about the paper certifications. I am interested in who would 'pay' for a hands-on security certification. I was the technical lead for a Regional CERT for the US Military where I had 22 security 'engineers' working for me. Unfortunately, I had to train them on what to do and how to do it. Over the last 3 years I have built a fairly intense lab testing environment that I can bring to a location for consulting and testing. But, like the CCIE, the price of such hands-on examinations is expensive at $1000+/day. And the skill sets are intensive: most enterprises have heterogeneous networks consisting of UNIX, Microsoft, IDS, firewalls and host-based security applications. IF the NSA and ISC2 are serious enough to build a hands-on portion of the examination, would 'you', the potential candidates, be willing to pay the price? I figure a good security consultant can recover the $1000 in a day's fees. Is the paper chase, at $450 for the CISSP, really any cheaper?
4/15/03: Reflections from the field says:
I would gladly pay the price for a hands-on lab if the certification was a true testament to my security skill set and management abilities. During the past 6 months, I have been interviewing "name recognized" security firms with all the credentials from here to eternity. Each and every one of these firms failed miserably in the pre-assessment demonstration and their orals. Their CISSPs, who are noteworthy authors, made very obvious mistakes in their assessment of a test environment during pre-award selection. Their mistakes were a demonstration of general security knowledge and exploits, not of someone who has the ability to design, implement, maintain and protect a secure environment. To all future and current security consultants: if you cannot identify the deficiencies in your design (which exist in all environments, including the one system sitting in a concrete, steel-encased box in the middle of the Pacific Ocean), then you are, and always will be, displaying an unethical attitude.... as they say, buyer beware, and that includes the true value you are going to get and give your clients with your CERTIFICATIONS.... even CCIEs make a lot of mistakes in their designs.......