Certification standards

The need for precise standards for the ICT industry is becoming more evident, especially in the field of security.


You're a security specialist? Great, here are the keys...

Walk into an emergency ward and offer to do brain surgery with your Swiss Army knife, and someone will probably demand something more than enthusiasm by way of credential and qualification.

Present yourself as an ICT security specialist and you might just crack the job -- the credentials are far less clear cut and qualifications less formal.

Certainly there is a plethora of internationally accepted technical certifications, both generic and vendor-specific, but in the area of security management particularly there is more work to be done to ensure that business knows what it's getting when it hands over the keys to its information kingdom. As the manifold responsibilities of security management continue to demand ever greater knowledge of technology, legal issues such as privacy, and the business acumen required at this critical level of management, the international ICT community has moved to set some standards required to meet a burgeoning threat.

The range of existing security certifications has varying levels of application and requirements for regular renewal, but they share a common factor -- all are set, administered, and registered overseas. This, in itself, is not a detraction, but existing requirements should be tailored for Australian laws and technical conditions.

CISSP, or Certified Information Systems Security Professional, is the best-known qualification. It requires four years' ICT security experience or three years' experience and an appropriate degree. The US-based International Information Systems Security Certification Consortium, informally known as (ISC)2, has recently been given ISO accreditation, the first ICT certification to be accredited under ISO/IEC 17024, a global benchmark for workers in a number of professions.

There are about 27,000 security professionals on (ISC)2's register which is viewable online. Checking on the bona fides of others claiming credentials is less easy -- and that's the rub.

In a further development, ASIS (which administers the certified protection professional [CPP] certification for physical security) has signed an MoU with (ISC)2 under which each endorses the other's qualification.

This is significant given the growing trend for CIOs to be given responsibility for their organisation's physical, as well as information, security.

Prof Vijay Varadharajan, professor of computing at Macquarie University and director of the ACS's technical board, has made significant progress in developing a security certification framework for Australia under which existing international standards like those mentioned above are recognised, but expanded.

It offers an option of recognising existing certifications and adding others to create a national scheme, or to develop an additional series of tailored modules specific to cover business, legal, and ethical issues prevailing in Australia.

The willingness of (ISC)2 and other organisations to share their knowledge base with universities and professional bodies gives valuable impetus to the development of this project, and reflects the importance being given to security management issues worldwide.

A recent (ISC)2 survey of more than 5000 full-time security professionals in 80 countries, conducted by analysts IDC, shows that 97 percent of respondents had higher expectations of career advancement, higher base salaries and general prospects than other areas of ICT.

Given that IDC predicts that the number of information security professionals will rise from 1.3 million to 2.1 million in the next three years, again reflecting industry and governments' recognition of the escalation of security threats, the need for professional development against precisely defined and accepted standards is even more pressing.

Edward Mandla is National President of the Australian Computer Society (ACS, www.acs.org.au). The ACS attracts a membership (over 16,000) from all levels of the IT industry and provides a wide range of services. The society can be contacted on 02 9299 3666, or e-mail info@acs.org.au.

This article was first published in Technology & Business magazine.