Chapter 14 Flashcards
DoD Directive 8570.01
“Information Assurance Training, Certification and Workforce Management”
Affects any DoD facility or contractor organization
Ensures that all personnel who are directly involved with information security possess security certifications
DoD Directive 8140
A new, operationally focused cybersecurity training framework
Will replace the 8570.01 directive
Developed by the Defense Information Systems Agency (DISA)
Roles identified by the 8140 directive include:
Security provision
Operate and maintain
Protect and defend
Analyze
Operate and collect
Oversight and development
Investigate
U.S. DoD/NSA Training Standards
Are actually training requirements for specific job responsibilities
Developed by the CNSS and NSTISS committees
Provide guidance for course and professional certification vendors to develop curriculum and materials that meet DoD/NSA requirements
NSTISS-4011
National Training Standard for Information Systems Security (InfoSec) Professionals
CNSS-4012
National Information Assurance Training Standard for Senior System Managers
CNSS-4013
National Information Assurance Training Standard for System Administrators (SA)
CNSS-4014
Information Assurance Officer (IAO) Training
NSTISSC-4015
National Training Standard for System Certifiers
CNSS-4016
National Information Assurance Training Standard for Risk Analysts
Vendor-Neutral Professional Certifications
A certification is an official statement that validates the fact that a person has satisfied specific job requirements, including:
Possessing a certain level of experience
Completing a course of study
Passing an examination
Seven Main (ISC)^2 Certifications
Systems Security Certified Practitioner (SSCP)
Certified Information Systems Security Professional (CISSP)
Certified Authorization Professional (CAP)
Certified Secure Software Lifecycle Professional (CSSLP)
Certified Cyber Forensics Professional (CCFP)
HealthCare Certified Information Security Privacy Practitioner (HCISPP)
Certified Cloud Security Professional (CCSP)
SSCP
Covers the seven domains of best practices for information security
CISSP
Demonstrates competence in the eight domains of the (ISC)^2 CISSP Common Body of Knowledge (CBK)
CAP
Provides a method to measure the knowledge and skills of professionals involved in authorizing and maintaining information systems
CSSLP
Evaluates professionals for the knowledge and skills necessary to develop and deploy secure applications
CCFP
Tests and evaluates professionals for the knowledge and skills necessary to perform and conduct a digital forensics investigation
HCISPP
Tests and evaluates professionals for the knowledge and skills necessary to perform and conduct security and privacy work for health care organizations
CCSP
Tests and evaluates professionals for the knowledge and skills necessary to secure and manage cloud computing environments
(Additional (ISC)^2 Professional Certifications)
Architecture (CISSP-ISSAP)
Two years of professional experience in the area of architecture; appropriate for chief security architects and analysts
Engineering (CISSP-ISSEP)
Road map for incorporating security into projects, applications, business processes, and all information systems
Management (CISSP-ISSMP)
Two years of enterprise-wide security operations and management experience; contains deeper managerial elements
Certified Internet Webmaster (CIW)
Credentials focus on both general and web-related security
Credentials that satisfy CIW requirements include:
(ISC)^2 SSCP or CISSP
Various GIAC credentials
CompTIA Security+
Several vendor-specific credentials
CompTIA
Security+
- Globally recognized
- Entry-level information security certification of choice for IT professionals
- Meets the ISO 17024 standard and is approved to satisfy the DoD 8570.01-M requirements
- Is industry supported
CompTIA Advanced Security Practitioner (CASP)
ISACA
Is a nonprofit global organization that promotes “the development, adoption, and use of globally accepted, industry leading knowledge and practices for information systems”
Provides security training at conferences and training events
Offers four certifications for IT security professionals: CISM, CISA, CGEIT, and CRISC
Vendor-Specific Professional Certifications
Certifications offered by vendors of hardware and software products
Holding a certification for a specific vendor implies competence
If an applicant meets the requirements for a certification, the applicant is assumed to have a certain level of knowledge and skills
Cisco Systems
One of the largest manufacturers of network security devices and software
Offers a range of certifications for its networking products
Offers several different certification levels along different tracks that enable security professionals to focus efforts on specific knowledge and skills they need to get the most out of Cisco equipment
Juniper Networks
Manufactures a variety of network security hardware and software
Offers a varied range of certifications for its networking product line
Four levels across 11 different tracks
Does not offer certifications at all levels for every track
RSA
Global provider of security, risk, and compliance solutions for enterprise environments
Provides specific training and certifications to help security professionals use RSA products effectively
Offers certifications for RSA Archer and RSA SecurID
Symantec
Provides a wide range of security software products
Offers certifications for its product lines, including:
Administration of Symantec NetBackup for UNIX
Administration of Symantec Enterprise Vault for Exchange
Administration of Symantec Endpoint Protection
Administration of Symantec NetBackup for Windows
Check Point
Global manufacturer of network and security devices and software
Provides training and certification paths for security professionals to encourage the highest level of knowledge and skill in the use of Check Point products
Requires that applicants pass an exam that involves 80 percent study materials and 20 percent hands-on experience