Issue of October 2003 


Certified Personnel

Enterprises certified secure

A look at why your enterprise needs to use personnel with security certificates to conduct business better. by Avinash W. Kadam

Information security is a relatively young discipline. People attracted to this branch of IT usually have some background in networking, system administration, or programming, and a curiosity about the twilight world of hackers. They want to understand how information security is breached, and, being honest people, do not want to become hackers themselves. They prefer to become security professionals.

But there are no university courses in India for security professionals. Not even the B. Tech-Computer Science course includes a paper on information security. In such a scenario, how does one become an information security professional?


A similar dilemma is faced by organizations that want to employ information security professionals. Should they employ reformed hackers or self-taught security experts? How can they be sure of the competence level of the persons they are employing?

Answers to these questions are provided by a number of reputed organizations offering specific certifications. In this article, we will give an overview of the major security certificates offered. In subsequent articles, I will cover each certificate in more detail.

Common requirements

Security certification associations share a few characteristics. They:

  • Are non-profit oriented
  • Have a common body of knowledge
  • Look for experienced professionals
  • Conduct examinations
  • Require references from other certified professionals
  • Charge examination fees and annual membership fees
  • Track Continued Professional Education (CPE) hours
  • Follow an established code of ethics

Characteristics explained

Some of the characteristics are discussed in detail:

Common body of knowledge: A profession must have a common body of knowledge to be distinct from other professions. The common body of knowledge spells out the areas of knowledge the professional must be familiar with.

Requirement of experience: Most professional organizations require a number of years of experience, up to five, before admitting a new entrant. This experience is not necessary for taking the examination; it can be accumulated before and after passing the examination. Some organizations replace this clause by insisting on a research paper, written by the applicant based on his or her experience.

An examination: An examination usually consists of 150 to 250 multiple-choice questions. The duration of the examination varies between four and six hours. Most exams are paper-based, though some are online. Pass marks for these exams are between 70 and 75 percent.

Reference from other certified professionals: This is to reduce the risk of unsuitable or undesirable persons becoming certified professionals.

Examination fees and annual membership fees: Even a 'not for profit' organization requires money to run. Examination fees for most organizations are around $450 and the annual membership fees are around $50.

Continued Professional Education (CPE) hours: To maintain professional status it is important to keep abreast of the latest developments in the profession. This education entails activities like attending professional courses and technical seminars, giving lectures, and writing articles. Most organizations expect members to clock 40 hours of CPE every year.

Code of ethics: Every association follows a code of ethics for its members. This code is based on venerated principles of honesty, integrity, and high professional conduct. Disciplinary action is taken against those found guilty of breaching this code.

Benefits of Membership

Membership of these organizations provides a large source of up-to-date information about the profession. Members are given access to the members-only areas of the website. Some organizations publish journals and newsletters.

Members can get opportunities to work on various boards and committees engaged in improving the working of the organization. They may participate in the creation of examination questions, write articles for the journal, undertake research work, and raise their profile among their peers.

Major Security Certifications

CISA (Certified Information Systems Auditor): Strictly speaking, this is not a security certification, but it is probably the oldest and most respected certification in the area of information systems audit. It covers all aspects of information systems, from whether the information system meets business objectives to how the information systems are managed and monitored.

The Information Systems Audit and Control Association (ISACA) offers this certificate. Their Website is

CISSP (Certified Information Systems Security Professional)

This is a very focused certificate specifically meant for information security professionals. It covers all aspects of information security: physical, logical, technical, procedural, legal, and managerial. The common body of knowledge covers all the areas of information security described in the information security standard BS 7799. No wonder CISSPs are in great demand for employment as Information Security Officers.

The International Information Systems Security Certification Consortium (ISC2) offers this certificate. Their website is

GSEC: Global Information Assurance Certification (GIAC) for Security Essentials

This is given by the SANS (SysAdmin, Audit, Network, Security) Institute. This certificate is more inclined towards the technical aspects of information security. Apart from the GSEC, the SANS Institute provides certificates in specialized technical areas like firewalls, IDSs, incident handling, Unix security, and Windows security.

Their website is

CBCP (Certified Business Continuity Professional)

This again is not strictly a security certificate, but since availability of information is as important as its confidentiality and integrity, the certificate is recognized as a must for security professionals with BCP/DRP responsibility. The Disaster Recovery Institute has created this professional certificate.

Their website is

CISM (Certified Information Security Manager)

This is the new kid on the block in the certification market. The certificate is offered by ISACA, which has offered CISA for many years. They perceived the need for a specialized certificate for security managers. This certificate assumes that you have the requisite technical background and tests you on the security management aspects. The first examination for this certificate was held in June 2003.

The website is

Value attached to the certificates

All the certificates described above are prestigious credentials. Retaining a certificate in good standing requires adherence to the code of ethics and continuous updating of knowledge. All the above organizations have their head offices in the USA, with associate offices in other countries. In the global scenario, having an internationally accepted certificate helps.

These certificates are independent of any vendor or specific technology. As such, they are not endorsements of your skills in a particular product. Skill-oriented certificates may become obsolete as the technology changes, whereas a professional certificate establishes the fact that you have made the effort to acquire an all-round understanding of the discipline. These certificates should not be treated on par with skill-level certifications like CCNA or MCSE.

These certificates are increasingly finding acceptance in the industry. Many senior professionals are attracted to these associations and become members. They benefit from the interactions with fellow professionals and are also able to contribute to the profession.


Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.