Information security professionalism

Information security professionalism is the set of knowledge that people working in Information security and similar fields (Information Assurance and Computer security) should have and eventually demonstrate through certifications from well respected organizations. It also encompasses the education process required to accomplish different tasks in these fields.

Educational organizations

In 1989, Carnegie Mellon University established the Information Networking Institute, the United States' first research and education center devoted to information networking. The academic disciplines of computer security, information security and information assurance emerged along with numerous professional organizations during the later years of the 20th century and early years of the 21st century.

Entry into the field can be accomplished through self-study, college or university schooling in the field, or through week long focused training camps. Many colleges, universities and training companies offer many of their programs on-line.

In the United States, the National Security Agency (NSA) has partnered with other organizations to designate a number of colleges and universities as Centers of Academic Excellence in Information Assurance Education, CAE/IAE and Research, CAE/IAE-R. These institutions offer a wide range of undergraduate and graduate-level degree programs, both masters level and doctoral, in IA-related studies and discipline. The current list of designated centers is maintained by NSA.

The Master of Science in Information Assurance (MSIA) and Master of Science in Information Security and Assurance (MSISA) degrees are multidisciplinary degree programs offered by many leading institutions which combine theory with applied learning in order to prepare security practitioners to work in the field of information security.

There is a current and future need for information assurance professionals to support the security needs of the world's information infrastructure. Information Assurance has become a critical issue for businesses in the current era as they wrestle with the problems of external and internal network attack, cyberterrorism, access control systems and regulatory compliance requirements.

National Information Assurance Training and Education Center (NIATEC) is an American consortium of academic, industry, and government organizations to improve the literacy, awareness, training and education standards in Information assurance.

Organization certifications

NIATEC states:^[1]

ISO/IEC 17799

Comprises ten prime sections - Security Policy, System Access Control, Computer & Operations Management, System Development and Maintenance, Physical and Environmental Security, Compliance, Personnel Security, Security Organization, Asset Classification and Control, and Business Continuity Management (BCM)

BS 7799

BS 7799 (ISO/IEC 17799) is comprehensive in its coverage of security issues, containing a significant number of control requirements

Professional association and certification

In addition to traditional university degrees, the Information security (IS) and Information assurance (IA) fields boast an extensive set of technical and professional certifications, used to indicate specific training or experience in detailed IA or IS practices, at both the technical implementation and management level. An important aspect of these certifications is that, unlike university degrees, they are not lifetime credentials. Rather, each certification authority mandates recurring continuing education or re-testing in order to retain the credential. Further, the certification knowledge base is usually updated and renewed on a much faster schedule than is possible with university curricula. The IA and IS certification marketplace is crowded and rapidly changing.

NIATEC lists some prominent professional certifications:^[1]

(ISC)²

International Information Systems Security Certification Consortium - The premier organization dedicated to providing information security professionals and practitioners worldwide with the standard for professional certification. Among its certifications there are:

• Certified Information Systems Security Professional (CISSP) - Designed to recognize mastery of an international standard for information security and understanding of a Common Body of Knowledge (CBK). It is a mid- to senior-level information security certification.
• Information Systems Security Architecture Professional (ISSAP) advanced certification in information-security architecture,
• Information Systems Security Engineering Professional (ISSEP) advanced certification in information-security engineering,
• Information Systems Security Management Professional (ISSMP) advanced certification in information-security management,
• Systems Security Certified Practitioner (SSCP) - The seven domain covered by examination include - Access Controls, Administration, Audit and Monitoring, Risk, Response and Recovery, Cryptography, Data Communications, and Malicious Code/Malware

CompTIA

Computer Technology Industry Association - CompTIA certification programs are the recognized industry standards for foundation-level information technology (IT) skills. Security+ certification is an entry level security certification

SANS

GIAC (Global Information Assurance Certification) administered by the SANS Institute.- Certification address's a range of skill sets including entry level Information Security Officer and broad based Security Essentials, as well as advanced subject areas like Audit, Intrusion Detection, Incident Handling, Firewalls and Perimeter Protection, Forensics, Hacker Techniques, Windows and Unix Operating System Security. The GIAC-GSEC certification is an entry level security certification.

Other well known organizations dealing with security awareness and training are:^[2]

• ASIS International mainly focused on physical security
• Information Systems Audit and Control Association (ISACA) issues different professional certifciations
  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM) is an advanced certification in information-security management.
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Certified in Risk and Information Systems Control (CRISC)
• HTCIA is devoted to digital forensics for investigation of crimes. Members of HTCIA Inc. are made up of a professional body of investigators, prosecutors and security professionals.
• Information Systems Security Association (ISSA) maintains a list of third parties certification with a short description at https://www.issa.org/page/?p=Certifications_13
• InfraGard is a private non-profit organization serving as a public-private partnership between U.S. businesses and the Federal Bureau of Investigation. The organization describes itself as an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members. InfraGard states they are an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States.^[3]
• NAID National Association for Information Destruction http://naidonline.org.

Information Assurance practitioners supporting the US Department of Defense are required to hold selected security certifications in accordance with DoD Directive 8570.01-M.

EC-Council offers some certifications: among them Certified Ethical Hacker (CEH)

Membership of the Institute of Information Security Professionals (IISP) is gaining traction in the U.K. as the professional standard for Information Security Professionals.

Within the UK a recognised senior level information security certification is provided by CESG.

CLAS is the CESG Listed Advisor Scheme - a partnership linking the unique Information Assurance knowledge of CESG with the expertise and resources of the private sector.

CESG recognises that there is an increasing demand for authoritative Information assurance advice and guidance. This demand has come as a result of an increasing awareness of the threats and vulnerabilities that information systems are likely to face in an ever-changing world.

The Scheme aims to satisfy this demand by creating a pool of high quality consultants approved by CESG to provide Information Assurance advice to government departments and other organisations who provide vital services for the United Kingdom.

CLAS consultants are approved to provide Information Assurance advice on systems processing protectively marked information up to, and including, SECRET. Potential customers of the CLAS Scheme should also note that if the information is not protectively marked then they do not need to specify membership of CLAS in their invitations to tender, and may be challenged if equally competent non-scheme members are prevented from bidding.

The profession of information security has seen an increased demand for security professionals who are experienced in network security auditing, penetration testing, and digital forensics investigation. In addition, many smaller companies have cropped up as the result of this increased demand in information security training and consulting.

See also

Computer security portal

• Certification
• Computer security
• Cyberwar
• Information Assurance
• Information security
• Information technology
• ISACA
• ISO
• IT risk
• Penetration test

References

1. ^ ^{a b} National Information Assurance Training and Education Center Professional Certifications Summary
2. ^ Mallery, John. (2009) "1" Computer and Information Security Handbook Morgan Kaufmann Pubblications Elsevier Inc p. 9 ISBN 978-0-12-374354-1 
3. ^ "Infragard, Official Site". Infragard. http://www.infragard.net/. Retrieved 10 September 2010. 

External links

• Capella University – A Center of Academic Excellence in Information Assurance Education by the National Security Agency (NSA)
• Nebraska University Center for Information Assurance – a Center of Academic Excellence in Information Assurance Education by the National Security Agency (NSA)
• Norwich University Master of Science in Information Assurance - – a Center of Academic Excellence in Information Assurance Education by the National Security Agency (NSA)
• University of Maryland University College - A Center of Academic Excellence in Information Assurance Education by the National Security Agency (NSA)
• University of New Mexico Center for Information Assurance Research and Education
• Iowa State University Information Assurance Center – a charter NSA Center of Academic Excellence in Information Assurance
• University of Advancing Technology Master of Science of Information Assurance – a Center of Academic Excellence in Information Assurance Education by the National Security Agency (NSA)
• King Saud University – Center of Excellence in Information Assurance (CoEIA)
• University of Louisville Graduate Certificate in Network and Information Security
• Eastern Michigan University – a Center of Academic Excellence in Information Assurance Education by the National Security Agency (NSA) with undergraduate and graduate degrees
• DoD Instruction 8510.01 DoD Information Assurance Certification and Accreditation Process (DIACAP)

Related information