Should I Accept New ISC(2) Certification Agreement?
Today I received an email from the International Information Systems Security Certification Consortium, Inc., ISC(2), that read, in part:
"The purpose of this notice is to provide information regarding the status of your (ISC)² certification.
Our records indicate that your anniversary date is near and your Annual Maintenance Fees are current. As you are aware, a total of 120 Continuing Professional Education (CPE) credits, of which at least 80 must be Type 'A' credits, are required to be submitted during each three year certification period in order to maintain your credential. Our records indicate that, based upon your CPE submissions to date, you are not on track to meet your recertification requirements at the end of the three year period. We urge you to pay close attention to this matter to avoid the expiration of your CISSP credential."
OH NO! Time for me to log in to the ISC(2) Web site to record some of the hundreds of CPEs I haven't logged. However, as soon as I entered my credentials, I saw this:
Certification Agreement
IT IS IMPERATIVE THAT YOU CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS. IF YOU ACCEPT ALL OF THE TERMS AND CONDITIONS CONTAINED IN THIS AGREEMENT, INDICATE BY SELECTING THE "ACCEPT" BUTTON AT THE BOTTOM OF THIS AGREEMENT. IF YOU DO NOT ACCEPT ALL OF THE TERMS AND CONDITIONS CONTAINED HEREIN, INDICATE BY SELECTING "DECLINE". IF YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT, YOU SHALL NOT OBTAIN CERTIFICATION AND YOU MAY NOT USE THE CISSP, SSCP or CAP LOGOS.
This Certification Agreement ("Certification Agreement") is entered into as of the date set forth ("Effective Date") on the Application Agreement ("Application Agreement") by and between the undersigned ("Certification Candidate") and the International Information Systems Security Certification Consortium, Inc. "(ISC)²".
This doesn't look so great. As I read through the text (which you can retrieve as a .pdf here), I find this section (all emphasis additions are mine):
6. CONFIDENTIALITY.
6.1 Certification Candidate agrees that to the extent (ISC)² previously disclosed or currently or subsequently discloses to the Certification Candidate, or the Certification Candidate learns from (ISC)², information relating to (ISC)²'s Exams, products or sensitive aspects of (ISC)²'s business (including without limitation, computer programs, names and expertise of employees and consultants, know-how, business, financial, customer and product development plans, forecasts, questions, answers, worksheets, computations, drawings, diagrams, length and/or number of Exam segments and/or questions, or any communication, including verbal communication regarding or related to the Exam, the identity of Exam administrators, and other Exam takers, price and cost data, price and fee amounts, pricing and billing policies, marketing techniques, future plans and potential strategies of (ISC)² which have been or are being discussed), such information shall be deemed the confidential property of (ISC)² ("Proprietary Information"). Certification Candidate recognizes and acknowledges that (ISC)²'s Proprietary Information (and the confidential nature thereof) is critical to (ISC)²'s business and that (ISC)² would not enter into this Agreement without assurance that its Proprietary Information and the value thereof will be protected as provided in this Section and elsewhere in this Agreement.
6.2 Certification Candidate agrees (i) to hold (ISC)²'s Proprietary Information in confidence as a fiduciary and to take all reasonable precautions to protect such Proprietary Information, (ii) not to use such Proprietary Information at any time during or following the term of this Agreement, except as contemplated by this Agreement, and (iii) that to not disclose, publish, disclose, reproduce or transmit any Proprietary Information to any third party, in any form, including without limitation, verbal, written, electronic or any other means for any purpose.
Are they serious? What am I supposed to do with this confidential and proprietary information from the front matter of the CISSP Prep Guide?
"The Examination The examination questions are from the CBK and aim at the level of a three to five-year practitioner in the field. It consists of 250 English language questions, of which 25 are not counted..."
I am honestly considering clicking the "do not accept" button. I wonder if this blog post will upset ISC(2) enough to revoke my CISSP anyway?
2.2 Certification Revocation. (ISC)² may, at its sole discretion, revoke a Certification Candidate's certification under the following circumstances:
...edited...
2.2.5 Upon (ISC)²'s determination at its sole discretion that Certification Candidate has acted in any manner contradicting the (ISC)² Code of Ethics, that sullies or reflects poorly on the Mark, or involves any form of dishonesty or the giving of a false statement...
What should I do? Have you accepted this new "agreement?"
Comments
There are a few reasons:
1. The main thing that interested me about the certification were the code of ethics and the requirement for professional experience. In real life, I have never heard of a single case where either have been enforced, and several cases where they have been violated, rendering them useless.
2. The CPE system is both hard to use (as evidenced by the fact that both of us have literally hundreds of CPEs that we have not entered) and seems more geared towards advertising and promoting seminars than measuring 'ongoing work in the field'.
3. The certification is, in some circles, actually considered a negative - in other words one is thought to be less technically capable than if one did not have the certification at all.
In other words, it seems that, worse than having no positive value, it may have a negative one.
Your post here only emphasises the decision I'd already made.
I've been an info security professional for the last 10 years at a Fortune Global 10 company. Various people have tried to get me to take the exam for years but I've resisted.
Quick poll: how many of us will ever have the chance to design a secure data hosting facility? What's that? None, you say? So how does it do me any good to know that some schmoo has decreed that a 10 foot tall perimeter fence is necessary? Why not 12? Why no barbed wire? How many of us will have the chance to decide on Halon* or CO2, and why should we go with CO2 like the course recommends?
IMHO it is a paper certification and cheesy continuing education requirements.
I also know several people who got the certification while they were out of work for a year or two. Cuz yeah, those are the qualified and talented people I want working for me.
Finally, I will admit that having 'CISSP' in your resume will get you past the first round of circular filings by the departmental secretary. I hope the rest of the resume and personal contacts will get me around that hurdle, should it be necessary.
* And yes, I worked around Halon in the service and saw all of the training films. It isn't toxic until it hits 900 degrees F. - at which point you have other problems.
www.oseh.umich.edu/haloappa.pdf
Sorry for the rant, blame it on donut Friday. :)
I fear that the prestige is now diluted by the vast number of certified.
Every certification that I know of progresses following the Gartner Hype Cycle. It appears that CISSP is now in the disillusionment phase. I hope it will move on to the slope of enlightenment. So many don't...
As for your question, yes, I have clicked on accept the agreement even if I don't really agree with all the terms. Then again, what difference does that make? How many CISSPs have infringed the Agreement or the code of ethics? Too many to count, I'd say.
I have high standards of ethics and I stand by it. In face of contradiction, incoherence or plain stupidity, I use my good judgement and go on.
In reality, if the certification is not a requirement in your job, then why bother? Is it just to have the letters after your name? In some way maybe it does reflect the fact that you have the experience, but I imagine there are a number of people with the cert and no real world experience. I could be wrong on this, since I have not done any studying for the cert at this time.
I think that a person in your position would not need any certifications, especially in InfoTec Security. IMHO experience speaks louder than certs. Of course in the end the decision is solely yours to make.
G'Day,
Roger
I will not deny though, that a cert (even one I may not respect highly after 3-5 years experience) does help one out when still in the infancy of their career.
The CISSP is a joke. The world has changed and is changing too fast for that cert. Technical and non-technical issues have come up that it doesn't address. Worthless.
I wouldn't even use it to "get past HR" in the resume pile. If you are a good security professional word of mouth will take you places. If you are looking for a foot in the door, take a job as a sysadmin, network eng, etc. and make your way to the top like the rest of us CISSP-lapsing prima donnas.
How standard is that clause, and others like it?
Personally I wouldn't use this as a reason to decline a CISSP certification or drop an existing one ... there are so many other good reasons!
If you don't want a CISSP then don't take one.
BTW the website you enter the CPE information on is dead simple to use so if the author has "hundreds" of credits he "forgot" to enter...he really has no excuse.
BTW the language he highlights in the agreement seems designed to combat "brain dump" type sites for those who wish to cheat on the exam.
OUT
We can all moan and groan about what it has become but how many of us have invested time and effort to help ISC2 increase the standard(s)?
As far as the initial question goes - Richard illustrates some valid points - the fact that the number of questions is deemed a "secret" that cannot be discussed by CISSPs is ridiculous. How many of you remember the "Puzzle Palace" book and the stir it caused in the government - "secret" words that can't be confirmed or denied (I know there was much more to it - simply generalizing for a moment). In the end even the government recognized that you can't stop people from uttering the phrases top secret or even, god forbid, spoke, umbra, etc... it is an unenforceable rule that serves no purpose.