Security Certification 2003 Resource Guide: Essential Information on Security Certifications for IT Professionals and Managers


This guide offers in-depth coverage of security certifications in the IT industry as well as resources for further study.

IT Influencer Series

Contents

• Introduction
• (ISC)2: Experience Counts
• SANS: A Practical Approach
• Microsoft: Locking Windows
• CompTIA: Security for the Masses
• Cisco: Hardware Lockdown
• Check Point: Enterprise Certified
• CWNP: Wireless Pro
• ISACA: Audit Secure
• TruSecure: TISCA Experience
• Symantec: Sleeper Hit
• SCP: Security Certified Pro
• SCSA: Seeking the Sun
• EC-Council: Know Your Enemy
• Blueprint for a Career in Security
• Guide to Security Job Titles
• Q&A: Can Security Certifications Help Your Career?
• Salary Data for IT Professionals
• About Those U.S. Government Security Clearances
• 15 Best Web Sites for Security
• 5 Must-Read Security Newsletters
• 5 Web Picks for Security Certification
• Security Bookshelf
• Advertiser Index

Introduction

Security is one of the hottest areas in IT certification today. It can also be the most confusing. As little as two years ago, IT professionals wanting to certify their security-related knowledge and expertise had only a handful of credentials to choose from, most of which were reserved for the most experienced professionals. Since then, several vendors have added security-related titles and options, and those specializing in security are offering more credentials than ever. This boom has created a mix of titles that, while serving a wider cross-section of the IT community, also make understanding and evaluating security certifications an arduous endeavor.

We’ve created this guide to help IT professionals and managers sort out the many options available. On its pages you’ll find profiles of almost every major security-related certification available today. For each, we explain the audience they’re aimed for, the requirements for obtaining the titles, and what separates each from the other credentials.

But we also know that becoming an IT security professional takes more than just certification. That’s why you’ll also find advice on developing an IT security career, including frank words from security maven and author Roberta Bragg on what it takes to excel in this field, as well as an honest perspective from an industry insider on exactly what certification can (and can’t) do for your career. We also share the real way those all-too-elusive U.S. security clearances are obtained.

To help in the learning process, we’ve included our top picks for security Web sites and newsletters, as well as certification preparation resources.

Whether you’re an IT professional considering a career in security or a manager who needs to guide your security staff’s professional development, we hope the following information will offer you the comprehensive overview of security certification you’ve been searching for. Enjoy.

—The Editors

All content was written and/or developed by Keith Ward, senior editor, Microsoft Certified Professional Magazine; Becky Nagel, editor, CertCities.com; Michael Domingo, editor, MCPmag.com and Dian Schaffhauser, editorial director, Microsoft Certified Professional Magazine.

Security Certification 2003 Resource Guide (c) 2003 101communications LLC, http://certcities.com, http://mcpmag.com

Certification Profiles

Experience Counts

It takes more than just knowledge to earn (ISC)2’s CISSP and SSCP titles.

The International Information Systems Security Certification Consortium, (ISC)2, formed in 1989 to create an industry standard for information security best practices. Since that time, the organization has released several vendor-neutral certifications that combine testing candidates’ knowledge of these practices along with experience, ethical and ongoing education requirements.

The organization’s flagship title, the Certified Information Systems Security Professional (CISSP), focuses on 10 common bodies of knowledge (CBKs) based on the above-mentioned standards:

• Access Control Systems & Methodology
• Applications & Systems Development
• Business Continuity Planning
• Cryptography
• Law, Investigation & Ethics
• Operations Security
• Physical Security
• Security Architecture & Models
• Security Management Practices
• Telecommunications, Network & Internet Security

The resulting exam is a six-hour, 250-question affair, for which most candidates study months to prepare. Because of the broad depth of knowledge covered on the exam, most students prefer not to go it alone, joining study groups or attending instructor-led training courses.

However, simply passing the exam won’t earn you the CISSP. (ISC)2 cites its mission to create a “gold standard” certification as the reason it requires all candidates to have at least four years of “direct full-time security professional work experience” in one or more of the test domains listed above. A college degree can substitute for one year. This experience must be documented by an independent third-party and submitted to the (ISC)2 for audit, along with a signed document stating that the candidate will subscribe to the organization’s code of ethics. Only then will the title of CISSP be granted. But that’s not the end of it—all CISSPs must complete 120 units of continuing education per year to keep their title active.

If you don’t quite have four years of direct work experience, you may want to attempt the organization’s Systems Security Certified Practitioner (SSCP) title. This three-hour, 125-question exam focuses on seven of the above domains and requires only one year of direct work experience. Like the CISSP, you must subscribe to the organization’s code of ethics and earn continuing education units to maintain the title.

If you don’t have enough experience to earn either title but you still want to take the above exams, you can become an Associate of (ISC)2. This new program from the organization allows candidates without the required experience to take the exams and then earn the certifications once they obtain the needed experience.

If you’re already a CISSP and want to distinguish yourself further, the organization recently announced several “concentrations” that candidates can add on to their CISSP: CISSP Management and CISSP Architecture. There’s also the Information System Security Engineering Professional (ISSEP), a concentration formed in conjunction with the United States National Security Agency that focuses on the information security needs of federal government employees.

Note that because the organization’s exams are paper-based, candidates must sign up through (ISC)2 and travel to an official testing location. Prices for the organization’s exams currently range from $350 to $550, but will rise as much as $100 beginning January 1, 2004.

More information on all of the above titles can be found on (ISC)2’s Web site at http://www.isc2.org.

— Becky Nagel

(ISC)2

Vendor: The International Information Systems Security Certification Consortium (ISC)2
Certifications: CISSP, SSCP, related concentrations
Certification Type/Focus: Vendor-neutral titles focusing on best practices for information security professionals. Candidates must meet experience requirements and sign an ethics pledge.
Exam Prices: $350 to $550 (U.S.)
Training Required?: No
Testing Centers: Available only through vendor
More information: http://www.isc2.org

A Practical Approach

The SANS Institute’s GIAC certifications combine testing with practical assignments.

Like (ISC)2, the SANS Institute’s Global Information Assurance Certification (GIAC) takes a vendor-neutral approach. However, this organization’s titles focus on the practical more than the theoretical, testing candidates’ skills in a wide variety of areas through online or in-person testing as well as practical assignments.

Those interested in GIAC testing have a wide variety of titles to choose from:

• GIAC Security Essentials Certification (GSEC)
• GIAC Certified Firewall Analyst (GCFW)
• GIAC Certified Security Leadership (GSLC)
• GIAC Certified Intrusion Analyst (GCIA)
• GIAC Certified Incident Handler (GCIH)

... Administrator; and GIAC Certified Unix Security Administrator—can earn the organization’s highest certification, the GIAC Security Engineer. According to the organization, only two GIAC Security Engineers exist in the world today.

Before being allowed to take any GIAC exam, candidates must complete a “practical assignment”—an original research paper that demonstrates the candidate’s knowledge of the material being tested. These assignments are reviewed and graded by the organization, and those who pass are then allowed to sit the related exam.

SANS/GIAC

Vendor: The SANS Institute

GIAC exams are delivered online and at SANS
