Information Security Certifications
Information security certifications allow managers and customers to identify those who know how to protect computers and data centers against hackers, identify ever-changing IT security threats and distinguish between the first level help desk staff and experts who can identify zero day threats and combat them.
Information security certifications may be vendor-specific or vendor neutral. They are offered by a range of not for profit and for profit institutions.
Information security certifications have evolved to include multiple levels, from the help desk technician qualified to install security patches on a computer to enterprise information security experts who can harden an entire server farm against intrusion. Information security certifications include IT auditors qualified by ISACA or who possess IT management credentials.
International Information Systems Security Certification Consortium, Inc or (ISC)² oversees and administers the testing efforts for the following certifications: Information Systems Security Engineering Professional or ISSEP, Information Systems Security Architecture Professional or ISSAP and Information Systems Security Management Professional or ISSMP.
A CISSP helps develop the overall security infrastructure and security policies used by an organization. How will you manage user identities? Will you use an Active Directory and LDAP or another method? What security standards must your organization meet, such as those set by the ISO or the Department of Defense?
The Information Systems Security Management Professional is responsible for software application security, encryption, information security investigations and the security architecture. To sit for the ISSMP test, you must have already earned the CISSP certification.
The titles “Certified Information Systems Security Professional” or CISSP and “Systems Security Certified Practitioner” or SSCP are registered trademarks of the (ISC)².
SANS stands for the SysAdmin, Audit, Network, Security Institute. SANS offers certifications in areas like computer forensics, software security, cyber-security and IT auditing. According to the SANS website, it offers certification through the Global Information Assurance Certification or GIAC security certification program, which is American National Standards Institute accredited. The SANS Institute also runs an Internet early warning system that it calls the Internet Storm Center or ISC. The ISC is a volunteer effort to detect new threats to the internet before they go viral and spread worldwide.
SANS also offers white papers and case studies on information technology and information security. What are the best practices in IT and information security SANS members have found? What are some of the latest developments in the legal world that affect information security like HIPAA and recent legal cases? The documents in the SANS “reading room” are free.
Global Information Assurance Certification or GIAC offers certifications in intrusion detection, penetration testing, forensic analysis and reverse engineering malware and others. GIAC also offers training in meeting information security requirements such as the Certified Unix Security Administrator and a certification on reverse-engineering malicious software or malware.
GIAC offers a course to become a Certified ISO-27000 Specialist, proving that someone is an expert on the ISO’s information security management system standards or ISMS. GIAC’s website states that its exam development process is accredited under ISO standard 17024.
A Cisco Certified Security Professional or CCSP has been trained in maintaining the security of Cisco servers. The CSSP certification training covers installing and maintaining firewalls, security policy development and maintenance, identity management and other forms of network security. Cisco’s certifications are considered vendor-specific.
The Cisco Certified Network Professional or CCNP is a network security specialist. You must earn the Cisco Certified Network Associate or CCNA security certification before you can earn the CCNP certification.
The CompTIA A+ Certified Professional is described by CompTIA as a foundation level course for those wanting to work in IT support. This certification includes training on IT system maintenance, troubleshooting and security. The CompTIA Network+ Certified Professional has greater training on network administration, hardware installation and network security. The Comp TIA Security+ certification is a focused information security certification. Those who hold the Comp TIA Security+ certification have been trained in network security, software application security, access controls, encryption and several other IT security topics.
CompTIA’s Advanced Security Practitioner or CASP certification is a vendor-neutral certification in information security at an enterprise level. The CASP exam covers topics such as researching security threats, web host hardening, risk management and enterprise wide security management. The CompTIA Security+ exam is not a prerequisite to the CompTIA Advanced Security Practitioner exam but is recommended as a precursor by CompTIA.
CIW is a vendor-neutral web and internet training provider. It is independent of vendor hardware, like Microsoft’s MCSE or Cisco’s proprietary credentials. CIW’s courses range from a basic introduction in HTML to internet security. CIW offers three different internet certifications: web security professional, web security specialist and web security associate.
The Certified Information Systems Auditor or CISA certification means that someone is qualified to audit information technology systems. They may create logs and verify that administrative passwords are changed periodically, review a company’s security policies to ensure that they are kept up to date or that all software is tested for IT security as well as compatibility with other software applications before being put into production.
CISA qualified auditors take part in IT risk management assessments. They may perform data quality audits. The CISA certification from ISACA is ISO/IEC 17024 certified.
Related Information Security Credentials
Information Technology Infrastructure Library or ITIL is a set of procedures and check lists for meeting the IT service management system outlined in ISO standard 20000. ITIL offers the ITIL Foundation Certificate in IT Service Management certification. This credential means that the IT professional has learned about service management and ITIL concepts.
ITIL processes include service continuity management; continuity management addresses the plans and procedures to ensure that IT functions continue in case of a natural disaster or system outage. ITIL includes processes for setting up and maintaining an information security management system. While ITIL certification is not exclusive to IT security, information security training is included in the ITIL lessons.
The Microsoft Certified Systems Engineer or MSCE coursework covers system architecture, server support and network security. The MSCE certification also means that the holder is capable of installing security patches on a server and maintaining the Active Directory service used to authenticate users. Microsoft's certifications are an example of "vendor-specific" certifications. Training on Microsoft's security software does not prepare one for working on Sun or Linux system security.
The Disaster Recovery Institute or DRI offers the Certified Business Continuity Professional certification. This certification focuses on business continuity, the organization and operations that ensure that a business can continue running when its main servers, sites or personnel are not available. These systems may be offline due to fire, flood or a denial of service attack.