http://www.computerworld.com/securitytopics/security/story/0,10801,94169,00.html

By Jaikumar Vijayan
JUNE 28, 2004
COMPUTERWORLD

The International Standards Organization last week gave its stamp of approval to the CISSP security certification for IT workers, and a half-dozen security managers said the endorsement should help enhance the certification's legitimacy and acceptance.

They added that boosting CISSP's credibility would be a welcome development at a time when companies are increasingly being asked by their boards of directors and by auditors and regulators to prove that they have done due diligence on all matters related to IT security -- including the hiring of security managers and other IT staffers.

The American National Standards Institute, the U.S. representative to the Geneva-based ISO, announced that the standards bodies are granting certificate accreditation to the Certified Information Systems Security Professional credential. Roy Swift, an ANSI program director, said CISSP is the first IT certification to be accredited under ISO/IEC 17024, a global benchmark for workers in various professions.

The accreditation will hopefully give CISSP a shot in the arm, said Christofer Hoff, director of enterprise security services at Western Corporate Federal Credit Union, a San Dimas, Calif.-based company with $25 billion in assets. "While broadly accepted as a benchmark credential, it's still viewed in some circles as being somewhat soft in the certification process," he added.

In fact, most IT certification programs "are often under fire for being too lenient and not reflecting the actual skills of the person," said Andrew Plato, president of Anitian Corp., a network security consulting firm and systems integrator in Beaverton, Ore. "The ISO accreditation will likely help dispel notions that the CISSP certification is meaningless."
'A Positive Step'

The CISSP credential is awarded by International Information Systems Security Certification Consortium Inc., a nonprofit organization in Vienna, Va., known informally as (ISC)2. Although it's just one of several similar certifications, CISSP is considered the most popular. More than 27,000 IT security workers have earned the certification so far, according to (ISC)2.

The ISO's accreditation of CISSP should lessen some of the uncertainty that now exists for IT managers because of the competing certification programs, said Kim Milford, information security manager in the IT department at the University of Wisconsin-Madison. "It's made hiring more confusing at times, as we need to weigh the strengths of different certifications against each other," Milford said. The university now plans to require security professionals to have CISSP credentials in order to qualify for senior positions, she added.

David Stacey, global IT security director at St. Jude Medical Inc. in St. Paul, Minn., already requires a CISSP certificate for any senior security position at the $1.6 billion maker of cardiovascular equipment. Stacey said the ISO's official recognition of the certification program is a positive step, given the growing importance of IT security to companies like his. "Security is now a business enabler, and security leaders need to be better trained, more experienced and more business-savvy," Stacey said. "The CISSP is a good metric of that leadership ability."

However, Swift said other organizations that offer IT security certifications have also applied to the ISO for accreditation. "There's a strong demand for third-party review of these certifications to reassure the consumer and the government that the people who have these certifications do have the knowledge and skills they say they have," he added.
Alan Paller, director of research at the SANS Institute in Bethesda, Md., said his organization is seeking accreditation for its IT security certification program. The Information Systems Audit and Control Association in Rolling Meadows, Ill., has filed similar applications for separate certifications it offers to IT security managers and auditors.

To qualify for CISSP certification, security professionals need to have either four years of work experience or a three-year college degree in a related field, said James Duffy, executive director of (ISC)2. They must also pass a six-hour exam designed to test their knowledge of technology and business issues related to information security.

Swift said the accreditation was granted after a review of (ISC)2's policies and procedures, including those for testing, maintaining, reviewing and withdrawing certification. The test itself was also reviewed to ensure that the questions are relevant to the skills being assessed, he said.