IMHO:
New IS Security Requisites
James W. Meritt is a senior security systems engineer at Wang Government Services. He can be reached at Jim.Meritt@wang.com.
As the Internet and network technology become a bigger part of everyday life, security plays an increasingly important role for IS professionals. Aside from the obvious technical know-how (from understanding jargon to installing and operating secure servers), a robust set of skills is needed to keep up with rapid changes in security requirements. Two IS security certifications, the Certified Information Systems Security Professional (CISSP) and the Certified Information Systems Auditor (CISA), mandate specific needs for IS security practice. Another way to determine the skill sets that will be needed for IS security is to take a look at the state of the job market.
The International Information Systems Security Certification Consortium, which grants the CISSP certification (see www.isc2.org), has this to say: "The CISSP certification identifies you as a professional who has met a certain standard of knowledge and experience, and who continues to keep his or her knowledge current and relevant to what is happening in the practice of information security."
The CISSP certification program is divided into 10 "domains":
Access control systems and methodology
Cryptography
Business continuity and disaster recovery planning
Security architecture and models
Law, investigations, and ethics
Security management practices
Computer operation security
Application and systems development
Telecom and network security
Physical security.
The CISA certification, awarded by the Information Systems Audit and Control Association and Foundation (www.isaca.org), focuses on a slightly different skill set: "The CISA designation is awarded to those individuals with an interest in information systems auditing, control, and security."
Like CISSP, the CISA program is divided into domains, but CISA uses five:
Information systems audit standards and practices and information systems security and control practices: Adheres to general IS audit standards, statements, and practices, as well as security and control practices.
IS organization and management: Analyzes and evaluates IS strategy, policies and procedures, management practices, and organization structures.
IS process: Analyzes and evaluates IS process, including hardware and software platforms, network and telecommunications infrastructure, operational practices, utilization of IS resources, and business processes.
IS integrity, confidentiality, and availability: Analyzes and evaluates logical, physical, environmental, data validation, processing, and balancing controls, as well as business continuity planning and testing process.
IS development, acquisition, and maintenance: Analyzes and evaluates development, acquisition, and maintenance.
For the past year and a half, I have also tried to get a handle on the security market by collecting job advertisements for IS professionals. In examining these ads, from both print and online sources, I noticed that a few categories were repeatedly sought:
Skills related to security risks, including risk analysis, risk assessment, penetration analysis, security evaluation, vulnerability analysis, and general risk management.
A variety of skills pertaining to firewalls.
Experience in policies and standards, in particular research, writing, and keeping established policies and standards in effect.
Skills in network or system monitoring.
An increasing demand for management skills, especially in more senior positions. These included teamwork, ethics, communication, work skills, leadership, planning and executing plans, and personnel management.
An increasing emphasis on the business marketplace, in particular concern with products, marketing, sales, and consulting.
Some emphasis on training, both for the applicant and for the applicant's ability to train others.
It thus seems imperative that IS security professionals establish an ever-wider and up-to-date skill set as the Internet and other networks continue to proliferate. The day of business managers saying "let the techie do it" is long gone. In the new Information Age, technology and business acumen will become part of a single requirement for security personnel and for IS workers in general.