7 June 2001


From: nkoprowski@maples.com
To: jya@pipeline.com
Cc: james.wade@rich.frb.org
Subject: Rebuttal to "CISSPs - Do You Know Your Organization" by anonymous
Date: Thu, 7 Jun 2001 11:46:17 -0700

Dear Editor:

Below is an article written in response to "CISSPs - Do You Know Your Organization" by Anonymous, published by Cryptome.org, May 3, 2001.  Please let me know if you choose to post it on your Web site.

Thank you,

Nancy Koprowski
Account Executive
Maples Communications
PH: (949) 253-8737
FX: (949) 253-8751


June 7, 2001

(ISC)2's Response to "CISSPs - Do You Know Your Organization"

By James R. Wade, CISSP

President
(ISC)2

Facts About (ISC)2:

With respect to the Waiver-for-Examination (WFE) process having little international participation, shortly after the initial WFE period closed, a second period was opened exclusively for international applicants. As a result, several international information security professionals were certified at that time.

Allegations that the genesis of the CISSP program was based on a contract with the U.S. Postal Service are false.  The (ISC)2 Common Body of Knowledge (CBK) was based extensively on work performed by an international committee led by Mr. Corey Schou, a professor with Idaho State University.

Likewise, the CISSP Certification examination was developed by a large number of people following a very rigorous process to develop information security test items.  Suggesting that the U.S. Postal Service contract was the "genesis of the CISSP program" fails to acknowledge the hard work of a number of U.S. and international information security professionals in launching the CISSP Certification program.

With respect to "the associated training remained largely U.S.-oriented, with heavy emphasis on the U.S. government standards developed in the early 1980s by the U.S. National Security Agency (NSA)": As most people who have been involved in information security since the 1980s know, the so-called "Rainbow Series" of documentation developed by NSA was a source of information security processes and methodologies. In 1998 and 1999 (ISC)2 invested significant effort and resources to "internationalize" the CISSP certification by removing references to US law and policy and incorporating international standards like BS7799.

(ISC)2, as a not-for-profit organization, invests all surplus income over the costs of operations back into its programs.  As previously stated, (ISC)2 made significant investment in upgrading the materials supporting the CISSP Certification in 1998 and 1999.  (ISC)2 is an independent, not-for-profit company whose programs are not tied to any vendor, technology, methodology or government.

Moreover, it is a mystery why the author launches into a diatribe against the United States and concludes that any U.S. organization is automatically a pawn of the U.S. Government or puppet of the NSA.  (ISC)2 believes there is a clear need for Europe to endorse information security certifications as one of the ways to help safeguard its critical and sensitive information and systems.  (ISC)2 is the independent body that has the knowledge, vast experience, and infrastructure to support the information security certification needs of Europe and the rest of the world.

More information about (ISC)2 is available at  www.isc2.org

#   #   #