Information Security Training & Certification

CISM, CISMP and other IT Security Certifications Explained

Focus on Training

Tel: 0845 450 6120

Web: www.focus-on-training.co.uk

ITIL and PRINCE2 are Trade Marks of the Office of Government Commerce © 2010 Focus on Training

Information Security Training and Certification
Prominent lapses in information security have demonstrated all too clearly how organisations can quickly fall foul of the law – and undermine trust and confidence built up over decades. A new business critical body of knowledge is rapidly developing in the area of information security. Training and certification is now available which provides individuals with the necessary skills, and companies with the necessary assurance that they are employing competent individuals. The notes below provide background on the industry bodies involved, and the qualifications for which they are responsible.

1. Why Information Security?
2. Formal Qualifications
3. Relevant Industry Bodies
4. Leading Certifications
5. Which Certification is Right for Me?

Prepared by: Rex Gibson, Development Director

About:
Focus on Training offers the largest UK schedule of accredited courses for these certifications. Explore them on the Focus website at:
http://www.focus-on-training.co.uk/it-governance-and-security-training/courses/skillarea/15/

Rex Gibson leads the IT team at Focus. He has successfully executed major business change and IT projects, and has managed international engineering companies with significant IT dependency.
info@focus-on-training.co.uk

Version 1.02 October 2010

1. Why Information Security?
Recent prominent lapses in information security have demonstrated all too clearly how organisations can quickly fall foul of the law – and undermine trust and confidence built up over decades. The importance of Information Security is increasing rapidly as information processing comes centre stage in many organisations – and as technological advances allow vast amounts of electronic information to be stored in databases and shared across networks. It is a highly complex area spanning fast developing computer hardware, software, and systems. It also interfaces with many business functions. There are difficult trade-offs which cannot be made in isolation from business strategy: the long recognised balance between Confidentiality, Integrity and Availability is increasingly supplemented with consideration of aspects such as Utility and Accountability. This is creating demand for Information Security Professionals with up to date skills and experience. These individuals can be amongst the highest paid in the IT sector; they are able to influence at senior levels, and their skill sets are sought after internationally.

2. Formal Qualifications
Formal qualifications are increasingly important in the field of Information Security, in part reflecting the assurance and compliance nature of the task. There is a confusing array of different certifications from a number of industry bodies. The following is a summary of the more commonly recognised qualifications:
Abbreviation  Certification                                      Awarding body
CISM          Certified Information Security Manager             ISACA
CISA          Certified Information Systems Auditor              ISACA
CISSP         Certified Information Security Professional        (ISC)2
ISMAS         Information Security Management Advanced           EXIN
CISMP         Certificate in Information & Security Principles   BCS/ISEB
Security+     CompTIA Security+ Certification                    CompTIA
CEH           Certified Ethical Hacker                           EC-Council

3. Relevant Industry Bodies
ISACA
- Originally the Information Systems Audit and Controls Association
- A world leading authority on IT Governance, Control and Security
- A professional membership organisation (90,000 members)
- Based in the US but has chapters in 75 countries, and members in 160
- Accredited qualifications focus on info security management and audit
http://www.isaca.org/

(ISC)2
- International Information Systems Security Certification Consortium
- A leader in educating and certifying information security practitioners
- Maintains a Critical Body of Knowledge (CBK) on info security topics
- Based in the US but with offices in London, Hong Kong & Tokyo
- 60,000 certified members gain networking and information benefits
https://www.isc2.org/

EXIN
- The Examination Institute for Information Science
- Based in Holland but has certified a million IT professionals worldwide
- A leading ITIL exam authority – and it also covers ISO/IEC 20000 & 27000
http://www.exin-exams.com/

BCS/ISEB
- ISEB is the examination board of the British Computer Society (BCS)
- Based in the UK but operates worldwide
- The leading membership organisation for IT professionals in the UK
- Specialises in ITIL, Business Systems Development and IT Governance
http://www.iseb-exams.com/

CompTIA
- A leading provider of vendor-neutral IT certifications
- US based but adopted worldwide
- Targets practical IT specialisms, e.g. network administration & computer repair
- Provides a bridge from entry level to more specialised certification from others
http://www.comptia.org/

EC-Council
- The International Council of Electronic Commerce Consultants
- Newcomer, offering tools and education for professionals to avert cyber attacks
- US based; 30,000 certified worldwide since established less than 10 years ago
- Ethical Hacker is the most prominent of its series of specialist qualifications
http://www.eccouncil.org/

4. Leading Certifications
CISM

Certified Information Security Manager

CISM is a management focused certification that has been earned by more than 13,000 professionals since its introduction in 2003. CISM is for the individual who manages, designs, oversees and assesses an enterprise's information security. The emphasis is on risk management rather than technical expertise. As well as passing the CISM exam it is necessary to evidence a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the “job practice analysis areas”. The work experience must be gained within the ten-year period preceding the application date for certification or within five years from the date of originally passing the exam. There are one or two year offsets to the experience requirements depending upon prior certification and education. Exams are held in June and December each year and are organised directly by ISACA. The exam is a closed book, 4 hour paper with 200 questions. Candidate scores are reported on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass the exam. In the UK exams are held in London, Birmingham and Manchester. Exam preparation courses are typically 5 days in order to cover the growing curriculum. They are often scheduled to take place a few weeks prior to the June and December exams.

CISA

Certified Information Systems Auditor

The CISA certification was launched in 1978 and has become a globally accepted standard of achievement among information systems (IS) audit, control and security practitioners. It was the precursor to the CISM and follows the same structure. Closed book exams are held in June and December. Five years’ experience is required for certification – though subject to certification and education waivers. This qualification specifically identifies those with the competency to conduct and interpret systematic information system audits.

CISSP

Certified Information Security Professional

The CISSP certification is governed by the International Information Systems Security Certifications Consortium (ISC)2 and has gained importance as a key component in the selection process for mid and senior level information security management positions.

CISSP was the first security certification to be endorsed by the American Standards Institute, ANSI. As well as passing a demanding examination, candidates for this credential must be able to demonstrate extensive security experience. You must have at least five full years of experience in information security (though there is a one year waiver for a relevant degree or other specified qualification). Your experience must cover two or more of these 10 (ISC)² CISSP domains:

- Access Control
- Application Development Security
- Business Continuity and Disaster Recovery Planning
- Cryptography
- Information Security Governance and Risk Management
- Legal, Regulations, Investigations and Compliance
- Operations Security
- Physical (Environmental) Security
- Security Architecture and Design
- Telecommunications and Network Security

The CISSP exam is booked with (ISC)2. It is a closed book multiple choice paper with 250 questions. Up to six hours are available to complete the paper. The pass mark is 70%. Allow 6 weeks for papers to be marked. It is recommended that candidates attend a 5 day course which will cover the subject matter and prepare students for the exam.

ISMAS

Information Security Management Advanced

The ISMAS certification is relatively new – but is unique in that it is specifically aligned to ISO/IEC 27001. This is the international standard for Information Security which replaced BS 7799 and is achieving rapid global uptake. EXIN offers both Foundation and Advanced certification. The Foundation level provides an overview and is appropriate for those needing awareness of the topic. Advanced is for those who need to apply the principles. A third certification tier (Expert) with a more complex exam and experience prerequisites is under development. Those requiring this certification will typically attend a 5 day course which includes both Foundation and Advanced exams.

CISMP

Certificate in Information & Security Management Principles

The CISMP also references ISO/IEC 27001. It provides a base level of knowledge for individuals moving into a security or security related function. It also offers the opportunity for IT security managers to enhance or refresh their knowledge.

Candidates must have a minimum of twelve months’ experience in IT; six months of this experience must have been in a security control activity. The certification is described as “Foundation” by ISEB. It is true that it is relevant to new entrants, but equally there is a wide range of knowledge expected. This qualification is probably better recognised in the UK than internationally. The exam is a two hour, 100 question, multiple choice paper with a pass mark of 65%. The exam is typically taken on the final day of a 5 day instructor led training course.

Security+

CompTIA Security+ Certification

Security+ is one of a series of specialist certifications offered by CompTIA. It is an international, vendor-neutral certification that proves competency in system security, network infrastructure, access control and organizational security. Although not a prerequisite, it is recommended that CompTIA Security+ candidates have at least two years of technical networking experience, with an emphasis on security. The CompTIA Network+ certification is also recommended. The exam is a 90-minute, 100 question multiple choice paper available at Prometric and Pearson Vue test centres. The pass mark is 750 on a scale of 100-900.

CEH

Certified Ethical Hacker

The CEH certification has achieved rapid international recognition – because it is unique in recognising those individuals who command the skills, expertise and trust to test the integrity of the latest web based systems. The definition of an Ethical Hacker is very similar to a Penetration Tester. The Ethical Hacker is an individual who is usually employed by the organisation and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods as a Hacker. To prepare for the exam students attend an intensive 5 day class where they learn to think like a hacker. The class will immerse the students in a hands-on environment where they will scan, test, hack and secure their own systems. The lab intensive environment gives each student in-depth knowledge and practical experience with the current essential security systems. This course prepares you for the EC-Council Certified Ethical Hacker exam. The four hour examination consists of 150 multiple choice questions. The exam can be taken at Pearson Vue and Prometric test centres. The pass mark is 70%.

5. Which Certification is Right for Me?
Each of the above Information Security certifications is well recognised by employers and will provide valuable knowledge for those working in this area. The appropriateness of each certification to your own circumstances will depend on level of experience, job role, employer preferences and geographical emphasis.
                            CISM   CISA   CISSP  ISMAS  CISMP  Security+  CEH
Experience                  ***    ***    ***    **     *      *          **
Job Role Seniority          ***    **     ***    **     **     *          **
Job Role – Technical Bias   *      **     *      **     *      **         ***
ISO27001 Alignment          **     **     **     ***    **     *          *
UK Recognition              ***    **     **     **     ***    **         **

Key: * Low, ** Medium, *** High

This is for outline guidance only. Focus would be pleased to advise on your specific requirements.
