Gaining IT security certification

Wednesday, 2 October 2002 - Information technology (IT) security is a much-misunderstood term. For the home user, it may be limited to anti-virus solutions and firewalls, but for the corporation that is serious about protecting its data assets, IT security has taken on a whole new meaning, as it incorporates considerations such as intrusion detection, operating system (OS) hardening, security policies, risk management, application design and many others which, if not properly planned and implemented, will cost companies millions of ringgit when compromises and breaches are eventually detected.

Companies have traditionally either maintained an in-house MIS department to manage these issues or outsourced them to consultancies that specialise in IT security. With the proliferation of hardware and software vendors all claiming to provide maximum security for the enterprise's data assets, one must be mindful of the following considerations: whether the vendors or their consultants can be trusted with your company's critical internal information, and whether they are experienced and qualified to support your company's security requirements.

Other than the background information of the company or knowing the consultants personally, a certification is a good way to judge the strength and credibility of information security professionals.

An industry-recognised certification adds a lot of weight to the credibility of a security professional, confirming his knowledge and expertise in his area of work. One of the most highly sought-after professional certifications in the information security field globally is the CISSP designation. It stands for Certified Information Systems Security Professional, a certification from the International Information Systems Security Certification Consortium, (ISC)2. (ISC)2 is a not-for-profit global organisation formed in mid-1989 to develop an industry certification programme for information systems security professionals and practitioners.

So if you are a Malaysian IT security professional, how do you go about obtaining this certification? First, you would need at least three years of IT security industry experience to qualify. You would then earn the certification by committing to the (ISC)2 code of ethics and passing a rigorous six-hour exam of 250 multiple-choice questions on information security. The exam covers 10 wide areas, or domains, of information security known as the common body of knowledge (CBK): security management practices; access control systems and methodology; law, investigations and ethics; physical security; business continuity and disaster recovery planning; security architecture and models; cryptography; telecommunications and network security; applications and systems development; and operations security.

The CBK covers all critical areas of information security, from protecting physical sites, controlling system access and securing networks, to incorporating information security into application software development.

From 2003 onwards, besides the requirement of three years of direct experience in information security, you would also need a college degree to qualify to take the exam, which could possibly include subjective-type questions in the future.

While other certifications such as Microsoft's MCSE or Cisco's CCNA are very focused on their own vendor's products, the CISSP certification covers the wide spectrum of information security. A candidate must know and understand the broad range of information security as covered in the CBK to pass the exam.

Once awarded, a CISSP has to earn at least 120 CPE (continuing professional education) credits every three years to maintain his or her certification, or retake the certification exam every three years. CPE can be earned from activities related to the information security profession, such as attending educational courses, writing a book and giving security training.

The CISSP has gained worldwide recognition as the information security certification for information security professionals. When it was started, the CISSP certification exam was only available in North America; now the worldwide demand for the exam has reached this part of the world.

Kuala Lumpur had its first CISSP exam on April 27, 2002, which was attended by around 25 candidates. When we enquired with (ISC)2 at the beginning of this year, there were approximately 4,000 CISSP holders worldwide, of which only four were Malaysians. We should be seeing more Malaysian CISSPs with the availability of CBK review courses and CISSP exam facilities locally.

A CBK review course, or any preparatory course from experienced CISSPs, will be very helpful to candidates who intend to take the exam. It will help candidates identify those domains that require extra effort to pass. Most security professionals are usually familiar with only a few domains of the CBK, and the CBK review course will provide additional insights into the other domains. It is common to have hands-on experience in the telecommunications, network and Internet security domains, while not many will have been exposed to domains such as cryptography and law, investigations and ethics.

The list of recommended reference materials from the course, and its practice session on the types and formats of questions expected, are extremely useful in increasing the chance of passing the exam.

In conclusion, the CISSP designation gives information security professionals a competitive edge in the labour market. Most employers are usually not sure what to look for when hiring security professionals. The CISSP certification narrows their selection process, as it ensures that candidates are experienced and equipped with the necessary knowledge and skills to have obtained the certification. A recent industry study by Foote Partners, a survey of 30,000 IT workers, has shown that there is always a high industry demand for highly skilled information security professionals.

A CISSP designation is a distinctive indication of an information security professional's knowledge and understanding of the wide breadth of information security. So, consider getting yourself or your consultants certified and help raise the standard of information security in Malaysia. More information regarding the CISSP is available at www.isc2.org

Copyright (C) 2001-2008, Secure Tangent Sdn. Bhd. All rights reserved