Two new certifications have recently been announced, and it is likely that their respective acronyms will soon find their way into the resumes of information security professionals.
ISACA recently announced the creation of CGEIT (Certified in the Governance of Enterprise IT) certification, as did SCIPP with their SCIPP Security Certification.
Security certifications are valuable commodities to employers, who are demanding qualified information security staff. Many view certified candidates as having an advantage over others. Job seekers pursue certifications for numerous reasons, chief among them that certification offers a career differentiator, which gives them enhanced credibility and marketability.
CGEIT
CGEIT is meant to lessen the gap that exists between security and audit groups and their counterparts in management and in the boardroom. For too long, information security staff have often been far too technical, speaking to management in a language they do not understand or want to hear. Executive management does not really care about encryption key length or which brand of firewall is being used. They want to know that the business they run is compliant with required standards and regulations.
Governance has long existed in the corporate world, and CGEIT certification is about ensuring that it transcends to the world of IT.
Publicly announced in November 2007, CGEIT is in no way meant to be an introductory certification. ISACA developed it for professionals who have extensive experience in management, advisory, or assurance roles relating to the governance of IT. ISACA states that the certification is intended to:
· support the growing business demands related to IT governance
· increase the awareness and importance of IT governance good practices and issues
· define the roles and responsibilities of the professionals performing IT governance work
Requirements for CGEIT Certification
Earning the CGEIT certification is a four-step process. First is to pass the CGEIT examination, which will first be offered in December 2008. Similar to the (ISC)² CISSP certification, ISACA requires an individual to adhere to the ISACA Code of Professional Ethics and agree to comply with the CGEIT Continuing Education Policy.
Finally, the candidate must provide ISACA with evidence of five or more years of experience managing, serving in an advisory or oversight role, and/or otherwise supporting the governance of the IT-related contribution to an enterprise. This work experience can be in any of the following six practice domains as defined by ISACA:
1. IT Governance Framework
2. Strategic Alignment
3. Value Delivery
4. Risk Management
5. Resource Management
6. Performance Measurement
Of the five-year requirement, ISACA allows a substitution of up to 2 years for those who have other management experience or who hold specific certifications or degrees.
For those that do not want to wait until 2008 to achieve CGEIT certification, ISACA is offering CGEIT certification to experienced professionals under a grandfathering clause. Until October 2008, ISACA is allowing experienced professionals who have had a significant management, advisory and/or assurance role relating to the governance of IT to apply for certification as a CGEIT without being required to pass the CGEIT examination.
To earn the CGEIT designation during this period, one is required to do everything a normal candidate does (submit evidence of appropriate work experience, agree to adhere to the ISACA Code of Professional Ethics, and agree to comply with the CGEIT Continuing Professional Education Policy) and pay the application fee, which ranges between $595 and $725.
SCIPP
While certifications such as CISSP, GIAC, CISM and others are for the information security elite, the newly formed SCIPP organization is not targeting the security elite, but rather the tens of millions of end-users, who are often oblivious to security and privacy issues. At a high level, SCIPP targets everyone from remote telecommuters to partners, vendors and consultants.
SCIPP International is a new non-profit security organization which was recently formed by noted security professional and author Winn Schwartau. SCIPP is built around security training and awareness, and its certification program is made not for experienced security professionals but for just about anyone who touches a computer.
SCIPP is focusing on the end-user base given that a majority of computer security breaches stem from basic user errors. SCIPP feels that it makes the most sense to train the most significant potential weak link in the information system security chain, that being the end-user.
On the policy side, the organization is developing SCIPP Generally Accepted Practices (SCIPP GAP), a common body of knowledge of security awareness best practices to be used to expand the role and influence of security awareness training and certificate programs for end-users. Like the CISSP CBK (Common Body of Knowledge), SCIPP GAP contains 10 practice areas, ranging from security event reporting and password procedures to corporate policies and compliance. SCIPP GAP will face hurdles, as the industry is littered with similar initiatives that have crashed and burned. A similar recent initiative, GAISP (Generally Accepted Information Security Principles), of which the author was a co-chairman, was recently terminated by the ISSA.
SCIPP will be offering a certificate of security awareness in a number of programs, namely:
1. SCIPP-CE - corporate employees
2. SCIPP-CC - corporate entities
3. SCIPP-GE - government employees
4. SCIPP-GC - government entities
5. SCIPP-SE - self-employed professionals
6. SCIPP-ED - educators
Each SCIPP security awareness training and certificate program consists of three parts:
1. optional pre-assessment metrics, ROI and improvement measurement statistics
2. self-paced three-chapter on-line course
3. 25-question multiple choice post-assessment
Upon successful completion, the candidate is awarded a SCIPP certificate of security awareness. SCIPP certificates are valid for one year from the date of successfully completing the awareness course and passing the post-assessment.
One unique aspect of SCIPP is its organizational certification. As part of the process, SCIPP International monitors an organization's security awareness course and its post-assessment progress. SCIPP offers organizational certification dependent on the percentage of end-users who participate in the annual SCIPP course and pass the post-assessment. The levels are:
· Master - 90%
· Level 4 - 75%
· Level 3 - 50%
· Level 2 - 25%
· Level 1 - 10%
Conclusion
Information security certification plays an important and ever-increasing role in the success of security professionals. The benefits certification offers are significant, and a resume that lacks a certification is often viewed with suspicion. It is likely that, in a matter of time, CGEIT and SCIPP will appear on more and more information security candidates' resumes.