Re: [ISN] Web extra: DOD, orgs: SANS survey findings not dire

From: InfoSec News (isn@private)
Date: Mon Jan 09 2006 - 22:32:54 PST

Forwarded from: Dennis Kezer <>

SANS seems to have completely missed the part that says technical
people must also be certified in the vendor specific technologies they
support. The CAPS are from the guidance, not from me.  They wisely
chose not to attempt to list these out as there are so many vendors
out there such a list would be all but impossible to compile or

C3.  In addition to the baseline IA certification requirement
for their level, IATs with privileged access MUST OBTAIN APPROPRIATE
they support as required by their employing organization.  This
requirement ensures they can effectively apply IA requirements to
their hardware and software systems.

-----Original Message-----

Paller said he is especially worried because the Defense Department
requires its frontline information assurance employees to have those
nontechnical certifications.

DOD officials are confident in their choice of certifications, said Bob
Lentz, director of information assurance in the DOD chief information
officer's office. The department has codified security competencies for
its IT security employees under Directive 8570.1, "Information Assurance
Training, Certification, and Workforce Management." Frontline security
employees must have certifications from CompTIA or (ISC)2 but not SANS
or vendors.

"The key error is that [DOD officials] took security managers who never
had hands-on security experience to design a security certification,"
Paller said. "If all you've ever done is write policy, how would you
know what to do to secure a Unix box?"


Under DOD's directive, someone with CISSP certification could get any
technical or managerial position, even though CISSP should not qualify
people for technical positions because it is more analytical, Ashworth

Officials might have chosen CISSP because many people hold that
certification, which could make it easier for DOD to fill positions,
Ashworth said.

To improve frontline security, DOD and certification vendors must create
progressively harder, platform-specific security tests to evaluate
low-level security employees, Paller said.

Once they do, Paller predicts that the rest of the government and
industry will follow suit, improving security for everyone.
