Information Security Certifications & Standards

By John Laskey

On behalf of APMG-International [1], I look forward to presenting to IAITAM at its 2016 Spring ACE at New Orleans, when I’ll consider the widening range and uses of information security standards and certifications.

In this piece, I’ll focus on InfoSec certifications. (Note: the term credentialing is used less in the InfoSec arena, though it describes essentially the same thing, i.e. a “[p]rocess by which the eligibility of an entity for a particular job or task is established by determining if the entity has the specified qualifications and fulfills the defined requirements” [2]. So I’ll use certification.)

I spent two decades involved in security for the UK government. Much of this included conceiving a new information security certification for individuals and installing information security standards across several organizations. This gives me a wide perspective of some of the most important InfoSec certifications/credentialing and I’ll be sharing my knowledge in more detail at the Spring ACE.

IAITAM has a brace of popular certifications [3] that support the full range of asset management skills. But asset management has an increasingly close relationship with information security – and InfoSec certifications have mushroomed over the past two decades. So it makes sense to get some sort of perspective on the most popular certifications to understand how they might (or might not) fit in with your asset management planning.

For convenience, I’ll sort InfoSec certifications into four basic blocks, i.e.: those for systems (including management systems); those for components; those that are personal but also vendor-specific; and those which cover a range of personal InfoSec skills.

*Systems certifications*. Perhaps the best known (and oldest) management certification for systems is ISO 27001, which has a number of touch-points with asset management, in particular a strong emphasis on identifying assets and responsibilities for their ownership. The standard has evolved since it was introduced in the mid-1990s, and is still a global gold standard for organizations wanting to demonstrate good security credentials. It provides comprehensive security coverage, including physical and personnel security. But it is also flexible: in theory, organizations of any size can adapt it. Certification has to be maintained through strict application of a common, manufacturing-based cycle [4] called ‘plan, do, check, act’. Take-up varies, but in 2014 there were around 24,000 formal certifications worldwide (the highest concentration being in Japan). Some disadvantages are that it can be difficult to set up and expensive to maintain (though this of course must be balanced against the expenses it offsets through refined security management). Nor does it provide bullet-proof security: certifications are granted on the say-so of an occasional external audit team, which can never check every claim to compliance.

*Security product certifications*. One of the most important to know about is the Common Criteria, established in the late 1990s and still growing. There are currently around 2,000 Common Criteria certified products. The authorization process is quite complex, but basically a security product vendor will submit a detailed self-assessment of their product to an authorized, vendor-neutral Certificate Authorizing Scheme from any of the Common Criteria participant countries (the scheme has 17 certificate authorizing and eight certificate “consuming” countries). When approved, the vendor can badge and sell their product with the agreed certification. Some disadvantages are that the scheme can be labor intensive (and expensive) for vendors and time-consuming to achieve. Of course there is no guarantee, in spite of the investment, that claims made for a product will be accepted by a Certificate Authorizing Scheme.

*Vendor-specific certifications* are my third class of certification. As the name suggests, these enable individuals to present credentials on their understanding of specific applications or services. Cisco’s Certified Network Associate and IBM’s Certified Deployment Professional are just two examples, and there are many others. Organizations which use a certifying company’s components are likely to put a value on individuals who are formally certified in its deployment and use. The US DoD requires technicians with privileged access to defense systems to get security certifications provided by the vendors of those systems.

*Other certifications for individuals*. There are many more certifications that cover broader, non-vendor-specific InfoSec skills. Among the better known are CISSP (Certified Information Systems Security Professional), one of a range of individual certifications provided by (ISC)2; CISM (Certified Information Security Manager), from the range provided by ISACA; and the GIAC family of 24 ‘hands-on’ skill-based certifications, including GSEC (i.e. GIAC Security Essentials Certification). These are all based on the body of knowledge produced by the SANS organization. Each certification enables holders to declare skillful knowledge of a range of security issues. CISSP is probably the gold standard, with around 104,000 certifications to date. [5] All rest upon the candidate’s success in multiple-choice exams. In most cases the certification body will require individuals to maintain their achievements through ongoing professional education and development.

This is a necessarily quick ride through the wide range of security certifications available, and there are many opinions about which combinations of them give the best all-round value. A common thread of InfoSec certifications is the application of risk management principles, which also chimes with many of today’s InfoSec standards. This reflects the growth and ubiquity of information management, which consistently undermines attempts to apply strict security rules. This lesson was being learnt during the 1990s and early 2000s, when security was geared to preventing loss or compromise of assets.

The gradual realization that security had to move away from fixed controls towards risk management was a slow and sometimes painful process. More recently, the migration of risk responsibilities to asset owners (helped by the commonplace use of IT) has moved security away from the hands of a few experts to those with mainstream responsibilities, including C-suite executives. I will argue that, while security continues to develop as a niche profession, requiring skilled expertise and understanding, a ‘leave it to the (security) experts’ approach must be checked. Otherwise it will result in continued conflict between progress-oriented senior managers and security staff in the face of the never-ending business need to adapt to new information systems and processes.

The breaking of formal control and the shift onto risk management has put increased onus upon the systems of certification for people, processes and assets, and the skills by which these are applied. There is still no universally agreed system of risk-managed security, and we must rely on our ability to utilize certifications in ways that will help our organizations. This is why I believe it is important to think about the wide range of security certifications when making decisions about asset management.

[1] APMG-International is an IAITAM accredited training organization. Based in the UK and with offices worldwide, it is a leading examination institute accrediting training and consulting organizations and managing certification schemes for professionals.

[2] definition.


[4] i.e. the Deming Cycle.

[5] As of December 2015.

About the Author

John Laskey is Cyber Consultant for APMG International, an IAITAM accredited training organization. Based in the UK and with offices worldwide, it is a leading examination institute accrediting training and consulting organizations and managing certification schemes for professionals.