Category Archives: CISSP

Checkbox CPEs

Those of us with security certifications like CISSP, CISA, CISM, and others are acutely aware of the need to get those CPE hours completed each year. Typically, we’re required to accumulate 40 hours per year and that we keep accurate records of learning events, along with evidence that we did indeed attend those events. 

I was audited once, over a decade ago, and came up a bit short on my evidence. Since then, I’ve been meticulous in my recordkeeping and maintaining proof of attendance. But this piece is not about recordkeeping.

Are you finding your CPE events to check the box? Or are you pursuing new knowledge and skills?

I’ll tell you a secret: the certification organizations don’t know whether you are doing the minimum to check the box or pursue knowledge with enthusiasm.  They don’t ask, and they don’t care.

You should care, however, and the difference will show. If you are just checking the CPE box, you will not be learning much, and you’ll be a weaker contestant in the employment market. By not making a real effort to grow professionally, you’ll slowly fall behind.  While you may be able to fake it for a while, your learning negligence will catch up to you, and it will take considerable time and effort to dig yourself out of the hole you slid into. Not only will you have to spend considerable time catching up on security topics, but you’ll also have to undo the habit of doing the minimum to slide by.

My CISSP Journey, Part 7: Mentoring Others

In this series, I’ve described my experience with the CISSP, including studying for the exam, writing exam questions and books, and earning CPEs. In this final part, I describe my work in helping others learn about information security and earn the CISSP certification.

There are too few of us in the information security field. While I’m not going to argue the reasons or the size of the shortfall, each of us in the profession can do our part to ease the situation.

If you have the CISSP today, you are a role model to others who aspire to earn it someday independently. As a role model, others will see how you behave and conduct yourself according to the (ISC)² code of ethics. As I’ve said in my books, those of us in more senior positions in information security lead by example.

Image courtesy overlap (dot) net

We can help aspiring security professionals advance in many ways. Besides leading by example, we can take someone under our wing and mentor them as they try to discern their career direction and figure out how to achieve their goals.  We can organize or support a CISSP study group (something I’m doing at my place of employment today). We can teach a course on information security to those who want to pivot their career from IT into information security. We can help others study for the CISSP and help them understand the required concepts.

Over twenty years ago, my colleague Bob Maynard loaned me his personal notes for months (I did gratefully return them), and others answered questions on topics I was still learning.  Go and do so likewise: as one or more persons helped you earn your CISSP, make it a point to help others do the same.

Series recap:

Part 1: studying for and taking the exam

Part 2: writing CISSP exam questions.

Part 3: proctoring CISSP exams.

Part 4: writing a CISSP study guide.

Part 5: earning the CISA and other certifications.

Part 6: continuous education and CPE recordkeeping.

Part 7: mentoring others.

My CISSP Journey, Part 6: Earning and Recording CPEs

Like many professional certifications and designations, CISSP requires that certification holders complete a minimum number of continuous professional education (CPE) hours each year. This requirement makes sense to me, as the information security profession is still changing at a high rate. Were it not for this continuing education requirement, many who earn the CISSP and other certifications would quickly fall behind, and those who had earned the certifications would become irrelevant.

Today, (ISC)² requires CISSP holders to earn 120 CPEs in each three-year cycle and no fewer than 20 CPEs in any individual year. So this is an average of 40 CPEs, or forty hours of training, annually.

Many of us are fortunate enough to attend one or two conferences each year, and alone this would effectively satisfy the 40-hour requirement. But not all of us are so lucky: the rest of us have to earn our CPEs an hour at a time.

In earlier years (before 2005, in my estimation), this was a challenge, but no more. Today, each year, there are scores of opportunities to attend vendor product demos and free instructional sessions from (ISC)², ISACA, and other associations.  There are so many that you can pick and choose those that are of greatest interest to you.

The dark side to CPEs, if there is one, is that we are required to keep precise records of our CPEs. I suggest you create a spreadsheet that lists, line by line, each CPE event that you attend. More than that: (ISC)², ISACA, and others require that you retain evidence of your training. Some events will email you a certificate of completion, and others will provide a certificate download capability at the conclusion of an event. Some do not provide anything at all, so I make it a point to take a few screenshots of the event.

Sample CPE Listing

(ISC)², ISACA, and other associations will randomly audit members’ CPE records to see whether they are truthful in their claims. I was audited by ISACA many years ago, and while I had a good listing of events that I attended, I did a poor job of retaining evidence. Still, I passed the audit because I did have evidence for at least some of the events I attended. The audit put the fear of God in me, and ever since that time, I meticulously obtain and retain evidence for every event I attend. As the published author of several security and privacy-related exam guides in which I stress the importance of good CPE recordkeeping, I doubt that (ISC)², ISACA, or any other organization would cut me any slack at all. And so it should be.

In Part 7: paying it forward.

My CISSP Journey, Part 5: Earning the CISA

In the first four parts of this series, I describe my preparation for the CISSP exam, writing exam questions, proctoring exams, and writing study guides for two different publishers. My CISSP journey took a second, parallel path when I had the opportunity to earn another examination.

I don’t remember now where I first heard of the CISA certification, but it had to be in 2001, early in the purely-security part of my career. CISA, or Certified Information Systems Auditor, is a certification from ISACA (then known as the Information Systems Audit and Control Association, but now simply known as ISACA). CISA was established in 1978, whereas CISSP is much younger, established in 1994.

My distinct impression in 2001 was that possessing the CISSP and CISA certifications together was a Golden Ticket in the information security industry. I was young and aspired to more significant roles in the business, so I pursued the CISA with vigor.

I am grateful that my employer purchased CISA study materials for me, which consisted of a large question bank, and extensive study materials.  While there is considerable overlap between the CISSP and CISA certifications in terms of the domains of required knowledge, I soon learned that the vocabulary of information security was far more extensive than portrayed by CISSP. I especially struggled with the terminology and practices of IS audit, having been audited but not having been an auditor. Still, I was determined to succeed.

I registered for and sat for the CISA exam in June 2002. The exam itself was every bit as difficult as the CISSP examination and was Scantron-based as well. It’s incredible how you can get a cramp in your hand filling in little bubbles, although I think this is in combination with the mental stress that accompanies it.

Like the CISSP exam, I thought I had failed, as the exam questions were tough. However, a month or so later, a letter came in the mail from ISACA that told me that I had passed!  I was over the moon and wore the twin monikers CISSP and CISA proudly.

A year later, ISACA released the new Certified Information Security Manager (CISM) certification, and I had an opportunity to earn it through ISACA’s grandfathering process. I thought to myself: I have the CISSP and CISA certifications; why do I need any more?  I did not pursue the CISM grandfathering opportunity, a decision I would later regret for almost a decade. I did, eventually, sit for and pass the CISM exam, by the way.

In later years, I would earn more certifications in other topics such as disaster recovery planning, cloud security, privacy, and cardholder security – some grandfathered, some with arduous study and exams.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.

My CISSP Journey, Part 4: Writing a Study Guide

In the earlier parts of this series, I describe my experience preparing for and taking the CISSP exam, and later when I had an opportunity to write exam questions and proctor exams. In this part, I tell the story of my chance to write certification study materials.

In part 1 of this series, I mentioned that there were no available books for self-study for the CISSP exam, but instead, I borrowed a colleague’s binder from his in-classroom training a few years before, in the late 1990s.

As today’s story begins, at this time, I had written three books: Solaris Security, Sun Certified System Administrator for Solaris 8 Study Guide, and Enterprise Information Security. In another part of the country, Wiley Publishing and an author were working on the first edition of CISSP For Dummies, a user-friendly study guide for the CISSP exam. The project was apparently behind schedule, and the acquisitions editor at the publishing company called me on the phone one day and asked if I’d be willing to help out.  We negotiated an agreement that survives to this day, in which I am co-author of CISSP For Dummies. Over the last nineteen years, we have published six editions of the book and will soon be working on the seventh edition.

The book covers all of the knowledge domains that a CISSP candidate is expected to know to pass the exam. I especially like the For Dummies style, as we write in a friendly, more casual style while still imparting the knowledge required.

Starting with the 5th edition published in 2016, CISSP For Dummies is the only CISSP study guide approved by (ISC)², and it says so prominently on the cover. This is an endorsement that is not included in any other CISSP study guide.

I genuinely felt like my writing career was going to be sustained, as I had by this time written major titles for three different publishers on two continents. Feeling like I was not writing up to my true potential, I hired a literary agent in 2006, who found more publishing opportunities for me. One of the first such opportunities was to write an academic study guide for the CISSP exam by a publisher that sells direct to colleges, universities, and vo-tech schools. In 2009, the first edition of CISSP Guide to Security Essentials was published. The instructor edition includes the book and explanations for the study questions in the book, along with a complete set of PowerPoint slides to be used for classroom or virtual classroom instruction.  CISSP Guide to Security Essentials was published in a second edition in 2015.

In Part 5: earning the CISA and other certifications.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.

My CISSP Journey, Part 1: The CISSP Exam

In the 1990s, my IT engineering and management career was thriving. I led a team of about 15 seasoned professionals and worked in a business unit where information security was a key objective. We rose to the challenge and brought several key capabilities into our work environment, including multi-factor authentication, encrypted remote access (via modem), firewalls, and hardened servers and workstations. My part of the enterprise fared quite well in penetration tests conducted by an outside firm.

Before this time, I had spent years in computer operations and more years in Unix and C-based software engineering, so my IT background was quite broad. This experience proved later to be a solid foundation for my pivot into security.

In 1998, I was looking for a good book on Solaris security but could find nothing at all. I called one of my publisher connections at Sun Microsystems Press and secured a book deal to write the book, Solaris Security. Writing this book proved to be a great learning opportunity to shore up my knowledge in various areas.

In 1999, I met a colleague, Bob Maynard, who had his CISSP certification. Before knowing Bob, I had not met anyone with this certification, and it intrigued me. I looked at the (ISC)² website and decided that I would pursue this certification.

There were no books in print in 1999 or 2000 on the CISSP certification. The only available training was directly from (ISC)², and it was expensive even then. But my colleague Bob had his giant three-ring binder from the course that he had taken the year before, and he agreed to let me borrow it for a few months. He said apologetically that he had written numerous notes on the pages, which I told him would add more value.

In 2000, the CISSP exam was offered only once per year in Seattle, and I had just missed it. I found an exam in November in Colorado Springs, and booked an air trip, and registered for the exam.

I pored over Bob’s CISSP course binder studiously for months, right up to the night before the exam. There were no practice exams of any kind, so I was unsure of whether I would pass.

The exam itself was arduous – and that’s about as nice as I can describe it. At that time, the proctor in the room would pass out the exam books, which were sealed and serial numbered, and we were instructed to make no mark of any kind in them. Next, the scantron sheets were handed to us, and we were directed to fill in our names and other information. As you may know, Scantron involves the use of a pencil and filling in little bubbles that are machine scanned. Your hand will become sore after filling in more than three hundred of these bubbles, but that’s not the worst of it.

Typical Scantron answer sheet

The exam questions are brutal. Rather than black-and-white, they explore shades of grey and challenge your intimate knowledge of the subject matter, which ranges from the desired height of security fences to hashing algorithms.  The CISSP test at that time consisted of 250 questions, with a six-hour time limit to answer them all. I used nearly all of the six hours, double-checking several of my answers. I turned in my exam sheet, not at all confident of my prospects for passing.

I drove back to the airport, turned in my rental car, and boarded my flight back to Seattle. I fell asleep on the plane before they shut the door, and the flight attendant had to rouse me in Seattle, where I was the last passenger to disembark the aircraft. I usually don’t sleep on airplanes; for me, this was an outward sign of my mental exhaustion after taking the exam.

In Part 2: writing CISSP exam questions.

In Part 3: proctoring CISSP exams.

In Part 4: writing a CISSP study guide.

In Part 5: earning the CISA and other certifications.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.

CISM vs CISSP

A reader recently asked me about the CISM versus the CISSP. Specifically, he asked, “How hard is the CISM for someone who passed the CISSP?”

Having earned both certs (and a few more besides), and having written study guides for both, I felt qualified to help this individual. My answer follows.

CISM is much heavier on security management and risk management than CISSP. You’ll have to study these topics, and the business side of information security.  To paint with a broad brush, you could say that CISM is for CISO’s while CISSP is for security engineers. That, in essence, is the distinction.

Oh and there’s a great study guide out for the CISM: https://www.amazon.com/Certified-Information-Security-Manager-Guide-ebook/dp/B079Z1J87M

I passed my CISSP almost 20 years ago while I was still a hands-on technologist.  I studied for my CISA two years later. I learned through my ISACA CISA study materials (provided by my employer) that ISACA has a vastly different vocabulary for infosec than does (ISC)2.  Think of it as a business perspective versus an engineering perspective.  Both are right, both are valid, both are highly valued in the employment market.  But they are different.  Master both, and you’ll be a rare treasure.


Study guides for CISSP:

CISSP For Dummies

CISSP Guide to Security Essentials

Study guides for CISM:

CISM All-In-One Exam Guide

 

 

Controlling Access to Information and Functions

Computer systems, databases, and storage and retrieval systems contain information that has some monetary or intrinsic value. After all, the organization that has acquired and set up the system has expended valuable resources to establish and operate the system. After undergoing this effort, one would think that the organization would wish to control who can access the information that it has collected and stored.

Access controls are used to control access to information and functions. In simplistic terms, the steps undertaken are something like this:

  1. Reliably identify the subject (e.g., the person, program, or system)
  2. Find out what object (e.g., information or function) the subject wishes to access
  3. Determine whether the subject is allowed to access the object
  4. Permit (or deny) the subject’s access to the object
  5. Repeat

The actual practice of access control is far more complex than these five steps. This is due primarily to the high-speed, automated, complex, and distributed nature of information systems. Even in simple environments, information often exists in many forms and locations, and yet these systems must somehow interact and quickly retrieve and render the desired information, without violating any access rules that are in place. These same systems must also be able to quickly distinguish “friendly” accesses from hostile and unfriendly attempts to access—or even alter—this same information.

The success of an access control system is completely dependent upon the effectiveness of the business processes that support it. User access provisioning, review, and revocation are key activities that ensure only authorized persons may have access to information and functions.

— excerpt from an upcoming textbook on information systems security

Compliance risk, the risk management trump card

Bookmark This (opens in new window)

Organizations that perform risk management are generally aware of the laws, regulations, and standards they are required to follow. For instance, U.S. based banks, brokerages, and insurance companies are required to comply with GLBA (the Gramm Leach Bliley Act), and organizations that store, process, or transmit credit card numbers are required to comply with PCI-DSS (Payment Card Industry Data Security Standard).

GLBA, PCI-DSS, and other regulations often state in specific terms what controls are required in an organization’s IT systems. This brings to light the matter of compliance risk. Sometimes, the risk associated with a specific control (or lack of a control) may be rated as a low risk, either because the probability of a risk event is low, or because the impact of the event is low. However, if a given law, regulation, or standard requires that the control be enacted anyway, then the organization must consider the compliance risk. The risk of non-compliance may result in fines or other sanctions against the organization, which may (or may not) have consequences greater than the actual risk.

The end result of this is that organizations often implement specific security controls because they are required by laws, regulations, or standards – not because their risk analysis would otherwise compel them to.

Excerpt from CISA All-In-One Study Guide, second edition

I’m back, after a year off

Bookmark This (opens in new window)

After teaching the UW Information Systems Security certification course for two years, completing CISSP For Dummies (3rd edition), CISA All-In-One Exam Guide and CISSP Guide to Security Essentials, I was burned out and needed a year off. I didn’t do any public speaking either, which means interrupting an eight year run speaking for SecureWorld Expo in Seattle and other cities. But, I needed time for my family and for me.

Earlier this year we purchased an RV and spent about 40 nights in it all over Washington State, including American River, Whidbey Island, Vasa Resort, Ames Lake, Alder Lake, Riffe Lake, and Kitsap Memorial State Park. We spent much of this time with good friends whose company we enjoy very much.

My wife and I went on several motorcycle rides, although none were overnight trips as I had hoped. Still, we were blessed with great weather and safe riding.

One one particularly nice weekend day, I took a very early morning ride up Mt. Rainier, arriving at Paradise Lodge at around 8am. There was practically no traffic on the way up the mountain – the entire two lane highway was mine.

After writing twenty-two books in ten years, my list of honey-do’s around the house was growing, and I got a lot of things done in this department.

We have also become parents – of four lovely society finches that are the offspring of a mating pair we purchased last year. We also have zebra finches, parakeets, quail, and an african weaver. None of these others have had chicks yet, but we’re still hopeful.

We also had an exchange student from the Czech Republic stay in our home for a year. She arrived in mid August 2009 and returned home in July 2010. This was a great experience for everyone. She was a member of our family and she participated in everything we all do together.

Today I completed the draft manuscript for a book on security technology that will be published in December or January. This was a short project that took just a few weeks.  Today I met with my literary agent to plan the next five years of my writing. My business manager and I are both quite excited about the next few years.

While I took the year off of bookwriting, I was still involved in some other things. I’m a member of the Cloud Security Alliance and contributed to its Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, and am a member of the Cloud Security Alliance Certification Board. I also earned the CRISC (Certified in Risk, Information Security, and Control), a new certification offered by ISACA (Information Systems Audit and Control Association), which I’ve been a member of since 2002.

Certification and Experience: Putting the Cart Before the Horse

Bookmark This (opens in new window)

When I earned my CISSP in 2000, and my CISA in 2002, I desired to earn these certifications as a way of demonstrating the knowledge and experience that I had already accumulated. To me, these certifications are a visible symbol of my professional qualifications in the professional community.

In recent years, I have seen many people who do not have the knowledge or the experience, and they desire to earn these certifications so that they may be better qualified for positions where they can earn the knowledge and experience that these certifications require.

These people have it backwards. They are showing impatience: they want the positions that require experience, but they do not yet have it. They ask, now that I have my CISSP (or CISA or CISM), how can I now get security specialist, security manager, security auditor, or other positions? And they wonder why they have difficulty finding these jobs that require CISSP, CISA, or CISM certification.

What I believe they fail to understand is that they do not have the required experience.

The correct path for professional certification and experience is this: acquire the knowledge and the experience, and then earn the certification. This is the method expected by employers, professionals, and the organizations that develop and manage these certifications.

Would you go to a doctor who had his license to practice but did not yet have the required experience? Of course not, and likewise employers do not hire candidates based only on their certifications. Instead, employers hire based upon knowledge, experience, and particular skills.

I believe that many of these aspiring certification candidates are being led astray by training organizations who are implicitly (if not explicitly) fostering the expectation that one can earn a certification based on a short training course alone, as though it is a “shortcut” to positions with greater responsibility, expectations, and compensation.

To IT professionals who want to get ahead and earn certifications: good for you! I wish you well! However, do know that you need to accumulate years of work experience first – then earning those certifications will be relatively easy, and you will have greater satisfaction through knowing that you have rightfully earned your certification, not only because you were able to pass a certification exam, but also because you have the experience that goes with it.

CISA study group

CISM study group

CISSP study group

CRISC study group

CISSP Study Group Formed

Seattle (WA USA) Sept 8, 2009. Noted security expert Peter H. Gregory, CISA,
CISSP, DRCE who started CISA and CISM certification study groups in 2002, has
launched a CISSP certification study group. Like the CISA and CISM groups, the
new CISSP study group is hosted by Yahoo Groups.

This group is for technology and security professionals who are interested in
learning more about the CISSP certification, as well as for instructors who
teach courses on information security. People who are already certified are also
invited to join as “mentors” who can help those who are just starting out.

People who are interested in joining the group may go to the following URL:

http://groups.yahoo.com/group/CISSP-study/join

People who are already members may go to the group at this URL:

http://groups.yahoo.com/group/CISSP-study

The CISSP Study group will have the following features:

* Message archive
* Moderated messages (no spam)
* Files upload
* Links pages
* Surveys

Only active members of the group may access these features.

Information that will be discussed in the forum include:

* CISSP qualifications
* CISSP study tips
* CISSP study books and courses
* CISSP study questions
* Registering for the certification exam
* Test tips
* Questions on any topic of information and business security

How to study for the CISSP examination

Bookmark This (opens in new window)

Whitepaper by Ernie Hayden, a noted security expert, on studying for the CISSP exam.

Download here (PDF)

Is the CISSP certification still relevant?

Bookmark This (opens in new window)

Some argue that, because more people have earned it, the CISSP certification is becoming less relevant.

The CISSP certification is not less relevant because more people are passing it – more people are passing it because there is a much higher demand for CISSP-certified professionals than at any time in the past. Information and business security are far more relevant than in the past, because more organizations are using information systems in increasingly-complex ways to support critical business processes.

In my opinion the growth of CISSPs is still not keeping up with the demand for such professionals. If anything, the certification is MORE relevant now than at any time before.

I disagree with the statement that it will become less relevant. On the contrary, as the number of people who earn the CISSP certification grows, the MORE relevant it will become! Say, for instance, 20 years from now, that 1/3 of all IT professionals have the certification. That would make CISSP *HIGHLY* relevant!

I think that maybe you are asking a completely different question. Today, having a CISSP gives relevance to the individual person who holds it. When CISSP is rare, having it makes the person more relevant. But if CISSP were to become plentiful, that would make the certification far more relevant.

Take MCSE. Lots of IT pros have it. The certification is *highly* relevant – so much so that it is practically a standard. A person who does *not* have the MCSE is not relevant. In many companies you can’t play in the game if you don’t have it. That sounds like high relevance to me.

Shortage of qualified security professionals continues

Bookmark This (opens in new window)

Security is a topic of great interest to IT professionals, business management, and the general public.  The wide proliferation of private information among organizations in the 1980s led to public outcry and the passage of privacy laws.  The explosion of e-commerce in the 1990s resulted in the theft of hundreds of millions of credit card numbers in thousands of security incidents that continue to this day.  Identity theft has also skyrocketed, largely because many organizations collect and store personal information and do not adequately protect it.  Many countries have passed additional data security laws intended to tighten up security and also require the disclosure of security breaches.  Things have only marginally improved since then.

These developments have led to a severe shortage of qualified information and business security professionals who are able to properly apply security controls required by applicable laws and regulations.  These professionals also need to be able to seek, identify, and mitigate other risks that could negatively affect organizations that collect and use sensitive information.

Introduction to an upcoming academic textbook on business and computer security

Career advice: how to begin a security career

Bookmark This (opens in new window)

Today a colleague from Melbourne wrote me and said,

Hi Peter,

Greetings from Melbourne, Australia.

It was refreshing to read your site esp your Christian perspective on the profession.

I’m after some career guidance if you don’t mind –
I have a Business Analyst background and am currently working in IT consulting for a company that specialises in custom app development and systems integration. I have taken a keen interest in Info Security and will sit the CISSP exam at the end of this year with the intention to certify as an ISC2 associate (until such time as I possess the relevant experience to be a CISSP)…

In terms of specialising in the Information Security field are there any particular areas where demand will be highest? (application, network,governance etc.) Also, what blend of technical/personal abilities will the profession require of its practitioners going forward… any insight you can provide will be much appreciated. Thank you.

Cheers,

(name)

* * * * * * *

Hi (name),

Thank you for your message and your kind comments.

If you were in the U.S., I could give you more precise perspective on what’s in demand.  But I have an idea.

I suggest you find a local chapter of ISSA and/or ISACA (the ‘owner’ of the CISA and CISM certifications) and sign up.  This will give you many networking opportunities to meet and know others in the information security profession.  Through your contacts and communications with local members, you should soon get a good idea of what’s in demand.

But I stress this: the best people in information security are those who already have technology experience, and begin to build expertise on the risks in that technology.  So I see you are in an app dev and integration firm.  I’ll presume that this is a field where you have good expertise.  So what I would suggest is that you begin to build your security experience by beginning to understand the risks around “safe coding” principles and the processes to ensure that the entire SDLC (systems development life cycle) includes procedures to ensure that the proper measures are taken to ensure that changes to software do not introduce vulnerabilities at any level.  So if s/w dev is your thing, you might pick up a copy of Michael Howard’s book, Writing Secure Code (or something close to that – a huge best seller).

For me, my career was in computer operations, systems administration, software engineering, and network engineering.  Then, it became my job to secure systems and networks, so I began to read all I could and made systems and networks secure.  Then, I branched out from there to better understand other sources of risk, like unauthorized intruders and secure coding.

So my advice is, begin to build security expertise in the area of technology where you are most familiar, and branch out from there.  Networking with others will help to broaden your knowledge about risk overall.

Hope this helps,

Peter

Integrity and intellectual property

Bookmark This (opens in new window)

On some of my mailing lists I have seen messages recently that suggest that persons are willing to send and receive copyright materials.

Exercise extreme caution when offering or accepting study materials that are not in their *original* form. If you transmit or receive electronic (or paper) copies of copyright materials such as study guides or study questions, there is a good chance that both the sender and receiver are breaking international copyright laws, which is both a crime as well as a violation of the ISACA Code of Ethics.

Sending or accepting such materials also compromises your personal and professional integrity. This will make you ineffective as IT audit professionals and leaders. See these two articles for more information:

Personal integrity: the keystone in an infosec career

A call for character and integrity

The road of higher integrity is not always the easy road. Taking the path of high integrity requires sacrifice and it is often difficult. You will, however, be a better person for it, both personally and professionally. And your conscience will allow you to sleep at night!

What security professionals can learn from Eliot Spitzer

Bookmark This (opens in new window)

Eliot Spitzer, the [soon-to-be-former] governor of New York State has resigned due to his being involved in a highly publicized sex scandal.

Corporate security professionals, time to sit up and take notice. I’m talking to CISSPs, CISAs, CISMs, and those in positions of ISO, ISSO, CISO, as well as Manager / Director / VP of IT Security.

As I have opined before, we are obliged to lead our organizations by example, in terms of prescribing and demonstrating desired behavior of employees on the protection of all corporate assets, including information. Leading by example means working transparently, of working every hour as though others are watching.

Eliot Spitzer gave in to his carnal desires and indulged in prostitution because he thought that he could keep it hidden. But behavior is like pouring water onto a sponge: for a time the sponge will soak up the water, keeping its presence hidden; eventually, however, the water – like the illicit behavior – will overflow and be impossible to hide. But like a frog in boiling water, Gov. Spitzer probably indulged in small ways at first, but proceeded slowly until he was no longer in control of his behavior / addiction.

Security professionals, there are steps that you can take to avoid falling into a trap of undesired behavior:

1. Be accountable. Pick two or more peers with whom you can meet every week to discuss your activities. These individuals must be trustworthy and themselves above reproach.

2. When you feel the tug of undesired behavior, confide in these accountability partners. Then, listen to their advice; if it is sound, heed it.

3. When you partake in undesired behavior, confess it to your accountability partners. Listen to their counsel; if they are loyal and have personal integrity, they will not chastise you for your behavior but instead help you to get back onto the right track.

4. Keep no secrets. Tell your accountability partners everything that you do. Keep nothing back. Share even the deep recesses of your “thought life” – which is the kernel of future behavior.

While it will be convenient to select accountability partners from the workplace, you should not choose your superiors or your staff. Instead I recommend that you choose individuals in your organization who you do not work with routinely or, better yet, choose individuals who do not work in your organization.

You can only be accountable to others when you allow yourself to be accountable to you.

Some principles of behavior:

A. If you were an outsider and would judge or criticize your own behavior, spend more time seriously considering what you are doing, and get yourself onto a path of change.

B. Do not be afraid to ask for help.

C. Learn to forgive yourself for your mistakes.

D. Do not give up.

There is an old saying: “There is no such thing as a complete failure; they can always be used as a bad example.” Gov. Spitzer may be a bad example today, but his example should help others to be introspective and re-examine their own behavior.

Remember the security professional codes of ethics:

(ISC)²
ISACA
ASIS
CTIN
ISSA
GIAC
InfraGard
SANS
NCISS

Other postings:

CIA Triad also the basis for our ethical behavior

A call for character and integrity

Principles that guide the Christian security professional

Personal integrity the keystone in an information security career

Integrity begins within: security pros lead by example (Computerworld)

CISSP one of the hottest certs for 2008

Bookmark This (opens in new window)

Tech RepublicToni Bowers, senior editor for Tech Republic, cites CISSP as one of the ten hottest IT certifications of 2008. Ms. Bowers states, “With CISSPs earning $94,070 a year on average, it’s easy to see why Trapp puts this one on the list. (Note that the exam costs $500, lasts up to six hours, and includes 250 multiple choice questions.”

CISSP for Dummies, 2nd editionLink to full article here.

Study for the CISSP certification with the best-selling CISSP study guide, CISSP for Dummies, here.

CISSP’s role in regulation

Bookmark This (opens in new window)

The major focus of the CISSP certification is centered on security technology and management, but the functional areas in the realm of regulation and compliance are “softer” areas that are somewhat removed from security itself.

However, there are compliance-related tasks for which the CISSP certification does not prepare its candidates. Activities such as business controls development, internal audits and the interpretation and application of regulations are barely touched on in the CISSP world. Other certifications, such as the Certified Information Systems Auditor (CISA), focus on controls and internal audits.

From an upcoming article on the adequacy of the CISSP certification in today’s new regulation-centric security environment