AndreaMoore
Community Manager

Use One Email Address for Creating ALL (ISC)²-related Accounts

For more timely correspondence and quicker exam results, use one email address for all (ISC)²-related accounts, including creating a Pearson VUE registration. 

 

Steps to create your accounts and more details can be found at: https://community.isc2.org/t5/Member-Support/Multiple-Email-Accounts-at-ISC-Solution/td-p/56830

 




ISC2 Community Manager
3 Replies
JoePete
Advocate I


@AndreaMoore wrote:

For more timely correspondence and quicker exam results, use one email address for all (ISC)²-related accounts, including creating a Pearson VUE registration. 


Maybe my tinfoil hat is a little thicker than others, but as a security professional, I've been advising against such things for a couple of decades now. The more you can differentiate what hits your (unified) inbox, the better you can discern real traffic from distraction or attack. Certainly, when a service's database gets breached, it gives you trackable information so that you know what service has been compromised. It also provides a bit of a buffer should you lazily re-use passwords. Again, my tinfoil and the skull under it may be a little thicker than most.

 

I understand, especially as the (ISC)2 moves more into entry-level certification, that there has probably been an exponential increase in customer support issues, and they may appear to be tied to the use of multiple email addresses. So maybe such advice has become necessary, but I would emphasize email should not be considered a discriminant one-to-one identifier (an address could always be a list and people do have multiple addresses). Perhaps, a more involved solution would be for the (ISC)2 to provide member email addresses. Even with a distinct domain (e.g. member.isc2.org). That could be seen as a measurable member benefit and tightens control over communication. Yes, running a mail service for 150,000 people isn't the easiest thing in the world, but just something to put on the table.

CraginS
Defender I

I have a personal & general use address and a professional activities address; both go to my unified mailbox. The latter is associated with my (ISC)2 use. I receive several times more fraudulent and financial scam spam mail to my professional activities address than to my personal use address. 

 

"Perhaps, a more involved solution would be for the (ISC)2 to provide member email addresses. Even with a distinct domain (e.g. member.isc2.org)."

Hmmm. How many of us have an address ...@IEEE.org?

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
denbesten
Community Champion


@AndreaMoore wrote:

Use one email address for all (ISC)²-related accounts,


From a support and user-experience perspective, this is a great observation.

 

From a data-integrity perspective much less so. The fact that this arises as an issue in the first place indicates there is room for improvement in the data handling processes. 

 

Today, it seems the candidate is expected to supply name, address, email, etc. to both parties.  And then the two databases are linked by email address. This is suboptimal because it creates opportunity for a bad actor to intentionally introduce data inconsistency for their own benefit. For example, an unethical candidate might provide one name to (ISC)² to be printed on their certificate, provide a different name to Pearson Vue for ID check purposes, and provide the same email to both parties so that the two databases "link up".

 

Much better would be for (ISC)² to collect the candidate's identity information (name, address, email) and feed it to their supplier either through SCIM or JIT-Provisioning.  This eliminates the potential for an adversary-in-the-middle (AITM) and helps ensure that both parties are referring to the same individual. 

 

(ISC)² might also consider a SAML relationship with Pearson Vue to further reduce the AITM risk, much like they have today with Salesforce (CPEs) and Khoros (community).

 

@JoePete  wrote:
The more you can differentiate what hits your (unified) inbox, the better you can discern real traffic from distraction or attack.

One trick that might help Joe and Cragin is "plus addressing".  Most email providers will ignore anything after a plus sign in an email address.  Net effect is that if you use "joepete+isc2@gmail.com" and "joepete+pearson@gmail.com", they will both end up in your joepete@gmail.com mailbox and you can then use the plus part to further filter.  Of course, that will not play well with (ISC)²'s presumption that email is a unique identifier.
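An added example, not part of any post in this thread: a small Python filter that uses the plus tag discussed above to spot mail arriving on an address that was only given to one service, and to show why two tagged addresses fail an exact-match link even though they reach the same mailbox. The sender-domain mapping and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: sender domains expected for each plus tag (hypothetical mapping).
EXPECTED_SENDERS = {"isc2": {"isc2.org"}, "pearson": {"pearsonvue.com"}}

def split_plus_address(address):
    """Return (base_address, tag); tag is None when there is no plus part."""
    local, _, domain = address.rpartition("@")
    base_local, plus, tag = local.partition("+")
    return f"{base_local}@{domain}".lower(), (tag.lower() if plus else None)

def same_mailbox(a, b):
    """True when two addresses differ only in their plus tag."""
    return split_plus_address(a)[0] == split_plus_address(b)[0]

def classify(raw_message):
    """Compare the recipient's plus tag with the sender's domain."""
    msg = message_from_string(raw_message)
    _, rcpt = parseaddr(msg.get("To", ""))
    _, sender = parseaddr(msg.get("From", ""))
    _, tag = split_plus_address(rcpt)
    if tag is None:
        return "untagged"
    allowed = EXPECTED_SENDERS.get(tag)
    if allowed is None:
        return "unknown-tag"
    sender_domain = sender.rpartition("@")[2].lower()
    # Accept the listed domain and any of its subdomains.
    if any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed):
        return "expected"
    # The address handed to one service is being used by a different sender.
    return "tag-leaked"

# Constructed sample messages (headers only matter here).
SAMPLES = [
    "From: Exams <noreply@isc2.org>\nTo: joepete+isc2@gmail.com\nSubject: Result\n\nhi",
    "From: Prize Desk <win@lottery.example>\nTo: joepete+pearson@gmail.com\nSubject: Winner\n\nhi",
    "From: friend@example.net\nTo: joepete@gmail.com\nSubject: Lunch\n\nhi",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    a, b = "joepete+isc2@gmail.com", "joepete+pearson@gmail.com"
    # Exact string comparison sees two identities; the mailbox is the same.
    print(a == b, same_mailbox(a, b))
```
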