Category Archives: CISSP

CISM vs CISSP

A reader recently asked me about the CISM versus the CISSP. Specifically, he asked, “How hard is the CISM for someone who passed the CISSP?”

Having earned both certs (and a few more besides), and having written study guides for both, I felt qualified to help this individual. My answer follows.

CISM is much heavier on security management and risk management than CISSP. You’ll have to study these topics, and the business side of information security.  To paint with a broad brush, you could say that CISM is for CISO’s while CISSP is for security engineers. That, in essence, is the distinction.

Oh and there’s a great study guide out for the CISM: https://www.amazon.com/Certified-Information-Security-Manager-Guide-ebook/dp/B079Z1J87M

I passed my CISSP almost 20 years ago while I was still a hands-on technologist.  I studied for my CISA two years later. I learned through my ISACA CISA study materials (provided by my employer) that ISACA has a vastly different vocabulary for infosec than does (ISC)2.  Think of it as a business perspective versus an engineering perspective.  Both are right, both are valid, both are highly valued in the employment market.  But they are different.  Master both, and you’ll be a rare treasure.


Study guides for CISSP:

CISSP For Dummies

CISSP Guide to Security Essentials

Study guides for CISM:

CISM All-In-One Exam Guide

 

 

Advertisements

Controlling Access to Information and Functions

Computer systems, databases, and storage and retrieval systems contain information that has some monetary or intrinsic value. After all, the organization that has acquired and set up the system has expended valuable resources to establish and operate the system. After undergoing this effort, one would think that the organization would wish to control who can access the information that it has collected and stored.

Access controls are used to control access to information and functions. In simplistic terms, the steps undertaken are something like this:

  1. Reliably identify the subject (e.g., the person, program, or system)
  2. Find out what object (e.g., information or function) the subject wishes to access
  3. Determine whether the subject is allowed to access the object
  4. Permit (or deny) the subject’s access to the object
  5. Repeat

The actual practice of access control is far more complex than these five steps. This is due primarily to the high-speed, automated, complex, and distributed nature of information systems. Even in simple environments, information often exists in many forms and locations, and yet these systems must somehow interact and quickly retrieve and render the desired information, without violating any access rules that are in place. These same systems must also be able to quickly distinguish “friendly” accesses from hostile and unfriendly attempts to access—or even alter—this same information.

The success of an access control system is completely dependent upon the effectiveness of the business processes that support it. User access provisioning, review, and revocation are key activities that ensure only authorized persons may have access to information and functions.

— excerpt from an upcoming textbook on information systems security

Compliance risk, the risk management trump card

Bookmark This (opens in new window)

Organizations that perform risk management are generally aware of the laws, regulations, and standards they are required to follow. For instance, U.S. based banks, brokerages, and insurance companies are required to comply with GLBA (the Gramm Leach Bliley Act), and organizations that store, process, or transmit credit card numbers are required to comply with PCI-DSS (Payment Card Industry Data Security Standard).

GLBA, PCI-DSS, and other regulations often state in specific terms what controls are required in an organization’s IT systems. This brings to light the matter of compliance risk. Sometimes, the risk associated with a specific control (or lack of a control) may be rated as a low risk, either because the probability of a risk event is low, or because the impact of the event is low. However, if a given law, regulation, or standard requires that the control be enacted anyway, then the organization must consider the compliance risk. The risk of non-compliance may result in fines or other sanctions against the organization, which may (or may not) have consequences greater than the actual risk.

The end result of this is that organizations often implement specific security controls because they are required by laws, regulations, or standards – not because their risk analysis would otherwise compel them to.

Excerpt from CISA All-In-One Study Guide, second edition

I’m back, after a year off

Bookmark This (opens in new window)

After teaching the UW Information Systems Security certification course for two years, completing CISSP For Dummies (3rd edition), CISA All-In-One Exam Guide and CISSP Guide to Security Essentials, I was burned out and needed a year off. I didn’t do any public speaking either, which means interrupting an eight year run speaking for SecureWorld Expo in Seattle and other cities. But, I needed time for my family and for me.

Earlier this year we purchased an RV and spent about 40 nights in it all over Washington State, including American River, Whidbey Island, Vasa Resort, Ames Lake, Alder Lake, Riffe Lake, and Kitsap Memorial State Park. We spent much of this time with good friends whose company we enjoy very much.

My wife and I went on several motorcycle rides, although none were overnight trips as I had hoped. Still, we were blessed with great weather and safe riding.

One one particularly nice weekend day, I took a very early morning ride up Mt. Rainier, arriving at Paradise Lodge at around 8am. There was practically no traffic on the way up the mountain – the entire two lane highway was mine.

After writing twenty-two books in ten years, my list of honey-do’s around the house was growing, and I got a lot of things done in this department.

We have also become parents – of four lovely society finches that are the offspring of a mating pair we purchased last year. We also have zebra finches, parakeets, quail, and an african weaver. None of these others have had chicks yet, but we’re still hopeful.

We also had an exchange student from the Czech Republic stay in our home for a year. She arrived in mid August 2009 and returned home in July 2010. This was a great experience for everyone. She was a member of our family and she participated in everything we all do together.

Today I completed the draft manuscript for a book on security technology that will be published in December or January. This was a short project that took just a few weeks.  Today I met with my literary agent to plan the next five years of my writing. My business manager and I are both quite excited about the next few years.

While I took the year off of bookwriting, I was still involved in some other things. I’m a member of the Cloud Security Alliance and contributed to its Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, and am a member of the Cloud Security Alliance Certification Board. I also earned the CRISC (Certified in Risk, Information Security, and Control), a new certification offered by ISACA (Information Systems Audit and Control Association), which I’ve been a member of since 2002.

Certification and Experience: Putting the Cart Before the Horse

Bookmark This (opens in new window)

When I earned my CISSP in 2000, and my CISA in 2002, I desired to earn these certifications as a way of demonstrating the knowledge and experience that I had already accumulated. To me, these certifications are a visible symbol of my professional qualifications in the professional community.

In recent years, I have seen many people who do not have the knowledge or the experience, and they desire to earn these certifications so that they may be better qualified for positions where they can earn the knowledge and experience that these certifications require.

These people have it backwards. They are showing impatience: they want the positions that require experience, but they do not yet have it. They ask, now that I have my CISSP (or CISA or CISM), how can I now get security specialist, security manager, security auditor, or other positions? And they wonder why they have difficulty finding these jobs that require CISSP, CISA, or CISM certification.

What I believe they fail to understand is that they do not have the required experience.

The correct path for professional certification and experience is this: acquire the knowledge and the experience, and then earn the certification. This is the method expected by employers, professionals, and the organizations that develop and manage these certifications.

Would you go to a doctor who had his license to practice but did not yet have the required experience? Of course not, and likewise employers do not hire candidates based only on their certifications. Instead, employers hire based upon knowledge, experience, and particular skills.

I believe that many of these aspiring certification candidates are being led astray by training organizations who are implicitly (if not explicitly) fostering the expectation that one can earn a certification based on a short training course alone, as though it is a “shortcut” to positions with greater responsibility, expectations, and compensation.

To IT professionals who want to get ahead and earn certifications: good for you! I wish you well! However, do know that you need to accumulate years of work experience first – then earning those certifications will be relatively easy, and you will have greater satisfaction through knowing that you have rightfully earned your certification, not only because you were able to pass a certification exam, but also because you have the experience that goes with it.

CISA study group

CISM study group

CISSP study group

CRISC study group

CISSP Study Group Formed

Seattle (WA USA) Sept 8, 2009. Noted security expert Peter H. Gregory, CISA,
CISSP, DRCE who started CISA and CISM certification study groups in 2002, has
launched a CISSP certification study group. Like the CISA and CISM groups, the
new CISSP study group is hosted by Yahoo Groups.

This group is for technology and security professionals who are interested in
learning more about the CISSP certification, as well as for instructors who
teach courses on information security. People who are already certified are also
invited to join as “mentors” who can help those who are just starting out.

People who are interested in joining the group may go to the following URL:

http://groups.yahoo.com/group/CISSP-study/join

People who are already members may go to the group at this URL:

http://groups.yahoo.com/group/CISSP-study

The CISSP Study group will have the following features:

* Message archive
* Moderated messages (no spam)
* Files upload
* Links pages
* Surveys

Only active members of the group may access these features.

Information that will be discussed in the forum include:

* CISSP qualifications
* CISSP study tips
* CISSP study books and courses
* CISSP study questions
* Registering for the certification exam
* Test tips
* Questions on any topic of information and business security

How to study for the CISSP examination

Bookmark This (opens in new window)

Whitepaper by Ernie Hayden, a noted security expert, on studying for the CISSP exam.

Download here (PDF)