(ISC)2 is the premier organisation dedicated to providing information security professionals and practitioners worldwide with the standard for professional certification. CISSP is the term used for the (certified information system security professional), and is a certification reflecting the qualifications of information systems security practitioners. CISSP Certification was designed to recognise mastery of an international standard for information security and understanding of a common body of knowledge (CBK). Certification can enhance a professional’s career and provide added IS credibility.
According to Mervin Pearce, CEO of South African concern, Security Audit and Control Solutions, which offers training geared towards the CISSP certification locally, says that the CISSP examination consists of 250 multiple choice questions, covering topics such as access control systems, cryptography, and security management practices.
Mervin Pearce: CEO, Security Audit and Control Solutions
Why choose certification?
Says Pearce, "Information security (IS) professionals invest substantially in information assets, including technology, architecture and process. But how can protection of these assets be ensured? Only through the strengths of the professionals in charge. Industry standards, ethics and certification of IS professionals and practitioners becomes critical to ensuring a higher standard for security is achieved. (ISC)2, as the only not-for-profit consortium charged with maintaining, administering and certifying IS professionals in the common body of knowledge (CBK), is the premier resource for IS professionals worldwide."
Adds Pearce, "The CISSP common book of knowledge (CBK) covers network and communication security as one of the 10 domains where a candidate has to prove his specialist skill to successfully attain the certification. This article serves to highlight some of the management and technology issues covered, from a network and communications perspective."
Communication Security can essentially be divided into two sections: management concepts and technology concepts. During a security and compliance review, there is more weight focused on the management concept than there is placed on the technological front.
The foundation of information security is based on the classic 'three-legged' approach, namely the CIA (confidentiality, integrity and availability) triad. One has to assure confidentiality, integrity and availability of information and resources within our domain. Management concepts are covered by policies and best practices that have been documented and accepted within an organisation. Says Pearce, "Your policy may include statements similar to:
* Network 'sniffing' may not be done unless approved by Information Security management;
* Secret information has to be encrypted when transmitted.
"Within the management compliance review, the existence of policies and practice statements are reviewed to determine if they cover accepted best practices. If they do exist and their content is applicable, management will feel 'a warm fuzzy feeling'."
Figure 1. Management concepts and technology concepts
Adds Pearce, "During a SACS security audit, a user ID and password was 'sniffed' from an enterprise network. The password obtained during the review was found to be the same as the user ID. This is a fundamental flaw that is found often within high risk environments.
"As an example we consult the supporting domains to determine what could be done to ensure that the security risk can be minimised. As an initial step, select domains that will be implemented without great effort and cost into your solution. For example:
* Security management practice - A security management practice may include a procedure to review all user IDs and test if the user ID and password is similar. If this is a case a security incident must be raised and the password changed.
* Application and systems development - If the application is developed in-house or we can request feature enhancements, it is recommended to use the trusted computing base (TCB) guide and create encrypted secure areas and make sure that the password is never transmitted in the clear.
If the focus is on communication security, the CISSP CBK suggests that the other domains are consulted to ensure that our security implementation is adequate. The other nine domains are:
1. Security management practices.
2. Access control systems.
4. Security architecture and models.
5. Operations security.
6. Applications and systems development.
7. Business continuity and disaster recovery planning.
8. Law investigation and ethics.
9. Physical security.
Says Pearce, "Each of these domains has a role to play in your final communications security solution and cannot be excluded, even if you feel that the weighting is not significant. Depending on the final solution each domain will have a different weighting."
"Using a risk ranking questionnaire you can address each supporting domain with the appropriate weighting factor. Communication security has to be addressed as one of the 10 domains, with each domain supporting the final solution. If this is part of the process, only then can we say with greater certainty that we have addressed the inherent risks," says Pearce.
Benefits of (ISC)2 certification to the enterprise
* Establishes best practices.
* Provides a solutions-orientation, not specialisation, particularly with the broader understanding of the IS CBK
* Access to a network of global industry and subject matter/domain experts.
* Resource for broad-based security information.
* Adds to credibility with the rigor and regimen of the certification examinations.
* Provides a business and technology orientation to risk management.
Benefits of (ISC)2 Certification to the Professional
* Confirms a working knowledge of information security.
* Confirms passing of a rigorous examination.
* Career differentiator, with peer networking and added IS credibility.
* Broadening expectation of credentials.