There are several organizations that provide certifications to individuals who either wish to become IT security professionals or are already working in the field. The certifications serve as credentials to show that individuals have reached a certain level of experience and have met the educational requirements and passed the required tests. Many IT security positions require the certifications as a condition of employment.
One of the most well-known and widely recognized organizations that issues IT security certifications is the International Information System Security Certifications Consortium, known as IISSCC or (ISC)2. Based in Palm Harbor, Fla., (ISC)2 is a nonprofit organization that provides two of the most popular IT security certifications. The certifications are vendor neutral, meaning that those who hold them don’t specialize in any one brand of technology products.
In addition to providing certifications, (ISC)2 also maintains a Common Body of Knowledge (CBK) for information security. The CBK is a compilation of all the relevant basic areas of knowledge for IT security. It is organized into eight domains, classifying distinct areas of study for the certification.
The Common Body of Knowledge Domains
- Security and Risk Management
- Asset Security
- Security Engineering
- Communications and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
The certifications provided by the (ISC)2
Certified Cloud Security Professional (CCSP): The (ISC)2 has collaborated with the Cloud Security Alliance to offer the CCSP certification. Candidates must have a minimum of five years experience in information technology, of which three years must be in information security and one year in cloud computing.
Certified Information Systems Security Professional (CISSP): Candidates must have a minimum of five cumulative years of professional, full-time experience in at least two of the domains listed above. It is intended for advanced IT professionals in management or senior roles who have oversight for multiple areas of IT security.
Systems Security Certified Practitioner (SSCP): Candidates must have a minimum of one year of work experience in one or more of the seven SSCP domains. The SSCP certificate is intended for IT professionals who specialize in a particular area of IT security. The seven SSCP domains are:
- Access Controls
- Security Operations and Administration
- Risk Identification, Monitoring, and Analysis
- Incident Response and Recovery
- Networks and Communications Security
- Systems and Application Security
SSCP is a popular (ISC)2 certification for newer professionals in the information security industry. Those who don’t have the one year of experience but pass the exam can achieve the status of an “Associate in (ISC)2” after passing the SSCP exam.
The test to gain each certification is rigorous. The CISSP exam lasts six hours and contains 250 questions. The SSCP exam has 125 questions, and candidates are given three hours to complete the exam. The credentials are recognized internationally and also require individuals to adhere to a code of ethics and maintain the certification with continuing education. The CISSP certification is recognized by both the International Standards Organization (ISO) and the American National Standards Institute (ANSI).
(ISC)2 also offers three concentrations or “merit badges” targeting specific areas of interest in IT security:
- CISSP Architecture (CISSP-ISSAP)
- Engineering (CISSP-ISSEP)
- Management (CISSP-ISSMP)
For more information on the CISSP and SSCP certifications, visit the (ISC)2 website.
Other Common Certifications
Another well-known certification program for IT security professionals is the Security+ credential from the Computing Technology Industry Association (CompTIA). With 250,000 credential holders, the Security+ certificate is aimed at broad based IT security professionals. Candidates are encouraged to have two years of experience in IT security, and most of those who hold it have also passed the Network+ certification.
The program prepares candidates in the areas of cryptography, identity management, network access control, security infrastructure, and others. The certification, which has been approved by the U.S. Department of Defense, requires holders to update the certification every three years and earn continuing education credits.
The ISACA, which was first known as the Information Systems Audit and Control Association when it was founded in 1967 but now goes by the acronym, provides a Certified Information Security Manager (CISM) certification. It is intended for managers developing or overseeing information security systems and requires holders to have five years of experience, submit a written application, and pass the exam. The ISACA also has four other separate certifications available for information security professionals, all of which are ISO and ANSI approved.
The most well-known of these is the Certified Information Systems Auditor (CISA), which was created in 1978 and has increased in popularity due to the need for compliance with the 2002 Sarbanes-Oxley Act. Unlike the other ISACA certifications, CISA does not mandate a specific set of work experiences, but does require adherence to the ISACA code of ethics, pursuit of continuing education, and recognition of ISACA procedures.
The SysAdmin, Audit, Network, and Security Institute (SANS Institute) is another organization that issues information security certifications and requires candidates to pass a three-hour exam.
The SANS Institute currently has 27 certifications in its Global Information Assurance Certification (GIAC) program. Those include the GIAC Security Essentials (GSEC), GIAC Certified Incident Handler (GCIH), GIAC Certified Intrusion Analyst (GCIA), and GIAC Information Security Fundamentals (GIAF) among others.
There are several other specific certifications that cover different areas of the IT security landscape. Although they are too numerous to name here, some examples include the Certified Ethical Hacker (CEH) offered by the International Council of Electronic Commerce Consultants, Certified Penetration Testing Consultant (CPTC) and the Certified Penetration Testing Engineer (CPTE) offered by Mile2, and the Offensive Security Certified Professional (OSCP) offered by Offensive Security.
There are also vendor-specific certifications that serve as credentials for those who work with specific software and hardware systems, such as the Cisco Certified Design Expert, Salesforce.com Certified Administrator, and the Microsoft Certified Solutions Expert.
To test your understanding of the content presented in this assignment, please click on the Question icon below. Choose your selected response
1. True or False?
A CISSP certification is intended for those who are just starting out in the IT security profession.Choose only one answer below.
Correct. This is a false statement. CISSP candidates must have a minimum of five cumulative years of professional, full-time experience in at least two of the CBK domains.
2. True or False?
A vendor-neutral information security certification is one that is not affiliated with any particular brand of software or hardware.Choose only one answer below.
Correct. This is a true statement. Vendor-neutral certifications are independent of specific products or companies.