
Focus on Training Tel: 0845 450 6120 Web: www.focus-on-training.co.uk 

ITIL and PRINCE2 are Trade Marks of the Office of Government Commerce

© 2010 Focus on Training

Information Security Training & Certification: CISM, CISMP and other IT Security Certifications Explained


Information Security Training and Certification

Prominent lapses in information security have demonstrated all too clearly how organisations can quickly fall foul of the law – and undermine trust and confidence built up over decades.

A new business-critical body of knowledge is rapidly developing in the area of information security. Training and certification is now available which provides individuals with the necessary skills, and companies with the assurance that they are employing competent individuals.

The notes below provide background on the industry bodies involved, and the qualifications for which they are responsible.

1. Why Information Security?
2. Formal Qualifications
3. Relevant Industry Bodies
4. Leading Certifications
5. Which Certification is Right for Me?

Prepared by:

Rex Gibson, Development Director

Version 1.02 October 2010 

About: Focus on Training offers the largest UK schedule of accredited courses for these certifications. Explore them on the Focus website at: http://www.focus-on-training.co.uk/it-governance-and-security-training/courses/skillarea/15/

Rex Gibson leads the IT team at Focus. He has successfully executed major business change and IT projects, and has managed international engineering companies with significant IT [email protected]


1. Why Information Security?

Recent prominent lapses in information security have demonstrated all too clearly how organisations can quickly fall foul of the law – and undermine trust and confidence built up over decades.

The importance of Information Security is increasing rapidly as information processing comes centre stage in many organisations – and as technological advances allow vast amounts of electronic information to be stored in databases and shared across networks.

It is a highly complex area spanning fast-developing computer hardware, software and systems. It also interfaces with many business functions. There are difficult trade-offs which cannot be made in isolation from business strategy: the long-recognised balance between Confidentiality, Integrity and Availability is increasingly supplemented with consideration of aspects such as Utility and Accountability.

This is creating demand for Information Security Professionals with up-to-date skills and experience. These individuals can be amongst the highest paid in the IT sector; they are able to influence at senior levels, and their skill sets are sought after internationally.

2. Formal Qualifications

Formal qualifications are increasingly important in the field of Information Security, in part reflecting the assurance and compliance nature of the task.

There is a confusing array of different certifications from a number of industry bodies. The following is a summary of the more commonly recognised qualifications:

CISM       Certified Information Security Manager                      ISACA
CISA       Certified Information Systems Auditor                       ISACA
CISSP      Certified Information Systems Security Professional         (ISC)2
ISMAS      Information Security Management Advanced                    EXIN
CISMP      Certificate in Information Security Management Principles   BCS/ISEB
Security+  CompTIA Security+ Certification                             CompTIA
CEH        Certified Ethical Hacker                                    EC-Council


3. Relevant Industry Bodies

ISACA
- Originally the Information Systems Audit and Control Association
- A world-leading authority on IT Governance, Control and Security
- A professional membership organisation (90,000 members)
- Based in the US but has chapters in 75 countries, and members in 160
- Accredited qualifications focus on information security management and audit
http://www.isaca.org/

(ISC)2
- International Information Systems Security Certification Consortium
- A leader in educating and certifying information security practitioners
- Maintains a Common Body of Knowledge (CBK) on information security topics
- Based in the US but with offices in London, Hong Kong & Tokyo
- 60,000 certified members gain networking and information benefits
https://www.isc2.org/

EXIN
- The Examination Institute for Information Science
- Based in Holland but has certified a million IT professionals worldwide
- A leading ITIL exam authority – and it also covers ISO/IEC 20000 & 27000
http://www.exin-exams.com/

BCS/ISEB
- ISEB is the examination board of the British Computer Society (BCS)
- Based in the UK but operates worldwide
- The leading membership organisation for IT professionals in the UK
- Specialises in ITIL, Business Systems Development and IT Governance
http://www.iseb-exams.com/

CompTIA
- A leading provider of vendor-neutral IT certifications
- US based but adopted worldwide
- Targets practical IT specialisms, e.g. network administration & computer repair
- Provides a bridge from entry level to more specialised certification from other bodies
http://www.comptia.org/

EC-Council
- The International Council of Electronic Commerce Consultants
- Newcomer, offering tools and education for professionals to avert cyber attacks
- US based; 30,000 certified worldwide since established less than 10 years ago
- Certified Ethical Hacker is the most prominent of its series of specialist qualifications
http://www.eccouncil.org/


4. Leading Certifications

CISM Certified Information Security Manager

CISM is a management-focused certification that has been earned by more than 13,000 professionals since its introduction in 2003. CISM is for the individual who manages, designs, oversees and assesses an enterprise's information security. The emphasis is on risk management rather than technical expertise.

As well as passing the CISM exam it is necessary to evidence a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the “job practice analysis areas”. The work experience must be gained within the ten-year period preceding the application date for certification or within five years from the date of originally passing the exam. There are one- or two-year offsets to the experience requirements depending upon prior certification and education.

Exams are held in June and December each year and are organised directly by ISACA. The exam is a closed-book, 4-hour paper with 200 questions. Candidate scores are reported on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass the exam. In the UK exams are held in London, Birmingham and Manchester.

Exam preparation courses are typically 5 days in order to cover the growing curriculum. They are often scheduled to take place a few weeks prior to the June and December exams.

CISA Certified Information Systems Auditor

The CISA certification was launched in 1978 and has become a globally accepted standard of achievement among information systems (IS) audit, control and security practitioners.

It was the precursor to the CISM and follows the same structure. Closed-book exams are held in June and December. Five years’ experience is required for certification – though subject to certification and education waivers.

This qualification specifically identifies those with the competency to conduct and interpret systematic information system audits.

CISSP Certified Information Systems Security Professional

The CISSP certification is governed by the International Information Systems Security Certification Consortium (ISC)2 and has gained importance as a key component in the selection process for mid- and senior-level information security management positions.


CISSP was the first security certification to be endorsed by the American National Standards Institute, ANSI.

As well as passing a demanding examination, candidates for this credential must be able to demonstrate extensive security experience. You must have at least five full years of experience in information security (though there is a one-year waiver for a relevant degree or other specified qualification). Your experience must cover two or more of these 10 (ISC)² CISSP domains:

- Access Control
- Application Development Security
- Business Continuity and Disaster Recovery Planning
- Cryptography
- Information Security Governance and Risk Management
- Legal, Regulations, Investigations and Compliance
- Operations Security
- Physical (Environmental) Security
- Security Architecture and Design
- Telecommunications and Network Security

The CISSP exam is booked with (ISC)2. It is a closed-book multiple-choice paper with 250 questions. Up to six hours are available to complete the paper. The pass mark is 70%. Allow 6 weeks for papers to be marked.

It is recommended that candidates attend a 5-day course which will cover the subject matter and prepare students for the exam.

ISMAS Information Security Management Advanced

The ISMAS certification is relatively new – but is unique in that it is specifically aligned to ISO/IEC 27001. This is the international standard for Information Security Management which replaced BS 7799 and is achieving rapid global uptake.

EXIN offers both Foundation and Advanced certification. The Foundation level provides an overview and is appropriate for those needing awareness of the topic. Advanced is for those who need to apply the principles. A third certification tier (Expert) with a more complex exam and experience prerequisites is under development.

Those requiring this certification will typically attend a 5-day course which includes both Foundation and Advanced exams.

CISMP Certificate in Information Security Management Principles

The CISMP also references ISO/IEC 27001. It provides a base level of knowledge for individuals moving into a security or security-related function. It also offers the opportunity for IT security managers to enhance or refresh their knowledge.


Candidates must have a minimum of twelve months’ experience in IT; six months of this experience must have been in a security control activity. The certification is described as “Foundation” by ISEB. It is true that it is relevant to new entrants, but equally there is a wide range of knowledge expected. This qualification is probably better recognised in the UK than internationally.

The exam is a two-hour, 100-question, multiple-choice paper with a pass mark of 65%. The exam is typically taken on the final day of a 5-day instructor-led training course.

Security+ CompTIA Security+ Certification

Security+ is one of a series of specialist certifications offered by CompTIA. It is an international, vendor-neutral certification that proves competency in system security, network infrastructure, access control and organisational security.

Although not a prerequisite, it is recommended that CompTIA Security+ candidates have at least two years of technical networking experience, with an emphasis on security. The CompTIA Network+ certification is also recommended.

The exam is a 90-minute, 100-question multiple-choice paper available at Prometric and Pearson VUE test centres. The pass mark is 750 on a scale of 100-900.

CEH Certified Ethical Hacker

The CEH certification has achieved rapid international recognition – because it is unique in recognising those individuals who command the skills, expertise and trust to test the integrity of the latest web-based systems.

The definition of an Ethical Hacker is very similar to that of a Penetration Tester. The Ethical Hacker is an individual who is usually employed by the organisation and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods as a Hacker.

To prepare for the exam students attend an intensive 5-day class where they learn to think like a hacker. The class immerses the students in a hands-on environment where they will scan, test, hack and secure their own systems. The lab-intensive environment gives each student in-depth knowledge and practical experience with the current essential security systems.

This course prepares you for the EC-Council Certified Ethical Hacker exam. The four-hour examination consists of 150 multiple-choice questions. The exam can be taken at Pearson VUE and Prometric test centres. The pass mark is 70%.


5. Which Certification is Right for Me?

Each of the above Information Security certifications is well recognised by employers and will provide valuable knowledge for those working in this area.

The appropriateness of each certification to your own circumstances will depend on level of experience, job role, employer preferences and geographical emphasis.

             Experience   Job Role -   Job Role -       ISO 27001   UK
                          Seniority    Technical Bias   Alignment   Recognition
CISM         ***          ***          *                **          ***
CISA         ***          **           **               **          **
CISSP        ***          ***          *                **          **
ISMAS        **           **           **               ***         **
CISMP        *            **           *                **          ***
Security+    *            *            **               *           **
CEH          **           **           ***              *           **

* Low   ** Medium   *** High

This is for outline guidance only. Focus would be pleased to advise on your specific requirements.