Professional Certifications
Posted by the Editorial Staff on Sat, 2005-01-01 14:48
Professional certifications | December 2004 | English
CISSP
By: Francesco Mariani, CISA, CISM, CISSP
f.mariani (AT) isacaroma.it
Only recently administered in Italy, though long known and widespread around the world, the CISSP (Certified Information Systems Security Professional) designation is the deserved benchmark among vendor-independent information security certifications, and it was recently granted ISO 17024 accreditation.
Managed by (ISC)² (the International Information Systems Security Certification Consortium: a remarkably compact way to form an acronym!), the CISSP certification is aimed at experienced information security professionals with a strong technical orientation, while ISACA's CISM is more management-oriented.
Structured in ten domains that span physical, logical and organisational security, the CISSP body of knowledge (BOK) covers nearly all the main information security tasks. No surprise, then, that to achieve the certification you must sit a very long and question-intensive exam: about 250 questions in six hours.
Despite the differences in subject matter, preparing for the CISSP examination is much like preparing for any other well-established vendor-independent ICT designation: you will need strong field experience, plenty of practice with multiple-choice question techniques and, last but not least, a bit of good luck!
CompTIA Security+
By: Fabrizio Bernini, CCNA, Security+, CISA. fabrizio48@yahoo.it
Selecting the most appropriate ICT security certification can be very hard.
You would probably like an easy exam, interesting topics to study and solid recognition in the ICT security community. Some certifications dig deep into specific subjects such as firewalls (GCFW), many others provide a broad-based security credential for the frontline troops who handle security day to day (CISSP), and a few others address information security management systems (BS7799), auditing (CISA) or security management (CISM).
In this context, getting the Security+ certification is not difficult: you only need to study one of the CompTIA manuals on the market and take a lot of practice exams. But do not leave anything out; in the security world every nuance can make the difference...
Security+, by CompTIA (a non-profit trade association), was launched in 2002 and aims to provide broad, high-level knowledge suited both to managers (CIO, CEO, Security Officer) and to technicians who want to round out their skills.
Security+ is most appreciated by ICT companies in the United States. After the September 11 attacks, representatives from the FBI, the Secret Service and the National Institute of Standards and Technology helped guide the development of the certification, as did a number of leading companies, including Microsoft, Sun Microsystems and VeriSign. The exam is available only in English (the sole alternative is Japanese...), lasts 90 minutes and includes 100 questions covering general security concepts (authentication, biometrics, spoofing, TCP/IP hijacking, viruses and worms), communication security (remote access, e-mail, web, file transfer and wireless), infrastructure security (firewalls, routers, servers, intrusion detection), basics of cryptography (algorithms, digital signatures and certificates), and physical and organisational security (disaster recovery, business continuity, forensics and risk analysis).
The minimum passing score is 764 on a scale of 100 to 900. Your chances of passing are better if you are an IT professional with at least two years of networking experience and a thorough knowledge of the TCP/IP stack.
After getting Security+, you are well placed to tackle other certifications such as CISSP and the Microsoft MCSA and MCSE security exams. Among the pros of Security+ is its unlimited validity: to maintain the certification you do not have to do anything, and there is no periodic renewal. This can, however, cut both ways: competences must be continually fed, especially in the security world, where every generation lasts only a few months!
GCFW
By: Sonia Valerio, GCFW, CISSP, ISECOM-OPSA
giovi.derfel@tiscali.it
GIAC Certified Firewall Analysts (GCFWs) have the knowledge, skills and abilities to design, configure and monitor routers, firewalls and perimeter defense systems.
To attain the GCFW certification (which is vendor-independent!), you must complete a practical/research paper and pass two exams.
The practical requires you to design a "secure network solution" for a fictitious e-business company. You must detail every choice and assumption made in building the perimeter defense, including device selection and configuration, and finally you are asked to verify your design by means of a penetration test and simulated attacks against your firewall and an internal system. You must also suggest how to mitigate those attacks and reduce or eliminate any vulnerabilities you managed to exploit.
You can find my paper here: http://www.giac.org/GCFW_400.php (my Analyst Number is 320).
Exams are taken online via the GIAC web site. Each exam consists of about 50 questions to be completed in no more than 90 minutes. You can take the exams from any Internet-connected computer: they are open-book exams, which you will surely pass provided you have opened your certification book at least once before attempting the exam :-) Be careful, though: you have less than 2 minutes per question...
The GIAC web site (http://www.giac.org/program.php) is the right place to start if you are interested in this kind of certification. It is tough, but it is really worth all the effort.
CIA
By: Claudio Cilli, CIA, CISA, CISSP, CISM
C.Cilli (AT) isacaroma.it
The CIA certification, granted by the IIA, The Institute of Internal Auditors (http://www.theiia.org), represented in Italy by the AIIA, Associazione Italiana Internal Auditors (http://www.aiiaweb.it), is the best known and most authoritative professional certification for internal auditing professionals.
Exam contents
The CIA exam is divided into "three parts plus one", meaning that it is organised as four tests taken over two consecutive days. The first three parts are fixed and are considered mandatory background (the "core global syllabus") for every internal auditor; they focus on themes such as corporate governance, risk management and information technology.
The fourth section is meant to accommodate the specialist areas the auditor may prefer.
The contents of the four sections are:
1. the internal audit activity's role in governance, risk and control;
2. conducting the internal audit engagement;
3. business analysis and information technology;
4. business management skills.
Those who already hold one of the professional certifications recognised by the Institute (e.g. CISA, but also CCSA, CGAP or CPA) can request exemption from the fourth part of the exam.
Exam format
Each section consists of 125 multiple-choice questions, to be answered in 210 minutes.
The minimum score required to pass is 600 points, corresponding to roughly 75% of the questions answered correctly.
The next session is scheduled for 17 and 18 November in Milan (parts I and II, and parts III and IV respectively).
The exam can be taken in one of the official languages, which include Italian.
Prerequisites
The prerequisites are:
- a full university degree or PhD;
- an undertaking to abide by the Code of Ethics issued by the Institute of Internal Auditors;
- proof of at least two years of experience in auditing or assessment fields, including external audit, quality certification, inspection and management accounting.
A candidate may sit the exam before meeting the experience requirement, but will not receive the CIA designation until the requirements are satisfied.
OPSA
By: Sonia Valerio, GCFW, CISSP, ISECOM-OPSA
giovi.derfel@tiscali.it
The OSSTMM Professional Security Analyst (OPSA, http://www.isecom.org/opsa) accreditation is the official security analysis certification based on the Open Source Security Testing Methodology Manual (OSSTMM), accredited by La Salle University (Barcelona) as part of its Masters programme. An OPSA-certified professional can make resourceful, practical decisions and address the unexpected problems that arise in security and security testing throughout a security project. The accreditation attests to a deep understanding of security and the ability to analyse secure networks from the network map to the boardroom: an OPSA-certified professional can examine security test results, analyse them critically and use them to define and apply an effective risk management policy in the organisation.
The study material for this certification consists of the OSSTMM book, the Business Security Testing and Analysis Workbook (BSTA) and the OSSTMM Internal, all available from the website of the Institute for Security and Open Methodologies (ISECOM), which runs this training programme: http://www.isecom.org/public_repository.shtml.
To achieve the certification every candidate must pass a written exam of 50 multiple-choice questions. It is an open-book exam, and not an easy one to pass... which is why they let you use the books!
The exam consists of three main parts (Data Test & Log Analysis, Security Testing Projects and Professional Consulting), which match the ISECOM course content.
Any candidate can register for the exam without attending the course, but I suggest this approach only to those with strong security and penetration testing skills and at least a basic knowledge of the OSSTMM methodology.
To sit the exam you should be confident in the following areas:
- Security Analysis: provides the baseline for understanding security test results (log files, security tool output, protocol dumps) and for applying effective risk evaluation strategies;
- Red Team Strategies: provides an in-depth review of the security consulting rules of engagement, from the pre-sales and preparation phase through to the final report and workshop;
- Security Project Management: provides insight and knowledge transfer in the realm of OSSTMM testing projects and their applications; the focus of this component is project management (time reporting, estimates, team management, contracts, client interaction, testing efficiency, cost control and return on investment).
In short, the candidate should possess the right combination of technical and management skills, in addition to at least three years of professional experience in the ICT security field.
The OPSA accreditation can be an interesting and useful experience for any security professional, whether a security consultant, a SOC staff member, an ISO/BSI auditor or a security manager.
As an open methodology, OSSTMM has the great advantage of being the result of the efforts and experience of over 150 international security experts, which makes it a unique and distinctive body of knowledge in this field.
OSSTMM and the OPSA offer a methodology that is quickly emerging as a guideline and an accredited international standard for every security tester: truly "need-to-know" for security professionals.
PMP
By: Gian Luca Di Stefano, CISA, PMP, gianluca.distefano@ca.com
The Project Management Professional (PMP) qualification is probably the one that, more than any other, certifies the competencies and professional knowledge of a project manager.
This qualification is universally recognised and is awarded by the Project Management Institute (PMI), the global leader in the field of project management, with more than 100,000 members spread across 125 countries and 200 chapters in 67 different nations. In Italy it is represented by the Rome, Milan and Naples chapters (http://www.pmi.org/prod/groups/public/documents/info/GMC_ChapterListingOutsideUS.asp#P1091_18782).
To be eligible for the PMP certification you must first meet specific education and experience requirements and agree to adhere to a code of professional conduct. The final step in becoming a PMP is passing a multiple-choice examination designed to objectively assess and measure the candidate's project management knowledge. The exam is passed by answering 70% of its 200 questions correctly in less than 4 hours.
This computer-based examination is administered globally, at the premises of locally recognised and certified testing providers. The date can be arranged, and the test can be taken in Italian.
The exam syllabus is based on the contents of the PMBOK (Project Management Body of Knowledge), considered "the bible" for the good PMI project manager.
The PMBOK describes the project management methodology from PMI's point of view and is divided into 9 knowledge areas, ranging from time, cost and resource management to risk and procurement management.
In addition, those who have been granted the PMP credential must demonstrate an ongoing professional commitment to the field of project management by satisfying PMI's Continuing Certification Requirements programme. A defined number of points must be earned during the three years following certification; points are accumulated by attending meetings, events and training initiatives and by demonstrating one's own growth in project management knowledge.
Compared with the CISA certification, which concerns the IT world, the PMP is based on the general discipline of project management, of which IT projects represent only a very small part. References to the project management discipline can be found in Domain 6 (Development) of the CISA Review Manual, and a few affinities can be found with some of the techniques described in Domains 2 and 7 (Organisation and Risk Analysis), with the obvious caveats for the different contexts in which they are applied.
Recently PMI introduced the CAPM (Certified Associate in Project Management) certification, intended for practitioners who provide project management services but are relatively new to the profession. Like PMP candidates, CAPM candidates must first meet specific education and experience requirements and then pass an examination.
More information on the PMP and CAPM certifications can be found on the PMI site at http://www.PMI.org