Two New Security Certifications for 2008


Two new certifications have recently been announced, and it is likely that their respective acronyms will soon find their way onto the resumes of information security professionals.

ISACA recently announced the creation of CGEIT (Certified in the Governance of Enterprise IT) certification, as did SCIPP with their SCIPP security certification.

Security certifications are valuable commodities to employers, who are demanding qualified information security staff. Many view certified candidates as having an advantage over others. Job seekers pursue certifications for numerous reasons, one of which is that certification offers a career differentiator, giving them enhanced credibility and marketability.

CGEIT is meant to lessen the gap that exists between security and audit groups and their counterparts in management and in the boardroom. For too long, information security staff has been far too technical, speaking to management in a language they do not understand or want to hear. Executive management does not really care about encryption key length or which brand of firewall is being used. They want to know the business they run is compliant with required standards and regulations.

Governance has long existed in the corporate world, and CGEIT certification is about ensuring that it transcends to the world of IT.

Publicly announced in November 2007, CGEIT is in no way meant to be an introductory certification. ISACA developed it for professionals who have extensive experience in management, advisory or assurance roles relating to the governance of IT. ISACA states that the certification is intended to support the growing business demands related to IT governance; increase the awareness and importance of IT governance good practices and issues; and define the roles and responsibilities of the professionals performing IT governance work.

Requirements for CGEIT Certification
Earning the CGEIT certification is a four-step process. The first step is to pass the CGEIT examination, which will first be offered in December 2008. Next, as with the (ISC)2 CISSP certification, ISACA requires an individual to adhere to the ISACA Code of Professional Ethics and to agree to comply with the CGEIT Continuing Education Policy.

Finally, candidates must provide ISACA with evidence that they have five or more years of experience managing, serving in an advisory or oversight role or otherwise supporting the governance of the IT-related contribution to an enterprise. This work experience can be in any of the following six practice domains as defined by ISACA: IT governance framework, strategic alignment, value delivery, risk management, resource management and performance measurement.

Within the five-year requirement, ISACA allows a substitution of up to two years for those with other management experience or specific certifications or degrees.

For those who do not want to wait to achieve CGEIT certification, ISACA is offering CGEIT certification to experienced professionals under a grandfathering clause. Until October 2008, ISACA is allowing experienced professionals who have had a significant management, advisory or assurance role relating to the governance of IT to apply for certification as a CGEIT without being required to pass the CGEIT examination.

To earn the CGEIT designation during this period, one is required to do everything a normal candidate does (submit evidence of appropriate work, agree to adhere to the ISACA Code of Professional Ethics and agree to comply with the CGEIT Continuing Professional Education Policy), and pay the application fee, which ranges between $595 and $725.

While certifications such as CISSP, GIAC, CISM and others are for the information security elite, the newly formed SCIPP organization is not targeting the security elite but rather the tens of millions of end users, who are often oblivious to security and privacy issues. SCIPP targets everyone from remote telecommuters to partners, vendors and consultants.

SCIPP International is a new nonprofit security organization that was recently formed by noted security professional and author Winn Schwartau. SCIPP is built around security training and awareness, and its certification program is not made for experienced security professionals only, but rather for just about anyone who touches a computer.

SCIPP is focusing on the end-user base because a majority of computer security breaches stem from basic user errors. SCIPP feels that it makes the most sense to train the most significant potential weak link in the information system security chain, that being the end user.

On the policy side, the organization is developing SCIPP Generally Accepted Practices (SCIPP GAP), a common body of knowledge of security awareness best practices to be used to expand the role and influence of security awareness training and certificate programs for end users. Like the CISSP CBK (Common Body of Knowledge), SCIPP GAP contains 10 practice areas, including security event reporting, password procedures, corporate policies, compliance and more. SCIPP GAP will face hurdles, as the industry is lined with similar initiatives that have crashed and burned. A similar recent initiative, GAISP (Generally Accepted Information Security Principles), of which this author was a co-chairman, was recently terminated by the ISSA.

SCIPP will be offering a certificate of security awareness in a number of programs, namely SCIPP-CE, for corporate employees; SCIPP-CC, for corporate entities; SCIPP-GE, for government employees; SCIPP-GC, for government entities; SCIPP-SE, for self-employed professionals; and SCIPP-ED, for educators.

Each SCIPP security awareness training and certificate program consists of three parts: optional pre-assessment metrics, with ROI and improvement measurement statistics; a self-paced three-chapter online course; and a 25-question multiple choice post-assessment.

Upon successful completion, the candidate is awarded a SCIPP certificate of security awareness. SCIPP certificates are valid for one year from the date of successfully completing the awareness course and passing the post-assessment.

One unique aspect of SCIPP is its organizational certification. As part of the process, SCIPP International monitors an organization's security awareness course and its post-assessment progress. SCIPP offers organizational certification dependent on the percentage of end users who participate in the annual SCIPP course and pass the post-assessment. The levels are: Master, 90 percent; Level 4, 75 percent; Level 3, 50 percent; Level 2, 25 percent; Level 1, 10 percent.

Information security certification plays an important and ever-increasing role in the success of security professionals. The benefits certification offers are significant, and a resume that lacks a certification is often viewed with suspicion. It is likely that in a matter of time, CGEIT and SCIPP will appear on more and more information security candidates' resumes.

Ben Rothke, CISSP, CISM, PCI QSA, is a senior security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know. He can be reached at editor (at) certmag (dot) com.
