Certified Information Systems Security Professional
Certified Information Systems Security Professional (CISSP) is an independent information security certification governed by the International Information Systems Security Certification Consortium, (ISC)². (ISC)² is a self-declared nonprofit organization but is not a charitable organization under the applicable Internal Revenue Service Code.
As of September 17, 2011, (ISC)² reports 75,814 members who hold the CISSP certification in 134 countries. In June 2004, the CISSP was the first information security credential accredited by ANSI (American National Standards Institute) to ISO/IEC Standard 17024:2003 and, as such, has led industry acceptance of this global standard and its requirements. It is formally approved by the U.S. Department of Defense (DoD) in both its Information Assurance Technical (IAT) and Managerial (IAM) categories. The CISSP has been adopted as a baseline for the U.S. National Security Agency's ISSEP program.
History
In the mid-1980s a need arose for a standardized certification program that provided structure and demonstrated competence. In November 1988, the Special Interest Group for Computer Security (SIG-CS), a member of the Data Processing Management Association (DPMA), brought together several organizations interested in this. The International Information Systems Security Certification Consortium, or (ISC)², formed in mid-1989 as a non-profit organization with this goal.
Certification subject matter
The CISSP curriculum covers subject matter in a variety of information security topics. The CISSP examination is based on what (ISC)² terms the Common Body of Knowledge (or CBK). According to (ISC)², "the CISSP CBK is a taxonomy -- a collection of topics relevant to information security professionals around the world. The CISSP CBK establishes a common framework of information security terms and principles that allow information security professionals worldwide to discuss, debate and resolve matters pertaining to the profession with a common understanding."
The CISSP CBK is fundamentally based on the CIA triad, the core information security and assurance tenets: confidentiality, integrity and availability, and attempts to balance the three across ten areas of interest, which are also called domains. The ten CBK domains are:
- Access Control
  - Categories and Controls
  - Control Threats and Countermeasures
- Application Development Security
  - Software Based Controls
  - Software Development Lifecycle and Principles
- Business Continuity and Disaster Recovery Planning
  - Response and Recovery Plans
  - Restoration Activities
- Cryptography
  - Basic Concepts and Algorithms
  - Cryptography Standards and Algorithms
  - Signatures and Certification
  - Cryptanalysis
- Information Security Governance and Risk Management
  - Policies, Standards, Guidelines and Procedures
  - Risk Management Tools and Practices
  - Planning and Organization
- Legal, Regulations, Investigations and Compliance
  - Major Legal Systems
  - Common and Civil Law
  - Regulations, Laws and Information Security
- Operations Security
  - Media, Backups and Change Control Management
  - Controls Categories
- Physical (Environmental) Security
  - Layered Physical Defense and Entry Points
  - Site Location Principles
- Security Architecture and Design
  - Principles and Benefits
  - Trusted Systems and Computing Base
  - System and Enterprise Architecture
- Telecommunications and Network Security
  - Network Security Concepts and Risks
  - Business Goals and Network Security
Requirements
Candidates for the CISSP must meet several requirements:
- Possess a minimum of five years of direct full-time security work experience in two or more of the ten (ISC)² information security domains (CBK). One year may be waived for a four-year college degree, a Master's degree in Information Security, or one of a number of other certifications from other organizations. A candidate not possessing the necessary five years of experience may earn the Associate of (ISC)² designation by passing the required CISSP examination. The Associate of (ISC)² for CISSP designation is valid for a maximum of six years from the date (ISC)² notifies the candidate of having passed the exam. During those six years the candidate must obtain the required experience and submit the required endorsement form for certification as a CISSP. Upon completion of the professional experience requirements the certification is converted to CISSP status.
- Attest to the truth of their assertions regarding professional experience and accept the CISSP Code of Ethics.
- Answer four questions regarding criminal history and related background.
- Pass the CISSP exam with a scaled score of 700 points or greater out of 1000 possible points. The exam is multiple choice, consisting of 250 questions with four options each, to be answered over a period of six hours. 25 of the questions are experimental questions which are not graded.
- Have their qualifications endorsed by another CISSP in good standing. The endorser attests that the candidate's assertions regarding professional experience are true to the best of their knowledge, and that the candidate is in good standing within the information security industry.
Ongoing certification
The CISSP credential is valid for only three years, after which it must be renewed. The credential can be renewed by re-taking the exam; however, the more common method is to report at least 120 Continuing Professional Education (CPE) credits since the previous renewal. Currently, to maintain the CISSP certification, a member is required to earn and submit a total of 120 CPEs by the end of their three-year certification cycle and pay the Annual Membership Fee (AMF) of US$85 during each year of the three-year certification cycle before the annual anniversary date. With the changes effective 30 April 2008, CISSPs are required to earn and post a minimum of 20 CPEs (of the 120 CPE certification cycle total requirement) and pay the AMF of US$85 during each year of the three-year certification cycle before the member's certification or recertification annual anniversary date. For CISSPs who hold one or more concentrations, CPEs submitted for the CISSP concentration(s) are counted toward the annual minimum CPEs required for the CISSP.
CPEs can be earned through several paths, including taking classes, attending conferences and seminars, teaching others, undertaking volunteer work, professional writing, etc., all in areas covered by the CBK. This is more easily achieved than it seems, since "attending" a webinar qualifies. Most activities earn 1 CPE for each hour of time spent; however, preparing (but not delivering) training for others is weighted at 4 CPEs per hour, published articles are worth 10 CPEs, and published books 40 CPEs.
Value
In 2005, CertMag surveyed 35,167 IT professionals in 170 countries on compensation and found that CISSPs led their list of certificates ranked by salary. A 2006 Certification Magazine salary survey also ranked the CISSP credential highly, and ranked CISSP concentration certifications as the best-paid credentials in IT.
The CISSP certification exam has been criticized for its vague questions, as well as the amount of study required to become certified. In the past, critics have also cited the way that the exam's questions are focused on the U.S., although (ISC)² took steps to internationalize the questions in the late 2000s.