Eye on Certification: Information Security
Conditions both within and outside the IT industry have created something of a perfect storm for information security professionals, as well as those considering this career path. The hazards of cyberspace have risen in quantity and lethality, and the threat presented by viruses, worms, Trojan horses, denial-of-service (DoS) attacks and blends of all these techniques loom large for many organizations, some of which are involved in sensitive fields such as finance, health care and national security.
In addition, increases in employees’ use of insecure e-mail and instant messenger (IM) systems at work presents an internal challenge to organizational security. Rising media scrutiny of cyber-attacks and businesses’ IT security capabilities (or lack thereof), a post-9/11 emphasis on precautionary measures and the government’s various pieces of legislation regarding compliance all have contributed to the boom times in this field, as well.
It is amid this IT security frenzy that we bring you this review of the some of the most widely held certifications in this area of expertise.
The Security Certified Program offers two certification tracks: The Security Certified Network Professional (SCNP) certification, which tests candidates’ knowledge of defensive security strategies, and the Security Certified Network Architect (SCNA), which assesses candidates’ knowledge of building of reliable, secure networks.
The SCNP program, which focuses topics such as firewalls and intrusion detection, relies on hands-on labs to bring the security networking world to the candidates. The SCNP program is divided into two exams, which have corresponding courses: Hardening The Infrastructure (HTI) and Network Defense and Countermeasures (NDC). The exams are designed to validate foundational skills such as intrusion-detection systems design and implementation, network traffic signatures, security policy, risk analysis and firewall design and implementation.
The SCNA program covers advanced issues in security such as law and legislation, forensics, wireless security, biometrics, strong authentication, digital certificates and digital signatures and cryptography. It too is divided into two exams: Enterprise Security Implementation (ESI) and The Solution Exam (TSE).
For more information, see www.securitycertified.net.
(ISC)2 offers the Systems Security Certified Practitioner (SSCP) and the Certified Information Systems Security Professional (CISSP) certifications, the latter being the more advanced of the two.
The SSCP is designed for candidates who are advancing toward or have reached positions such as senior network security engineer, senior security systems analyst, senior security administrator, etc. The seven SSCP domains are access control, administration, audit and monitoring, cryptography, data communications, malicious code and malware, and risk, response and recovery.
The CISSP is aimed at information security professionals at the mid- and senior-manager level who are working toward chief information security officer, chief security officer or senior security engineer positions. The certification covers access control systems and methodology; applications and systems development security; business-continuity planning (BCP) and disaster-recovery planning (DRP); cryptography; law, investigation and ethics; operations security; physical security; security architecture and models; and telecommunications and network security.
The CISSP program also offers concentrations in architecture, engineering and management. SSCP specializations are under development. Both SSCPs and CISSPs will have access to (ISC)2 services and programs, which include peer networking, events, forums, job postings and ongoing education opportunities.
For more information, see www.isc2.org.
The SANS Institute offers credentials at multiple levels in five certification categories — audit, legal, operations, management and security administration — within its Global Information Assurance Certification (GIAC) program. Although the organization’s certifications around security are multilevel, they are not hierarchical, that is, the programs are stand-alone and should not necessarily be taken in any particular order.
Additionally, GIAC has two classes of certification: Silver and Gold. The Silver certification requires completion of an exam or exams. Full certifications require two exams, and certificates require a single exam. After earning Silver certification, a candidate can apply for Gold certification, which requires a technical paper.
Certifications are offered in conjunction with SANS training courses that last five or six days. Candidates are given four months to complete the exams for Silver certification, although that deadline will extend to six months March 15. The exams are taken online through the candidate’s portal account.
For more information, see www.giac.org.
The Information Systems Audit and Control Association (ISACA) has a pair of vendor-neutral credentials: the Certified Information Systems Auditor (CISA) and the Certified Information Security Manager (CISM). Of the two, the latter is more focused on IT security specifically, but the CISA has some security components.
To attain the CISM, candidates must pass the corresponding exam, agree to follow ISACA’s code of professional ethics and validate they have a minimum of five years of on-the-job experience in information security, with a minimum of three years of information security management work experience in at least three of the job-practice-analysis areas covered in the exam (certain work experience substitutions are available). Those subjects are information security management, information security program management, information security governance, risk management and response management.
The CISA program covers IS audit, control and security. ISACA includes IT security professionals as part of its target audience for this certification. The CISA exam has seven content areas, three of which deal with security: protection of information assets (the largest portion of the exam), disaster recovery and business continuity and business process evaluation and risk management.
For more information, see www.isaca.org.
Security+ assesses the knowledge of IT professionals with two years of on-the-job networking experience with emphasis on security. The certification exam covers communication security, infrastructure security, cryptography, access control, authentication, external attack, and operational and organizational security.
CompTIA considers Security+ to be one of its top three offerings, along with A+ and Network+. In about five years, the credential passed the 30,000-certified mark. Security+, which is offered at colleges, universities and commercial training centers around the world, also counts as an elective or prerequisite to several advanced security certifications. Additionally, it’s one of the approved credentials under the Department of Defense’s Directive 8570, which includes certification mandates for its employees.
For more information, see www.comptia.org.