
This past week, I took and passed the certification exam to become a GIAC Information Security Professional (GISP). The GISP focuses on the same material covered by the Certified Information Systems Security Professional (CISSP) Common Body of Knowledge (CBK). To prepare for both exams, SANS offers the SANS® +S™ Training Program for the CISSP® Certification Exam (Management 414) course.

I am including a video of Dr. Eric Cole, SANS instructor, developer of the course material, and President of Secure Anchor, providing a course description.

While I tend to prefer more technically focused courses, DoD directive 8570.1M convinced me that becoming a CISSP would be useful. Below is a chart showing the certification requirements for 8570.1M.

SANS offers information on SANS courses that align with the 8570 Baseline and with CND & IASAE. If it sounds like I favor SANS a bit, I do. Over the past few years, I have had to work with a very limited security training budget. SANS has offered options allowing me to pick up certification while keeping costs low. I really appreciate that. Plus, SANS instructors are well trained and of the highest caliber. If you are on a budget, two low-cost options are available:

  • The SANS Work Study Program. The program allows the volunteer to pay a fee of $700, which is applied towards tuition and certification costs. The volunteer works the selected event and in exchange they can attend the course and all other events at the conference (SANS@Night events, BoFs, Lunch & Learns, etc.).
  • The Community of Interest in Network Security (COINS) program. If you are a member of an OWASP chapter, ISSA, ISACA, InfraGard, HTCIA, ECTF or other local security organization, the COINS program offers you a 50% tuition discount for this or any other SANS @Home course.

I decided to take the SANS GISP exam first because SANS makes it so much easier to schedule the exam when compared to (ISC)2. The closest CISSP exam was over a 4.5-hour drive away from where I am currently residing. SANS allowed me to take the proctored exam at a local test center. Unlike the CISSP, SANS exams provide immediate results. For those not familiar with SANS certification exams, they are given electronically. As you answer the questions, you are told whether you answered correctly.

A word of warning: The GISP is a 5-hour exam. Initially, the local test center stated they were only set up for maximum 3-hour exams. The test center was trying to avoid having to monitor the test takers over lunch. The good news is that SANS can resolve this problem, but you will have to ask them to do so.

Ted Demopoulos, over at SecurITyCerts.org, did one of the better posts, “CISSP versus SANS GISP Certification.” Unlike many writers on this subject, Ted was one of the few who had taken and passed both exams. Otherwise, I encountered people who had taken only one exam and tended to discuss how that exam was superior.

I will hold off offering an opinion as to how the exams compare until after I pass the CISSP. Since I plan on doing DoD work, the fact that the CISSP fulfills the certification requirements for half of the DoD categories makes the certification choice pretty obvious. In the future, SANS may be better represented under DoD directive 8570.1. Generally speaking, security professionals will be aware of SANS and will respect the GIAC certification. People in business and IT, but outside of security, are more likely to know about the CISSP. You will likely find yourself in a position where you need to impress both groups. If you have the option, consider taking both exams.

2 Responses to “GIAC Information Security Professional”

  1. Congratulations for another success! If you want to shoot me a short note with the details of the 3 hour 5 hour issue, I will see if we can get a permanent process change put in place, glad it all worked out though.

    After you have completed both exams, I would really appreciate any suggestions on what we could do better.

Trackbacks/Pingbacks

  1. [...] I have been spending my time preparing and finally taking the GIAC Information Security Professional (GISP) and the Certified Information Systems Security Professional (CISSP) certification exams. I passed [...]
