Certifications for IT Security Professionals

This page is Part 1 of a series on certifications for IT security professionals. Page 2

Related:

Site Map  
About this site  

Benefit to Organizations

Computer Security is becoming more important than ever.   Customers using eCommerce want to be sure that their online transactions will be secure. Corporations want to be sure that their company assets are protected from unauthorized access and other vulnerabilities The internet has become part of terrorism's battleground.

$42 The Information Security Management Handbook by Hal Tipton. (Auerbach Publications, annual series)

Info Security magazine October 2001 article about security certifications

Vendor-neutral certifications for IT security professionals

Most computer certifications inevitably contain questions relating to security. However, these 15 organizations offer certification exams which focus exclusively on ensuring the security of computers:

Type of Certification	Certifying Body
Vendor neutral	• Brainbench • ASIS (American Society for Industrial Security) • CompTIA (Computing Technology Industry Association) • Information Systems Audit and Control Association • IWA (International Webmaster Association) • ISC2 (Information Systems Security Certifications Consortium) • SANS Institute (System Administration, Networking, and Security Institute) • Prosoft • TruSecure
Vendor (product) specific	• CheckPoint • Cisco • IBM • Microsoft • RSA • Symantec

No one vendor offers products for all the security needs of large multi-national companies using a variety of legacy platforms. This has created a demand for products built to industry-standards such as PKCS rather than proprietary schemes. This in turn is creating demand for security professionals who can integrate products from different vendors. This means that security professionals today must have a solid understanding of both theoretical industry standards and specific implementations of products from vendors.

Brainbench

Internet Security

Network Security

Security Industry Knowledge (U.S.)
This certification is for security guards.

American Society for Industrial Security (ASIS)

Elsewhere on the Web •  Article by Ed Tittle

The Certified Protection Professional (CPP) program, launched in 1977, is for managers and directors of security departments or organizations — corporate and organizational executives with 4 years or more experience dealing with Protection of Sensitive Information, Physical and Personnel Security; Security and Emergency management; Investigations; and Legal Aspects.

More than 9,000 individuals have passed the $250 CPP exam administerd by Prometric. Recertification is required every three years by continuing education or by retaking the exam.

A $50 discount is available to the association's 32,000 members. ASIS (founded in 1955) publishes the Security Management monthly magazine and offers workshops, seminars, conferences, and review exam prep courses.

Computing Technology Industry Association

As of this writing, the Security+ exam content and skills development standards are still under development by the same organization that developed the A+, iNet+, Network+, and other vendor-neutral IT certifications.

CompTIA uses a committee of subject matter experts from Software / hardware organizations, training and academia, consulting firms, government, and other affiliated associations.

Information Systems Audit and Control Association

The $460, four hour CISA (Certified Information Systems Auditor), established in 1978, covers auditing of information technology security.

The IT Governance branch of this group publishes the Control Objectives for Information and related Technology (CoBIT) and the K-Net Knowledge Repository with a wealth of links for members.

The next exam, given just once a year, is on Saturday, 8 June, 2002 (but you must register before 3 April, 2002). There is a $115 discount for members and a $50 discount for early registration. The 9 June 2001 CISA examination attracted nearly 9,000 candidates at dozens of test centers worldwide.

The CISA Exam Bulletin of Information
CISA Study aids

More of this Feature $42 CIW Security Professional Certification Bible by Mandy Andress, Phillip Cox (Hungry Minds, Inc., October 2001)

International Webmaster Association (IWA)

Certified Web Professional (CWP) Security Specialist
This certificate is obtained with a CIW, plus proof of 2 years' experience This certification requires continuing education, membership in the association, and a separate $75 application fee.

CIW Security Analyst
This certification is for those who want focused and streamlined validation of proficiency in systems security knowledge — after attaining a MCSE, CNE, CCNP, or CCIE. This specialization certificate requires all this plus passing the 75 minute, 60 item CIW Security Professional Exam 1D0-470 administered by Prometric. Exam topics include Network Security and Firewalls, Operating Systems Security, and Security Auditing, Attacks and Threat Analysis.

Prosoft created their courseware based on their own CIW (Certified Internet Webmaster) certification, for $145 each test, of "Master" level Administrators, Designers, Enterprise Developers, and (starting June 2001) Web Site Managers with 5 years of experience.

Information Systems Security Certifications Consortium

Elsewhere on the Web •  Cramsession's Guide to SANS Global Incident Analysis Center KickStart Excellent! •  Clément Dupuis' CISSP Open Study Guides •  CISSP Study Maillist started by Scott Sanchez •  CISSPS.com •  cccure.org (CISSP OSG) study guides •  CCPrep.com offers labs on real routers for $35 per hour. •  Exam Theory and Practice guides for the CISSP ($49 each) •  Article: Testing Your Mettle: The Six-Hour, 250-Question CISSP Exam $80 All-in-One CISSP Certification Exam Guide by Shon Harris (McGraw Hill Osborne, 2002) $70 The CISSP Prep Guide: Mastering the Ten Domains of Computer Security by Ronald Krutz and Russell Vines (John Wiley, 2001) $35 Exam Cram: CISSP by Mandy Andress.

Certified Information Systems Security Professional (CISSP)
This six-hour $450 certification examination consists of 250 questions covering telecommunication and network security, physical security, and 8 other areas. It aims to be the most prestigious certification for IT Security professionals.First established in 1992, it's for IT professionals who are responsible for developing the information security policies, standards, and procedures and managing their implementation across an organization.

This exam is offered one day each month at the USC Center for Information Assurance Studies in Los Angeles, California and at ISC2 offices in San Mateo, California and Fort Lauderdale, Florida. It is offered less frequently elsewhere around the world.

Systems Security Certified Practitioner (SSCP)
This 3 hour $295 certification examination is for network and systems administrators who implement policies, standards, and procedures on the various hardware and software programs for which they are responsible.

SANS Institute

This non-profit group conducts its 75 question, 2 hour GIAC examinations to those attending its live training sessions at their conferences (held 5 times a year) or online.

GIAC Security Essentials Certification (GSCE)
This tests mastery of LevelOne Security Essentials training (available online for $1595) after a KickStart training held by SANS or available online for $1595. Candidates also must submit a practical research paper.

GIAC Security Engineer (GSE)
This certification is considered the “blue chip” of security education and certification programs. It goes to those who are certified in all five “Level Two” subject areas (scoring at the Master level on at least one exam).

The five LevelTwo subject areas and related certifications and exams are (with links to practicals):

• Firewalls, Perimeter Protection, and VPNs: GIAC Certified Firewall Analyst (GCFW).
• Intrusion Detection in Depth: GIAC Certified Intrusion Analyst (GCIA) -- two exams (TCP/IP and network traffic and log file analysis).
• Advanced Incident Handling and Hacker Exploits: GIAC Certified Incident Handler (GCIH).
• Securing Windows NT: GIAC Certified Windows Security Administrator (GCNT).
• Securing Unix: GIAC Certified Unix Security Administrator (GCUX).

Security Certified Program

Elsewhere on the Web •  FAQ •  E-security for E-business •  PKI FAQ •  PKI Primer

Elsewhere on the Web •  Biometrics FAQ •  Biometrics Primer

Prometric offers two vendor-neutral advanced level certifications:

The Security Certified Network Professional (SCNP) certification is for those who already have an Network+, MCSE, CNE, CCNP, or CCIE. This requires two $150 exams:

• Exam SC0-401: Network Security Fundamentals
• Exam SC0-402: Network Defense and Countermeasures

The Security Certified Network Architect (SCNA) certification is open to SCNPs and require two $180 exams:

• Exam SC0-501: PKI and Biometrics Concepts and Planning
• Exam SC0-502: PKI and Biometrics Implementation

Recertification is required every two years.

TruSecure

The TruSecure ICSA Certified Security Associate and Expert security practitioner certification (T.I.C.S.A. and T.I.C.S.E.) is offered by TruSecure's ICSA Labs. It aims to be complementary (a prelude) to the CISSP (which focuses on "best" security practices) by focusing on the criteria and “pragmatic must dos” practices which TruSecure uses as the basis for certifying the security of Internet-connected organizations and specific Firewall, Antivirus, Intrusion Detection, Cryptography, IPSec, and PKI products.

TreSecure is well known for its Information Security magazine and NT Bugtraq website on Microsoft-related security issues.

This 90 minute 70 multiple-choice Prometric exam has been available since 2002 and costs $US295.

Recertification requires 48 hours of education every two years.

Next page > Vendor/Product specific security certifications & Conclusion > Page 1, 2