However, many employers are unsure how to measure the quality of a potential new hire. There are various certifications in the marketplace that target these types of individuals, but most are focused on detailed technical knowledge as a means of measurement.
As fast-paced as the technical marketplace has become, it is almost impossible to have a credential that can keep up with all the changes. For example, if someone gets certified in a particular technology component or system, how do we measure that individual's knowledge when a new version is released? One should be re-certified. Does anyone give up his or her former certification? No, because in general a certification will not specify a particular version of a technology or system.
The fact is, network and systems security administrators are providing much broader day-to-day support of the security infrastructure than a specific technical certification can measure. These ever-increasing responsibilities include:
- assisting with risk assessments
- assisting in the planning, development and implementation of security policies and services
- testing, evaluating and managing changes in the security environment
- implementing access controls, authentication and telecommunications controls
- monitoring and reviewing practices and mechanisms to ensure compliance with established policy
- performing incident handling tasks
- responding to malicious code
- ensuring compliance with change management practices
- facilitating emergency response and system recovery
- romoting security awareness
- understanding security fundamentals and staying current with technologies and best practices
- acting as intermediary both inside and outside the organization
A few years ago, it became obvious to the International Information Systems Security Certification Consortium, (ISC)², that a certification was needed for someone who applies the principles, procedures, standards and guidelines of an organization. (ISC)² is the non-profit consortium of top infosec professionals with the goal of training and validating the expertise of those in the industry. It offers the Certified Information Systems Security Professional (CISSP) and developed and maintains the (ISC)² Common Body of Knowledge (CBK), a comprehensive compendium of information security best practices upon which (ISC)²'s certification examinations are based.
To fill this need, (ISC)² developed the Systems Security Certified Practitioner (SSCP) credential. This credential is meant for those who have a network and systems security role in their organization and is meant to validate their ability to improve the performance of network and systems so that vulnerabilities are reduced, attack liabilities are limited and public confidence is maintained.
In many ways, the SSCP requirements are meant to complement the CISSP. While the CISSP is charged with developing and managing security policy enterprise-wide, the SSCP is charged with implementing and maintaining that policy in a department or throughout the organization. SSCPs are, in effect, the security policy enforcers.
Many in the information security field may ask why they should train and certify their network and systems security administration staff. The reasons are that your organization probably has a substantial investment in information assets, including technology, architecture and process. Protection of these assets can be ensured through the strengths of the certified professionals. In addition, the higher level of understanding and expertise benefits both the individual and the enterprise.
The benefits of certification to the individual are that it confirms a working knowledge of information security and passing of a rigorous examination. It is a career differentiator, with peer networking and added credibility, and also there is a broadening expectation of credentials.
The benefits of certification to the enterprise are that it establishes best practices and provides a solutions-orientation, not specialization, particularly with the broader understanding of the CBK. Certification also gives access to a network of global industry and subject matter/domain experts, and is a resource for broad-based security information. The rigor and regimen of the certification examinations adds to the credibility of an organization, and it provides a business and technology orientation to risk management.
The following areas of professional focus represent the seven domains of the (ISC)² CBK that make up the SSCP certification. Whether an organization chooses to certify its staff with the SSCP or not, it would be beneficial to keep the subject matters in mind when interviewing or promoting your security policy enforcers.
- Access controls includes the mechanisms that allow a system manager to specify what users and processes can do, which resources they can access, and what operations they can perform.
- Administration encompasses the security principles, policies, standards, procedures and guidelines used to identify, classify and ensure the confidentiality, integrity and availability of an organization's information assets. It also includes roles and responsibilities, configuration management, change control, security awareness and the application of accepted industry practices.
- Audit and monitoring includes those mechanisms, tools and facilities used to identify, classify, prioritize, respond to and report on security events and vulnerabilities. The audit function provides the ability to determine if the system is being operated in accordance with accepted industry practices, and in compliance with specific organizational policies, standards and procedures.
- Risk, response and recovery encompasses the roles of a security administrator in the risk analysis, emergency response, disaster recovery and business continuity processes, including the assessment of system vulnerabilities, the selection and testing of safeguards, and the testing of recovery plans and procedures. It also addresses knowledge of incident handling, including the acquisition, protection and storage of evidence.
- Cryptography addresses the principles, means and methods used to disguise information to ensure its integrity, confidentiality, authenticity and non-repudiation.
- Data communications encompasses the structures, transmission methods, transport formats and security measures used to provide integrity, availability, authentication and confidentiality for data transmitted over private and public communications paths.
- Malicious Code encompasses the principles, means and methods used by programs, applications and code segments to infect, abuse or otherwise impact the proper operation of an information processing system or network.
Anthony T. Baratta holds CISSP and SSCP credentials and serves as director of professional programs for (ISC)² (www.isc2.org).