[ISN] ISO endorses key security certification

InfoSec News isn at c4i.org
Tue Jun 29 09:25:38 EDT 2004


http://www.computerworld.com/securitytopics/security/story/0,10801,94169,00.html

By Jaikumar Vijayan 
JUNE 28, 2004 
COMPUTERWORLD

The International Standards Organization last week gave its stamp of
approval to the CISSP security certification for IT workers, and a
half-dozen security managers said the endorsement should help enhance
the certification's legitimacy and acceptance.

They added that boosting CISSP's credibility would be a welcome
development at a time when companies are increasingly being asked by
their boards of directors and by auditors and regulators to prove that
they have done due diligence on all matters related to IT security --
including the hiring of security managers and other IT staffers.

The American National Standards Institute, the U.S. representative to
the Geneva-based ISO, announced that the standards bodies are granting
certificate accreditation to the Certified Information Systems
Security Professional credential. Roy Swift, an ANSI program director,
said CISSP is the first IT certification to be accredited under
ISO/IEC 17024, a global benchmark for workers in various professions.

The accreditation will hopefully give CISSP a shot in the arm, said
Christofer Hoff, director of enterprise security services at Western
Corporate Federal Credit Union, a San Dimas, Calif.-based company with
$25 billion in assets. "While broadly accepted as a benchmark
credential, it's still viewed in some circles as being somewhat soft
in the certification process," he added.

In fact, most IT certification programs "are often under fire for
being too lenient and not reflecting the actual skills of the person,"  
said Andrew Plato, president of Anitian Corp., a network security
consulting firm and systems integrator in Beaverton, Ore. "The ISO
accreditation will likely help dispel notions that the CISSP
certification is meaningless."

'A Positive Step'

The CISSP credential is awarded by International Information Systems
Security Certification Consortium Inc., a nonprofit organization in
Vienna, Va., known informally as (ISC)2. Although it's just one of
several similar certifications, CISSP is considered the most popular.  
More than 27,000 IT security workers have earned the certification so
far, according to (ISC)2.

The ISO's accreditation of CISSP should lessen some of the uncertainty
that now exists for IT managers because of the competing certification
programs, said Kim Milford, information security manager in the IT
department at the University of Wisconsin-Madison.

"It's made hiring more confusing at times, as we need to weigh the
strengths of different certifications against each other," Milford
said. The university now plans to require security professionals to
have CISSP credentials in order to qualify for senior positions, she
added.

David Stacey, global IT security director at St. Jude Medical Inc. in
St. Paul, Minn., already requires a CISSP certificate for any senior
security position at the $1.6 billion maker of cardiovascular
equipment. Stacey said the ISO's official recognition of the
certification program is a positive step, given the growing importance
of IT security to companies like his.

"Security is now a business enabler, and security leaders need to be
better trained, more experienced and more business-savvy," Stacey
said. "The CISSP is a good metric of that leadership ability."

However, Swift said other organizations that offer IT security
certifications have also applied to the ISO for accreditation.  
"There's a strong demand for third-party review of these
certifications to reassure the consumer and the government that the
people who have these certifications do have the knowledge and skills
they say they have," he added.

Alan Paller, director of research at the SANS Institute in Bethesda,
Md., said his organization is seeking accreditation for its IT
security certification program. The Information Systems Audit and
Control Association in Rolling Meadows, Ill., has filed similar
applications for separate certifications it offers to IT security
managers and auditors.

To qualify for CISSP certification, security professionals need to
have either four years of work experience or a three-year college
degree in a related field, said James Duffy, executive director of
(ISC)2. They must also pass a six-hour exam designed to test their
knowledge of technology and business issues related to information
security.

Swift said the accreditation was granted after a review of (ISC)2's
policies and procedures, including those for testing, maintaining,
reviewing and withdrawing certification. The test itself was also
reviewed to ensure that the questions are relevant to the skills being
assessed, he said.