[ISN] CISSPs - Do You Know Your Organization?

From: InfoSec News <isn_at_C4I.ORG>
Date: Fri 04 May 2001 - 05:11:59 CDT
http://cryptome.org/cissp-who.htm

By Anonymous
3 May 2001.

Provided in response to Cryptome's International License to Practice
IT Security Worldwide.

In 1989, a group of people associated with the not-for-profit
Information System Security Association (ISSA), the for-profit
Computer Security Institute (CSI), government agencies like the
National Institute of Standards and Technology (NIST), and Idaho State
University decided to form a consortium called the International
Information System Security Certification Consortium (ISC)2. The
organization had as its goal the professional certification of
information system security practitioners around the world. These
individuals were required to satisfy some basic requirements,
including a minimum amount of time working in the computer security
field and passing an examination based on a so-called Common Body of
Knowledge (CBK).

At first, applicants could apply for the Certified Information System
Security Professional (CISSP) designation through a
Waiver-for-Examination (WFE) process. These "grandfathered" CISSPs
submitted detailed applications for approval by a committee of
professional peers. This WFE program was, however, very poorly
advertised outside North America, so a number of professionals
outside that region never had a chance to submit applications for the
WFE process. Subsequent to the WFE process, candidates for CISSP were
required to take a 250-question examination administered by a private
for-profit testing service.

Very soon, several problems developed with the CISSP program and the
activities of the (ISC)2 Board of Directors. In 1996, it became clear
that the Board's certification goals were concentrating only on the
United States and Canada.

The genesis of the CISSP program also hinged on a very dubious
contract negotiated by some of the founding principals of (ISC)2 and
the United States Postal Service, a quasi-government entity. The
composition of the CBK and the training curriculum and examination,
therefore, took on a very U.S.-centric flavor. Initial complaints from
Canada resulted in a Canadian annex being appended to the
certification examination; however, the associated training remained
largely U.S.-oriented, with heavy emphasis on U.S. government
standards developed in the early 1980s by the U.S. National Security
Agency (NSA).

It also became clear by the end of the 1990s that some of the founders
of the CISSP program were more interested in turning a profit than in
refining and improving the content of either the examination or the
training curriculum. Emphasis was placed on the quantity of people
certified rather than on the quality of the candidates, test,
examination, and trainers.

As the training and testing expanded into Finland, and very modestly
to the United Kingdom, Ireland, and Denmark, it became more apparent
that the CISSP was irrevocably tied to the United States environment,
and more specifically to the requirements of the U.S. Government.

In the Autumn of 1999 the (ISC)2 Board chose to establish even closer
cooperation with organizations close to U.S. government and NSA.

It is a pity that so few CISSPs attend the Annual meeting. They
should participate and closely follow what the organization and its
Board are doing. They should ask questions concerning training,
testing, trainers (only American), finances, officers, directors,
elections, and (ISC)2 personnel hiring/firing policy. They may find
the answers extremely interesting. For example: who are the directors?
How are they elected? What are their benefits? How are budgets
derived? etc.

The administration of (ISC)2 has been shifted within a for-profit
company that is responsible for handling the certification
examinations, throwing into question the Internal Revenue Service
tax-exempt status of (ISC)2 as a not-for-profit organization. CISSPs
should understand that their money is involved in this business --
they are the stakeholders!

There is a clear need for a truly international professional
certification program, free of influences from either the U.S.
Government or bodies like NSA. Since the United States is pushing the
notions of Critical Infrastructure Protection and "offensive
information warfare," there is a need for Europe to find information
technology security solutions and safeguards that are in the interest
of European citizens and institutions.

A truly international professional certification would be highly
beneficial to not only European IT security professionals but also to
those in other countries who are increasingly involved in global
electronic commerce and international operations.

There have been several disturbing trends in Europe over the past few
years that call for a high degree of trust in those who are
responsible for protecting the security of critical information
systems and networks. In a time when state-sponsored espionage and
disruptions of critical information systems are becoming more of an
issue, and all the traditional threats of organized crime, corporate
fraud, and hacking are still critical problems, it is important that
international IT security professionals remain above the fray of
illegal and wanton state-sponsored activities aimed at penetrating
computer systems and networks.

The following are just a few examples of what has occurred in Europe
since 1995:

- British press reports of break-ins by non-European foreign
intelligence services into the computer networks of the European
Parliament. The penetrations were facilitated by security holes in the
network operating protocols supplied by American firms.

- International media reports of computer break-ins by U.S.
intelligence into banks in European Union (EU) member Greece, EU
candidate Cyprus and European Economic Area (EEA) member Switzerland.

- German press reports of foreign intelligence eavesdropping of bank
communications in EEA member Liechtenstein.

- International press reports about the monitoring of European
telecommunications from NSA stations at Menwith Hill, UK and Bad
Aibling, Germany.

- A verified report that the NSA was rigging network and cryptographic
software in order to break into the networks of the European
Commission and European Parliament.

From a European (and EU) point of view it would seem more natural to
organize and/or establish the Information Security Professional
Certification framework in cooperation with an organization which has
no "hidden" connections or control from any non-European government
agency or intelligence service. The European Union "Echelon" Committee
is about to conclude its report on NSA technical eavesdropping on the
private lives of European citizens. European IT security professionals
must ally themselves to their own nations and European employers, not
the computer spymasters of the United States and organizations that
are willing to do their bidding.

The European Commission has both a requirement and an opportunity to
start a real, international, and independent information security
professional certification process free of control from the United
States and its North American sycophant, Canada.

Received on Fri May 4 07:02 CDT 2001