Security certs won’t guarantee employment but they can help you establish your credentials.
Become the Consummate Certified Security Professional
- By Roberta Bragg
- 09/01/1999
Reputation a bit tarnished because some bright college
student in your company passed the MCSE exams but doesn’t
know the difference between a nose ring and a token ring?
You don’t have to sit back and take it. If we want to
differentiate ourselves, if we want respect and—let’s
not kid ourselves—if we want more money, we have to do
more than rest on our current credentials. We must add
experience, dedication, and hard work to our résumé.
In this month’s column, I’ll show you ways to establish
your credentials as an information systems security professional.
As in any specialty, what’s more important than certification
is real-world ability and a strong grounding in a broad
range of information. In the information security realm
there are certifications available that tend to attest to
exactly that.
Product vs. Industry
The information systems security arena offers two main
types of certification: product and industry.
Product certifications tell someone you’ve studied a
particular product and learned enough to pass an exam
provided by its manufacturer. They don’t necessarily speak
to your suitability for a particular job in the industry.
They don’t even tell anyone that you can keep that product
up and running. Some of these certifications tend to be
directed toward partners (read: “sales outlets”) of the
companies that sponsor them. The certification process
hasn’t reached the furor or ubiquity of the MCSE. (You
probably won’t find people who purchase thousands of dollars’
worth of equipment and security software just so they
can pass an exam on a single product, in hopes that they’ll
be employed.) If you work for a partner or use these security
products, see if you qualify to take the certification
exam. It’s probably not going to land you another job,
but it can’t hurt.
Industry certifications tend to be a bit broader. They’re
usually driven by a need to acknowledge the mastering
of a commonly recognized body of knowledge in a particular
field. An industry certification in networking, for example,
wouldn’t stress products but rather classes of products
and concepts. Industry certifications are usually promoted
by an independent organization dedicated to the promotion
of a body of knowledge. Some association or the like is
formed to manage the exam—its questions, format, length,
and so on. While the industry supports the organization,
it’s also supported by companies that employ the certified
individuals, and by the individuals themselves. For examples,
just look at the certification process behind the initials
M.D. Consider what nurses, accountants, or lawyers must
go through before they’re allowed to practice their trade
and craft.
Industry certification emphasizes experience before examination
and also requires continuing education. Product certification
requires extensive product knowledge but doesn’t specify
where it comes from. Exams on new versions of the product
give you new certifications.
Security Product Certifications
You can become a Checkpoint Certified Security Administrator
(CCSA). A CCSA understands FireWall-1 and can install
and set up simple configurations. To certify, attend Checkpoint’s
“Introduction to FireWall-1 Management” class and pass
the exam. You should also have working knowledge of Unix
or Windows, network technology, Internet communications,
and TCP/IP. Certification comes with free access to Checkpoint
technical support staff (three incidents) and a copy of
SecureNet, a technical reference CD.
Once you’ve obtained CCSA, for more validity go for CheckPoint
Certified Security Engineer (CCSE), intended for engineers
who manage multiple FireWall-1 systems. You’re expected
to attend the class, “Advanced FireWall-1 Management.”
Here you learn how to implement sophisticated security
requirements for enterprise networking. Pass the exam
and gain five support incidents and a one-year subscription
to SecureNet.
Certification exams exist for other CheckPoint products,
specifically, FloodGate and Meta IP. Certified professionals
are expected to keep up with exams on new product releases
or they’ll be considered retired professionals.
Learn more at www.checkpoint.com/services/education/certification/index.html.
Network Associates (www.nai.com/naicommon/partners/resources/training-exams.asp)
offers the Network Associates Certified Professional (NCP)
certification in NAI products for partners. Certification
requires the completion of a Partner Services course and
testing via Sylvan Prometric. Products covered include
PGP, Gauntlet NT, and CyberCop.
Industry Certifications
An information systems security Common Body of Knowledge,
or CBK, forms the basis for the certification offered by the
International Information Systems Security Certification
Consortium, or ISC2 (www.isc2.org).
This exam was developed using a professional testing service—no
quickie exam process here. To become a Certified Information
Systems Security Professional (CISSP), you must meet pre-requisites
and pass the exam. You get six hours to complete 250 multiple-choice
questions over 10 test domains from the CBK. These domains
are:
- Access Control Systems & Methodology
- Computer Operations Security
- Cryptography
- Application & Systems Development
- Business Continuity & Disaster Recovery Planning
- Telecommunications & Network Security
- Security Architecture & Models
- Physical Security
- Security Management Practices
- Law, Investigations & Ethics
Before you can sit the exam, you must subscribe to the
ISC2 Code of Ethics and have three years of direct work
experience in one or more of the 10 test domains. Examples
of qualifying individuals are IS auditors, consultants,
vendors, investigators, and instructors who require IS
security knowledge and the direct application of that
knowledge. The exam fee is $395 and exams are held at
international locations periodically throughout the year.
Recertification is required every three years. It’s obtained
by earning 120 Continuing Professional Education credits.
The Information Systems Audit and Control Association
(www.isaca.org/cert1.htm)
sponsors the Certified Information Systems Auditor certification,
which has been in existence since 1978. This designation
is often sought by IS audit, control, and/or security
professionals.
To obtain certification, individuals must:
- Pass the CISA exam.
- Adhere to the ISACA’s Code of Professional Ethics.
- Submit evidence of five years of professional information
systems auditing, control, or security work experience.
The four-hour exam consists of 200 multiple-choice questions,
and it’s offered only in June. The exam is comprehensive,
covering auditing standards and practices; security and
control practices; IS strategies, policies, procedures,
and management practices; IS hardware and software platforms;
network and telecommunications; and data validation, development,
acquisition, and maintenance. To get a taste, try the
25-question sampler at www.isaca.org/examsamp.htm.
Maintaining certification requires continuing education
hours and fees.
A third type of certification may be offered by a training
association. An example of this is Certified Internet
Webmaster. Not quite a product certification and not quite
an industry association certification, the Certified Internet
Webmaster program (administered by Prosoft Training at
http://www.ciwcertified.com/certifications/mcasp.asp?comm=home&llm=3)
offers a Security Professional track. This certification
consists of taking a number of classes and passing exams
administered by Sylvan Prometric.
The track identifies a security professional as one who
implements security policy, identifies security threats,
develops countermeasures using firewall systems and attack-recognition
technologies, and is responsible for managing the deployment
of e-business transaction solutions and payment security
solutions.
To obtain the certification, students must pass a foundations
exam, internetworking professional exam, and the security
professional exam. Eight days of security-related Prosoft
courses or equivalent experience is recommended before
taking the security exam.
Broader is Better
In the real world, knowledge and ability should always
count more than paper titles—but sometimes you need to
have both. As professionals, we should seek those certifications
that reflect our real abilities. One way to do this is
to look for certifications that emphasize a broad industry
knowledge and that hold industry experience as prerequisites.
About the Author
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.