CHAPTER 5


Organizations Providing Resources for Professionals


Because of the eclectic nature of information assurance, you must have some basic structure to guide you. The first step in this process is to define certification and professionalism. They are quickly becoming recognized as critical factors in the success of a corporation as well as a government agency.

Indeed, information assurance and security are often cited as core competencies in industry and government redesign. Prahalad and Hamel referred to corporate core competencies as the roots of competitiveness.

Professional certification is a procedure to identify individuals who have a common education and experience, who demonstrate some quantifiable level of knowledge and skills, and who subscribe to a code of professional ethics.

As organizations become more reliant on information systems, information assurance professionals are challenged to put forth formidable efforts to secure information systems against myriad threats. A security professional should be equipped with knowledge in all areas of information assurance and should observe the highest code of professional ethics to assist an organization in protecting information.

Organizations and institutions exist to train and equip security professionals by providing security-related information, guidelines, best practices, frameworks, and certification. This chapter presents the background and functions of some of these organizations. In addition, the chapter explores the codes of ethics these organizations promote for security professionals.

Organizations Providing Resources for Professionals

This section outlines some of the well-known organizations providing professional certifications. Individuals should consider the relevancy to their job requirements and industry recognition before attaining a professional certification.

There are four characteristics of a professional certification standard.

      • Agreement on certification criteria specific to ethics, education, and experience and a course of study that meets a prescribed set of standards. This is done by establishing a common body of knowledge that is agreed upon by recognized leaders in the information security field.

      • Creation and validation of a testing program that should be professionally supervised by individuals skilled in test development (ISO 17024).

      • Definition of an acceptable level of work experience to qualify an individual for certification.

      • Examination to demonstrate some quantifiable level of knowledge. Mastery of the common body of knowledge is one indication of competency in this field, while performance testing is another indicator.

Organizations should understand different certification bodies and the drivers of their mission.

(ISC)2 International Information System Security Certification Consortium

The International Information System Security Certification Consortium (ISC)2 is a nonprofit, vendor-neutral organization known for its guidance on best practices in the areas of information assurance. Established in 1989, (ISC)2 provides certification for more than 120,000 professionals. Its certification programs include Certified Information Systems Security Professional (CISSP), Systems Security Certified Practitioner (SSCP), Certified Authorization Professional (CAP), Certified Cyber Forensics Professional (CCFP), HealthCare Information Security and Privacy Practitioner (HCISPP), and Certified Secure Software Lifecycle Professional (CSSLP). For those who have several years’ working experience in information assurance or networking and intend to develop a career in this field, CISSP is the recommended certification to pursue. With more than 120,000 members, (ISC)2 is the largest and most senior computer security certifying organization, and its certifications provide a comprehensive overview of information assurance–related knowledge.

Computing Technology Industry Association

The Computing Technology Industry Association (CompTIA) is a nonprofit trade association that provides a broad spectrum of professional certifications, including A+, Network+, and Security+. Additionally, CompTIA provides Cloud+ for implementing secure clouds, Mobile App Security+ for secure mobile deployments, and Social Media Security Professional for secure social media use. CompTIA’s certifications are vendor neutral, and proceeds are reinvested directly into its programs. CompTIA has been offering a wide range of certifications for more than 20 years in the United States, India, Japan, South Africa, and the United Kingdom.

Information System Audit and Control Association

Since 1967, the Information System Audit and Control Association (ISACA) has been involved in the research and expansion of knowledge in information technology governance. Security and audit experts globally know it for the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) professional certifications. CISA is generally recommended for information security auditors, whereas CISM is recommended for those who are involved in managerial-related information security tasks. In addition, ISACA publishes the Control Objectives for Information and Related Technology (COBIT) standard, which provides management and business process owners with an IT governance model that helps in delivering value from IT and understanding and managing the risks associated with IT.

Information System Security Association

The Information System Security Association (ISSA), a nonprofit organization, has been organizing and facilitating information system security initiatives since 1984, for example by conducting forums and knowledge-sharing programs on the information system security environment. These efforts enhance the knowledge and skills of practitioners. ISSA’s main function is to help ensure the confidentiality, integrity, and availability of information resources by promoting good management practices.

SANS Institute

The SysAdmin, Audit, Network and Security (SANS) Institute was established as a privately held training organization involved in cooperative research in 1989. The organization conducts certifications in specialized areas such as forensic analysis, incident handling, and security audits along with the Global Information Assurance Certificate (GIAC). The institute is involved in delivering and maintaining one of the largest collections of research documents on information security. The SANS Institute provides various free resources on information security–related news, vulnerabilities, alerts, and warnings. There are various tracks and certification programs provided by SANS Institute. They are recommended for highly technical professionals who deal with implementing and operating technology.

Disaster Recovery Institute, International

Established in 1988, the Disaster Recovery Institute, International (DRII) focuses on gathering and building contingency planning and risk management knowledge. The educational programs DRII manages cover business continuity planning and management. The standards and industry best practices DRII publishes promote knowledge sharing and serve as a common reference for the business continuity planning/disaster recovery industry.

Business Continuity Institute

The Business Continuity Institute (BCI) was founded in 1994 with the ambition of ensuring that the provision and maintenance of business continuity planning and services are of the highest quality. Business continuity practitioners often refer to BCI for guidance on maintaining high professional competency standards and commercial ethics.

Deciding Among Certifications


Some of the decision criteria that inform an analysis of the value of a certification include the following:

      • How long has the certification been in existence?

      • Does the certification organization’s process conform to established standards?

      • How many people hold the certification?

      • How widely respected is the certification?

      • Does the certification span industry boundaries?

      • What is the probability that five or ten years from now the certification will still be useful?

      • Does the certification span geographic boundaries?

Answers to each of these questions provide insight into the value of a certification to both the potential employee and the employer.

Codes of Ethics

Different individuals may have different perceptions of ethics. You may have heard of the term ethical hacker.

What makes the action of a hacker legitimate and ethical? The action would be legitimate and ethical if consent of the owner is obtained prior to performing an assessment of system security. The consent necessary for ethical hacking is simply the application of one code of ethics among those found in professional security organizations.

Even if an action is not ethical, it may still be legal. Organizations should develop guidelines on computer or business ethics and disseminate this information to their employees through awareness or training sessions.

These ethical guidelines show stakeholders and employees that management is sincere in developing and supporting an ethical environment within the organization. Over time, this limits the occurrence of unethical conduct within the organization.

Certifying organizations may require their certified security professionals to comply fully with their code of ethics. By reference to these guidelines, organizations and the information assurance community can establish ethical guidelines to conform to local custom and in accordance with national laws and regulations in this area.

Table 5-1 summarizes the codes of ethics from organizations such as (ISC)2, SANS Institute, ISACA, ISSA, BCI, and Computer Ethics Institute (CEI).


Table 5-1 Common Features of Codes of Ethics

Further Reading

      • (ISC)2. www.isc.org.

      • BCI. www.thebci.org/about.htm.

      • DRII. www.drii.org.

      • Guide to CISSP. Information Security Certification, 2007. www.guidetocissp.com.

      • ISACA. www.isaca.org/.

      • ISSA. www.issa.org/.

      • NIATEC training materials web site. http://niatec.info/pdf.aspx?id=169.

      • Ryan, D., et al. On Security Education, Training and Certifications. Information Systems Audit and Control Association, 2004.

      • SANS Institute. www.sans.org/.

      • Prahalad, C.K., and G. Hamel. “The Core Competence of the Corporation.” Harvard Business Review, May–June 1990.

      • Schou, Corey D., and D.P. Shoemaker. Information Assurance for the Enterprise: A Roadmap to Information Security. McGraw-Hill Education, 2007.

      • Tipton, Harold F., and S. Hernandez, eds. Official (ISC)2 Guide to the CISSP CBK, 3rd edition. (ISC)2 Press, 2012.

Critical Thinking Exercises

        1. A chief information security officer (CISO) continuously reports issues of risk to senior management even though they continue to deny requests for resources to mitigate the risk. The CISO holds a CISSP. Why is the CISO continuing to report the risk if the board has not done anything about it in the past?

        2. An organization has decided it needs a chief security officer to help determine the best way to implement its information assurance strategy. What certifications might best identify a strategic information assurance individual?
