Question on IT Security Certifications & Career Planning
 
From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.
 
Here is a question from a colleague:
Why would someone certify under CAP or CPP instead of SSCP or CISSP? Most network engineers would certify under CISSP, correct?
 
Each of the certifications covers a different set of skills and is made for different job positions. You should determine what job you want and build your resume for that dream job.
 
CISSP, SSCP and CAP are (ISC)2 certifications.
The CISSP (Certified Information Systems Security Professional) is a certification for senior technical staff or managers.
The SSCP (Systems Security Certified Practitioner) is a certification for a technician.
The CAP (Certification and Accreditation Professional) is a specialty certification on the National Institute of Standards and Technology (NIST) security framework, designed for management or a NIST/FISMA consultant. (The Federal Information Security Management Act (FISMA) requires Federal government agencies to implement information security programs based on NIST standards.)
 
The CPP is a certification administered by ASIS International.
The CPP (Certified Protection Professional) is an executive-management-level certification that traditionally focused on physical security and has more recently added IT security topics. The CPP covers topics as broad as terrorism, retail theft prevention, executive protection, armored cars, workplace violence, safety and information security.
 
The government has recognized certification as the best way to determine personnel skill levels.
 
The Department of Defense (DoD) really got the ball rolling on certifications by mandating certification for all staff involved in Information Assurance. DoD Directive 8570.1 maps each of the certifications to either a technical or a managerial track and then to levels within each track. In addition, there are specialty positions, such as auditor, that do not have levels but do have required certifications. All DoD part-time and full-time personnel are required to have those certifications by 2010 (70% by 2009).
 
Here is information on the DoD directive:
 
There is talk that certifications like CAP will be added in the near future. Perhaps it was not selected because it is too general on certification and accreditation to fit the DoD's needs. However, it is perfect for federal government agencies and for anyone that wants to use NIST security standards, such as State, Local and Tribal governments (and other organizations too, since NIST standards can be used by private organizations as well).
 
Some other Federal agencies are using the DoD directive as a guideline for their staff as well, which is a good idea. In the past, hiring managers focused on degrees and experience. The problem with experience is verifying that the candidate's experience matches the needs of the position to be filled. This is where certifications come into play. A certification demonstrates that the holder has a particular body of knowledge or set of skills. In the end, you want to have both the experience and the ability to demonstrate that experience with relevant certifications.
 
Degrees are a one-time event and have the problem of staying current with technology and practice. For example, is a degree in computer science from 1980 relevant to today's systems? With technology changing so rapidly, any training you have is likely to go out of date; sometimes it is out of date before you have finished the training. The best bet is to combine a degree with continuing education.
 
There are 4 important qualities for a career in Information Technology or Information Assurance (IT Security).
 
1. A degree, mostly to get you past any hiring managers who place a high value on a degree.
2. Experience; the longer you have been in the field, the better.
3. Certifications, as a means to verify your experience.
4. Continuing education, because this field changes rapidly and you have to keep up.
 
The more you have in each of these areas, the greater your advantage over your competition.

 
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
 
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
 
 
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.
 
iPhone on the Corporate Network
 
From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.
 
Here is a question from a colleague:
Should organizations allow iPhones on the corporate network?
 
It depends (that's always the right answer). The real question is whether there is a business reason for having them on the corporate network. Typically there is not a compelling one.
 
What we are really talking about here is wireless access directly into the internal organizational network, not access to an email server or website from outside. For example, connecting to Exchange via ActiveSync is perfectly acceptable because the connection is controlled and the iPhone is not on the organization's network; it connects from the Internet.
 
Organizations should not allow unmanaged systems (computers or devices over which the organization's IT does not exercise direct control) on their networks. Simply put, if the iPhone (or any other mobile device) is not under organizational control, it should not be on the network. In addition, security standards require control of mobile devices on the organization's network.
 
"The organization: (i) establishes usage restrictions and implementation guidance for organization-controlled portable and mobile devices; and (ii) authorizes, monitors, and controls device access to organizational information systems." - AC-19, NIST SP 800-53 rev 2
 
If the organization wishes to provide wireless Internet access for mobile devices, it can set up a wireless network that is segmented from the internal organizational network, with a firewall separating the two.
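One way to implement that segmentation, as an added example that is not part of the original post, is an nftables ruleset on the firewall that sits between the guest wireless segment, the internal network and the Internet. The interface names, address ranges and the services offered to guests (DHCP and DNS only) are assumptions for illustration; the point is that the forward chain drops everything by default and only explicitly permits guest-to-Internet and internal-to-Internet traffic, never guest-to-internal.

```nftables
# Added example, not from the original post. Assumed topology:
#   wan0   - uplink to the Internet
#   lan0   - internal organizational network, 10.10.0.0/16 (assumed range)
#   guest0 - segmented wireless network for mobile devices, 192.168.50.0/24 (assumed range)
table inet guest_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows the firewall already allowed may return.
        ct state established,related accept

        # Guest wireless reaches the Internet only: anything from guest0
        # addressed to internal address space is logged and dropped before
        # the Internet rule below can match it.
        iifname "guest0" ip daddr 10.10.0.0/16 log prefix "guest-to-lan " drop
        iifname "guest0" oifname "wan0" accept

        # The internal network keeps its normal Internet access.
        iifname "lan0" oifname "wan0" accept

        # Everything else (guest<->lan in either direction, inbound
        # connections from the Internet) falls through to the drop policy.
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept

        # Guests get only DHCP and DNS from the firewall itself.
        iifname "guest0" udp dport { 67, 53 } accept
        iifname "guest0" tcp dport 53 accept

        # Firewall management is reachable from the internal side only.
        iifname "lan0" tcp dport 22 accept
    }
}

table ip guest_nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Loading this with `nft -f` replaces the default-accept forwarding behaviour with a default-deny one; the `log prefix "guest-to-lan "` rule gives the operations team a kernel log line for every attempt by a guest device to reach the internal range, which is the detection signal worth watching on a segment full of unmanaged devices.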
 
Donald E. Hester
 
Major PCI Change for Level 2 Merchants from MasterCard

If you have attended any of my PCI presentations, you are aware that each card brand (Visa, MasterCard, American Express, Discover and JCB) sets its own compliance deadlines and its own requirements for demonstrating compliance. The PCI Security Standards Council (PCI SSC) is responsible for maintaining the Data Security Standard (PCI-DSS) and the lists of Approved Scanning Vendors (ASV) and Qualified Security Assessors (QSA). This means there is one standard to follow, but different fines, compliance deadlines and requirements for demonstrating compliance from each of the 5 brands. If your organization accepts cards from all brands, it falls under the requirements of every card brand.
 
Currently, only Level 1 merchants are required to have an onsite assessment by a QSA. Generally this means that if you process more than 6 million credit card transactions a year, your organization is a Level 1 merchant. (If you have a security breach, you are moved to Level 1 no matter how many transactions you have.)
 
MasterCard has just announced that as of 31 December 2010, Level 2 merchants will also be required to have an onsite assessment by a QSA. Level 2 merchants are those with 1 million to 6 million transactions annually.

"Effective 31 December 2010, all Level 1 and Level 2 merchants must complete an annual onsite assessment conducted by a PCI SSC certified Qualified Security Assessor."
 
In the past, Visa has been in the vanguard of PCI compliance and has had the most aggressive requirements for demonstrating compliance. MasterCard has now taken the lead in compliance verification requirements.

 

Donald E. Hester