Information security professionalism

Information security professionalism is the set of knowledge that people working in information security and similar fields (information assurance and computer security) should have and eventually demonstrate through certifications from well respected organizations. It also encompasses the education process required to accomplish different tasks in these fields.

Educational organizations

In 1989, Carnegie Mellon University established the Information Networking Institute, the United States' first research and education center devoted to information networking. The academic disciplines of computer security, information security and information assurance emerged, along with numerous professional organizations, during the later years of the 20th century and the early years of the 21st century.

Entry into the field can be accomplished through self-study, college or university schooling in the field, or through week-long focused training camps. Many colleges, universities and training companies offer many of their programs on-line.

In the United States, the National Security Agency (NSA) has partnered with other organizations to designate a number of colleges and universities as Centers of Academic Excellence in Information Assurance Education (CAE/IAE) and Research (CAE/IAE-R). These institutions offer a wide range of undergraduate and graduate-level degree programs, both master's and doctoral, in IA-related studies and disciplines. The current list of designated centers is maintained by the NSA.

The Master of Science in Information Assurance (MSIA) and Master of Science in Information Security and Assurance (MSISA) degrees are multidisciplinary degree programs offered by many leading institutions which combine theory with applied learning in order to prepare security practitioners to work in the field of information security.

There is a current and future need for information assurance professionals to support the security needs of the world's information infrastructure. Information assurance has become a critical issue for businesses in the current era as they wrestle with the problems of external and internal network attack, cyberterrorism, access control systems and regulatory compliance requirements.

The National Information Assurance Training and Education Center (NIATEC) is an American consortium of academic, industry, and government organizations working to improve the literacy, awareness, training and education standards in information assurance.

Organization certifications

NIATEC states:

ISO/IEC 17799
Comprises ten prime sections: Security Policy, System Access Control, Computer & Operations Management, System Development and Maintenance, Physical and Environmental Security, Compliance, Personnel Security, Security Organization, Asset Classification and Control, and Business Continuity Management (BCM).

BS 7799
BS 7799 (ISO/IEC 17799) is comprehensive in its coverage of security issues, containing a significant number of control requirements.

Note that ISO/IEC 17799 was renumbered as ISO/IEC 27002 in 2007; material that still cites 17799 describes the same code of practice under its older number.

Professional association and certification

In addition to traditional university degrees, the Information security (IS) and Information assurance (IA) fields boast an extensive set of technical and professional certifications, used to indicate specific training or experience in detailed IA or IS practices, at both the technical implementation and management level. An important aspect of these certifications is that, unlike university degrees, they are not lifetime credentials. Rather, each certification authority mandates recurring continuing education or re-testing in order to retain the credential. Further, the certification knowledge base is usually updated and renewed on a much faster schedule than is possible with university curricula. The IA and IS certification marketplace is crowded and rapidly changing.

NIATEC lists some prominent professional certifications:

(ISC)²
International Information Systems Security Certification Consortium - The premier organization dedicated to providing information security professionals and practitioners worldwide with the standard for professional certification. Among its certifications are:
  • Certified Information Systems Security Professional (CISSP) - Designed to recognize mastery of an international standard for information security and understanding of a Common Body of Knowledge (CBK). It is a mid- to senior-level information security certification.
  • Information Systems Security Architecture Professional (ISSAP) - advanced certification in information-security architecture
  • Information Systems Security Engineering Professional (ISSEP) - advanced certification in information-security engineering
  • Information Systems Security Management Professional (ISSMP) - advanced certification in information-security management
  • Systems Security Certified Practitioner (SSCP) - The seven domains covered by the examination are Access Controls; Administration; Audit and Monitoring; Risk, Response and Recovery; Cryptography; Data Communications; and Malicious Code/Malware

CompTIA
Computing Technology Industry Association - CompTIA certification programs are the recognized industry standards for foundation-level information technology (IT) skills. The Security+ certification is an entry-level security certification.

SANS
GIAC (Global Information Assurance Certification), administered by the SANS Institute - The certifications address a range of skill sets, including the entry-level Information Security Officer and the broad-based Security Essentials, as well as advanced subject areas such as Audit, Intrusion Detection, Incident Handling, Firewalls and Perimeter Protection, Forensics, Hacker Techniques, and Windows and Unix Operating System Security. The GIAC GSEC certification is an entry-level security certification.


Other well known organizations dealing with security awareness and training are:
  • ASIS International, mainly focused on physical security
  • Information Systems Audit and Control Association (ISACA), which issues several professional certifications:
    • Certified Information Systems Auditor (CISA)
    • Certified Information Security Manager (CISM), an advanced certification in information-security management
    • Certified in the Governance of Enterprise IT (CGEIT)
    • Certified in Risk and Information Systems Control (CRISC)
  • HTCIA, devoted to digital forensics for the investigation of crimes. Members of HTCIA Inc. form a professional body of investigators, prosecutors and security professionals.
  • Information Systems Security Association (ISSA), which maintains a list of third-party certifications with a short description of each at https://www.issa.org/page/?p=Certifications_13
  • InfraGard, a private non-profit organization serving as a public-private partnership between U.S. businesses and the Federal Bureau of Investigation. The organization describes itself as an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members. InfraGard states that it is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States.
  • NAID, the National Association for Information Destruction: http://naidonline.org


Information assurance practitioners supporting the US Department of Defense are required to hold selected security certifications in accordance with DoD 8570.01-M, the Information Assurance Workforce Improvement Program manual that implements DoD Directive 8570.01.

EC-Council offers several certifications, among them the Certified Ethical Hacker (CEH).

Membership of the Institute of Information Security Professionals (IISP) is gaining traction in the U.K. as the professional standard for Information Security Professionals.

Within the UK a recognised senior level information security certification is provided by CESG.

CLAS is the CESG Listed Adviser Scheme - a partnership linking the unique information assurance knowledge of CESG with the expertise and resources of the private sector.

CESG recognises that there is an increasing demand for authoritative information assurance advice and guidance. This demand has come as a result of an increasing awareness of the threats and vulnerabilities that information systems are likely to face in an ever-changing world.

The Scheme aims to satisfy this demand by creating a pool of high quality consultants approved by CESG to provide Information Assurance advice to government departments and other organisations who provide vital services for the United Kingdom.

CLAS consultants are approved to provide Information Assurance advice on systems processing protectively marked information up to, and including, SECRET. Potential customers of the CLAS Scheme should also note that if the information is not protectively marked then they do not need to specify membership of CLAS in their invitations to tender, and may be challenged if equally competent non-scheme members are prevented from bidding.

The profession of information security has seen an increased demand for security professionals who are experienced in network security auditing, penetration testing, and digital forensics investigation. In addition, many smaller companies have cropped up as a result of this increased demand for information security training and consulting.

See also

  • Certification
  • Computer security
  • Cyberwar
  • Information Assurance
  • Information security
  • Information technology
  • ISACA
  • ISO
  • IT risk
  • Penetration test


The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 