CISSP Management Concentration: Environments
As corporations and governments adopt new operational models driven by the Internet, more networks are opened to partners, customers, employees, suppliers, vendors and even competitors, making it faster and easier to do business. Greater access also leads to increased threats to infrastructure and data protection, however, and the associated risks must be managed by qualified professionals.
We all know information is one of the most valuable assets of any organization, and as access has become more convenient, protecting data integrity and privacy has become more critical and complex. What you might not know is that as threats and regulations have evolved, the business benefits of information security have changed. Within this new context, organizations of all types are realizing they must hire the right people with the right expertise, or the potential negative impact on finances and resources could be enormous.
In the past, technology alone was considered sufficient to secure the information infrastructure, but experience has shown many times over that even the best firewall or intrusion-detection system is useless when an unsuspecting employee is tricked into divulging a system password or downloads free software that also contains spyware.
In addition to outsider threats, organizations also must protect themselves from insider threats. The proliferation of mobile devices presents the threat of employees, contractors, vendors or strategic partners accessing the network and possibly downloading vast amounts of data and then walking out the door without being detected.
Another type of external pressure being exerted on businesses is from government regulations and new corporate governance rules such as Sarbanes-Oxley. Compliance with government regulation requires management to review organizational processes, which means security practices, not simply protected IT systems, are at the heart of good governance.
The growing awareness of cyber-security threats has prompted most organizations to realize that securing information assets goes beyond tools and technology — highly trained, highly qualified personnel are necessary to protect information assets.
People are the only resource that can create and implement a security policy for an organization based on a balance between business risks and costs. Tried and trusted security practices with an emphasis on broad-based objectives must be implemented throughout the organization.
Twenty-five years ago, the information security profession was new and obscure, and information security was not a high priority. As access to information became more convenient, the need to protect access to data became more critical and information security issues more complex. Many early information security professionals fell into their jobs when their employers realized their businesses were at risk, and they needed to protect their information assets.
Today’s information security professional is faced with constantly changing legal requirements, business practices and generally accepted security standards. Online connectivity has dramatically changed the way corporations and governments around the world communicate and access information, conduct financial transactions and perform daily operations. The increased protection of intellectual property, employee data and company records has become a top priority.
The management of information assets and the recognition of the importance of information security have come a long way in the past 25 years, and as the information security industry continues to mature, the management of information assets continues to increase in importance.
According to the second annual Global Information Security Workforce Study, conducted in 2005 by global analyst firm IDC and sponsored by (ISC)2, the International Information Systems Security Certification Consortium, ultimate responsibility for information security has moved up the management hierarchy, with more respondents identifying the board of directors and CEO or a CISO/CSO as being accountable for their company’s information security.
IDC expects this accountability shift to continue as information security becomes more relevant in risk management and IT governance strategies. The study also found that security is becoming operationalized within organizations as they attempt to align their business and security strategies with the goal of establishing a comprehensive information risk management program.
Most respondents, 73 percent, expect their influence with executives and the board of directors to increase in the coming year, as dialogue between corporate executives and information security professionals has evolved from a technical security discussion to one of risk management strategies.
To meet this growing demand, (ISC)2 offers the Certified Information Systems Security Professional (CISSP) certification. The CISSP requires candidates to demonstrate a base level of knowledge in security best practices, policies and technologies by passing an examination. Candidates must also have four years of validated experience in designated areas of information security (or three years plus a bachelor’s degree), be endorsed by a CISSP credential holder, abide by the (ISC)2 Code of Ethics and obtain audited continuing professional education credits to maintain their certification.
As the information security environment has grown in size, complexity and specialization, (ISC)2 has developed a management concentration for the advanced information security manager.
The CISSP-ISSMP (Information Systems Security Management Professional) reflects a deeper management emphasis and understanding built on the broad-based knowledge of the CISSP CBK domains.
The CISSP is a prerequisite for the management concentration, which offers a career-enhancement path spanning a broad range of information security management positions, including information security, assurance and risk management roles for professionals who focus on enterprise-wide risk management.
The management concentration originated with (ISC)2’s job-analysis survey of its CISSP members in 2001, in which members requested additional concentrations to their credential, targeting their chosen career paths or job requirements. The management concentration is part of (ISC)2’s mission to ensure information security personnel are knowledgeable, experienced professionals in every phase of their careers.
As the information security profession continues to mature and expand, there is a need for professionals with specialized knowledge. The CISSP-ISSMP management concentration verifies knowledge, skills and abilities in the following areas:
- Expert understanding of relationships between security and business requirements of organizations. This ensures security is appropriately addressed and specifically included as part of the corporate governance process in making the day-to-day decisions affecting the risks of the business.
- Intimate understanding of risks and threats applicable in an organization’s environment, including applications, software languages, databases and operating platforms and countermeasures to mitigate these risks.
- Crucial knowledge to address control and coordination of operational networks and systems, including availability and integrity of systems, system processes and job executions.
- Proficiency in business-impact analysis, enterprise-recovery strategy, emergency planning, implementing and advocating business-continuity plans.
- Ability to identify appropriate and applicable laws related to risk management, understanding of investigation parameters and deep understanding of professional ethics in order to conduct investigations in a credible and effective manner.
Technology alone can’t stop future attacks — it’s up to qualified professionals to deploy tec