[ISN] CISSPs - Do You Know Your Organization?

From: InfoSec News (isnat_private)
Date: Fri May 04 2001 - 03:11:59 PDT


    By Anonymous
    3 May 2001.
    Provided in response to Cryptome's International License to Practice
    IT Security Worldwide.
    In 1989, a group of people associated with the not-for-profit
    Information System Security Association (ISSA), the for-profit
    Computer Security Institute (CSI), government agencies like the
    National Institute of Standards and Technology (NIST), and Idaho State
    University decided to form a consortium called the International
    Information System Security Certification Consortium (ISC)2. The
    organization had as its goal the professional certification of
    information system security practitioners around the world. These
    individuals were required to satisfy some basic requirements,
    including a minimum amount of time working in the computer security
    field and passing an examination based on a so-called Common Body of
    Knowledge (CBK).
    At first, applicants could apply for the Certified Information System
    Security Professional (CISSP) designation through a
    Waiver-for-Examination (WFE) process. These "grandfathered" CISSPs
    submitted detailed applications for approval by a committee of
    professional peers. This WFE program was, however, very poorly
    advertised outside North America, so a number of professionals
    outside that region never had a chance to submit applications for the
    WFE process. Subsequent to the WFE process, candidates for CISSP were
    required to take a 250-question examination administered by a private
    for-profit testing service.
    Very soon, several problems developed with the CISSP program and the
    activities of the (ISC)2 Board of Directors. In 1996, it became clear
    that the Board's certification goals were concentrating only on the
    United States and Canada.
    The genesis of the CISSP program also hinged on a very dubious
    contract negotiated by some of the founding principals of (ISC)2 and
    the United States Postal Service, a quasi-government entity. The
    composition of the CBK and the training curriculum and examination,
    therefore, took on a very U.S.-centric flavor. Initial complaints from
    Canada resulted in a Canadian annex being appended to the
    certification examination, however, the associated training remained
    largely U.S.-oriented, with heavy emphasis on U.S. government
    standards developed in the early 1980s by the U.S. National Security
    Agency (NSA).
    It also became clear by the end of the 1990s that some of the founders
    of the CISSP program were more interested in turning a profit than in
    refining and improving the content of either the examination or the
    training curriculum. Emphasis was placed on the quantity of people
    certified rather than on the quality of the candidates, test,
    examination, or trainers.
    As the training and testing expanded into Finland, and very modestly
    to the United Kingdom, Ireland, and Denmark, it became more apparent
    that the CISSP was irrevocably tied to the United States environment,
    and more specifically to the requirements of the U.S. Government.
    In the Autumn of 1999 the (ISC)2 Board chose to establish even closer
    cooperation with organizations close to the U.S. government and the NSA.
    It is a pity that so few CISSPs attend the Annual meeting. They
    should participate and closely follow what the organization and its
    Board are doing. They should ask questions concerning training,
    testing, trainers (only American), finances, officers, directors,
    elections, and (ISC)2 personnel hiring/firing policy. They may find
    the answers extremely interesting. For example: who are the directors?
    How are they elected? What are their benefits? How are budgets
    derived? etc.
    The administration of (ISC)2 has been shifted within a for-profit
    company that is responsible for handling the certification
    examinations, throwing into question the Internal Revenue Service
    tax-exempt status of (ISC)2 as a not-for-profit organization. CISSPs
    should understand that their money is involved in this business --
    they are the stakeholders!
    There is a clear need for a truly international professional
    certification program, free of influences from either the U.S.
    Government or bodies like NSA. Since the United States is pushing the
    notions of Critical Infrastructure Protection and "offensive
    information warfare," there is a need for Europe to find information
    technology security solutions and safeguards that are in the interest
    of European citizens and institutions.
    A truly international professional certification would be highly
    beneficial to not only European IT security professionals but also to
    those in other countries who are increasingly involved in global
    electronic commerce and international operations.
    There have been several disturbing trends in Europe over the past few
    years that call for a high degree of trust in those who are
    responsible for protecting the security of critical information
    systems and networks. In a time when state-sponsored espionage and
    disruptions of critical information systems are becoming more of an
    issue, and all the traditional threats of organized crime, corporate
    fraud, and hacking are still critical problems, it is important that
    international IT security professionals remain above the fray of
    illegal and wanton state-sponsored activities aimed at penetrating
    computer systems and networks.
    The following are just a few examples of what has occurred in Europe
    since 1995:
    - British press reports of break-ins by non-European foreign
    intelligence services into the computer networks of the European
    Parliament. The penetrations were facilitated by security holes in the
    network operating protocols supplied by American firms.
    - International media reports of computer break-ins by U.S.
    intelligence into banks in European Union (EU) member Greece, EU
    candidate Cyprus and European Economic Area (EEA) member Switzerland.
    - German press reports of foreign intelligence eavesdropping on bank
    communications in EEA member Liechtenstein.
    - International press reports about the monitoring of European
    telecommunications from NSA stations at Menwith Hill, UK and Bad
    Aibling, Germany.
    - A verified report that the NSA was rigging network and cryptographic
    software in order to break into the networks of the European
    Commission and European Parliament.
    From a European (and EU) point of view it would seem more natural to
    organize and/or establish the Information Security Professional
    Certification framework in cooperation with an organization which has
    no "hidden" connections or control from any non-European government
    agency or intelligence service. The European Union "Echelon" Committee
    is about to conclude its report on NSA technical eavesdropping on the
    private lives of European citizens. European IT security professionals
    must ally themselves to their own nations and European employers, not
    the computer spymasters of the United States and organizations that
    are willing to do their bidding.
    The European Commission has both a requirement and an opportunity to
    start a real, international, and independent information security
    professional certification process free of control from the United
    States and its North American sycophant, Canada.
    ISN is hosted by SecurityFocus.com