INTERNATIONAL INFORMATION SYSTEMS SECURITY CERTIFICATION CONSORTIUM, INC.
Career Enhancement and Support Strategies
for Information Security Professionals
Security Transcends Technology
Two Part Agenda
1. “As the World of the Information Security Professional Evolves…
2. (ISC)2 is also Evolving to Anticipate and Support:
– The Individual Careers of Trust Professionals,
– The Strategic and Tactical Needs of their Employers,
– The Changing Nature of our Profession
– The Information Community
with an Enhanced Menu of Training, Publications, Services and Credentials.”
Part One
“As the World of the Information Security Professional Evolves…”
Security Evolving to Trust
Trust - We chose the term carefully because it is the real essence of relationships in the networked world.
Security is primarily defensive and inward looking.
Control is a process to achieve it.
But Trust is an ongoing and outgoing interaction that establishes and maintains mutual confidence among several or many entities.
The Basis of Trust
• The development of mutual Trust is based on each player’s willingness and ability to continuously demonstrate, to all the other players’ satisfaction, that the game is honest, open, following the rules and properly controlled.
• This has some profound implications for security and control technologies, processes, relationships, policies, standards, organizations and professionals.
21st Century Trust Characteristics
• Reciprocity - the willingness of all the players to extend protection not only to all the other players but also to the network-based environment itself - the common cause. This does not mean equal protection for all. It means appropriate protection for all.
• Clarity of Responsibility and Liability
• Standardization of Processes, Interfaces and Technologies
Trust
Trust requires security and control but it goes beyond them. It depends on technology and protective mechanisms but it also involves professionalism, reputation, contracts, law, openness, familiarity, fair business practices and ethics, quality, timeliness and a host of other relationship characteristics.
21st Century Trust Components
The Familiar
– Authentication
– Authorization
– Availability
– Confidentiality
– Privacy
– Accountability
– Path Integrity
– Non-repudiation
– Auditability
– Process Integrity
– Data Integrity
But in Far Riskier, More Complex, Higher Stakes, Higher Speed, Rapidly Evolving, Larger, Widely Variable, and Interdependent Environments
Trust Guidance and Documentation
• Organization Policies (multi-level)
• Strategies
• Architectures
• Procedures
• Standards
• Designs and Specifications
• Awareness and Training Documents
Trust Technologies
• Digital Certificates
• PKI structure
• Certificate and Registration Authorities
• Integrated Authorization
• Digital Notaries & Time Stamping
• Directory Services
• Single Sign-on
• File Encryption
• Message Encryption
• Path Encryption (VPNs)
• Network Security (Firewalls, etc.)
• Two-Three Factor Authentication
• Biometrics
• Smart Cards
• Platform Security
• Anti-Virus Protection
• Disaster Recovery
• High Availability Monitoring
• Enterprise Application Security
• Data Base Security
• Access Control Facilities
• Intrusion Detection and Response
• …and More
Implications for (ISC)2
• Our Offerings of Credentials, Training, Publications and Services
• MUST Anticipate and Support the Needs of
• A Widening Range of Individual Professionals, their Employers, the Profession Itself and the Larger Information Community.
Source: The Economist, 2003
• 28% increase from 2000 to 2001 ($4.7B to $6B revenue)
• 116% increase from 2001 to 2005 ($13B)
• Job growth: 75,000 unfilled US jobs
IT Security – Fulfilling
the Need for Security Jobs
• IT Security Professionals who Understand
Vulnerabilities and Weaknesses
• IT Security Policy Makers Who Can
Develop Strategies to Mitigate Risk
• Improved Security of IT Infrastructures
through policies, standards, guidelines,
and procedures
Vendor Neutral Certifications
• (ISC)2 – CISSP and SSCP Certification Credential (ISSEP, ISSAP, ISSMP)
• SANS – Global Information Assurance Certification (GIAC)
• CPP – American Society for Industrial Security (ASIS)
• CIW – CIW Professional Certification
• CompTIA – Security+ Certification Credential
• CIA – Certified Internal Auditor, Institute of Internal Auditors
• ISACA – Certified Information Systems Auditor (CISA)
  – Certified Information Systems Manager (CISM)
• Disaster Recovery Institute – Certified Business Continuity Planner (CBCP)
[Chart (caption not recovered): a single series of values 700, 1100, 1836, 3370, 6907, 15368, 18764 plotted on a 0 to 20000 axis]
[Chart (caption not recovered): bars by region (Canada, Europe, Asia, Other) at Dec 31 2000, Dec 31 2001, Dec 31 2002 and July 31 2003, plotted on a 0 to 2000 axis]
Part Two
How (ISC)2 is Evolving to Anticipate and Support:
• The Individual Career Needs and Aspirations
of Trust Professionals,
• The Strategic and Tactical Needs of their
Employers,
• The Changing Nature of our Profession
• The Information Community
Trust Roles and Organizations
• CISO/CSO including policy
• Business Security Strategy and Architecture
• Technical Security Strategy and Architecture
• Application / User Security DDDM*
• Infrastructure Security DDDM
• Network and Directory Services Management
• Monitoring, Control, Reporting and Audit
• Intrusion Detection, Attack & Penetration, Incident Response
• Access, Authorization and Accountability Management
• Classification and Data Management
• Regulatory and “Dictates” Compliance
• Education and Awareness
• Employee, Partner, Stakeholder, Government and Public Relations
Professional Offerings
Credentials
– CISSP – Certified Information Systems
Security Professional
– SSCP - System Security Certified Practitioner
– Specialized – e.g. ISSEP and others to come
• Concentrations – in depth specialized
credential enhancements
• (ISC)2 Associate – early entry to the
Professional Offerings
Training
• Pre-exam or stand alone
– CISSP – current and enhanced
– SSCP - new offerings
– Concentrations
• Advanced Architecture
• Advanced Management
• Others to come
• Training:
• Instructor Led
• Knowledge Transfer
• Peer Networking
• Computer Based Training
• Flexible to adapt to student’s schedule and work requirements
• Self Taught
• Books, websites
• Examination
• Code of Ethics Adherence
• Continuing Professional Education
Credits/ Re-certification
(ISC)2 Career Path
• Chief Information Security Officer
• Chief Privacy or Security Officer
• Senior Security Engineer
• Senior Network Security Engineer
• Senior Security Systems Analyst
• Senior Security Administrator
• Credentials – The “Gold Standards”
  – Certified Information Systems Security Professional (CISSP®)
  – System Security Certified Practitioner (SSCP®)
(ISC)2 Career Path – New Focus Areas
• Management
• Implementation
CISSP Concentrations
– ISSAP – Information Systems Security Architecture Professional
– ISSEP – Information Systems Security Engineering Professional
– ISSMP – Information Systems
(ISC)² Certified Information Systems
Security Professional
• Tailored for experienced information security professionals
• Minimum four years cumulative experience in CBK domains
• Undergraduate degree required for one year experience abatement
• Subscribe to (ISC)² Code of Ethics
• Endorsed by another CISSP or senior management
• Certification maintained through continuing education
CISSP
CBK™ Domains
• Security Management Practices
• Law, Investigation & Ethics
• Physical Security
• Operations Security
• Business Continuity & Disaster Recovery Planning
• Computer, System & Security Architecture
• Access Control Systems & Methodology
• Cryptography
• Telecommunications & Network Security
• Application Program Security
(ISC)² Systems Security Certified
Practitioner
• Tailored for systems and network security administration professionals
• Minimum one year cumulative experience in CBK domains
• Subscribe to (ISC)² Code of Ethics
SSCP
CBK™ Domains
• Access Control
• Administration
• Audit and Monitoring
• Risk, Response and Recovery
• Cryptography
• Data Communications
• Malicious Code/Malware
Professional Offerings
Industry Support
• Industry Advisory Groups
– Government Advisory Board for Cyber Security (GABCS)
• Planning Support for Employers and Groups
• Special Packaging of Training and Credentials
• Special Credentials and Exams
– CISSP ISSEP Concentration (developed in conjunction with U.S. National Security Agency)
– Others (TBD)
• Tailored Training
Professional Offerings
The Profession, Academia and our Constituents
• Publications, Forums and Communications
• Contributions to the Profession and Professional
Affiliations (including other Certifications)
• Academic Affiliations
• Constituent Services
Sorting It Out –
Roles, Credentials, Training
• The Diagram that follows maps what we believe are the most appropriate, but by no means the only, (ISC)2 offerings for some of the roles outlined earlier.
• These are intended as guides, not mandates.
• Development of specially designed credential/training programs for specific industries, enterprises, agencies, institutions and geo-political entities is a major strategic priority for (ISC)2.
• Our strategy is to carefully monitor marketplace and professional demands and to modify and enhance our offerings as appropriate in response to them.
Whether you’re a CISO or just starting your Information Security career, there’s an (ISC)2 career path for you.