The Benefits of CISSP Certification for Enterprises

qq1594104640 2015-04-22 06:23:20

(ISC)2's CISSP certification program meets the stringent requirements of ANSI/ISO/IEC 17024; it was the first credential in the field of information security to do so. The certification demonstrates that the holder has information security knowledge and hands-on experience that meet an international standard, raises the holder's professional credibility, and gives enterprises and organizations a credential on which to base their search for professionals. It is now recognized worldwide: as of June 2010, more than 67,000 people in over 100 countries held the CISSP. In Asia, Hong Kong has the most CISSP holders after North America, with more than 1,200. Mainland China held its first CISSP exam in Shenzhen in May 2002 and had more than 500 certificate holders by June 2010, growing at roughly 20% a year. (ISC)2 also revises the CISSP Common Body of Knowledge (CBK) every year to reflect the latest developments in security, so that CISSP holders remain suited to enterprise information security management roles.
Currently, the CISSP certification covers the following ten domains:
• Access Control
• Telecommunications and Network Security
• Information Security Governance and Risk Management
• Software Development Security
• Cryptography
• Security Architecture and Design
• Security Operations
• Business Continuity and Disaster Recovery Planning
• Legal, Regulations, Investigations and Compliance
• Physical (Environmental) Security

Information security is a relative concept: when the threat level is low, security specialists are usually the people everyone forgets. But as information technology has developed at home and abroad, the meaning of "hacker" has shifted. It once referred only to experts who understood systems and networks at the lowest level and drove technical progress; today anyone who can use a network and pick up a few intrusion tools calls himself a hacker.
The technical barrier has fallen, and the pursuit of technology has turned into the pursuit of money. The ever-growing number of intrusions, the spread of malware, and the "high-IQ" crimes that periodically appear in the media are the work of these so-called rising stars.
In recent years, for example, the databases of CSDN, Tianya and other sites were attacked, some enterprises' core technology was stolen, and sensitive internal enterprise information was leaked. Faced with increasingly serious threats, enterprises and organizations in every industry, not just IT, are becoming more aware of the importance of information security.
Yet technical solutions and products alone cannot solve the problem of protecting enterprise information assets; information security is a comprehensive discipline. In recent years most domestic enterprises have successfully implemented an ISO 27001 information security management system, yet security incidents are still not effectively controlled and the management system has never been put into real operation.
In summary, drawing on SPISEC's more than ten years of information security consulting and training experience, we believe that a team made up of professional information security personnel can bring an enterprise the following benefits:
1. Whether information security staff are up to standard
Information security positions are critical to an enterprise, and information security is people-centred. How should the knowledge and professionalism of the people in those positions be assessed? How should their responsibilities and scope of work be defined? Do they meet the enterprise's needs, and is their knowledge up to the required level? Many enterprises have hit a bottleneck in the future direction of their information security work because they have no professional information security management team. Without one, how does an enterprise respond to a security incident or build a sound information security management mechanism?

Analysis over the years shows that most enterprises staff their information security roles by seconding people from networking, operations, engineering, network administration or other positions, without training or assessing them against an information security body of knowledge.

Information security is not only broad in scope but also highly specialized. Only systematically trained, professional information security personnel can safeguard an enterprise's information security work.

For example, between 2006 and 2008 China Mobile ran a nationwide internal competition based on the CISSP body of knowledge, assessed and examined its staff, and selected the strongest candidates to form a professional information security team. Today every provincial China Mobile branch has dedicated professional information security staff (some of whom have since become the CIO of a provincial branch), and they use that expertise to safeguard the construction and management of the enterprise's information security.

2. What passing the CISSP contributes in practice
The CISSP is not purely a technical certification; it covers every aspect of information security and emphasizes that information security is the combination of technology and management. Studying for it consolidates the technical knowledge one already has while adding knowledge in other areas, rounding out one's overall body of information security knowledge.

3. CISSP and ISO 27001
With security incidents occurring more and more frequently, the importance of information security is now widely acknowledged by enterprises. Companies are building, or preparing to build, an internal information security management system (ISMS) based on the ISO 27001 standard, but most of them rely mainly on consulting firms, using outside help to put the system together.

In recent years the quality of consulting firms at home and abroad has varied widely. An ISMS does not involve only security and IT: ISO 27001 covers 11 control domains and 133 controls. Surveys from the past few years show that if the knowledge of the company's own staff is not effectively raised after the ISMS is established, then once the consultants leave, the operation of the system and its follow-on processes are not handled effectively.

For example, Baidu, Alipay and Huawei (all SPISEC trainees) have in recent years used training and follow-on work to build their own information security management teams, so that they can establish and improve their information security management with internal resources. The CISSP's content is largely equivalent to the definitions in ISO 27001: the CISSP's 10 CBK domains correspond closely to ISO 27001's 11 control domains; they simply address different levels.

4. Effectively raising the information security knowledge of all employees
Kevin Mitnick, the world's best-known hacker, once said: "People are the weakest link. You can have the best technology, firewalls, intrusion detection systems, biometric devices, and all it takes is a phone call to an unsuspecting employee..."
Lacking sufficient security awareness, employees often violate information security rules for their own convenience, and often do not realize that in doing so they put their colleagues, and the whole organization, at risk.

Information security is an all-staff issue for an enterprise. Professional information security staff can draft the enterprise's overall information security policy, see it implemented, and organize security awareness training, awareness campaigns and general security education for all employees. This not only saves the enterprise related costs but, through practice, helps it find a way of managing information security that suits the enterprise itself.

5. Security inspection and information security compliance
At home and abroad, national bodies, local governments and industry regulators have formulated a series of effective information security management regulations, based on China's current information security situation and the state of domestic information security development.
An enterprise's information security professionals should, in line with these policies, laws, regulations, standards and norms, translate the specific clauses into concrete measures in every part of the enterprise environment, so that they are actually implemented and satisfy inspections by regulators at every level.
At the same time, they should, based on the enterprise's own information security rules and policies, carry out detailed checks of the departments, suppliers, outsourced staff and others involved in information security work, so as to improve the implementation of overall standards within the enterprise and reduce risk.

6. Continuing education to keep pace with the industry
(ISC)2 clearly defines the requirements after the exam is passed: to keep the certificate valid, a CISSP holder must earn 120 Continuing Professional Education (CPE) credits within three years. Recertification is therefore required every three years, with ongoing requirements to keep the credential in good standing.
The following items can be counted towards CPE credits:
Attending a vendor training course (for example CISA, COBIT or other SPISEC courses);
Attending a security conference;
Publishing a security article or book;
Providing security training;
Reading a security book;
Serving on the board of a professional security organization.
The CPE requirement mirrors the development of the information security industry and the constant renewal of professional knowledge: as new technologies and fields keep emerging, information security professionals, whether in an enterprise or as individuals, must keep learning to keep up with the industry and meet its demands.


bonjov2 2017-08-16
Just dropping in to post some filler.
