Abstract
This research is based on the requirements placed on an individual interested in information security, as stipulated by the International Information Systems Security Certification Consortium, (ISC)2.
The requirements focus on the major domains that must be covered to complete each certification. The certifications discussed in this text are: Certified Information Systems Security Professional (CISSP), Systems Security Certified Practitioner (SSCP), Information Systems Security Architecture Professional (ISSAP), Information Systems Security Engineering Professional (ISSEP), and GIAC Security Essentials Certification (GSEC).
In summation, this research is essential for both professionals and non-professionals interested in Information Security.
Introduction
Information security is the process of protecting the availability, privacy and integrity of information from unauthorized access or modification. A tremendous increase in technological advancement in the corporate world has led many companies to store business and individual information in computer databases. Most of this stored information is processed and transmitted across networks to other computers. Should this confidential information fall into the wrong hands, it could lead to lost business, identity theft, lawsuits or even bankruptcy of the business. Thus, protecting confidential information is a business requirement and, in many cases, also an ethical and legal requirement.
Over time, information security has evolved significantly and has become even more important in recent years. From a career perspective, there are now more areas in which a professional can work within the field. Some of the specialty areas within information security include: Network Security, Application and Database Security, Security Testing, Information Systems Auditing, Digital Forensics Science and Business Continuity Planning, among others.
Professionalism
Entry into the field of information security can be accomplished through self-study, college or university schooling in the field, or through week-long focused training camps. Many colleges, universities and training companies offer many of their programs online.
The International Information Systems Security Certification Consortium, also known as (ISC)2, is a global, not-for-profit leader in educating and certifying information security professionals. The (ISC)2 is recognized worldwide for their gold standard certifications and high quality education programs. The (ISC)2 provides career services, education products, and certification credentials to information technology security professionals in more than 135 countries.
The mission of (ISC)2 is stated as: "We make society safer by improving productivity, efficiency and resilience of information-dependent economies through information security education and certification."
(ISC)2 develops and maintains its Common Body of Knowledge (CBK) on information security topics. This body of knowledge defines global industry standards and serves as a common framework of terms and principles. In this way, (ISC)2 allows professionals worldwide to discuss, debate, and resolve matters pertaining to the field. Subject matter experts continually review and update the CBK.
The (ISC)2 certifications are in high demand among both individuals and employers for the seamless safety and protection of information and infrastructures. The certifications under study in this research and currently offered by (ISC)2 include:
- Systems Security Certified Practitioner (SSCP®)
- Certified Information Systems Security Professional (CISSP®)
- Information Systems Security Architecture Professional (CISSP-ISSAP®)
- Information Systems Security Engineering Professional (CISSP-ISSEP®)
CISSP - Certified Information Systems Security Professional
The CISSP is a credential for professionals who develop policies and procedures in information security. It was the first credential in the field of information security to be accredited by the American National Standards Institute (ANSI) to International Organization for Standardization (ISO) Standard 17024:2003. This certification is not only an objective measure of excellence, but also a globally recognized standard of achievement.
The CISSP credential is ideal for mid-level and senior-level managers who are working toward, or have already attained, positions such as CISO, CSO or Senior Security Engineer.
The credential is valid for only three years, after which it must be renewed either by re-taking the exam or by reporting at least 120 Continuing Professional Education (CPE) credits earned since the previous renewal.
To take the CISSP examination, a candidate must meet the following requirements:
- Have a minimum of five years of direct full-time security professional work experience in two or more of the ten domains of the (ISC)2 CISSP CBK, or four years of direct full-time security professional work experience in two or more of the ten domains of the CISSP CBK together with a college degree. Alternatively, a one-year waiver of the professional experience requirement is granted for holding an additional credential on the (ISC)2 approved list.
  The ten domains of the (ISC)² CISSP CBK are:
  - Access Control – policies, standards and procedures that define who users are, what they can do, which resources they can access, and what operations they can perform on a system.
  - Application Development Security – software-based controls, the development life cycle and its principles.
  - Business Continuity and Disaster Recovery Planning – response and recovery plans and restoration activities.
  - Cryptography – basic concepts and algorithms, signatures and cryptanalysis.
  - Information Security Governance and Risk Management – policies, standards, guidelines and procedures; risk management practices; planning and organization.
  - Legal, Regulations, Investigations and Compliance – major legal systems, common and civil law, and regulations regarding law and information security.
  - Operations Security – media, backups and change control management.
  - Physical (Environmental) Security – layered physical defense and entry points, including site location principles.
  - Security Architecture and Design – principles and benefits, trusted systems and the trusted computing base, and system and enterprise architecture.
  - Telecommunications and Network Security – network security concepts and risks, business goals and network security.
- Complete the Candidate Agreement, attesting to the truth of his or her assertions regarding professional experience and legally committing to adhere to the (ISC)2 Code of Ethics.
- Successfully answer four questions regarding criminal history and related background.
SSCP - Systems Security Certified Practitioner
Systems Security Certified Practitioner (SSCP) is a vendor-neutral Information Security certification governed by the (ISC)2. SSCP is designed for the hands-on practitioner who implements the plans and policies designed by information security managers, CISOs, CSOs or equivalent.
The main goal of the SSCP is to validate mastery of the technical implementation side of information security systems and the ability to collaborate with those who write policy. It is ideal for those working toward positions such as Network Security Engineer, Security Systems Analyst, or Security Administrator. It is also well suited to personnel in many non-security disciplines who require an understanding of security but do not have information security as a primary part of their job description. This large and growing group includes information systems auditors; application programmers; system, network and database administrators; business unit representatives; and systems analysts.
SSCP candidates must meet the following requirements prior to taking the SSCP examination:
- Subscribe to the (ISC)2 Code of Ethics.
- Have at least one year of cumulative work experience in one or more of the seven domains in information security.
The seven domains of the (ISC)² SSCP include:
- Access Controls – policies, standards and procedures that define who users are, what they can do, which resources they can access, and what operations they can perform on a system.
- Cryptography – the protection of information using techniques that ensure its integrity, confidentiality, authenticity and non-repudiation, and the recovery of encrypted information in its original form.
- Malicious Code and Activity – countermeasures and prevention techniques for dealing with viruses, worms, logic bombs, Trojan horses and other related forms of intentionally created deviant code.
- Monitoring and Analysis – determining system implementation and access in accordance with defined IT criteria; collecting information for identification of and response to security breaches or events.
- Networks and Communications – the network structure, transmission methods and techniques, transport formats and security measures used to operate both private and public communication networks.
- Risk, Response and Recovery – the review, analysis and implementation processes essential to the identification, measurement and control of loss associated with uncertain events.
- Security Operations and Administration – identification of information assets and documentation of policies, standards, procedures and guidelines that ensure confidentiality, integrity and availability.
Information Systems Security Architecture Professional (ISSAP)
Information Systems Security Architecture Professional is an independent information security certification concentration of the CISSP governed by the (ISC)2.
This concentration requires a candidate to demonstrate two years of professional experience in the area of architecture and is an appropriate credential for Chief Security Architects and Analysts, who typically work as independent consultants or in similar capacities. The architect plays a key role within the information security department, with responsibilities that functionally sit between the C-suite and upper managerial level on one side and the implementation of the security program on the other. He or she would generally develop, design, or analyze the overall security plan. Although this role is typically tied closely to technology, this is not necessarily the case; the role is fundamentally the consultative and analytical process of information security.
According to the (ISC)2 Information Systems Security Architecture Professional (ISSAP) Candidate Information Bulletin, candidates for the ISSAP must meet the following requirements:
- Be a CISSP in good standing
- Demonstrate two years of professional experience in systems security architecture
- Maintain the ISSAP credential in addition to the underlying CISSP
- Adhere to the (ISC)2 Code of Ethics.
The six major domains of the CBK covered by CISSP-ISSAP certification are:
- Access Control Systems and Methodology – details the critical requirements to establish adequate and effective access control restrictions for an organization. Access control protects systems, data, physical infrastructure and personnel in order to maintain their integrity, availability and confidentiality.
- Communications & Network Security – addresses the security concerns related to the critical role of telecommunications and networks in today’s distributed computing environments. The security professional understands the risks to communications networks across data, voice and multimedia.
- Cryptography - requires the security professional to understand cryptographic methodologies and the use of cryptography to protect an organization’s data storage and communications from compromise and misuse.
- Security Architecture Analysis – requires the evaluation and choice of different architectures, and an understanding of the risks associated with each type of design.
- Technology Related Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP) – involves the identification of adverse events that could threaten the ability of the organization to continue normal operations. Once these are identified, the security professional implements countermeasures to reduce the risk of such incidents recurring.
- Physical Security Considerations - recognizes the importance of physical security and personnel controls in a complete information systems security model.
Information Systems Security Engineering Professional (ISSEP)
This concentration was developed in conjunction with the U.S. National Security Agency (NSA), providing an invaluable tool for any systems security engineering professional. CISSP-ISSEP is the guide for incorporating security into projects, applications, business processes, and all information systems. Security professionals are hungry for workable methodologies and best practices that can be used to integrate security into all facets of business operations. The SSE model taught in the IATF portion of the course is a guiding light in the field of information security and in the incorporation of security into all information systems.
Candidates for the ISSEP must meet the following requirements:
- Adhere to the (ISC)2 Code of Ethics
- Be a CISSP in good standing
- Pass the ISSEP exam
The four major domains of the CBK covered by CISSP-ISSEP certification are:
- Systems Security Engineering - employs Information Assurance Technical Framework (IATF) processes to discover users’ information protection needs and design systems that will effectively and efficiently address those needs. It also covers concepts of defense in depth, risk assessment, and the systems lifecycle.
- Certification and Accreditation (C&A) - identifies, understands, and implements the Certification and Accreditation (C&A) processes.
- Technical Management - describes system development models and relates security tasks to these models.
- U.S. Government Information Assurance (IA) Governance (e.g., laws, regulations, policies, guidelines, standards) - identifies, understands and applies the practices as defined by the United States Government Information Assurance regulations.
GIAC Security Essentials Certification (GSEC)
GSEC (GIAC Security Essentials Certification) from the SANS Institute targets security professionals who want to demonstrate that they are qualified for hands-on IT systems roles with respect to security tasks. Candidates are required to demonstrate an understanding of information security beyond simple terminology and concepts.
GSEC devotes nearly one third of its focus to testing the skills people need to secure the most common and most important operating systems, so it tests knowledge that professionals can put to work immediately in their jobs. It is therefore more focused on what security professionals actually have to do, and goes deeper into technical concepts.
The primary goal of the program is to address the need to validate the skills of security professionals and developers. GIAC certification provides assurance that a certified individual meets a minimum level of ability and possesses the skills necessary to do the job. The standards for GIAC certification were developed using the highest benchmarks in the industry.
Before a person can attempt the GSE, they must successfully complete three GIAC certifications (GSEC, GCIA and GCIH), with GIAC Gold in at least two. In addition, candidates must have real-world, hands-on experience in these subject areas. The GSE hands-on examination ensures that each candidate has a high degree of competence in each of the objectives listed below.
GIAC reserves the right to request that candidates who are unsuccessful by a slim margin in one domain of the GSE lab complete additional work outside of the GSE lab before any credential is awarded. GIAC also reserves the right to require any candidate to retake the entire lab.
The five domains of the GSE Certification are:
- IDS and Traffic Analysis
- Incident Handling
- ITSEC
- Security Technologies
- Soft Skills
GIAC certifications cover five IT security job disciplines:
- Security Administration
- Security Management
- Forensics
- IT Audit
- Software Security
References
(ISC)², Inc. Certification Programs. 1996-2010. Accessed 6 December 2010. <https://www.isc2.org/credentials/default.aspx>
The SANS Institute. GIAC - Global Information Assurance Certification. 2000-2010. Accessed 6 December 2010. <http://www.giac.org/>