Enterprises certified secure - Secured View - Network Magazine India Page 1 of 3
Issue of October 2003
Enterprises certified secure
A look at why your enterprise needs personnel with security certifications to conduct business better. By Avinash W. Kadam
Information security is a relatively young discipline. People attracted to this branch of IT usually have some background in networking, system administration or programming, and a curiosity about the twilight world of hackers. They want to understand how information security is breached and, being honest people, do not want to become hackers themselves. They prefer to become security professionals.
But there are no university courses in India for security professionals. Not even the B.Tech Computer Science course includes a paper on information security. In such a scenario, how does one become an information security professional?
A similar dilemma is faced by organizations that want to employ information security professionals. Should they employ reformed hackers or self-taught security experts? How can they be sure of the competence level of the persons they are employing?
Answers to these questions are provided by a number of reputed organizations offering specific certifications. In this article, we take an overview of the major security certifications on offer. In subsequent articles, I will cover each certification in more detail.
Security certification associations have a few characteristics in common. They should:
Be non-profit oriented
Define a common body of knowledge
Look for experienced professionals
Require references from other certified professionals
Charge examination fees and annual membership fees
Track Continued Professional Education (CPE) hours
Follow an established code of ethics
Some of the characteristics are discussed in detail:
Common body of knowledge: A profession must have a common body of knowledge to be recognised as a distinct discipline. A common body of knowledge elaborates the areas of knowledge the professional must be
Requirement of experience: Most professional organizations require up to five years of experience before admitting a new entrant. This experience need not be complete before taking the examination; it may be accumulated before or after passing it. Some organizations replace this clause by insisting on a research paper, written by the applicant and based on his or her experience.
An examination: An examination usually consists of 150 to 250 multiple-choice questions. The duration of the examination varies between four and six hours. Most exams are paper-based, with some offered online. Pass marks for these exams are between 70 and 75 percent.
Reference from other certified professionals: This is to reduce the risk of unsuitable or undesirable
persons becoming certified professionals.
Examination fees and annual membership fees: Even a 'not for profit' organization requires money to run. Examination fees for most organizations are around $450 and the annual membership fees are around $50.
Continued Professional Education (CPE) hours: To maintain professional status it is important to keep abreast of the latest developments in the profession. This education entails activities like attending professional courses and technical seminars, giving lectures, and writing articles. Most organizations expect members to clock 40 hours of CPE every year.
Code of ethics: Every association follows a code of ethics for its members. This code is based on
venerated principles of honesty, integrity, and high professional conduct. Disciplinary action is taken
against those found guilty of breaching this code.
Benefits of Membership
Membership of these organizations provides a large source of up-to-date information about the
profession. Members are provided access to the members' only areas on the website. Some
organizations publish journals and newsletters.
Members get opportunities to work on various boards and committees engaged in improving the working of the organization. They may participate in the creation of examination questions, write articles for the journal, undertake research work, and raise their profile among their peers.
Major Security Certifications
CISA (Certified Information Systems Auditor): Strictly speaking, this is not a security certification, but it is probably the oldest and most respected certification in the area of information systems audit. It covers all aspects of information systems, from whether the information system meets business objectives to how the information systems are managed and monitored.
The Information Systems Audit and Control Association (ISACA) offers this certificate. Their Website is
CISSP (Certified Information Systems Security Professional)
This is a very focused certificate specifically meant for information security professionals. It covers all aspects of information security: physical, logical, technical, procedural, legal, and managerial.
The common body of knowledge covers all the areas of information security described in the
information security standard BS 7799. No wonder, CISSPs are in great demand for employment as
Information Security Officers.
The International Information Systems Security Certification Consortium (ISC2) offers this certificate. Their website is www.isc2.org.
GSEC: Global Information Assurance Certification (GIAC) for Security Essentials
This is given by the SANS (SysAdmin, Audit, Network, Security) Institute. This certificate is more