Security certs won’t guarantee employment but they can help you establish your credentials.
Become the Consummate Certified Security Professional
Security certs won’t guarantee employment but they can help you establish your credentials.
- By Roberta Bragg
- September 01, 1999
Reputation a bit tarnished because some bright college
student in your company passed the MCSE exams but doesn’t
know the difference between a nose ring and a token ring?
You don’t have to sit back and take it. If we want to
differentiate ourselves, if we want respect and—let’s
not kid ourselves—if we want more money, we have to do
more than rest on our current credentials. We must add
experience, dedication, and hard work to our résumé.
In this month’s column, I’ll show you ways to establish
your credentials as an information systems security professional.
As in any specialty, what’s more important than certification
is real-world ability and a strong grounding in a broad
range of information. In the information security realm
there are certifications available that tend to articulate
that.
Product vs. Industry
The information systems security arena offers two main
types of certification: product and industry.
Product certifications tell someone you’ve studied a
particular product and learned enough to pass an exam
provided by its manufacturer. They don’t necessarily speak
to your suitability for a particular job in the industry.
They don’t even tell anyone that you can keep that product
up and running. Some of these certifications tend to be
directed toward partners (read: “sales outlets”) of the
companies that sponsor them. The certification process
hasn’t reached the furor or ubiquity of the MCSE. (You
probably won’t find people who purchase thousands of dollars’
worth of equipment and security software just so they
can pass an exam on a single product, in hopes that they’ll
be employed.) If you work for a partner or use these security
products, see if you qualify to take the certification
exam. It’s probably not going to land you another job,
but it can’t hurt.
Industry certifications tend to be a bit broader. They’re
usually driven by a need to acknowledge the mastering
of a commonly recognized body of knowledge in a particular
field. An industry certification in networking, for example,
wouldn’t stress products but rather classes of products
and concepts. Industry certifications are usually promoted
by an independent organization dedicated to the promotion
of a body of knowledge. Some association or the like is
formed to manage the exam—its questions, format, length,
and so on. While the industry supports the organization,
it’s also supported by companies that employ the certified
individuals, and by the individuals themselves. For examples,
just look at the certification process behind the initials
M.D. Consider what nurses, accountants, or lawyers must
go through before they’re allowed to practice their trade
and craft.
Industry certification emphasizes experience before examination
and also requires continuing education. Product certification
requires extensive product knowledge but doesn’t specify
where it comes from. Exams on new versions of the product
give you new certifications.
Security Product Certifications
You can become a Checkpoint Certified Security Administrator
(CCSA). A CCSA understands FireWall-1 and can install
and set up simple configurations. To certify, attend Checkpoint’s
“Introduction to FireWall-1 Management” class and pass
the exam. You should also have working knowledge of Unix
or Windows, network technology, Internet communications,
and TCP/IP. Certification comes with free access to Checkpoint
technical support staff (three incidents) and a copy of
SecureNet, a technical reference CD.
Once you’ve obtained CCSA, for more validity go for CheckPoint
Certified Security Engineer (CCSE), intended for engineers
who manage multiple FireWall-1 systems. You’re expected
to attend the class, “Advanced FireWall-1 Management.”
Here you learn how to implement sophisticated security
requirements for enterprise networking. Pass the exam
and gain five support incidents and a one-year subscription
to SecureNet.
Certification exams exist for other CheckPoint products,
specifically, FloodGate and Meta IP. Certified professionals
are expected to keep up with exams on new product releases
or they’ll be considered retired professionals.
Learn more at www.checkpoint.com/services/education/certification/index.html.
Network Associates (www.nai.com/naicommon/partners/resources/training-exams.asp)
offers the Network Associates Certified Professional (NCP)
certification in NAI products for partners. Certification
requires the completion of a Partner Services course and
testing via Sylvan Prometrics. Products covered include
PGP, Gauntlet NT, and CyberCop.
Industry Certifications
An information systems security Common Body of Knowledge
or CBK forms the basis for the International Information
Systems Security Certification Consortium, or ISC2 (www.isc2.org).
This exam was developed using a professional testing service—no
quickie exam process here. To become a Certified Information
Systems Security Professional (CISSP), you must meet pre-requisites
and pass the exam. You get six hours to complete 250 multiple-choice
questions over 10 test domains from the CBK. These domains
are:
- Access Control Systems & Methodology
- Computer Operations Security
- Cryptography
- Application & Systems Development
- Business Continuity & Disaster Recovery Planning
- Telecommunications & Network Security
- Security Architecture & Models
- Physical Security
- Security Management Practices
- Law, Investigations & Ethics
Before you can sit the exam, you must subscribe to the
ISC2 Code of Ethics and have three years of direct work
experience in one or more of the 10 test domains. Examples
of qualifying individuals are IS auditors, consultants,
vendors, investigators, and instructors who require IS
security knowledge and the direct application of that
knowledge. The exam fee is $395 and exams are held at
international locations periodically throughout the year.
Recertification is required every three years. It’s obtained
by earning 120 Continuing Professional Education credits.
The Information Systems Audit and Control Association
(www.isaca.org/cert1.htm)
sponsors the Certified Information Systems Auditor certification,
which has been in existence since 1978. This designation
is often sought by IS audit, control, and/or security
professionals.
To obtain certification, individuals must:
- Pass the CISA exam.
- Adhere to the ISACA’s Code of Professional Ethics.
- Submit evidence of five years of professional information
systems auditing, control, or security work experience.
The four-hour exam consists of 200 multiple-choice questions,
and it’s offered only in June. The exam is comprehensive,
covering auditing standards and practices; security and
control practices; IS strategies, polices, procedures,
and management practices; IS hardware and software platforms;
network and telecommunications; and data validation, development,
acquisition, and maintenance. To get a taste, try the
25-question sampler at www.isaca.org/examsamp.htm.
Maintaining certification requires continuing education
hours and fees.
A third type of certification may be offered by a training
association. An example of this is Certified Internet
Webmaster. Not quite a product certification and not quite
an industry association certification, the Certified Internet
Webmaster program (administered by Prosoft Training at
http://www.ciwcertified.com/certifications/mcasp.asp?comm=home&llm=3)
offers a Security Professional track. This certification
consists of taking a number of classes and passing exams
administered by Sylvan Prometric.
The track identifies a security professional as one who
implements security policy, identifies security threats,
develops countermeasures using firewall systems and attack-recognition
technologies, and is responsible for managing the deployment
of e-business transaction solutions and payment security
solutions.
To obtain the certification, students must pass a foundations
exam, internetworking professional exam, and the security
professional exam. Eight days of security-related Prosoft
courses or equivalent experience is recommended before
taking the security exam.
Broader is Better
In the real world, knowledge and ability should always
count more than paper titles—but sometimes you need to
have both. As professionals, we should seek those certifications
that reflect our real abilities. One way to do this is
to look for certifications that emphasize a broad industry
knowledge and that hold industry experience as prerequisites.