Supported by Industry Leaders
Electricity surrounds CompTIA’s new Security+ certification. Whenever people in industry, government and academia talk about this certification and examine its objectives, they become energized. When I talk to security subject-matter experts, courseware providers and certification candidates, the same thing happens. There is enormous interest surrounding this certification due to its content, timing, backing and the widespread need for validation of IT security skills.
CompTIA Security+ is the security certification that people have been waiting for—a foundation certificate that integrates well with higher-level certifications. Security+ is sponsored by leading public and private organizations. This means that those holding a Security+ certificate are going to be recognized for earning a respected credential.
“Creating a global security certificate that would be supported by industry, academia and government agencies was required if Security+ was going to have broadly based relevance,” said Fran Nielsen, Ph.D., deputy chief, Computer Security Division, Information Technology Laboratory, National Institute for Standards and Technology (NIST). “I sensed during the Security+ development meetings that committee members were joined in their commitment. Without CompTIA’s neutral standing, resources and knowledge, a certificate recognized globally would be long in coming. In terms of security, no one was willing to wait.”
The seventh annual survey conducted by the Computer Security Institute and the Federal Bureau of Investigation found that despite a wide deployment of security technologies—including firewalls, access controls and digital IDs—security breaches occur. Findings from this report include:
- 90 percent of survey respondents (primarily large corporations and government agencies) detected information security breaches within the last 12 months.
- 80 percent acknowledged financial losses due to security breaches.
- 44 percent of respondents were willing and able to quantify their financial losses. These 223 respondents reported more than $450 million in financial losses.
- As in previous years, the most serious losses occurred through theft of proprietary information (26 respondents reported $171 million) and financial fraud (25 respondents reported $116 million).
- 74 percent cited the Internet as the point of attack.
- 33 percent cited internal systems as the point of attack.
- 85 percent detected computer viruses.
Today, there is an undeniable need for a certified IT security workforce. The CompTIA Security+ certification is designed for network and security administrators and those with similar job functions who have roughly two years of experience with networking and security. Security+ certification validates that an individual has mastered foundation-level knowledge.
Research indicates that a fraction of those who train for IT certifications actually follow through and take the exams. CompTIA believes that the majority of those who study for Security+ will seize the initiative and go to a testing center because employers will require proof that security knowledge has been mastered. Employers are going to look for, hire and retain those certified in security technologies.
Security+ Founding Organizations
Public and private organizations come to CompTIA, the largest business association in the computing technology industry, when there is a need for creating and maintaining a new vendor-neutral certification. These same organizations commit resources to the new certification. Some provide funding that goes into the creation of a major new certification, while others commit expertise to the undertaking. All volunteer an enormous amount of time and insight. The development of such certifications as CompTIA A+, Network+ and Server+ came about this way.
The committee for Security+ includes many of the leading names in IT security as well as government agencies and bureaus, academic organizations and training and courseware providers. Security+ founding organizations include Argonne National Laboratory, Ascendant Learning, Course Technology, Cybersmuggling Center – U.S. Customs, Element K, Entrust, the FBI, IBM/Tivoli Software, Information Systems Audit and Control Association (ISACA), Information Systems Security Association, Institute for Excellence in Information Technology, Intense School, Marcraft International, Microsoft, Motorola, New Horizons, NIST, Novell, Olympus Security, RSA Security, Sun Microsystems, Sybex, Tech Connect, U.S. Secret Service and VeriSign.
During the initial steps in the process, it was clear that the committee wanted to develop a certification validating that an individual had mastered the basics of security and was well prepared to pursue more advanced training and certification in that discipline. Founding organizations offering certifications wanted Security+ to mesh with their own programs as well as those of others. They wanted to create a progression of training and certification that will prepare the next generation of security practitioners—a clear and logical progression that fits the individual’s career objectives as well as the industry’s need for trained and certified people.
“When we began the Security+ development process, there were no global standards in place to evaluate a candidate’s foundation-level capabilities,” said Bill Boni, chief information security officer for Motorola and a Security+ committee member. “There were no standards for a security training curriculum at that level either. The goal of the CompTIA Security+ certification is to provide a benchmarking process. The certification says this person has demonstrated an aptitude, interest and ability to master certain fundamental core subjects that should be relevant to a security program, whether it’s for a small, medium-sized or global enterprise.”
The founding committee agreed that five broadly inclusive domains would meet its vendor-neutral foundation-level objective. The domains and their relative percentage of the exam are:
- General Security Concepts (30 percent), including access control, authentication, non-essential services and protocols, attacks, malicious code, social engineering and auditing.
- Communication Security (20 percent), including remote access, e-mail, Web, directory, file transfer and wireless.
- Infrastructure Security (20 percent), including devices, media, security topologies, intrusion detection and security baselines.
- Basics of Cryptography (15 percent), including algorithms, concepts of using cryptography, public key infrastructure (PKI), standards and protocols and key management/certificate lifecycle.
- Operational/Organizational Security (15 percent), including physical security, disaster recovery, business continuity, policy and procedures, privilege management, forensics, risk identification, education and documentation.
Following domain creation, 500 subject-matter experts and survey respondents from 26 countries helped to define in greater detail the job-task skills that show a mastery of foundation-level security knowledge in the areas noted above. Subject-matter experts participated in a job-task analysis workshop and wrote exam items, which were then evaluated through a beta exam. The results of the beta exam were also reviewed by subject-matter experts and folded into the final Security+ certification test, which went live in the fourth quarter of 2002.
Through intense effort, a certification development process that normally requires 18 to 24 months was accomplished in less than 12 months. Along with fast-track certification development, there was a parallel effort to develop quality courseware and prepare training organizations to offer Secur