CSCE 727 Industry Certifications in IA. Global IA Workforce Trends A Frost & Sullivan Market Survey...


Page 1: CSCE 727 Industry Certifications in IA. Global IA Workforce Trends A Frost & Sullivan Market Survey Sponsored by (ISC) 2® Prepared by Robert Ayoub, CISSP,

CSCE 727

Industry Certifications in IA


Global IA Workforce Trends

A Frost & Sullivan Market Survey Sponsored by (ISC)2®
Prepared by Robert Ayoub, CISSP, Global Program Director, Information Security
– CISSP® - Certified Information Systems Security Professional, https://www.isc2.org/CISSP/Default.aspx
Electronic survey, conducted through a Web-based portal

Information Warfare - Farkas 2


Summary of Findings

Increased stress for IA service providers: extended context of protection (system, data, reputation, end-users, customers)
Gap between needed skills and skills of workforce
Ill-prepared workforce for future threats
Growing area for workforce, need better training


Summary of Findings

Number one threat: application vulnerability (secure software development)
Number two threat: security for mobile devices (policies and tools)
New threat: social media (lack of control)
Skills gap between IA professionals, e.g., dealing with new technologies, such as cloud computing


Good News for IA Professionals

IA professionals weathered economic recession well
IA workforce is forecasted to show strong growth
Good salary


Back to the IA workforce survey

Role of IA professionals:
– Changing from technology oriented to a multi-faceted job
– Must address: regulatory compliance, human resource, legal compliance, data security, threats via new technologies, loss of control (e.g., cloud environment)


Demand for IA Workforce

Worldwide:
– 2010: 2.28 million
– 2015: 4.24 (projected)
– Compound Annual Growth Rate: 13.2%
Americas:
– 2010: 920,845
– 2015: 1,785,
– Compound Annual Growth Rate: 14.2%


New Technologies

Major impact on IA:
– Mobile devices
– Cloud computing
– Social media


IA Spending Trend

Changes since 2007: Increase/same/decrease

                         Worldwide   Americas
Personnel:               34/57/9     33/58/9
HW & SW:                 37/55/8     36/56/8
Professional services:   25/66/9     23/68/9
Outsource:               28/63/9     25/66/9


IA Training and Certification

                          Worldwide   Americas
Training and Education:   33/57/10    31/59/10
Certification:            28/62/10    27/63/10

Education level (current): Worldwide/Americas
– High school: 11/12
– B.S.: 48/50
– M.S.: 38/36
– Ph.D.: 3/3


Salary

2011 annual salary, (ISC)2® member/non-member
– Worldwide: $98,600/$78,500
– Americas: $106,900/$92,900


Security Certification

Hiring criteria by organizations
– Worldwide: 44% very important, 45% important
– Americas: 45% very important, 44% important
Top reasons for requiring certification:
– Employee competence, quality of work, regulatory requirements, company image and reputation, etc.


Growing Need for Training

Information risk management 47%
Application and system development security 41%
Forensics 39%
End-user security awareness 39%
Security architecture and models 38%
Access control systems and methodology 38%
Security management practices 37%
Business continuity and disaster recovery planning 34%


What kind of certifications to get?
Where to get it?
How much is it going to cost?
Etc.


Information Assurance Certifications

National Training Standards
Industry certification


National Training Standards

Committee on National Security Systems (CNSS) and the National Security Agency (NSA) National Training Standards
– CNSS-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals
– CNSS-4012, National Information Assurance Training Standard for Senior Systems Managers (SSM)
– CNSS-4013, National Information Assurance Training Standard For System Administrators (SA)
– CNSS-4014, Information Assurance Training Standard for Information Systems Security Officers (ISSO)
– CNSS-4015, National Training Standard for Systems Certifiers (SC)
– CNSS-4016, National Information Assurance Training Standard For Risk Analysts (RA)


USC Courses and CNSS Certifications

NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals
– CSCE 522
NSTISSI-4013, National Information Assurance Training Standard For System Administrators (SA)
– CSCE 522, CSCE 715
NSTISSI-4014, Information Assurance Training Standard for Information Systems Security Officers (ISSO)
– CSCE 522, CSCE 715, CSCE 727


CNSS-4011

National Training Standard for Information Systems Security (INFOSEC) Professionals
Base-level of training
Provides the minimum course content for the training of information systems security (INFOSEC) professionals in the disciplines of telecommunications security and automated information systems (AIS) security.


CNSS-4011

National Security Telecommunications and Information Systems Security Directive No. 501 establishes the requirement for federal departments and agencies to implement training programs for INFOSEC professionals.

INFOSEC professionals: responsible for the security oversight or management of national security systems during phases of the life cycle.


CNSS-4011

Training Standards: two levels

– “Awareness Level: Creates a sensitivity to the threats and vulnerabilities of national security information systems, and a recognition of the need to protect data, information and the means of processing them; and builds a working knowledge of principles and practices in INFOSEC.”


CNSS-4011

“Performance Level: Provides the employee with the skill or ability to design, execute, or evaluate agency INFOSEC security procedures and practices. This level of understanding will ensure that employees are able to apply security concepts while performing their tasks.”


Awareness-level

Instructional Content
Behavioral Outcomes
Topical Content


Information Systems Security Model

“…acknowledges information, not technology, as the basis for our security efforts. The actual medium is transparent in the model. This eliminates unnecessary distinctions between Communications Security (COMSEC), Computer Security (COMPUSEC), Technical Security (TECHSEC), and other technology-defined security sciences. As a result, we can model the security relevant processes of information throughout an entire information system automated or not.”


Security Model

Characteristics: Confidentiality, Integrity, Availability
State: Transmission, Storage, Processing
Third Dimension: Technology; Policy; Education, training, awareness


Industry Certifications

Information security certification governed by the International Information Systems Security Certification Consortium (ISC)²
Cisco
Many more…


International Information Systems Security Certification Consortium, Inc., (ISC)²®

Internationally accepted
Good reputation
Membership


Certifications

Associate of (ISC)²
SSCP® - Systems Security Certified Practitioner
CAP® - Certified Authorization Professional
CSSLP® - Certified Secure Software Lifecycle Professional
CISSP® - Certified Information Systems Security Professional
CISSP® - concentrations, architecture, engineering, management


Certification Process

Required Experience
Study
Application
Examination
(ISC)² Code of Ethics
Endorsement Process


Years of Experience

Associate of (ISC)² - none
SSCP® - 1 year
CAP® - 2 years
CSSLP® - min. 4 years in SDLC
CISSP® - min. 5 years full time


Seminar Cost

# of days/cost
Associate of (ISC)² - 5/$2,695
SSCP® - 5/$2,695
CAP® - 2/$1,095
CSSLP® - 5/$2,695
CISSP® - 5/$2,695


Exam Cost

Hours of exam/cost
Associate of (ISC)² - 6/$599
SSCP® - 3/$300
CAP® - 3/$469
CSSLP® - 4/$599
CISSP® - 6/$599


Certified Information Systems Security Professional (CISSP)

Information security certification governed by the International Information Systems Security Certification Consortium (ISC)², http://www.isc2.org/

In June 2004, the CISSP program earned the ANSI ISO/IEC Standard 17024:2003 accreditation

Formally approved by DoD in the Information Assurance Technical (IAT) and Managerial (IAM) categories

Has been adopted as a baseline for the U.S. National Security Agency's ISSEP program


CISSP – Common Body of Knowledge

Based on the CIA triad
Ten areas of interest (domains):
1. Access Control
2. Application Security
3. Business Continuity and Disaster Recovery Planning
4. Cryptography
5. Information Security and Risk Management
6. Legal, Regulations, Compliance and Investigations
7. Operations Security
8. Physical (Environmental) Security
9. Security Architecture and Design
10. Telecommunications and Network Security


Specialized Concentrations

Information Systems Security Architecture Professional (ISSAP), Concentration in Architecture

Information Systems Security Engineering Professional (ISSEP), Concentration in Engineering

Information Systems Security Management Professional (ISSMP), Concentration in Management


Cisco

Levels of certification
Network security:
– Entry-level: CCENT
– Associate: CCNA Security (CNSS 4013)
– Professional: CCSP, CCNP Security (CNSS 4011)
– Expert: CCIE Service Provider


Cisco: Entry, and Associate-level

CCENT: Cisco Certified Entry Networking Technician, http://www.cisco.com/web/learning/le3/le2/le45/learning_certification_level_home.html
CCNA: Cisco Certified Network Associate, CCNA Security: http://www.cisco.com/web/learning/le3/le2/le0/le1/learning_certification_type_home.html
– develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats


Cisco – Professional level

Old: CCSP: Cisco Certified Security Professional, http://www.cisco.com/web/learning/le3/le2/le37/le54/learning_certification_type_home.html
– advanced knowledge and skills required to secure Cisco networks
New: CCNP Security: Cisco Certified Network Professional Security, http://www.cisco.com/web/learning/le3/le2/le37/le9/learning_certification_type_home.html
– Security in Routers, Switches, Networking devices and appliances, as well as choosing, deploying, supporting and troubleshooting Firewalls, VPNs, and IDS/IPS solutions


Cisco – Expert level

CCIE: Cisco Certified Internetwork Expert CCIE Security, http://www.cisco.com/web/learning/le3/ccie/security/index.html
– No formal prerequisites
– 2-hour written exam
– 8-hour hands-on
Cost:
– CCIE written exam: $350
– CCIE lab exam: $1,400
