DoD 8570.1 ISSEP coming?
September 18, 2007
Honestly, you probably could get away with a Security+ for a while (if you're already in a govt security position) because the 8570.01M indicates the need for a Security+ at the very least at IAM 1.
But if your position actually requires you to take on an IAM role at the Field Operating Agency enclave systems or some other MAJCOM equivalent level, then you should go for the CISSP. The DoD is talking about requiring an Information System Security Engineering Professional certification, ISSEP (a certification that actually requires the CISSP to even take the test), for enclave systems.
This table is taken straight from the DoD 8570.01M:

from tao security
More on the 8570:
http://iase.disa.mil/eta/index.html#8570training
Notes: The 8570 FAQ mentions that “Future updates to the Manual will incorporate specialized elements of the IA workforce. Chapters on System Architecture and Engineering and Computer Network Defense Service Providers have been drafted and are currently entering the formal DoD staffing process.” I haven’t been able to find the new 8570 Draft that refers to ISSEP, ISSAP (specialized CISSP) but I’ve been seeing it in slides and at briefings for about a year now.
Here is what is being proposed. This would actually affect me (I may have to get an ISSEP or ISSAP). Security+ will not cut it if this passes in the next DoD 8570 Draft.
Chapter 10: Information Systems Security Architects/Engineers
Level: IASAE I – Certs: CISSP
Level: IASAE II – Certs: CISSP
Level: IASAE III – Certs: ISSEP, ISSAP
Chapter 11: CND Service Providers
Role: CND Analyst – Certs: GCIA
Role: CND Infrastructure Support – Certs: MCSA Security, SSCP
Role: CND Incident Responder – Certs: GCIH, CSIH
Role: CND Auditor – Certs: CISA, GSNA
Role: CND SP Manager – Certs: CISSP-SSMP, CISM
Ref: www.disa.mil/conferences/2007/briefings/iatool_training.ppt (slide 19 from DISA Conference)
Certified Ethical Hacker Cert and Certified Pen Testing Expert
May 31, 2006
I'm going to go for the Certified Ethical Hacker Cert and eventually the Certified Pen Testing Expert Certification. That is the direction that I'd like to go with my Information Security Career.
As of right now, I have a CISSP. I do a lot of Security Testing Evaluations and Authorization Agreement, Security Policy type work. It pays well but I think Pen Testing would be more fun. After getting the CISSP, I seriously considered going after the ISSEP, Information System Security Engineering Professional cert, which I heard was harder than the CISSP… I don't see how that is possible.
The CEH is a 125 question test that I've heard mixed reviews about. I've taken the bootcamp and I love the material. It's all hardcore hacking. Not simply how to use Cain & Abel or NMap but how to code malware with notepad, methods of SQL injection, and firewall attacks. I learned a lot. It also scared the piss out of me. If you're already a hacker or hardcore pen tester, then the class would be nothing more than a refresher. Intermediates with pentesting will have a real treat. Beginners will be decapitated.
I guess CPTE, Certified Pen Testing Expert, is the latest one. From what I've read, it looks like it is a step up from the CEH. Here is some more info on the CPTE. From what I've read the CPTE is INSANE. It looks like a practical exam completed in the presence of a pentesting expert. It includes SQL injections, gathering data, compiling hacker applications, and FRICKING Lockpicking… I AM NOT READY.
The ISSEP: Information System Security Engineering Professional (ISSEP) certification
September 14, 2005
I've been thinking of taking the Information System Security Engineering Professional (ISSEP) certification. Since the CISSP info is still fresh in my mind and much of the ISSEP material covers things I do or have to deal with daily, it seems like a good idea.
What is the ISSEP?
The ISSEP was developed by the International Information System Security Certification Consortium (ISC)2 in conjunction with the National Security Agency/IAD. Whereas the CISSP is an all-encompassing general look at security, the ISSEP is a concentration on the system security engineering process. System security engineering has to do with ensuring that selected solutions meet the mission or business security needs. It is defined as “the art and science of discovering users' security needs, and designing and making with economy and elegance information systems so that they can safely resist the forces they might be subjected to.”
System Security Engineers' tasks:
Discover Information Protection Needs
Define system Security Requirements
Design System Security Architectures
Develop Detailed Security Design
Implement System Security
Assess Information Protection Effectiveness
Instead of ten Domains the ISSEP has four:
System Security Engineering
Certification and Accreditation
Technical Management
U.S. Government Information Assurance Regulations
Most of the ISSEP's material comes from the Information Assurance Technical Framework (IATF).
My co-worker recently took the test and he said it was more difficult than the CISSP. The CISSP is easily THE most difficult test I've ever done. Although, since most of the information comes from the IATF, I'm not sure how it could be more difficult.
The CISSP is so broad that you could not possibly get all the information from a single source.
http://www.acsac.org/2003/case/thu-c-1530-Oren.pdf
www.nsa.gov
www.isc2.org