Forwarded from: Dennis Kezer <dkezer@csc-dc.com>

SANS seems to have completely missed the part that says technical people must also be certified in the vendor-specific technologies they support. The CAPS are from the guidance, not from me. They wisely chose not to attempt to list these out, as there are so many vendors out there that such a list would be all but impossible to compile or maintain.

C3.2.4.8.7. In addition to the baseline IA certification requirement for their level, IATs with privileged access MUST OBTAIN APPROPRIATE COMPUTING ENVIRONMENT (CE) CERTIFICATIONS for the operating system(s) they support as required by their employing organization. This requirement ensures they can effectively apply IA requirements to their hardware and software systems.

-----Original Message-----

Paller said he is especially worried because the Defense Department requires its frontline information assurance employees to have those nontechnical certifications.

DOD officials are confident in their choice of certifications, said Bob Lentz, director of information assurance in the DOD chief information officer's office. The department has codified security competencies for its IT security employees under Directive 8570.1, "Information Assurance Training, Certification, and Workforce Management." Frontline security employees must have certifications from CompTIA or (ISC)2 but not SANS or vendors.

"The key error is that [DOD officials] took security managers who never had hands-on security experience to design a security certification," Paller said. "If all you've ever done is write policy, how would you know what to do to secure a Unix box?"

<snip>

Under DOD's directive, someone with CISSP certification could get any technical or managerial position, even though CISSP should not qualify people for technical positions because it is more analytical, Ashworth said.

Officials might have chosen CISSP because many people hold that certification, which could make it easier for DOD to fill positions, Ashworth said.

To improve frontline security, DOD and certification vendors must create progressively harder, platform-specific security tests to evaluate low-level security employees, Paller said. Once they do, Paller predicts that the rest of the government and industry will follow suit, improving security for everyone.

_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Mon Jan 09 2006 - 22:37:29 PST