JOSEPH MICELE: Okay. We will go ahead and get started this evening. Thank you everyone for attending this evening. This is our webinar panel discussion on understanding CISSP as part of the online Management Information Systems degree programs at the UAB Collat School of Business.
Before I introduce our panelists for this evening, I just wanted to go over a couple of points with you. You are currently in a listen-only mode. We are broadcasting this webinar and you are able to hear through your computer speakers.
You are able to ask questions. You can simply type them in the chat box or the Q&A box to the right of the screen. Feel free to type in your questions at any time, however, we will hold off on going through questions during the question and answer session later on in this evening’s event, but we will make sure that we address all questions.
You will be able to obtain copies of the slides tonight. You also will be able to obtain a link to the recording of this discussion. Both the slides and the recording will be emailed out to you tomorrow afternoon.
I’d now like to go ahead and introduce our panel for this evening. We are joined tonight by Mr. Darrell Bilbrey, Vice President, Corporate Systems at HealthSouth. And we are also joined by Dr. Julio Rivera, Associate Professor at the Collat School of Business in the Department of Management Information Systems and Quantitative Methods. And Dr. Rivera is also the program director for our online Bachelor of Science in Information Systems program.
Unfortunately, Mr. Michael Stockard, Chief Technology Officer of ProAssurance, is unable to join us this evening as originally advertised due to a personal matter.
Before I turn the evening over to our panel, I just wanted to go over a couple of points regarding ranking and accreditation for the University of Alabama at Birmingham and the Collat School of Business. The University of Alabama at Birmingham is accredited by the Southern Association of Colleges and Schools and the Collat School of Business is accredited by the Association to Advance Collegiate Schools of Business, otherwise known as the AACSB. It has been ranked as having one of the best online graduate business programs by U.S. News & World Report’s 2015 rankings of best online programs, as well as among the top 14 up-and-coming schools. Additionally, it’s been ranked by the NSA and the Department of Homeland Security and designated as a National Center of Academic Excellence in Information Assurance and Cyber Defense Research. UAB is one of two centers in Alabama to hold this designation.
I am now going to go ahead and turn over this evening’s presentation to our esteemed panelists, Dr. Rivera and Mr. Bilbrey.
DR. JULIO RIVERA: Thank you, Joe. Just to set the background, first, I would like to welcome everybody to the webinar. And what I would like to do tonight is talk — first, about the background of why we need information security and what role people in that area play. And then, talk specifics about the certification, the CISSP certification, and what you have to do to obtain it. And then, I’ll be happy to entertain questions and talk a little bit about our graduate program, as well as the classes that we offer.
Just for your information, I’m slated to teach both of the CISSP classes this fall. So I’m going to be working on getting that prepared over the next few weeks.
But first, let me start by talking about the need for information security. As you know, as it’s in the news, we hear about all sorts of information security breaches, the latest one being the Office of Personnel Management in the federal government. And that’s a particularly nasty one. But there are many others out there, and there may be ones we don’t know about that we find out about after the fact. So what that leads us to get into is, when we look at what businesses and organizations do, they tend to, of course, as a business, collect and create large amounts of data and information. Depending on the business or the organization, that may be a valuable asset to the organization. It also may be necessary, simply, to operate the organization, to do some or many of these things. But that information and data may also be sensitive, private, confidential.
Darrell, if you want to speak to that since you are in the healthcare industry and that’s one of the particular concerns to us.
DARRELL BILBREY: Yeah, Julio. Thank you. Can you hear me?
DR. JULIO RIVERA: Yes.
DARRELL BILBREY: Okay, I just wanted to make sure I got you off mute. Yeah, in the healthcare space it is vitally critical because we need all that information to operate the business. You’re correct. But then, there’s a — it’s very sensitive information, you know, it’s protected health information, so there are rules and regulations that we have to abide by, the HIPAA regulations. Then further, like us, we’re also a publicly traded company so we have to maintain, you know, confidentiality of our financial records, as well. So there are a lot of different pieces of the information that we must protect from these outside hackers trying to get at it. So, yeah, it’s really a big deal in our organization these days.
And receiving attention even from the Board, you know, public boards of companies are really interested in how we are protecting the data, as well. You know, one of these things could be a really, really big hit to you financially. Just the cost of providing monitoring to, you know, hundreds of thousands or millions of people can add up very quickly.
DR. JULIO RIVERA: Okay. So from a business perspective, most businesses obviously are interested in protecting their assets, and information is one of those assets, as is the data that is collected.
You also have some of the things that Darrell just mentioned. You have to comply with regulations and standards depending on the industry that you’re in. So, for example, HIPAA in the medical industry. FERPA, for example, here in our university environment — just so you know what the acronym is, it’s the Family Educational Rights and Privacy Act — forces us to put certain things in place to prevent certain kinds of information from being disseminated. And then, you know, there are industry standards. For example, the PCI DSS, which is the Payment Card Industry Data Security Standard for setting up payment devices and conveying that information. And then, of course, even if there are no standards or regulations, most organizations are very sensitive to privacy concerns. As private citizens, there are certain kinds of information that we don’t want widely available. So we need to be very conscious of that, if nothing else because, you know, reputation-wise, we don’t want businesses to suffer. And at the end of the day, regardless of all those things, we also need to be able to provide correct access to the data and information for business purposes, and to control that and monitor that and make sure that it’s not being used incorrectly.
Darrell, do you want to speak to that and some of the other things that happen in normal business?
DARRELL BILBREY: Yeah. One of the things that we have to do is not only look at how we protect the data as a whole from the outside, but also the need-to-know level of access internally as we operate the business. Just because you are a nurse in one of our facilities doesn’t mean you need to see all the information that’s out there. So there are even more granular levels of security that we have to put in place, and monitoring of that, to make sure that you’re getting to the data that you need to do your job, but not getting into other pieces of data. And then other things you have to look at are that we’re now kind of charged with figuring out what normal use of that data looks like. And if you’re out there accessing abnormal amounts of that data — of that same data that you may have rights to — it may raise a flag. And we have to take a look at what you’re doing, because sometimes insiders are going out and running queries they have access to, and they’re pulling data they don’t need — they don’t really need to get access to. So we’ve got to understand what the use is of that. So it’s adding extra levels of complexity into what we do, but we still have to do it.
Another example in the healthcare space, we have to protect the data but at the same time the government’s mandated that we exchange this with other providers. So there’s a lot of security protocols having to be developed and put in place to make sure we’re exchanging that in a secure manner while still exchanging it for the patients’ well-being. (Inaudible)
DR. JULIO RIVERA: Okay. So how do we go about doing this? So what happens then is most organizations are faced with a need to come up with an effective information security program. And, you know, that starts really by identifying the risks they face in that business or organization, and, you know, what threats and vulnerabilities you are exposed to. And then, what’s the likelihood of certain risks happening? What’s the likelihood, for example, of something like a flood or a fire versus, say, a hacking attack? And then, you have to weigh what those risks are as you decide how you’re going to deal with them, which is the next part of this. So if you know that we have a risk, we need to put in place some kind of strategy to mitigate that risk — to reduce the likelihood that we will be affected by that risk. And in a business environment, that, typically, among other things, means that you have to have policies and procedures that address those risks, and then have controls implemented to make sure that you deal with those properly. And then, of course, periodically, you have to assess and revise those policies and procedures and assess how well your controls work.
In the risk mitigation area, one thing that, I guess, most of us are probably familiar with is, you know, most of us drive vehicles. We buy car insurance because there’s a risk of having an accident. And if we did not have insurance, then we would be liable for all the costs of dealing with that situation. So we buy insurance to try to mitigate that risk. We pay somebody to assume part of that risk and they, of course, charge us based on things like our driving record, the likelihood that we’ll be involved in an accident. So we have to think about that from a business perspective when we assess what risks we have to deal with and how we go about mitigating them.
Darrell, do you want to speak to some of those things?
DARRELL BILBREY: Yeah. And especially in our industry and in healthcare, identifying the risk, you know, we’re tuned into a lot of different journals and groups that provide us that information. Additionally, you know, the FBI, basically, has said that in the healthcare industry you have a big red target painted on you. So that means that’s an environmental threat that we’ve had to make sure we are assessing. And you look at each of the different ways that you have access to systems and the things we have to do. I mean, today a company can’t operate without some type of internet connection and/or internet site, as well, you know, a website. And how do you control the access to that and not let it get beyond that? So we do a lot of different things as we develop our policies and procedures.
Like you — like Dr. Rivera talked about and the other pieces. Implement those appropriate controls. We do, you know, we build those policies and we review them on a periodic basis as a minimum annually — take a look at how we’re doing against those things. And, you know, we’re audited against those, both by internal and external auditors. It’s become a bigger deal now. Even your — most of the financial audit teams also have IT audit teams to make sure you’re effectively applying the controls that you said you were going to do.
And then, additionally, a lot of companies are turning towards not just looking at the procedures themselves and the effectiveness of the controls, but are going out and actually retaining white hat hackers to go take a look to see what they can do against this, to make sure that we’re doing what we say we do and we’re working the way we need to. And also getting them to point out other places we may need to strengthen based on new threats they know about in the environment. So it’s a — it’s like a giant chess game and you’re trying to make sure that you’re defending the king, which is the data, the best you can.
And, additionally, just like the car insurance. You know, companies are getting data theft, data breach insurance these days. There’s companies offering that, especially, when you have data like we do.
We’ve mentioned PCI. Even in — even in the hospital setting that we have, we have PCI to deal with, as well, because we have members who pay with credit cards or, you know, patients who pay with credit cards, or their families who are eating in our cafeterias. So that’s just another one of those that we have to comply with, as well.
Are we going to the next one here?
DR. JULIO RIVERA: Okay. So how do we go about developing these security programs and implementing them? And, you know, at the end of the day, any organization’s management, that’s their ultimate responsibility to put these things in place. Of course, they are not going to be the ones that go and do the nuts and bolts on this, so, typically, their charge is to decide what the appropriate level of risk mitigation should be. One of the ways of looking at that is what risk appetite the organization should adopt. And, you know, you will see similar organizations in the same industries, some of which accept more risks than others. Usually, not substantially more or less, but that is a management decision. And then, you know, once you’ve decided to implement a security program or security plan, then management needs to provide adequate support by funding it and making sure it’s implemented and following up on it.
So that’s a serious managerial role that has to be fulfilled. In terms of developing plans, that requires subject matter experts. So, you know, within the organization you might have your chief information officer or CIO, or chief information security officer, who should probably be heavily involved in that. Legal plays a heavy role in this, believe it or not, sometimes a pretty large role in determining what you may be liable for and what you need to protect against and how you do that. And then there’s a number of other things that feed into this as you get expertise in various technologies and so forth, and you determine what you can do in terms of implementing controls. And then, eventually, you have to delegate the implementation of these things to the specialists that you either have in-house or you contract to do these things. So, for example, the idea of white hat hackers is contracting specialists to try to penetrate your system so that you can determine if you’ve got the right controls in place and so forth.
Darrell, I know you’ve got to be involved in some of these things, so I’m sure you have some comments about it.
DARRELL BILBREY: Yeah, and, additionally, especially in our industry, there’s another group, and I think a lot of companies are adding this group, but they’re heavily involved. And there’s also a compliance group, mostly chartered around HIPAA compliance and making sure we’re complying with all that. And, additionally, what we’re seeing more and more as companies have more and more data out there, more electronic, we’re seeing some industries, some companies move physical security into this mix, as well. So it’s a merged risk analysis that’s being done, because getting access to the physical network can be just as — just as detrimental as them coming in through the internet. You know, if they can walk in and plug in somewhere in the conference room or somewhere, you know, how are you going to mitigate that threat? So it’s a really multi-pronged threat assessment you have to do, and know, where are your weak points? You sit and talk this through, and then, you have to report it back. I mentioned the Boards. You know, we’re now reporting — routinely the CIO’s reporting to the Board how we’re doing against all these things that are going on. Now with all the high-visibility breaches that have occurred in the healthcare space and those in the — like those — it’s becoming more and more important that we stay on top of this and try to protect our patient data that we have.
So again, it’s a multi-pronged approach to doing it, and even the other things that we do with the white hat hackers is that sometimes we’ll bring them inside and do what’s called an internal pen test just to see, if they get inside, what can they see? So that gives us an extra layer to look at and see if there are other things we can do. So even if they get in through the front door, can we, you know, minimize the impact that they can do if they do that? So, again, you just have to think of all the different scenarios and how they might be able to attack and come at you and try to — try to put up a defense to help against that.
DR. JULIO RIVERA: Okay. So, you know, that sort of brings us to how do we get subject matter experts? And, you know, expertise comes from a variety of places.
One is certainly education. You can achieve academic credentials in the information systems field and develop the experience and so forth. There are, in fact, some degrees that are specific to information system security. And then there’s a number of places that offer those at the community colleges, the undergraduate level and even some at the graduate level. And, obviously, we’re trying to offer something in that area targeted a little bit differently.
Experience is a big one. We have a lot of people that are now working in the field and the industry, and then over time develop expertise as they learn on the job and/or by attending continuing education classes and so forth.
And, you know, the last one of these, the certifications is a way of demonstrating that you have a certain level of expertise. And depending on the certification, this may be irrelevant, so —
But what we’re looking at in terms of the CISSP is more of a business managerial type area and the expertise on the security side. So one of those, and a particularly useful one, the CISSP certification, helps in that area.
There are a number of other certifications, so the other one that I’ve listed here is CompTIA Security+, and that’s typically more at the technical level. But it does share something with the CISSP, in that they’re not specific to a particular technology or industry. They’re more not vendor related. So, you know, you’re not tied to a particular type of system or vendor with those.
And there are, of course, a number of other certifications that you can achieve. There’s a variety of places that offer them, as well as vendors. So, you know, if you look at Cisco, for example, or Microsoft, and so forth, they have certifications on their systems. And, of course, those may be for people in the technical area. Those may be very important. So, you know, there’s a mix of these things, and the one thing you’ve got to remember when you look at or acquire a certification is that it means you have achieved a certain level of recognized expertise. Now, how you work with that, you know, on the job, is a whole other story, but it does give you some sort of a baseline.
And, Darrell, you can probably speak of, you know, the type of people that you hire and what you look for in that regard.
DARRELL BILBREY: Yeah. We tend as a company to try to look for the general certifications because the technology changes so rapidly. We look for that base understanding. So it’s not as important to be Cisco certified for the security people or Microsoft certified as it is to be CISSP. That kind of tends to be our main look that we do just because we want you to be able to be looking across all of that and not be tied to any one technology. Because as we talk about, you know, the layers of defenses and changing this stuff out and the technologies leap-frogging each other, you know, you want to be able to, you know, step back and not, you know, get so focused on a single vendor that you’re missing some opportunities with others.
The other piece, talking about experience, that we like to intermix in, and it’s not everybody, but, you know, for some of the deeper forensics type looks that you need, it’s very, you know, it’s very important to have somebody who’s got that kind of understanding, either a former network engineer or a server engineer that has that depth, or sometimes a programmer depending on what you’re looking at. It’s good to intermix those in with the team because they understand these systems that they’re trying to protect and defend a little bit better because they helped build them in the past. So we kind of use a combination in our mix just to keep things fresh and make sure that we are looking at it from all angles.
DR. JULIO RIVERA: Okay. So, let’s talk about CISSP certifications, specifically, because it’s the — obviously the subject for this webinar.
First of all, the organization that puts this together is (ISC)². There’s actually a link in the presentation if you want to go look at it. It’s isc2.org and they offer a number of certifications. CISSP’s one of the older ones and it’s been around and is well recognized, but they have a number of other ones. As I said, it’s a vendor-neutral certification and I’ve cited two things from their website here. And I would certainly encourage you to go look through the website so that you can get a better feel and look at some of the examples there. But they claim it’s the ideal credential for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement and manage their overall information security program to protect organizations from growing sophisticated attacks. So you can see that it’s wide-ranging. It also — again this is a quote — was the first credential in the field of information security to meet the requirements of ISO/IEC Standard 17024.
The other nice thing about it is that it is globally recognized. So if you were to look at the exam, you will find it’s available in various languages and it’s offered across the world. So it’s a nice certification in the sense that it recognizes the level of achievement, not just in a technical area, but also across managerial and other skills and competence. And it brings with it the written experience requirements, so it does mean that you’ve mastered and experienced some of these things.
And having said that, just to give you sort of an idea of some of the capabilities — and, Darrell, you can weigh-in on this, too — you need to have technical knowledge, obviously, to achieve this certification. But that’s not enough. You also need to have a managerial perspective or insight in to how organizations operate and why they do certain things. And then being able to analyze situations that you’re involved in, so that you can craft solutions that solve the problems that you face.
Experience, as I said, is part of the requirement. There is a strong ethical requirement, too. When you become a CISSP, you are required to subscribe to a code of ethics. It goes along with that. And then, there’s continuing education — and, of course, if you are in the information systems field, you must do this or you will rapidly be out of date. So you have to have the desire to continue to learn.
Darrell, do you want to speak to any of these things?
DARRELL BILBREY: No. I mean, I don’t really have any more to add other than I really look strongly at that last one — desire to continue learning. And I use that whether you are in security or not. You made a really good point — it’s an IT thing.
DR. JULIO RIVERA: Uh-huh.
DARRELL BILBREY: And I will mention ethical values. I mean, the strong ethics, you can’t say enough about how important that is. I mean, because, you know, you’re defending this stuff, which also means you have access to everything. So you have to be completely trusted by upper management and such that you are effectively going to put these controls in place and do your best and not misuse that power that’s been given to you.
DR. JULIO RIVERA: Okay. So let’s — the next few slides really cover what’s involved and what the background is that you need and so forth. And so, starting with this one, the CISSP is the sort of person that sits in the middle of providing people with access to information and technology. So you have to have a foot — of course, we only have two feet, right — in each of these camps in order to understand the importance of this information and what’s involved and what you have to secure, as well as the capabilities of the technology, both to protect and to penetrate and eventually do harm.
And then you have to understand how people operate. Because one of the — probably biggest areas — and, you know, it’s all about people — is what’s called social engineering. It’s how you get people to sort of violate the policies and procedures and security — the things that you put in place. So you have to understand those mechanisms, too. And that means you have to have a fairly broad background. You can’t just concentrate on either technical or people or one of these other things. You need to be able to converse in all those areas.
And if you look at what’s required in order to achieve the certification, it’s now been collapsed to eight knowledge domains — it used to be ten when I certainly became certified or received a certification. And they sort of fall into two areas — technical and the managerial areas.
The technical roughly fall into the security engineering, communication network security, software development security, identity and access management, and asset security. So each of those has a number of things that you need to be familiar with.
And so, for example, in communication and network security you need to know how networks operate and, you know, how data gets moved around and so forth.
In software development you need to be able to understand what things you build into software to make it more secure right off-the-bat. That’s, by the way, one of the very difficult things that we face these days. We have a lot of systems that were developed with no thought given to the security of the system and the data that they work with. And, obviously, that’s come back to bite us. So that’s a big issue.
How do you manage identity and access management? Just as a little aside, two days ago I learned that LastPass, which is where I keep all my passwords, was hacked. So I made the decision to go to two-factor authentication, and that’s, you know, another potential control that you can implement.
Asset security. This is an interesting one, because it is not just the securing of the electronic assets, but what about the server room and, you know, the databases where you keep these — the physical assets of the facilities. All of those are things that you need to consider and adopt an appropriate level of security for.
And then on the other end, on the managerial side, security and risk management. You know, how do you recognize the risks that are out there and decide what’s appropriate — or recommend what is appropriate — in terms of risk mitigation? And it’s not just, you know, somebody’s going to hack into the place, but what happens, for example, if you have a catastrophic event like a flood or a fire? And then, you know, organizations depend on the IT infrastructure. How do you make sure that you have the ability to recover from that or that the business continues on? So those are all important things that feed into developing security plans.
How do you assess and test? Earlier we talked about penetration testing. There are other issues. So most of you have probably heard about phishing attacks. So there are companies now that you can hire that will run simulated phishing attacks against your employees as a way of training them to make sure that they don’t do the wrong thing when they get an unknown email.
And then, you know, simply, how do you operate your security? What things do you do to make sure that the policies and procedures are being followed and how do you assess their effectiveness over time?
So all of those are areas that when you sit for the exam, you will have questions to deal with, and that means that you have to have some knowledge about all those areas. One I skipped over, by the way — you know, if you look at the history, it started in the Department of Defense military areas — is how do you classify information? What should be, you know, so to speak, top secret versus confidential versus widely available? So you have to have mechanisms for doing that. And you have to recognize the different levels of risk associated with those things.
Any comments from you, Darrell, on this?
DARRELL BILBREY: No. I think that was a good coverage. I think, you know, we may have some questions that come up that we can address in the Q&A.
DR. JULIO RIVERA: Okay. So given that we have these eight domains and, you know, you need to have knowledge in all of them. Typically, most people that sit for the exam are, you know, fairly conversant in one or two areas that are areas of specialization, but you need to, you know, have enough knowledge so that you can deal with the others. And that is not unusual.
If you look at what happens once you achieve a certification, you know, looking at job titles you might be a consultant, the chief information security officer, a security architect, analyst and so forth. There are a number of roles that you can play and that’s one of the nice things about this certification, in the sense, because you’ve got the managerial as well as the technical backgrounds. It lets you play in a lot of different areas. Which is different than, say, getting a narrower certification or achieving something in computer science or computer engineering where, you know, you’ve got a lot of expertise in one single or maybe a couple of areas. But, you know, what the CISSP brings to the table is to recognize the business value and put that into the equation in terms of developing information and security plans and so forth. And striking a balance that works because, you know, you can make things so secure that nobody can use the systems that you’re guarding. So you have to figure out what the right balance of these things is; that is what you want to achieve. So that’s important.
Darrell, can you speak to some of the, you know, the things that you hire into and so forth?
DARRELL BILBREY: Yeah. Typically, we are looking at, you know, analysts. I mean, we hire across the board on some of those roles. I mean, you have different roles filled out so you have people who are more managerial and deal with the management of the security folks. Then you have others who are very much an engineer, because they’re out there doing the forensic piece. So in a balanced approach to the security, you know, you’re going to have multiples of these titles. And you look for, again, that balance of who’s done programming, who’s done network, who’s been out there dealing with all the rules and regulations, especially in the healthcare space. It’s important that you have somebody who has a deep understanding of all the HIPAA rules and all that that implies. And how you do that to help with both the classification of the data, you know, what is considered HIPAA data. Then what are the rules as they change them? How do you — how do you get to that?
Also, tied in with that — you kind of touched on it a minute ago about disaster recovery planning and stuff — it’s not enough just to protect your primary data center. These controls have to be extended to make sure that you’re not leaving weaknesses in your (inaudible) as well, so you can safely and effectively roll with those if you need to. So it’s — it is very much a high-demand, high-pressure and high-visibility position in the companies these days. And it’s important that if companies don’t have this, they soon will be getting it. And I can’t think of too many that don’t have folks in some of these areas these days.
DR. JULIO RIVERA: Okay. So what do you have to do? First of all to strengthen weaknesses, what you have to understand is that the certification has a lot of breadth but not a whole lot of depth in it. So it’s a mile wide but an inch deep. The strength, of course, is the different bodies of knowledge. So you have knowledge of all these areas which you can then use to craft solutions.
There are experience requirements. So you, you know, anybody that achieves a certification has some experience in the area. So you know that going in. It does have a requirement for on-going training — continuing education. The idea that it balances an effectual managerial is important.
Interestingly enough, some of this is laid out. If you look at the Department of Defense Directive 8570, which is the Information Assurance Workforce Improvement Program. What it does is it sort of designates how you fulfill certain levels in this directive. And the CISSP certification lets you achieve the technical and management levels of Level Three, which is the highest level that they have. And of course there’s, you know, with the certifications, strength is credibility because you have achieved that and that indicates that you have (inaudible) knowledgeable. And that brings with it the marketability of your — of yourself from a career perspective and salary.
Weaknesses of any certification. Well, and, you know, you don’t have specific technical skills necessarily in every area. So, you know, you are more of a generalist than a specialist. The common body of knowledge, the eight areas that we’re looking at were recently revised and they’ll — you know, I’m sure over the years we will see more revisions as things change. So that may mean if you don’t keep up, you will be out-of-date over time, so that is a must — you must keep up.
There’s a maintenance cost involved. So every year there is, I think, it’s up to $85.00 now a year to maintain that cost. But again, check the isc2.org site for that.
And then, you know, one of the downfalls to getting a certification is people sometimes look at that as somebody that comes in that has this tacked on to their name, and because of that, they know everything about the business and so forth. And that’s not necessarily the case. So you should look at certifications as sort of a confirmation that you’ve achieved a certain level of expertise, but then when you come into an organization, you really have to prove yourself. Just achieving this certification by itself doesn’t necessarily mean that you will be the person that can solve the problem that an organization has. So that is something you should keep in the back of your mind.
Now onto the certification itself. Well, first of all, there is an exam. It is a six-hour long exam, and by six hours, I mean, you’re given six hours to complete it. Two-hundred-fifty questions. Out of those, ten percent or twenty-five are experimental, but they’re not identified so you do not know that going in. And those experimental questions, by the way, are development questions that are maybe later used in other exams or may be dropped, because of, you know, the people making up the exams don’t feel that they work well. The questions are not grouped by domain. They are just randomly generated for the exam. When I, actually, took the exam — this was a multiple-choice exam using a scantron. And you had a, you know, the testing site set up and you, actually, had CISSPs there that administered the exam and kept track of everything that was going on. It was proctored — it was very strict. So you do need to keep that in mind. We now use — and you can go to the (ISC)² site to look at. They’re using, I think, Pearson testing centers and you do it online and you receive, typically, immediate feedback on how well you did. That was not the case when I did it. I had to wait and get it in the mail. And the types of questions are going to be multiple-choice, drag-and-drop. And we now have pattern recognition using hotspots. So that wasn’t available when I took the exam. And then, they’ve changed it up a little bit. But still, it’s a fairly grueling exam. When I took it, just from my experience, I think I — finally after about five hours — said enough. I’d answered everything, I’d checked it again and then at that point I said, you know, there’s nothing more for me to do here. Turned it in and I did manage to pass it on the first one, so that was a major plus. But it is — it does wring you out.
There’s a credentialing process. So it’s not just taking the exam. Obviously, before you take the exam you need to think about, well, you’ve got to pay for the exam. I just checked the (ISC)² site, it’s right under $600.00 for sitting for the exam, and then, of course, there’s an experience requirement — five years. They knock a year off for a college degree, for example, or other certifications. And again, check the (ISC)² site for details on that. There’s also — you can also get an Associate certification which lets you complete the experience requirement, if I remember correctly. But, you know, you need to be able to document that experience requirement, because you will need it after the exam to submit the application for certification. And, of course, as I mentioned earlier, you need to commit to the code of ethics that (ISC)² has. So that is important.
And that brings me to the next thing in terms of taking the exam. If you have a criminal record or have had issues with certifications in the past, this may be a bar to your being certified. So you need to make sure you know about that and deal with it before you sit for the exam.
Once you pass the exam, there is an endorsement form and that needs — you need to be endorsed by somebody that has certification, another CISSP. And they are essentially sponsoring your candidacy and verifying your work experience. And then once you achieve the certification, you need to document and maintain your continuing education credits. So those are all important things.
And then, let’s see what I have here. Okay. Just to round this out, just to give you a feel for how this fits into our MS in MIS degree, we have an information security concentration. It’s a four-course set-up; IOS 620 is a hack and penetration; 621 incident and response and (inaudible) continuity, that we just mentioned a little bit about; and then 622, 623 classes are courses that cover the domains — the now eight domains in the CISSP certification. So in CISSP 1 you cover the first four domains and the last four in the other two. And just one more word about this. When I got certified, I went through the process, I actually took a review course — three-day cram review course — before the exam, and it was very helpful. So what we’re trying to do here with the CISSP courses, is achieve some of that — bring you up to speed in the areas that you are knowledgeable about. But it does assume that you have enough background so that you can build on that and fill out the areas that you may be weak in. You shouldn’t expect to come in and take these courses and know everything about every domain. You’re essentially building on your own knowledge and adding in the pieces that are missing at that point.
And with that, I think I will turn it over to Joe and we will try to answer any questions that you have.
JOSEPH MICELE: Great. Thank you very much Dr. Rivera and Mr. Bilbrey. Yes, as was mentioned, we can now go ahead and open it to Q&A. We have a few questions that have come over during the presentation.
Just to let everyone know, we also have Jovonna Jenkins here who is an enrollment advisor here for the online programs. So if you have an enrollment related question that you wanted to ask, now you can do that as well, and Jovonna would be able to answer that for you.
Well, let me go ahead and get started with some of the questions received. This one would be for our panelists. How often is defense in depth applied when conducting risk mitigations?
DR. JULIO RIVERA: Darrell, do you want to tackle that one?
DARRELL BILBREY: Yeah. I’m going to tackle that. I’ll tackle that one. I would say that it should be used every time. I’m not going to specify how many layers of defense in depth you need. But in today’s environment, with as many hackers and things that are out there, if you’re not doing a defense in depth approach, you’re behind the eight-ball.
Just to put it in perspective, a CISO at another company that I was talking to — this was a couple of years ago — basically, said his perspectives through the years have changed. It’s not now how to keep them out, it’s how to control what they can get to after they get in. Because if they really target you, they are going to get through that first layer. There’s just almost no way to completely stop them if you’re an internet-based company from getting through the first layer. So then it’s how do you get them, how do you keep them from getting in and doing damage once they get through that.
Julio do (inaudible).
DR. JULIO RIVERA: And, of course, I would agree with that. That there’s no one thing that will stop everything. So you need to build in enough to discourage all but the worst, because, you know, at some point somebody is going to figure out how to penetrate you. But you better make it hard enough that, you know, it’s going to be very difficult.
JOSEPH MICELE: Fine. Okay. Another question here is what sort of documentation is needed to prove that you have the relevant experience for credentialing?
DR. JULIO RIVERA: Okay. Number one, I am going to refer you to the isc2.org site. They actually have a list of what they consider previous experience and it’s rather extensive. But just in my case, I can give you an example of what I did, is I pulled my resume out and designated out, you know, the things that I had done over time that built on that experience. So I have built networks. I have managed networks. I have over time, actually, built here in our school the whole management apparatus for our academic computing area, and I’ve done it elsewhere, too. So all those things documented that I had done things. And then, I’ve taught classes, so that’s another one that counts. Currently, I’m involved as a part of a university-wide committee that looks into security, so that counts as experience too. So all of those things, so you can document your work experience. So if you’ve worked on networks or been in (inaudible) Admin, or any of those roles, those are all applicable. And what you need to do is when you make the application and it gets endorsed, you need to, as part of that application and your resume, lay out what experience counts towards what you consider in that area.
JOSEPH MICELE: Great. Thank you. We have a question here and this one is actually for Jovonna.
Jovonna, for the MS in MIS, if I work full time in Birmingham, could I take one course at a time?
JOVONNA JENKINS: Well, the way our program is set up, it is designed for the working adult. With that being said, our graduate students, they take one class for seven weeks, then they get a one-week break, and then they take the other class for the other seven weeks. So that’s two classes per semester that they’re able to take and it is 100 percent online, as well as, being an asynchronous program, so there are no schedules for specified login times.
JOSEPH MICELE: We have another question here for the panel. Are you seeing a hiring trend for individuals with CISSP credential or other credentials right now?
DR. JULIO RIVERA: I think so. Darrell, what do you have to say?
DARRELL BILBREY: I would say, and I think this is probably correct. I’d have to go back and double check but I think I read here recently that it is one of the top — it’s either the top five or top ten of the hottest IT hiring going on right now. I would think it’s in the top five given all these high-level breaches that have been going on. As more and more companies face it, I mean, you go out and look and there are CSO and CISSP roles everywhere out on the web. So, I mean, it’s — I would call it kind of on fire at the moment.
JOSEPH MICELE: Great. Thank you. We have another question here and I would think either — I would think this might be more suited for Dr. Rivera, but it’s related to the program itself. And we have an individual asking, if they were interested in the IT management concentration, would they still — would they still have the opportunity were they to have the education and the experience to sit for the CISSP exam and achieve the credential?
DR. JULIO RIVERA: Sure. The CISSP exam doesn’t require that — that you do anything other than pay for it, you know. So to speak, but, of course, you are going to do that, you probably want to prepare yourself. So taking the two CISSP courses, is, of course, a way of doing that.
There are other review courses out there. I mean, if you go to the (ISC)² site, you’ll find links to some of those. They’re all targeted at making sure that you’ve got, you know, you’ve filled in the gaps in your background and experience. If you’re interested in IT management, having some security in your background is helpful, I think.
And, Darrell, you probably speak better to that, but, you know, it’s not, absolutely, essential. That’s what I would say.
DARRELL BILBREY: No. I don’t think the classwork itself would be essential, but you definitely want to get — if you’re not going to take the courses through this, you definitely want to get the study guide or something. And you’re going to have to spend some time, because I don’t think, just being in a security job without actually applying yourself to the materials and understanding the domains, you’re going to walk in and do it for the first time without some kind of prep.
DR. JULIO RIVERA: And I will tell you because, you know, again I took a review course then sat for the exam. It is a lot, you know, it’s a very broad area and you have to know quite a bit about a lot of different things. Most of those that you don’t experience, you know, even in a security position all the time. So if nothing else, it refreshes you and makes sure that you’ve had that certain body of knowledge. So I would certainly recommend that you do some sort of review course or self-study before you sit for an exam. Otherwise, you may be throwing your money away.
JOSEPH MICELE: Great. Thank you. We have another question here. Can you recommend some websites to keep up with the latest news in information security?
DR. JULIO RIVERA: I subscribe to ZDNet and a couple of other sites like that, so I get stuff on a daily basis. And so you can pick stuff up like that. You know, unfortunately, with the hacks that we’ve had lately, all of the stuff is in the news. I mean, so, but I don’t have one thing I can point you directly to, but ZDNet does it for me. They give you a bunch of choices and that’s one.
Darrell, do you have any other preferred sites?
DARRELL BILBREY: I’m trying to think of some above and beyond that. Since more of my team does a lot of application development, I point towards some of those and I’m trying to remember the name. But there’s a couple of security sites that talks, specifically, about building the security into your coding and stuff. So I look at those a lot, and subscribe services where we actually can run our code against those looking for security vulnerabilities, too. So we — there’s — (inaudible)
DR. JULIO RIVERA: There’s a lot of sources out there, for example, companies like McAfee and so forth. Whole lot of stuff out there. (Inaudible) So, that’s another area you can look at. It depends on what sort of information you are looking for.
DARRELL BILBREY: In my role I get just tons of daily newsletters, too. So I subscribe to a lot of newsletters to get different perspectives, because sometimes you pick up on things faster than others, so you don’t want any one source to be where you go all the time.
JOSEPH MICELE: Great. Thank you. We have a question here. This is for Dr. Rivera. Can you talk a little bit about maybe one or two of the courses that you teach in the online program?
DR. JULIO RIVERA: In general, I’m picking the two CISSP courses up this fall, but I’ve taught the Business Analytics course the last time. I’ve, also, in the fall got a mobile apps course that I did last spring that we’re doing again. And then, coming in the spring, I’m sort of shifting around. I’m picking up the web app development and then the mobile app development. Because what we are doing with the mobile apps, is we’re essentially creating web apps and then using Adobe’s PhoneGap Build to transform those into native code for multiple platforms for iOS, Android and Windows Phone. So those, that’s kind of the space I’ve been playing in lately. Although I’ve been here long enough that I think I’ve taught everything under the sun, but that’s another story.
I did see one other question. Let me quickly answer that one. The two CISSP courses do not count towards experience for sitting for the exam. That’s not, you know, the review. They don’t count as experience. So again, I’m going to refer you to the (ISC)² site and it has a long list of things that count. So you should use that as your guide.
JOSEPH MICELE: Excellent. Thank you.
DARRELL BILBREY: I’m going to back up to the one — let me back up to the one question about a couple of URLs, some in the health space and I want to make sure I was giving you the right one. Anybody that’s in the health space, there’s one called HealthITSecurity.com, which we all — pretty much everybody in health IT subscribes to probably. And then, there’s another one that we use. It’s part of TechTarget which is their secure — their daily security digest that I get. They have a daily and a weekly wrap up. So those are good sources as well.
DR. JULIO RIVERA: Uh-huh.
JOSEPH MICELE: Thank you. We’re going to go ahead and make those our last questions for the evening as I do want to cover, quickly, the next slide.
Just a few important details to be aware of. We are currently recruiting for the fall term, for the MS, the online MS/MIS program. We have a current application deadline of July 20th, 2015, and a completed file due date of August 3rd, 2015. Just to clarify those two dates. By application deadline that is actually turning in the application and your enrollment advisor can certainly provide you the link for that if they have not already. Completed file is when you would be able — when you need to supply any of the supporting documents along with your application. So things like transcripts, resume, essay — those types of items.
Classes begin on August 24th. And you can always contact your enrollment advisor directly one of two ways. Either toll free at 1-877-807-8456 or locally you can contact them at 1-205-909-6301.
So I want to say thank you, again, to everyone who attended this evening’s event. We hope you got a lot out of this and that questions you had were answered. If you had any additional questions, please feel free to contact your enrollment advisor and if they can’t answer it, they will certainly get an answer for you on those questions.
Thank you again to our panel, Dr. Rivera and Mr. Bilbrey. We appreciate your participation and the information you shared with everyone tonight. We look forward to everyone’s participation on our next panel discussion webinar event.
Again, thank you and have a good night.
DR. JULIO RIVERA: Thanks, Joe, and certainly thanks, Darrell.
DARRELL BILBREY: You’re welcome. Thanks for having me.
DR. JULIO RIVERA: Okay. Bye-bye.