Made in Australia security qualification?

commentary Last October, the Australian Computer Society mooted a grandiose plan to create a software accreditation policy, proposing that developers be members of a professional association before being allowed to practise their trade.The idea was swiftly rejected by programmers, many questioning the right of the ACS to act on their behalf.

commentary Last October, the Australian Computer Society mooted a grandiose plan to create a software accreditation policy, proposing that developers be members of a professional association before being allowed to practise their trade.

The idea was swiftly rejected by programmers, many questioning the right of the ACS to act on their behalf. The organisation, after all, does not exclusively represent the interests of software developers.

One ZDNet Australia&nbsp reader rebuked the organisation, saying: "ACS is, and has always been in the 12 years I have been a professional programmer, a joke of an association. For the money you pay out, they do very little, and have absolutely no power in controlling how an employer may treat you."

Another reader asked if the software accreditation policy was a way for the ACS to display its elitist mentality. "They are trying to disguise it under the idea of securing Australia's place in the international development arena. What a joke. Developers having to be accredited in order to work is a sure fire way to disaster."

For now, the ACS has remained mute about plans to endorse the credentials of software developers.

There is a vast chasm between certification and accreditation. Certification is a prerequisite for accreditation. Not everyone understands the difference but hopefully the government does.

The Department of Communications, Information Technology and the Arts (DCITA) has released a request for tender in the hope of creating an Australia-specific skills accreditation and certification scheme for IT security professionals.

DCITA concluded that although vendor-specific and international IT security qualifications exist, there is a need for a widely-accepted or consistent framework for e-security qualifications and skills recognition in the Australian marketplace.

This requirement was first highlighted by a number of unnamed industry representatives and associations. They argued that a localised qualification would improve IT consumer choice and enhance overall industry standards. How this is so remains to be seen.

The government will adopt a hands-off approach -- the scheme is to be driven, administered and funded by the domestic technology and communications industry. Unfortunately, this could lead to a waste of time, money and resources since Australia has existing policies and procedures to ensure minimum standards for ICT security. This is currently applied across all government agencies and led by the Defence Signals Directorate, the national authority for signals intelligence and information security.

For instance, the Australasian Information Security Evaluation Program (AISEP) ensures that a range of evaluated IT products is available to meet the needs of Australian and New Zealand government agencies. Security companies that want to do business with the government should have their products evaluated under AISEP.

The Department of Foreign Affairs and Trade certifies the physical security of sites for computer systems located overseas while the certification for IT systems is conducted by the Defence Signals Directorate.

It's also hard to imagine how a pure Australian IT security qualification can match the likes of internationally-renowned and recognised certifications such as CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), CCSP (Cisco Certified Security Professional), and GSE (SANS/GIAC Security Expert).

Although security requirements for government and commercial entities may vary, DCITA can take the cue from the Defence Signals Directorate and build on security policies that are already in place ... instead of reinventing the wheel.

Developing the framework is the easy part. The biggest challenge will come when it's time to administer such a scheme. Who can we trust to get the job done? Certainly none of our industry associations.