Certifications provide a way to expand and/or demonstrate professional expertise. A wide variety of certifications are available in security and related disciplines. This directory provides brief descriptions of certs in information and physical security, business continuity, audit and other areas, with links to details from the issuing organizations.
MOST RECENT UPDATE 10/24/12 (Added forensic and risk management certs; other updates)
For more personal development resources, see also: Dual Threats: How to Build Expertise in Multiple Subjects, and Security and Business: Communication 101.
And of course our Security Job Board - free for job posters and seekers alike.
INFORMATION SECURITY CERTIFICATIONS
Certificate of Cloud Security Knowledge
Issuing Org.: Cloud Security Alliance
Description: "The Cloud Security Alliance has developed a widely adopted catalogue of security best practices, the 'Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1'. In addition, the European Network and Information Security Agency (ENISA) whitepaper 'Cloud Computing: Benefits, Risks and Recommendations for Information Security' is an important contribution to the cloud security body of knowledge.
The Certificate of Cloud Security Knowledge (CCSK) provides evidence that an individual has successfully completed an examination covering the key concepts of the CSA guidance and ENISA whitepaper."
More information: https://ccsk.cloudsecurityalliance.org/
Certified Information Systems Professional (CISSP)
Issuing Org.: Information Systems Security Certification Consortium (ISC)²
Description: "The CISSP is a certification for information security professionals ... for the purpose of recognizing individuals who have distinguished themselves as an experienced, knowledgeable, and proficient information security practitioner. The CISSP certificate also provides a means of identifying those persons who subscribe to a rigorous requirement for maintaining their knowledge and proficiency in the information security profession."
Requirements: "Certification is awarded to those individuals who achieve a prescribed level of information security experience, comply with a professional code of ethics, and pass a rigorous examination on the Common Body of Knowledge of information security. In order to maintain currency in the field, each CISSP must be recertified every three years by participation in research or study, attendance at recognized subject-matter training and professional educational programs, presentation or publication of information security papers, contributions to the information security Common Body of Knowledge, and service in professional organizations."
More information: www.isc2.org/cissp/default.asp
Systems Security Certification Practitioner (SSCP)
Issuing Org.: (ISC)²
Description: "SSCP Certification was designed to recognize an international standard for practitioners of information security [IS] and understanding of a Common Body of Knowledge (CBK). It focuses on practices, roles and responsibilities as defined by experts from major IS industries. Certification can enhance an IS career and provide added credibility. Seven SSCP information systems security test domains are covered in the examination pertaining to the Common Body of Knowledge: Access Controls, Administration, Audit and Monitoring, Risk, Response and Recovery, Cryptography, Data Communications, Malicious Code/Malware."
Requirements: "Examination, Certification, Endorsement, Audit.
To be issued a certificate, a candidate must:
-Pass the SSCP examination with a scaled score of 700 points or greater
-Submit a properly completed and executed Endorsement Form
-Successfully pass an audit of their assertions regarding professional experience, if the candidate is selected for audit
Endorsement - Once a candidate has been notified they have successfully passed the SSCP examination, he or she will be required to have his or her application endorsed before the credential can be awarded. The endorser attests that the candidate's assertions regarding professional experience are true to the best of their knowledge, and that the candidate is in good standing within the information security industry.
Audit - Passing candidates will be randomly selected and audited by (ISC)² Services prior to issuance of any certificate. Multiple certifications may result in a candidate being audited more than once."
More information: www.isc2.org
Global Information Assurance Certification (GIAC)
Issuing Org.: SANS Institute
Description: "Designed to serve the people who are or will be responsible for managing and protecting important information systems and networks. GIAC course specifications ... combine the opinions, knowledge, and expertise of many of the world's most experienced front-line security and system administrators, intrusion detection analysts, consultants, auditors, and managers."
Requirements: "There are no official prerequisites to take the GIAC certifications. Any candidate who feels that he or she has the knowledge and ability to pass the certification requirements may take the certification. However, students should be aware of the technical level of the course they wish to take. The 500 level courses are more advanced than the 400 and the 400 more advanced than the 300. Be certain you are not starting at a level that is more difficult than you are prepared for. Some class descriptions provide a 'quiz' to make sure you are prepared for that level course, such as Sec-502 and Sec-503 which assume that the student has a working knowledge of the technology in question and a firm grasp of TCP/IP.
The GIAC certification program consists of:
-Information Security KickStart
-LevelOne Security Essentials
-LevelTwo subject area modules"
More information: www.giac.org
Certified Information Security Manager (CISM)
Issuing Org.: ISACA
Description: "Awarded by the Information Systems Audit and Control Association ... a new certification and is specifically geared toward experienced information security professionals. CISM is business-oriented and focused on information risk management while addressing management, design and technical security issues at the conceptual level. It is for the individual who must maintain a view of the big picture by managing, designing, overseeing and assessing an enterprise's information security."
Requirements:
-Successfully complete the CISM Examination
-Adhere to the Information Systems Audit and Control Association's Code of Professional Ethics
-Submit verified evidence of a minimum of five (5) years of information security work experience, with a minimum of three (3) years of information security management work experience in three or more of the CISM job practice areas
More information: www.isaca.org
CompTIA Security+ Certification
Issuing Org.: CompTIA
Description: "CompTIA Security+ validates knowledge of systems security, network infrastructure, access control, assessments and audits, cryptography and organizational security."
Requirements: "Although not a prerequisite, it is recommended that CompTIA Security+ candidates have at least two years of on-the-job technical networking experience, with an emphasis on security. The CompTIA Network+ certification is also recommended."
More information: certification.comptia.org/security/default.aspx
Certified CISO (C|CISO)
Issuing Org.: EC Council
Description: "Technical knowledge grounded in organizations' operations and objectives."
Requirements: "Must have cumulative minimum of 3 years of professional experience across 2 C|CISO domains: Governance (policy, legal and compliance) and IS Management Controls and Auditing Management (projects, technology and operations)." A 250-question multiple-choice exam is also required.
More information: https://www.eccouncil.org/ciso/
OSSTMM Professional Security Analyst (OPSA)
Issuing Org.: ISECOM (Institute for Security and Open Methodologies)
Description: "The OPSA is a certification of applied knowledge designed to improve the work done as a professional security analyst. This is an important certification for those who want or need to prove they can walk the walk in data network security analysis, the discipline which covers critical security evaluations and decision-making required in both technical and management fields."
Requirements: "OPSA certification requires a grade of D (60%) or better [on the relevant exam]. Each certificate is accompanied by a transcript which reflects the grade and areas of strengths and weaknesses. The grade of A (90% or better) includes a seal of excellence."
More information: www.isecom.org
Certified Ethical Hacker (CEH)
Issuing Org.: EC Council
Description: "The goal of the ethical hacker is to help the organization take preemptive measures against malicious attacks by attacking the system himself; all the while staying within legal limits. This philosophy stems from the proven practice of trying to catch a thief, by thinking like a thief. If hacking involves creativity and thinking 'out-of-the-box', then vulnerability testing and security audits will not ensure the security proofing of an organization. The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective."
Requirements: Pass the CEH exam 312-50
More information: www.eccouncil.org/CEH.htm
EC-Council Certified Security Analyst (ECSA)
Issuing Org.: EC Council
Description: "EC-Council Certified Security Analyst (ECSA) complements the Certified Ethical Hacker (CEH) certification by exploring the analytical phase of ethical hacking. While CEH exposes the learner to hacking tools and technologies, ECSA takes it a step further by exploring how to analyze the outcome from these tools and technologies. Through groundbreaking penetration testing methods and techniques, ECSA class helps students perform the intensive assessments required to effectively identify and mitigate risks to the security of the infrastructure."
Licensed Penetration Tester (LPT)
Issuing Org.: EC Council
Description: "EC-Council's Licensed Penetration Tester (LPT) is a natural evolution and extended value addition to its series of security related professional certifications. The Licensed Penetration Tester standardizes the knowledge base for penetration testing professionals by incorporating the best practices followed by experienced experts in the field. "
Requirements:
-Achieve Certified Ethical Hacker (CEH) Certification.
-Achieve EC-Council Certified Security Analyst (ECSA) certification.
-Complete LPT Training Criteria:
-- Submit LPT Application form
-- Documentation on criminal background check, or an authentication from an investigation agency absolving a criminal history.
-- Resume with detailed professional experience, previous certifications/certificates and references for verification to be submitted.
-- Agree to EC-Council Code of Ethics.
-Attend LPT Workshop at selected EC-Council Accredited Training Centers
More information: www.eccouncil.org/lpt/Licensed_Penetration_Tester.htm
Professional in Critical Infrastructure Protection (PCIP) (formerly CCISP)
Issuing Org.: Critical Infrastructure Institute
Description: "Critical infrastructure is defined by the office of Homeland Security as those assets, facilities, industries, and capabilities that are needed to support commerce and our daily lives. This includes SCADA, energy, utility, oil & gas, financial, communications, and transportation to name a few. Since the birth of the internet, the threats that these industries face are becoming increasingly more complex, and alarmingly more common, as these, once isolated, environments are now faced with viruses, hackers, cyber terrorists, and remote threats of high available system outages. Securing the systems and network environments that support this critical infrastructure is more important in today's world now more than ever and requires an extended set of specialized skills.
Professionals carrying the PCIP designation will have demonstrated the necessary knowledge and professional skills required for designing, maintaining, and managing security architectures for critical infrastructure, SCADA, and high-availability environments. These skills range from security architecture design & management to highly advanced technical skills such as those used by hackers to circumvent security measures as well as countermeasure techniques all specific to these critical infrastructure, SCADA, and high availability environments."
Requirements: "The PCIP certification is divided into three (3) separate Classes. PCIP Class 1: CIP Program Course, PCIP Class 2: CIP Technical Course, and PCIP Class 3: CIP Applied Course. Individual class certificates will be awarded upon completion of each class but the PCIP certification is only awarded upon successful completion of all three (3) classes. Each class is small in size ensuring maximum personalization, a challenging hands-on training environment, and follows a specifically designed curriculum focusing on critical infrastructure."
More information: www.ci-institute.org