why cissp says this about PGP/GnuPG?

[Taylor, Martin - Resources - ICT Services]

"Robert J. Hansen" <rjh at sixdemonbag.org> wrote:

> Philipp Gühring wrote:
> > Are there any facts or reasons against CISSP? Are there any 
> > alternatives?
> 
> Many.  Google for "CISSP criticisms" and you'll find a lot of reasons to suspect the CISSP, along with some well-regarded alternatives to it.
> 
> CISSP nominally requires four years of industry experience in computer security before they'll grant a cert, but in reality their definition of "industry experience" is very broad and permissive.  I'd much rather judge someone on the basis of the industry experience they used to get their CISSP than I would on the basis of the CISSP itself.
> 
> > My personal opinion is that PGP was designed to protect normal 
> > confidential data, not to protect spy information.
> 

It is unfortunate that this thread has to some extent turned into an attack on the CISSP qualification.

Firstly, the best source for the content of the CISSP exam is the "Official (ISC2) Guide to the CISSP Exam", by Hansch, Berti and Hare, published by Auerbach. The chapter on cryptography says nothing at all about PGP as a product (apart from a mention in the potted history of cryptography included in the chapter), or about any other product, but rather concentrates on the principles of cryptography, and on generic mechanisms.

I would agree that Shon Harris' prejudices are being exposed here, and I suggest that CISSP exam candidates who imbibe these prejudices will not be doing themselves a favour.

Secondly, and I confess my obvious interest here, I would suggest that at present the CISSP qualification, for all its faults, is the most effective qualification in existence for the information security generalist. I agree that hard industry experience is important, and as with any other qualification, an ability to walk the walk is more important than talking the talk.


Martin Taylor CISSP
Information Security Manager
Oxfordshire County Council
UK

The information in this e-mail, together with any attachments, is confidential. If you have received this message in error you must not print off, copy, use or disclose the contents. The information may be covered by legal and/or professional privilege. Please delete from your system and inform the sender of the error. As an e-mail can be an informal method of communication, the views expressed may be personal to the sender and should not be taken as necessarily representing the views of the Oxfordshire County Council. As e-mails are transmitted over a public network the Oxfordshire County Council cannot accept any responsibility for the accuracy or completeness of this message. It is your responsibility to carry out all necessary virus checks. You should be aware that all emails received and sent by this Council are subject to the Freedom of Information Act 2000 and therefore may be disclosed to other parties under that Act. www.oxfordshire.gov.uk