[ISN] ISO endorses key security certification

From: InfoSec News (isn@private)
Date: Tue Jun 29 2004 - 06:25:38 PDT
    http://www.computerworld.com/securitytopics/security/story/0,10801,94169,00.html
    
    By Jaikumar Vijayan 
    JUNE 28, 2004 
    COMPUTERWORLD
    
    The International Standards Organization last week gave its stamp of
    approval to the CISSP security certification for IT workers, and a
    half-dozen security managers said the endorsement should help enhance
    the certification's legitimacy and acceptance.
    
    They added that boosting CISSP's credibility would be a welcome
    development at a time when companies are increasingly being asked by
    their boards of directors and by auditors and regulators to prove that
    they have done due diligence on all matters related to IT security --
    including the hiring of security managers and other IT staffers.
    
    The American National Standards Institute, the U.S. representative to
    the Geneva-based ISO, announced that the standards bodies are granting
    certificate accreditation to the Certified Information Systems
    Security Professional credential. Roy Swift, an ANSI program director,
    said CISSP is the first IT certification to be accredited under
    ISO/IEC 17024, a global benchmark for workers in various professions.
    
    The accreditation will hopefully give CISSP a shot in the arm, said
    Christofer Hoff, director of enterprise security services at Western
    Corporate Federal Credit Union, a San Dimas, Calif.-based company with
    $25 billion in assets. "While broadly accepted as a benchmark
    credential, it's still viewed in some circles as being somewhat soft
    in the certification process," he added.
    
    In fact, most IT certification programs "are often under fire for
    being too lenient and not reflecting the actual skills of the person,"  
    said Andrew Plato, president of Anitian Corp., a network security
    consulting firm and systems integrator in Beaverton, Ore. "The ISO
    accreditation will likely help dispel notions that the CISSP
    certification is meaningless."
    
    'A Positive Step'
    
    The CISSP credential is awarded by International Information Systems
    Security Certification Consortium Inc., a nonprofit organization in
    Vienna, Va., known informally as (ISC)2. Although it's just one of
    several similar certifications, CISSP is considered the most popular.  
    More than 27,000 IT security workers have earned the certification so
    far, according to (ISC)2.
    
    The ISO's accreditation of CISSP should lessen some of the uncertainty
    that now exists for IT managers because of the competing certification
    programs, said Kim Milford, information security manager in the IT
    department at the University of Wisconsin-Madison.
    
    "It's made hiring more confusing at times, as we need to weigh the
    strengths of different certifications against each other," Milford
    said. The university now plans to require security professionals to
    have CISSP credentials in order to qualify for senior positions, she
    added.
    
    David Stacey, global IT security director at St. Jude Medical Inc. in
    St. Paul, Minn., already requires a CISSP certificate for any senior
    security position at the $1.6 billion maker of cardiovascular
    equipment. Stacey said the ISO's official recognition of the
    certification program is a positive step, given the growing importance
    of IT security to companies like his.
    
    "Security is now a business enabler, and security leaders need to be
    better trained, more experienced and more business-savvy," Stacey
    said. "The CISSP is a good metric of that leadership ability."
    
    However, Swift said other organizations that offer IT security
    certifications have also applied to the ISO for accreditation.  
    "There's a strong demand for third-party review of these
    certifications to reassure the consumer and the government that the
    people who have these certifications do have the knowledge and skills
    they say they have," he added.
    
    Alan Paller, director of research at the SANS Institute in Bethesda,
    Md., said his organization is seeking accreditation for its IT
    security certification program. The Information Systems Audit and
    Control Association in Rolling Meadows, Ill., has filed similar
    applications for separate certifications it offers to IT security
    managers and auditors.
    
    To qualify for CISSP certification, security professionals need to
    have either four years of work experience or a three-year college
    degree in a related field, said James Duffy, executive director of
    (ISC)2. They must also pass a six-hour exam designed to test their
    knowledge of technology and business issues related to information
    security.
    
    Swift said the accreditation was granted after a review of (ISC)2's
    policies and procedures, including those for testing, maintaining,
    reviewing and withdrawing certification. The test itself was also
    reviewed to ensure that the questions are relevant to the skills being
    assessed, he said.
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
    (Broke? Spend 15 minutes a day on the project!)

    This archive was generated by hypermail 2b30 : Tue Jun 29 2004 - 09:16:31 PDT