Enterprises certified secure
A look at why your enterprise needs personnel with security certifications
to conduct business better. By Avinash W. Kadam
Information security is a relatively young discipline.
People attracted to this branch of IT usually have some background in networking,
system administration or programming, and a curiosity about the twilight world
of hackers. They want to understand how information security is breached, but,
being honest people, do not want to become hackers themselves. They prefer to
become security professionals.
But there are no university courses in India for security
professionals. Not even the B. Tech-Computer Science course includes a paper
on information security. In such a scenario, how does one become an information
A similar dilemma is faced by organizations that want
to employ information security professionals. Should they employ reformed hackers
or self-taught security experts? How can they be sure of the competence level
of the persons they are employing?
Answers to these questions are provided by a number
of reputed organizations offering specific certifications. In this article,
we will take an overview of the major security certifications offered. In subsequent
articles, I will cover each certification in more detail.
Security certification associations should have a few
characteristics in common. They should:
- Be non-profit oriented
- Have a common body of knowledge
- Look for experienced professionals
- Conduct examinations
- Require references from other certified professionals
- Charge examination fees and annual membership fees
- Track Continued Professional Education (CPE) hours
- Follow an established code of ethics
Some of the characteristics are discussed in detail:
Common body of knowledge: A profession must have a
common body of knowledge to be distinct from other professions. The common body of knowledge
spells out the areas of knowledge the professional must be familiar with.
Requirement of experience: Most professional organizations
require up to five years of experience before admitting a new entrant. This experience
is not necessary for taking the examination, and can be accumulated before
and after passing the examination. Some organizations replace this clause by
insisting on a research paper, written by the applicant based on his or her
An examination: An examination usually consists of
150 to 250 multiple-choice questions. The duration of the examination varies between
four and six hours. Most exams are paper-based; some are online.
Pass marks for these exams are between 70 and 75 percent.
Reference from other certified professionals: This
is to reduce the risk of unsuitable or undesirable persons becoming certified.
Examination fees and annual membership fees: Even a
'not for profit' organization requires money to run. Examination fees for most
organizations are around $450 and the annual membership fees are around
Continued Professional Education (CPE) hours: To maintain
professional status it is important to keep abreast of the latest developments
in the profession. This education entails activities like attending professional
courses and technical seminars, giving lectures, and writing articles. Most organizations
expect members to clock 40 hours of CPE every year.
Code of ethics: Every association follows a code of
ethics for its members. This code is based on venerated principles of honesty,
integrity, and high professional conduct. Disciplinary action is taken against
those found guilty of breaching this code.
Benefits of Membership
Membership of these organizations provides a rich
source of up-to-date information about the profession. Members are given
access to the members-only areas of the website. Some organizations publish
journals and newsletters.
Members can get opportunities to work on various boards
and committees engaged in improving the working of the organization. They may
participate in creating examination questions, write articles for the journal,
undertake research work, and raise their profile among their peers.
Major Security Certifications
CISA (Certified Information Systems Auditor): Strictly
speaking, this is not a security certification, but it is probably the oldest and
most respected certification in the area of information systems audit. It covers
all aspects of information systems, from whether the information system meets
business objectives to how the information systems are managed and monitored.
The Information Systems Audit and Control Association
(ISACA) offers this certification. Their website is www.isaca.org.
CISSP (Certified Information Systems Security Professional)
This is a very focused certification specifically meant
for information security professionals. It covers all aspects of information
security: physical, logical, technical, procedural, legal, and managerial.
The common body of knowledge covers all the areas of information security described
in the information security standard BS 7799. No wonder CISSPs are in great
demand for employment as Information Security Officers.
The International Information Systems Security Certification
Consortium (ISC)2 offers this certification. Their website is www.isc2.org.
GSEC: Global Information Assurance Certification (GIAC)
Security Essentials
This is given by the SANS (SysAdmin, Audit, Network,
Security) Institute. This certification is more inclined towards the technical
aspects of information security. Apart from the GSEC, the SANS Institute provides
certifications in hardcore technical areas like firewalls, IDSs, incident handling,
Unix security, and Windows security.
Their website is www.sans.org.
CBCP (Certified Business Continuity Professional)
This again is not strictly a security certification,
but since availability of information is as important as confidentiality and
integrity of information, the certification is recognized as a must for security
professionals with BCP/DRP responsibility. The Disaster Recovery Institute has
created this professional certification.
Their website is www.drii.org.
CISM (Certified Information Security Manager)
This is the new kid on the block in the certification market.
The certification is offered by ISACA, which has been offering CISA for many years.
They perceived the need for a specialized certification for security managers.
This certification assumes that you have the requisite technical background and
tests you on the security management aspects. The first examination for this
certification was held in June 2003.
The website is www.isaca.org.
Value attached to the certificates
All the certifications described above are prestigious
acquisitions. Retaining a certification in good standing requires adherence
to the code of ethics and continuous updating of knowledge. All the above organizations
have their head offices in the USA with associate offices in other countries. In
the global scenario, having an internationally accepted certification helps.
These certifications are independent of any vendor or specific
technology. As such, they are not an endorsement of your skills in a particular
product. Skill-oriented certifications may become obsolete as the technology changes,
whereas a professional certification establishes the fact that you have made the
effort to acquire an all-round understanding of the particular discipline. These
certifications should not be treated on par with skill-level certifications like
CCNA or MCSE.
These certifications are increasingly finding acceptance
in the industry. Most senior professionals are attracted to these associations
and become members.
They benefit from the interactions with fellow professionals
and are also able to contribute to the profession.