Information security is increasingly becoming a critical business function and in many organisations is represented at senior management and director level. There are a number of certification programmes available to those aspiring to reach the higher echelons of the information security profession.
The certification schemes available recognise higher level technical or managerial skills. The most general programme is theCISSP award. Others such as CISM and CISA address the requirments of security managers and auditors. In the technical domain, the most rigorous programme is the GIAC award. The CISSP programme is the most well established.
The professional certification schemes are administered by a handful of industry bodies and tend to be viewed as largely complementary to each other. In January 2006, the Institute for Information Security Professionals (IISP) launched with a mission to offer a unified standardisation effort. The IISP is intended to support a simple and consistent framework of training and certifcation, working close co-operation with the existing standards bodies.
The qualification of Certified Information Systems Security Professional (CISSP) was created in 1989. It was established by the US-based International Information Systems Security Certification Consortium (ISC)2. It is the most popular and well known security certification. The CISSP study programme gives a broad overview of information security. Certificationis by way of a multiple choice examination that covers 10 subject areas, including 'Cryptology', 'Law, Investigation and Ethics'.
The Certified Information Security Manager (CISM) programme is intended to recognise those with the technical and managerial abilities to oversee an enterprise wide information security system. Individuals in such a role require an understanding of business goals and IT strategies, as well as the ability to define sensible security policies, acceptable usage policies for the use of email and Internet, and the configuration of the organisations firewall.
The CISM certification is for the individual who manages, designs, oversees and/or assesses an enterprise’s information security (IS). The CISMcertification promotes international practices and provides executive management with assurance that those earning the designation have the required experience and knowledge to provide effective security management and consulting services.
The CISM certification is administered by the US based Information Systems Audit and Control Association (ISACA). More information can be found at www.isaca.org.
The Certified Information Systems Auditor (CISA) is recognised as the standard of achievement for those who audit, control, monitor and assess an organization’s information technology and business systems.
With a growing demand for professionals possessing IS audit, and control skills, CISA has become a preferred certification program by individuals and organizations around the world. CISA certification signifies commitment to serving an organisation and the IS audit, control industry.
More information can be found at www.isaca.org.
The Global Information Assurance Certification (GIAC) was founded in 1999. The programme operates in conjunction with training courses from the SANS institute. It addresses the skills required by technical specialists. The programme includes Intrusion Detection, Incident Handling, Firewalls and Perimeter Protection, Forensics and Hacker Techniques.
The exams have to be re-taken every two to four years, depending upon the type of certification. More information can be found at www.giac.org.