3 May 2001. Thanks to Anonymous. Provided in response to Cryptome's International License to Practice IT Security Worldwide.

CISSPs - Do You Know Your Organization?

By Anonymous

In 1989, a group of people associated with the not-for-profit Information System Security Association (ISSA), the for-profit Computer Security Institute (CSI), government agencies like the National Institute of Standards and Technology (NIST), and Idaho State University decided to form a consortium called the International Information System Security Certification Consortium (ISC)2. The organization had as its goal the professional certification of information system security practitioners around the world. These individuals were required to satisfy some basic requirements, including a minimum amount of time working in the computer security field and passing an examination based on a so-called Common Body of Knowledge (CBK).

At first, applicants could apply for the Certified Information System Security Professional (CISSP) designation through a Waiver-for-Examination (WFE) process. These "grandfathered" CISSPs submitted detailed applications for approval by a committee of professional peers. This WFE program was, however, very poorly advertised outside North America, so a number of professionals outside that region never had a chance to submit applications for the WFE process. Subsequent to the WFE process, candidates for CISSP were required to take a 250-question examination administered by a private for-profit testing service.

Very soon, several problems developed with the CISSP program and the activities of the (ISC)2 Board of Directors. In 1996, it became clear that the Board's certification goals were concentrating only on the United States and Canada.

The genesis of the CISSP program also hinged on a very dubious contract negotiated by some of the founding principals of (ISC)2 and the United States Postal Service, a quasi-government entity. The composition of the CBK and the training curriculum and examination, therefore, took on a very U.S.-centric flavor. Initial complaints from Canada resulted in a Canadian annex being appended to the certification examination; however, the associated training remained largely U.S.-oriented, with heavy emphasis on U.S. government standards developed in the early 1980s by the U.S. National Security Agency (NSA).

It also became clear by the end of the 1990s that some of the founders of the CISSP program were more interested in turning a profit than in refining and improving the content of either the examination or the training curriculum. Emphasis was placed on the quantity of people certified rather than on the quality of the candidates, test, examination, and trainers.

As the training and testing expanded into Finland, and very modestly to the United Kingdom, Ireland, and Denmark, it became more apparent that the CISSP was irrevocably tied to the United States environment, and more specifically to the requirements of the U.S. Government.

In the autumn of 1999 the (ISC)2 Board chose to establish even closer cooperation with organizations close to the U.S. government and NSA.

It is a pity that so few CISSPs attend the Annual meeting. They should participate and closely follow what the organization and its Board are doing. They should ask questions concerning training, testing, trainers (only American), finances, officers, directors, elections, and (ISC)2 personnel hiring/firing policy. They may find the answers extremely interesting. For example: Who are the directors? How are they elected? What are their benefits? How are budgets derived?

The administration of (ISC)2 has been shifted within a for-profit company that is responsible for handling the certification examinations, throwing into question the Internal Revenue Service tax-exempt status of (ISC)2 as a not-for-profit organization. CISSPs should understand that their money is involved in this business -- they are the stakeholders!

There is a clear need for a truly international professional certification program, free of influences from either the U.S. Government or bodies like NSA. Since the United States is pushing the notions of Critical Infrastructure Protection and "offensive information warfare," there is a need for Europe to find information technology security solutions and safeguards that are in the interest of European citizens and institutions.

A truly international professional certification would be highly beneficial to not only European IT security professionals but also to those in other countries who are increasingly involved in global electronic commerce and international operations.

There have been several disturbing trends in Europe over the past few years that call for a high degree of trust in those who are responsible for protecting the security of critical information systems and networks. In a time when state-sponsored espionage and disruptions of critical information systems are becoming more of an issue, and all the traditional threats of organized crime, corporate fraud, and hacking are still critical problems, it is important that international IT security professionals remain above the fray of illegal and wanton state-sponsored activities aimed at penetrating computer systems and networks.

The following are just a few examples of what has occurred in Europe since 1995:

-   British press reports of break-ins by non-European foreign intelligence services into the computer networks of the European Parliament. The penetrations were facilitated by security holes in the network operating protocols supplied by American firms.

-   International media reports of computer break-ins by U.S. intelligence into banks in European Union (EU) member Greece, EU candidate Cyprus and European Economic Area (EEA) member Switzerland.

-   German press reports of foreign intelligence eavesdropping on bank communications in EEA member Liechtenstein.

-   International press reports about the monitoring of European telecommunications from NSA stations at Menwith Hill, UK and Bad Aibling, Germany.

-   A verified report that the NSA was rigging network and cryptographic software in order to break into the networks of the European Commission and European Parliament.

From a European (and EU) point of view it would seem more natural to organize and/or establish the Information Security Professional Certification framework in cooperation with an organization which has no "hidden" connections or control from any non-European government agency or intelligence service. The European Union "Echelon" Committee is about to conclude its report on NSA technical eavesdropping on the private lives of European citizens. European IT security professionals must ally themselves to their own nations and European employers, not the computer spymasters of the United States and organizations that are willing to do their bidding.

The European Commission has both a requirement and an opportunity to start a real, international, and independent information security professional certification process free of control from the United States and its North American sycophant, Canada.