
which Security Cert?

Comments

  • Closed Accounts Posts: 120 ✭✭test999


    The only cert worth squat is the CISSP qualification; the rest of them are for noobs. To get the CISSP you have to sit a six hour (no breaks) exam.

    I went to the meeting, it was vaguely interesting. Only about 50% of the speakers had a clue unfortunately. The only guy worth mentioning was Eoin Phlem, a CISSP who's working on the BOI/HP IT deal.


  • Closed Accounts Posts: 309 ✭✭gre_soul


    thanks for useful info test999


  • Registered Users, Registered Users 2 Posts: 11,205 ✭✭✭✭hmmm


    The CISSP has an experience requirement, it's not meant to be an entry level cert. SSCP is the entry level cert from ISC2 - wouldn't touch this though. The gold standard for "security management" now is CISM from ISACA.

    Depends what you want to get into in security - what is it you want to do?


  • Closed Accounts Posts: 120 ✭✭test999


    The CISM has an experience requirement, it's not meant to be an entry level cert.

    Do you want to be a technical security body or a paper/policies/procedures security body?

    What do you do at the moment?


  • Closed Accounts Posts: 345 ✭✭tck


    CISM does look for 'business-oriented' as it says from the site,

    SSCP > CISSP looks a good way to go (for techies anyways)


  • Closed Accounts Posts: 120 ✭✭test999


    tck wrote:
    SSCP -> CISSP looks a good way to go (for techies anyways)

    Better to go with the associate CISSP certification.
    (ISC)2 Associate Program: This program lets individuals who don’t yet meet experience requirements pass the CISSP exam, then qualify when experience criteria are satisfied. See www.isc2.org/cgi/content.cgi?category=84#cat07

    Are there any CISSP's or CISM's (or CISA's) on boards?


  • Closed Accounts Posts: 4 puzzles


    Actually yes...I am the aforementioned phlegm - well my name's actually Fleming but I don't take offence easily! cough cough!


  • Closed Accounts Posts: 120 ✭✭test999


    Hello Eoin!

    I spelled your second name that way to flush you out. ;) pardon the pun.

    I was thinking of doing the CISM, currently deciding on which books to study.

    ...perhaps you could recommend some materials??

    I sent this email to Owen in ISACA...
    I found this book "The CISM Prep Guide : Mastering the Five Domains of Information Security Management" by Krutz & Vines, published Q1 '03 (now dated perhaps?)
    http://www.amazon.com/exec/obidos/ASIN/0471455989/qid=1104933864/sr=2-1/ref=pd_ka_b_2_1/103-7542553-4927056

    and "Certified Information Security Manager (CISM) Review Manual 2005 English Edition" by ISACA (pub date is Q3 '05)
    http://www.isaca.org/Template.cfm?Section=Security&template=/ECommerce/ProductDisplay.cfm&ProductID=553

    Would it be workable to study the first book, and use the second book occasionally as a reference, if the first book didn't provide enough coverage? I'm not looking for cheat sheets, just a unified source of reliable/up-to-date information so I can study effectively.

    How quickly is the CISM curriculum moving? ISACA make out their 2005 is new and improved.


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Personally I wouldn't go with the CISSP, well not yet anyway, it has a very strict policy on who it lets take the exam, you MUST have 5 years (or so) security work experience, of course certain other qualifications allow you less than 5 years etc etc

    The main question you need to answer is where you are starting from ?
    just starting in security \ want to start in security \ years at it, want certs etc ? Giving more information on what you want to achieve would help choosing some good certs for you.

    Personally I think the CISSP is far too theory oriented rather than technical and make no mistake about it is a TOUGH exam ! also the requirements to even take the exam are quite off-putting.

    For more technical exams SANS is definitely the way to go, but they wouldn't be the first Sec. exams I would do. The SANS exam courses are really good, quite pricey tho. but they teach you loads ! I have some of the SANS books that I'm reading at the moment and I find them very good.

    Just getting into Security I would go for the CompTIA Sec + just for the sake that it will teach you a lot of broad theory and it is very easy to progress after it.

    Just my 2 cents worth


  • Registered Users, Registered Users 2 Posts: 655 ✭✭✭conor-mr2


    I'm recently CISA certified. It's a nice one to have but I'd go with what Static said if you want the technical experience go for SANS.


  • Closed Accounts Posts: 120 ✭✭test999


    @Conor, hello!

    Which books did you study or were you grandfathered in?

    Do you still drive an MR2? nice car, na or turbo? (OT, sorry)

    What other certs do you have?


  • Registered Users, Registered Users 2 Posts: 655 ✭✭✭conor-mr2


    Have a computer science degree and then got the book and cd from Isaca.org themselves. They were more than enough required to pass the exam.

    Yup it's a turbo alrite. Might be selling to get a Supra though. I'll c!!!

    I'm doing the Network+ right now. Easy enough. Then the Linux+. After that I'm hoping my job will pay for the SANS Certs!!

    Eventually I'll do the CISSP


  • Closed Accounts Posts: 4 puzzles


    I guess what cert you go for depends on what you want (and what stage you are at in your career).

    I can only speak from personal experience so I will give you the reasons why I certified and why (plus some that I am planning to do).

    ISC2

    CISSP - the first certification I did - yes I know that's the wrong order but I came from a background of Systems admin and needed a piece of paper to wave in the faces of people that didn’t believe that I_got_it in terms of how to secure a system/company/environment.

    Advantages - the OH factor - as in oh you're a CISSP - good recognition.

    Good overview of everything - wide but shallow.

    Disadvantages - Tough exam and entry criteria.

    Concentrations - no - I am not asking you to concentrate - I can't be that boring- these are what you do if you already have a cissp - you have 3 choices - specializing in where you want to "go"

    Architecture - Pretty Pictures
    Engineering - Mechanics
    Management - Ensuring that the Architecture guys produce the pretty pictures in such a way that the engineers do_not_get_upset.

    ISSAP - Architecture - no point unless you want to spend your life a Visio jockey. If you have passed the CISSP you will pass this.

    Advantages: people who love Visio will come to love you too.
    Disadvantages: see advantages.

    ISSEP - Engineering - no point unless you are -

    a) American
    b) have an interest in working for the NSA
    c) have an amazing short term memory - not taking the piss but this was developed for the NSA so if you do it and pass, go to www.nsa.gov and then think seriously about why you did this exam.

    If the answers for a,b,c are yes - you belong there (if you would like an abrupt career change) you have my admiration and I have yet to meet anyone who passed this first time.

    Advantages: Pass? Black helicopters will be over your house soon.

    Disadvantages: CISSP is tough? This is a bastard.

    ISSMP - the management qualification -

    Fair game if you have worked in any sort of management position in a company.

    Advantages: Gives you a fair overview of what people "want"
    Disadvantages: Gives you fair overview of what people "want"

    ISACA's

    CISA - Spend any time in IT and you start to wonder how auditors think - this particular cert. gives you an enormous advantage if you do audit yourself or have to face off external auditors - otherwise it's almost useless. If you don't do either of these two things fogettaboutit - audit is not the same as infosec. - we need each other but it's very like the secret police needing another secret police- we co-operate but we are often at loggerheads.

    Advantages - If you are audit facing - do this
    Disadvantages - If you aren’t it's a waste of time.

    CISM- Going to do this year so I don't know yet but I suspect the approach is buy and read ISACA's prep. guide a lot and it should be fine - remember this is an audit organization so they are not into surprises.

    Advantages? Is a bit of a buzzword at the moment
    Disadvantages ? New and not well recognized outside of the security community.

    I am going to do the CISM and the Law Soc’s Diploma in E-Commerce this year - the way things are going a good grasp of the law is critical for security work - if you don't have it then you won't be in practice soon.


    Soon we will be Lawyers.


  • Registered Users, Registered Users 2 Posts: 3,739 ✭✭✭BigEejit


    Sorry for dragging up an old thread but I am wondering if anyone here has a SANS qualification .... they certainly know how to charge (see here) .. so it's most likely that you would have to get your company to pay for it (fat chance where I am)... does it need a lot of security experience?

