[ISN] Web extra: DOD, orgs: SANS survey findings not dire

Tue Jan 10 01:32:54 EST 2006

Forwarded from: Dennis Kezer <dkezer at csc-dc.com>

SANS seems to have completely missed the part that says technical
people must also be certified in the vendor specific technologies they
support. The CAPS are from the guidance, not from me.  They wisely
chose not to attempt to list these out as there are so many vendors
out there such a list would be all but impossible to compile or
maintain.

C3.2.4.8.7.  In addition to the baseline IA certification requirement
for their level, IATs with privileged access MUST OBTAIN APPROPRIATE
COMPUTING ENVIRONMENT (CE) CERTIFICATIONS for the operating system(s)
they support as required by their employing organization.  This
requirement ensures they can effectively apply IA requirements to
their hardware and software systems.

-----Original Message-----

Paller said he is especially worried because the Defense Department
requires its frontline information assurance employees to have those
nontechnical certifications.

DOD officials are confident in their choice of certifications, said Bob
Lentz, director of information assurance in the DOD chief information
officer's office. The department has codified security competencies for
its IT security employees under Directive 8570.1, "Information Assurance
Training, Certification, and Workforce Management." Frontline security
employees must have certifications from CompTIA or (ISC)2 but not SANS
or vendors.

"The key error is that [DOD officials] took security managers who never
had hands-on security experience to design a security certification,"
Paller said. "If all you've ever done is write policy, how would you
know what to do to secure a Unix box?"

<snip>

Under DOD's directive, someone with CISSP certification could get any
technical or managerial position, even though CISSP should not qualify
people for technical positions because it is more analytical, Ashworth
said.

Officials might have chosen CISSP because many people hold that
certification, which could make it easier for DOD to fill positions,
Ashworth said.

To improve frontline security, DOD and certification vendors must create
progressively harder, platform-specific security tests to evaluate
low-level security employees, Paller said.

Once they do, Paller predicts that the rest of the government and
industry will follow suit, improving security for everyone.