Global Information Assurance Certification
If someone told me in 1998 that one day I would run one of the most advanced technical security certification programs in the world, I would have laughed in their face. I had been given the offer, but flatly refused it because it sounded like a whole lot of work.
What changed my mind was an employee who had an impressive résumé that listed a lot of intrusion detection experience. When that employee was asked to install IDS Real Secure—one of the easiest intrusion detection systems to use—it became obvious that he could not do it, and I knew something was very wrong: Résumés cannot be trusted to prove that a potential employee meets a minimum standard.
About a month later, another incident finally convinced me to become involved in creating a certification for security professionals. At the time, I had management responsibilities and approved training for myself and three employees at a conference in Monterey, Calif. On the second day of the conference, I looked around for them, and they were nowhere to be found. They had gone sea kayaking. When you consider the cost of training, which also includes the cost of travel, hotel and per diem, the employer had invested about $5,000 to send each employee to training. Something else was wrong: Employers could invest in training, but had no guarantee that they were getting any return on those investments in their employees.
Certification as part of training is one way for employers to ensure that they are getting their money’s worth.
I started bothering my colleagues in the industry, asking what they thought a security professional needed to know. After six weeks or so, the list grew to several thousand items, and the best assessment was that a class that could prepare someone for this role would last at least six weeks. A large number of people could see the importance of this project for the information security industry and cooperated to complete it. Creating this list would have been impossible without their help. The security community worked together and formed a strategy to prepare the list. The essentials of security were defined using two population groups: technical professionals and managers, especially those who subscribed to the CIO Institute Bulletin. Finally, the first two certification courses—SANS Security Essentials and Intrusion Detection Tracking Certification—were ready.
The End Result: SANS GIAC
As a result of the cooperation of the community and in response to the need to validate the skills of security professionals, the SANS Institute established the Global Information Assurance Certification (GIAC) program in 1999. The purpose of GIAC is to provide assurance that certified individuals hold the appropriate levels of knowledge and skill necessary to practice in key areas of information security. In 2002, SANS’ Security Essentials was certified as 100 percent compliant with the National Security Telecommunications and Information Systems Security Instruction’s (NSTISSI) 4013 training standards.
SANS training and GIAC certifications address a range of skill sets, including entry-level Information Security Officer and broad-based Security Essentials, as well as advanced subject areas like Basic and Advanced Audit, Intrusion Detection, Incident Handling, Firewalls and Perimeter Protection, Forensics, Hacker Techniques, Windows Security, UNIX Operating System Security and Linux Apache MySQL PHP (LAMP). GIAC is unique in measuring specific skill knowledge areas, instead of general-purpose security knowledge.
The first GIAC professionals were certified in February 2000, and just under 1,000 candidates were certified in the program’s first year alone. As of March 2002, SANS had certified more than 3,000 individuals, and there are currently more than 9,000 certified professionals.
Distinctive Issues for the GIAC Certification
There are four major distinctions that demonstrate the quality of the GIAC family of certifications:
- GIAC never grandfathered anyone into the program.
- GIAC requires recertification.
- Each student receives a unique certification exam.
- GIAC uses a meritocracy-based advisory board.
These distinctions give GIAC its unique personality.
Many of the leading security and audit certifications have chosen to certify a number of people who have never taken the certification exam. This is known as “grandfathering.” It’s an understandable choice because it takes a great deal of input to create a certification. Grandfathering is a way to reward the people who helped create the program by awarding them certification. However, because this practice might mean that someone who is certified does not meet the minimum standards, GIAC did not choose that path.
Information technology in general, and security in particular, are changing rapidly. Most certifications do a decent job of demonstrating that candidates meet a minimum standard. However, what about one year, two years or 10 years later? Many security certification programs accept continuing education credits as evidence of continuing knowledge growth. SANS GIAC did not feel that it could rely on continuing education credits in good conscience because it is not a general certification, but subject-matter-based. For example, if you have a firewalls certification, it is not clear that continuing education for forensics will keep your firewalls knowledge intact. GIAC certifications expire after four years, at which point students must review the material and retake the exams in order to retain certification. The www.giac.org Web site serves as a link to both GIAC certification information and the latest in information security research.
GIAC security certification creates a unique exam for each student. One of the significant problems in running a modern certification stems from students remembering or copying questions from exams and then selling them to test preparation sites. A question bank of more than 30,000 items based on every skill or knowledge element that GIAC tests helps minimize cheating.
Also, GIAC courses are updated multiple times per year. This requires a lot of effort to keep exam questions synchronized with the course. One of GIAC’s rules is that every question must be taken from the course material. In fact, questions are tracked by the page in the course on which they are based. For this reason, all testing is done in batches. All the students of a class are added to a group. There is a matching bank of questions for their courseware, and the exams are generated randomly from that bank.