Network Security CISSP-Discussion

Subject: RE: [CISSP-D] Anyone want to start a new topic?
Date: Fri, 11 Mar 2005 06:20:22 -0600
Dave Wrote: What is three to four years of experience in Information
Security?   I am not a pure play security professional.  Many aspects of my
job involve security but that isn't all I do.  What qualifies?  What doesn't?
Why not?

      I am also curious to see what types of experiences are rejected during
a CISSP audit. I obtained my cert with a background in DMZ design, firewall
management, risk assessments, single sign-on application development & a
couple of years as a security advisor.

Dave Wrote:  Recently someone mentioned business drivers as part of a
security discussion.  Have you guys ever felt pressure to secure a
successful production network?  How do you find the balance point, security
vs. productivity?

      In my present job there is often pressure to secure a system which
has been running fine for over 9 years without incident. Sometimes it can
be a very hard sell to explain to the business owner(s) of such systems that
they really need to apply security controls to it. The best balance I have
found is to perform risk assessments and become very competent at
facilitated risk assessment discussions or workshops.

      I will usually begin a risk assessment with presentation material on
what types of incidents have occurred on a similar production network in
other companies (make it realistic!) and then use a computer-aided risk
assessment template to help the business make a decision.

      For technical issues - e.g. applying encryption to production data or
network: I still follow the same approach. In the risk assessment you weigh
the decision of adding overhead vs. securing the network or data together
with the business. This sets the expectation up front that they may
experience a decrease in performance while meeting the compensating controls
objectives. It is the business owners of the network who will complain if it
slows down, or will need to pay for additional bandwidth, so if they are
part of the decision process that is key!

Dave Wrote: What areas of the CBK are you most comfortable with?  Most of us
probably blurt out the "Telecommunications and Network Security" but what
else?   Anything you want to learn more about?

    Before I took the exam I was most comfortable with Info Security
Management, Ops Security & Security Architecture and Models. After preparing
for the exam I am comfortable with most of the CBK areas.