Certification and Accreditation for Information Security

With the continued growth of cybercrime and increased focus on regulators’ mandates to protect individuals’ data privacy, information security auditing remains a top priority for many organizations. It is imperative for a business to be proactive in addressing such potential threats and attacks and to have an effective cybersecurity strategy in place. This is exactly why an IT security audit can be helpful. It is not enough just to know how to audit. It is equally important to understand how information security controls should work. This is true whether you are auditing or charged with managing an information security control environment.

Both the Computing Technology Industry Association (CompTIA) and (ISC)2 offer technology-specific certifications that are commonly obtained by auditors.

A goal of (ISC)2 is to protect the integrity and value of these certifications as well as the professionalism of the information security industry. As a result, the organization requires credential holders and candidates to adhere to the (ISC)2 code of ethics. There are four mandatory principles or code of ethics canons:

  • Protect society, the commonwealth, and the infrastructure.

  • Act honorably, honestly, justly, responsibly, and legally.

  • Provide diligent and competent service to principals.

  • Advance and protect the profession.

The four principles of ethical behavior come with additional guidelines to help resolve ethical dilemmas. The goal is to encourage correct behavior through research, teaching, advancing the profession, and valuing the certifications. The guidelines also discourage certain behaviors. For example, they discourage associating or appearing to associate with criminals or criminal behavior. They also discourage attaching vulnerable systems to the public network, providing unwarranted reassurance, and promoting unnecessary fear, uncertainty, and doubt.

The guiding principles for each requirement are listed on the (ISC)2 website at http://www.isc2.org/ethics/default.aspx. The code of ethics states that complying with these guiding principles is not required, nor does compliance ensure ethical conduct. (ISC)2 provides the principles to help members resolve ethical dilemmas they may face during the course of their careers. The (ISC)2 board of directors, however, may use the principles to judge the behavior of members.

To protect the reputation of the profession, (ISC)2 provides a procedure for ethics complaints. (ISC)2 will only consider complaints directly related to one of the four principles. The board of directors established an ethics committee to oversee the process and provide recommendations to the board.

Auditors have an important duty to evaluate organizational controls. These controls affect the confidentiality, integrity, and availability of IT assets and information. As a result, IT auditing professionals must understand both technology and accounting concepts. In many cases, it’s not just desirable but necessary for IT auditing professionals to demonstrate certain levels of competence. If you choose to become certified, you will demonstrate your willingness to improve your knowledge and skills. This provides career benefits as well. It proves your expertise in specific areas to your organization, prospective employer, and clients.

Certification programs are available that focus solely on IT. Certification programs are also available that focus on auditing. Additionally, certifications exist that blend the two. Such certifications are more aligned to information system auditing and assurance.

Professional certifications have been around for a long time across many different fields. In the IT field, the number of certifications has skyrocketed over the past decade. This is due in part to the many vendor certification programs that are oriented toward specific technologies. These programs are managed by the corresponding vendors, and the programs benefit the vendors from a marketing aspect.

There are also many nonvendor, also called vendor-neutral, certifications. The Computing Technology Industry Association (CompTIA) provides one of the oldest nonvendor IT-related certification programs. CompTIA is a nonprofit organization that provides vendor-neutral certification exams. In addition, the organization provides educational programs and market research and has been involved in activities to advance the IT profession. CompTIA’s beginnings go back to 1982. It introduced its first exam, the A+ certification, in 1993. CompTIA was truly a pioneer in the IT security industry. CompTIA certifications include the following:

  • CompTIA A+—This covers basic operating systems and computer installation, troubleshooting, and communication.

  • CompTIA Network+—This covers managing and maintaining the basic network infrastructure.

  • CompTIA Security+—The CompTIA Security+ certification covers computer and network security, cryptography, and assessments and audits.

  • CompTIA Server+—This covers the more advanced computing concepts related to servers.

  • CompTIA Linux+—This covers the management of Linux operating systems.

  • CompTIA CTT+—This covers presentation and communication skills for both traditional and virtual class environments.

  • CompTIA CySA—This covers behavioral analytics used to improve information security.

  • CompTIA PenTest—This covers penetration testing to identify vulnerabilities.

  • CompTIA Project+ certification—This covers the role of project manager.

  • CompTIA Cloud+—This covers the topics required to implement and maintain cloud technologies.

  • CompTIA Data—This covers data analysis and how data drives business decision-making.

  • CompTIA Cloud Essentials—This covers the secure implementation and maintenance of cloud technologies.

  • CompTIA IT Fundamentals—This covers broad IT skills.

  • CompTIA Advanced Security Practitioner (CASP)—This covers advanced security topics and solutions across complex environments.

Those interested in IT auditing and assessment may find the Project+ and the Security+ certifications especially beneficial. Unlike some of the more advanced certifications discussed in the next section, these certifications are a great starting point. The other certifications that CompTIA offers can also benefit auditing and assessment professionals required to prove knowledge in more specialized areas.

Many certification programs are increasingly seeking American National Standards Institute (ANSI) accreditation. ANSI oversees thousands of standards and guidelines across nearly every business sector. ANSI accreditation is based on ISO/IEC international standards to ensure that certification programs are of high quality. ANSI accreditation helps maintain the value of certification programs as ANSI accreditation is recognized as a stamp of approval for a quality certification program.

The following sections discuss three well-known and well-respected organizations that offer programs that require a candidate to sufficiently demonstrate competencies in the auditing of information systems. A complete list of professional certifications is beyond the scope of this chapter.
