Associations certifications / accreditations

(ISC)² offers the following qualifications:

Certified Information Systems Security Professional (CISSP®)

The CISSP was the first credential in the field of information security, accredited by the ANSI/ISO Standard 17024:2003. It is not only an objective measure of excellence, but a globally recognized standard of achievement.

The CISSP credential demonstrates competence in the ten domains of the (ISC)²® CISSP CBK®: Access Control; Application Security; Business Continuity and Disaster Recovery Planning; Cryptography; Information Security and Risk Management; Legal, Regulations, Compliance and Investigations; Operations Security; Physical (Environmental) Security; Security Architecture and Design; Telecommunications and Network Security.

The CISSP credential is ideal for mid- and senior level managers who are working toward or have attained positions as CISOs, CSOs, or Senior Security Engineers. Certification is awarded to those individuals who have a minimum of five years of direct full-time security professional work experience in two or more of the ten domains of the (ISC)² CISSP CBK, adhere to the (ISC)² Code of Ethics, and pass the CISSP certification examination.

For more information, visit: www.isc2.org/cissp

Systems Security Certified Practitioner (SSCP®)

The Systems Security Certified Practitioner (SSCP) credential is for tacticians with an implementation orientation – the go-getters, the action oriented, hands-on problem solvers of the industry. SSCP credential holders implement the plans and policies designed, planned and managed by the CISO or CSO. (ISC)²® SSCP CBK® topics are as follows: Access Controls; Analysis and Monitoring; Cryptography; Malicious Code; Networks and Telecommunications; Risk, Response and Recovery; Security Operations and Administration.

People who have responsibility for application programming, system, network and database administration; business unit representatives and systems analysts; and other non-security disciplines that require an understanding of and have a corporate responsibility for securing information assets will benefit from the SSCP certification. SSCP candidates must subscribe to the (ISC)² Code of Ethics and have at least one year of cumulative work experience.

For more information, visit: www.isc2.org/sscp

CISSP® Concentrations

(ISC)² developed credentials that address the specific needs of CISSP credential holders who want to specialize in a particular field, mainly the architecture and management areas. The CISSP-ISSAP® and the CISSP-ISSMP® are the elite designations within the CISSP® certification.

The CISSP-ISSAP holder understands the technical limitations, the need to run security as a project, and that an effective security program requires careful planning, design, monitoring and implementation of technologies. The CISSP-ISSMP looks at a larger enterprise model of security and management. It contains more managerial elements such as project management, risk management, setting up and delivering a security awareness program and managing a Business Continuity Planning program.

For more information, visit: www.isc2.org/concentrations

British Computer Society offers the following qualifications:

Certificate in Information Security Management Principles (CISMP)

This qualification is designed to provide a base level of knowledge for individuals who are thinking of moving into a security or security-related function. It also offers the opportunity to those for whom security responsibility is already part of their day-to-day role, to enhance or refresh their knowledge.

More information about the CISMP can be found at www.bcs.org

Information Systems Audit and Control Association (ISACA) offers the following qualifications:

Certified Information Security Manager (CISM)

The CISM certification program is developed for experienced information security managers and those who have information security management responsibilities. It is for security professionals who manage, design, oversee and/or assess an enterprise’s information security. The CISM certification promotes international practices and provides executive management with assurance that those earning the designation have the required experience and knowledge to provide effective security management and consulting services.

More information about the CISM qualification can be found at www.isaca.org; London: http://www.isaca-london.org/

SANS Institute offers the following qualifications:

Global Information Assurance Certification (GIAC)

The SANS Institute founded GIAC in 1999 in response to the need to validate the skills of security professionals. SANS training and GIAC certifications address a range of skill sets including entry level Information Security Officer and broad based Security Essentials, as well as advanced subject areas like Audit, Intrusion Detection, Incident Handling, Firewalls and Perimeter Protection, Forensics, Hacker Techniques, Windows and Unix Operating System Security. GIAC is unique in measuring specific skill knowledge areas instead of general purpose security knowledge.

The GIAC certification program consists of:

  • Information Security KickStart
  • LevelOne Security Essentials
  • LevelTwo subject area modules

GIAC training and certification is presented in live training sessions at SANS conferences. Information Security KickStart, LevelOne Security Essentials, and an increasing selection of LevelTwo courses are also offered over the web with both online course books and (in most cases) audio tracks.

More information about SANS and GIAC can be found at www.sans.org and www.giac.org

Certified Information Systems Auditor™ (CISA®) Fact Sheet

www.isaca.org/cisa

Background

Since 1978, the CISA program has been a globally accepted standard of achievement among information systems (IS) audit, control and security professionals.

To earn the CISA designation, candidates are required to:

  • Successfully complete the CISA examination, which is offered twice annually in 11 languages and at more than 200 locations
  • Adhere to ISACA's Code of Professional Ethics and agree to comply with a continuing professional education policy
  • Submit evidence of a minimum of five years of professional IS auditing, control or security work experience
  • Adhere to the Information Systems Auditing Standards as adopted by ISACA

A 2006 survey of ISACA members revealed that 93 percent of CISAs value their certification, and 72 percent of CISAs believe that the CISA certification has helped advance their career.

More than 60,000 professionals have earned the CISA designation since inception. More than 25,000 candidates registered for the CISA examination in 2007. CISA retention each year consistently remains at 93-94 percent.

CISA in the News

  • A 2008 study by Foote Partners LLC called CISA one of the highest-paying tech certifications.
  • Certification Magazine's 2007 salary survey found that CISA was among the top five highest-paying certifications.
  • In 2006, Certification Magazine named CISA one of the top 10 specialty certifications and one of the top 10 vendor-neutral certifications, calling it "an extremely popular and well-recognized credential in the system audit arena."
  • "If you look at the CISA certification when it first came out, it was something that people thought it would just be nice to have. It's really evolved. It's a requirement for some employers in getting hired or promoted. I think it's become an independent benchmark. You'll see companies that will say, 'Our whole security staff has certifications.'" --Everett Johnson, international president of ISACA (Source: Certification Magazine)

CISA in the Workplace

  • More than 1,200 CISAs are employed in organizations as the CEO, CFO or equivalent executive position.
  • More than 2,200 serve as chief audit executives, audit partners or audit heads.
  • More than 3,200 serve as CIOs, CISOs, security directors, security managers or consultants.
  • More than 5,000 serve as audit directors, managers or consultants.
  • Nearly 9,300 are employed in managerial or consulting positions in IT operations or compliance.

CISA Recognition

  • CISA has earned accreditation from the American National Standards Institute (ANSI) under the International Standard ANSI/ISO/IEC 17024 for the past three years. This accreditation is a benchmark for global organizations that certify individuals worldwide.
  • A new law in California recognizes CISA as an approved certification to meet the requirements of the Electronic Recording Delivery System legislation.
  • The US Department of Defense includes CISA in its list of approved certifications for its information assurance professionals.
  • All assistant examiners employed by the US Federal Reserve Banks must pass the CISA examination before they are eligible for commissioning.
  • CISA is one of two certifications recognized by Washington, USA, to qualify an individual as a computer security professional.
  • The National Stock Exchange of India has recognized CISA as a requirement to conduct systems audits.
  • In Hong Kong, ISACA members who have held a CISA certification for at least four years have the right to vote for the city's legislative counselors, as representatives of the IT category among the functional constituencies.
  • CERT-IN, the Indian Computer Emergency Response Team, has recognized CISA as one of the requirements to be empaneled to conduct security audits.
  • In Romania, banks desiring to implement distance or electronic payment instruments, such as Internet bank and home banking, are required by law to be certified by CISA-holding auditors.
  • The State Bank of Pakistan began offering its employees who earned the CISA credential financial incentives: reimbursement of their examination fees and payment of a cash bonus.
  • In Hyderabad, India, the State Bank also conferred incentives, in the form of examination and maintenance fee reimbursement and a significant honorarium, to employees earning and retaining the CISA.

Certified Information Security Manager® (CISM®) Fact Sheet

www.isaca.org/cism

Background

Designed for experienced information security managers, the CISM designation is a groundbreaking credential earned by more than 9,000 professionals since it was established in 2002.

To earn the CISM designation, candidates are required to:

  • Successfully pass the CISM examination, which is offered twice annually in three languages
  • Adhere to ISACA's Code of Professional Ethics and agree to comply with a continuing professional education policy
  • Submit proof of five years of work experience in the field of information security, with at least three years in the role of information security manager

More than 4,000 candidates registered for the CISM examination in 2007. CISM retention each year consistently remains at 93-94 percent. A 2006 survey of ISACA members revealed that 92 percent of CISMs value their certification.

CISM Recognition

  • A 2008 study by Foote Partners LLC named CISM one of the highest-paying IT certifications.
  • CISM has earned accreditation from the American National Standards Institute (ANSI) under the International Standard ANSI/ISO/IEC 17024 for the past three years. This accreditation is a benchmark for global organizations that certify individuals worldwide.
  • SC Magazine selected CISM as a finalist for its 2008 Awards in the "Best Professional Certification Program" category. CISM was chosen as a finalist by a panel of 18 chief information security officers (CISOs) at major corporations and large public-sector organizations.
  • A November 2006 Certification Magazine article named CISM one of the top 10 vendor-neutral credentials, giving it "high marks" for a "fair and balanced approach to tools, technologies, policies, principles and practices."
  • "Information security governance is another focus area for organisations. This ensures that the efforts and direction of information security programmes are in line with the business goals of the organization. To this end, it is worth considering the CISM certificate from the Information Systems Audit and Control Association (ISACA)." Source: Avinash Kadam, Computer Weekly, 16 May 2006
  • The US Department of Defense includes the CISM certification in the list of approved certifications for its information assurance professionals.
  • "CISM is designed for security professionals who manage, design, oversee and assess their enterprises' information security systems. This certification does a good job of tying security practices and business practices together." Source: Certification Magazine, November 2005
  • "The CISSP certification long ago made the gold standard, but infosec execs are now wisely adding the new CISM certification. Why the push? The advanced-level CISM better addresses the interdependency between business needs and IT security by focusing on risk management and security organizational issues. Who's needed? Three-quarters of pros who have earned CISM have CISSP or CISA. Over half of 2005 CISM exam takers have one or both."
  • "We look at what's important to firms, and [CISM] matches perfectly," David Foote, president and chief research officer of Foote Partners LLC, says in the 9 November 2004 edition of SC Magazine.

CISM in the Workplace

  • More than 800 CISMs serve as CEOs, CIOs, CISOs, CTOs, CSOs or security directors.
  • More than 4,000 CISMs serve as an IS/IT director, manager or consultant in information security or in a related information security position.

Certified in the Governance of Enterprise IT (CGEIT) Fact Sheet

www.isaca.org/cgeit

Background

Introduced in 2007, the CGEIT designation is the third certification offered by ISACA. Designed for professionals who manage, provide advisory and/or assurance services and/or who otherwise support the governance of an enterprise's IT and who wish to be recognized for their IT governance-related experience and knowledge, CGEIT is based on the IT Governance Institute's (ITGI's) intellectual property and the input of subject matter experts around the world.

CGEIT focuses on:

  • IT governance frameworks
  • Strategic alignment
  • Resource management
  • Risk management
  • Performance measurement
  • Value delivery

To earn the CGEIT designation, candidates are required to:

  • Prove at least five years of experience supporting the governance of an enterprise's information technology. This experience can be achieved entirely through IT governance experience, or through a combination of IT governance experience and management experience.
  • Pass the CGEIT exam
  • Adhere to the ISACA Code of Professional Ethics
  • Agree to comply with the CGEIT Continuing Education Policy

The first CGEIT exam will be administered in December 2008. A grandfathering program, through which professionals who are highly experienced in the governance of IT can apply for the CGEIT certification without taking the exam, is available. More information can be viewed at www.isaca.org/cgeit and the grandfathering application can be found at www.isaca.org/cgeitgfapp.

In the News

"'[The CGEIT certification] sets the path towards building the competency in IT governance,' says [Bob] Frelinger, adding that professionals in finance and other fields may also seek CGEIT certification. 'We're hoping it's not just for IT folks. Certainly there is a big business contribution to IT in an organization.'" Source: "New Certification Seeks Governance Excellence," ITWorldCanada.com, 24 August 2007

© 2008 Reed Exhibitions

Infosecurity Adviser is produced by Reed Exhibitions with thanks to Tangent Labs