Information Assurance Qualifications for CESG Job Roles

Contents

Background

Professionalisation, Education and Training

Existing Qualifications mapped to IA Job roles and SFIA Levels

Other qualifications in Security, which may be considered by Information Assurance Professionals

Cabinet Office

Postgraduate Degree Courses in Information Security

Professional Bodies

References

Background

CESG is the Information Assurance (IA) arm of GCHQ and the UK Government's National Technical Authority for IA, responsible for enabling secure and trusted knowledge sharing.

CESG aims to protect and promote the vital interests of the UK by providing advice and assistance on the security of communications and electronic data. It delivers the information assurance policy, services and advice that government and other customers need to protect vital information services.

With experience acquired over decades of working with customers on projects and problems, CESG's specific services include technical advice, documentation and training. In collaboration with others, CESG is working to improve information risk management across HMG, the wider public sector and their suppliers by raising levels of Information Assurance awareness and professionalism.

Professionalisation, Education and Training

In order to provide professionalisation, education and training, CESG is working with a range of stakeholders including other government departments, professional bodies, academia and industry to create an environment where government employees and suppliers have the appropriate IA awareness and skills to do their job.

Recognising that a great deal of good work has already been done in the private sector on the need for an ‘IA profession’ for IA specialists, CESG adopted the Institute of Information Security Professionals’ (IISP) skills framework as an excellent starting point for the development of the competency framework for the public sector.

The roles currently defined are:

• Security & Information Risk Advisor

• IA Architect

• IA Auditor

• Accreditor

• IT Security Officer (ITSO)

• Communications Security Officer (ComSO)

• Penetration Tester

Each IA role is defined at several levels of responsibility, which map to the SFIA level definitions:

• Practitioner; SFIA Level 2, Assist

• Senior Practitioner; Level 4, Enable

• Principal Practitioner; Level 5, Ensure/Advise

• Lead Practitioner; Level 6, Influence/Initiate

Existing Qualifications mapped to IA Job roles and SFIA Levels

Organisations researched via the web:

• Communications-Electronics Security Group (CESG)

• International Information Systems Security Certification Consortium (ISC)²

• British Computer Society (BCS) / Information Systems Examination Board (ISEB)

• Information Systems Audit and Control Association (ISACA)

• SANS Institute – Certifications provided by Global Information Assurance Certifications (GIAC)

• International Register of Certificated Auditors (IRCA)

• British Standards Institute (BSI)

• Cabinet Office - Central Sponsor for Information Assurance (CSIA) (ITPC)

• International Council of Electronic Commerce Consultants (EC-Council)

• CompTIA Certification UK

Notes:

1. Information Assurance is not normally the qualification title; it is tied up in Security and Risk. Also see the other qualifications listed on page ??

2. The IISP offers a certification scheme, but on closer inspection these are actually the ISEB qualifications, except for one which has no examination associated with it.

3. The CESG Training for the Public Sector is mostly about Risk, and there do not appear to be any qualifications associated with the training.

4. SFIA levels are based on the SFIA descriptions, e.g. 3 = apply, 4 = enable for Practitioner levels, taking account of the course objectives and examination style (SFIA levels are not outlined in the exam syllabuses).

5. Not all courses cover the full range of IISP skills outlined for each role.

6. Without the examination syllabus and exam type it is difficult to assess SFIA levels.

7. The only BCS qualification listed as Information Assurance is CISMP.

8. The IISP mapping for the ISACA qualifications is by observation of the Job Practice Areas against the CESG Certification Skills; it is not explicitly referenced in the ISACA certification information. It has been assumed to be Practitioner level only at this stage, as the exam is multiple choice, although it may be at the higher levels given the additional requirements that must be met before becoming certified by ISACA.

|Qualification Name |Format |Training Provider |Exam Supplier |Role Map |Role Level |IISP Map |SFIA Level |
|---|---|---|---|---|---|---|---|
|Practitioner Certificate in Information Risk Management |5 day training course with written assignment exam |IISP Accredited Training Provider – Ultima Risk Mgmt |BCS-ISEB |Accreditor; Security and Information Risk Advisor |Practitioner; Senior |B1, B2 |3, 4 |
|IS1 for Practitioners |Training course only |IISP Accredited Training Provider – Ultima Risk Mgmt |N/A |Accreditor; Security and Information Risk Advisor |Practitioner |A1, A2, A3, B1, D2 |3 |
|Certificate in Information Security Management Principles (CISMP) |5 day training course; 2hr, 100 question multi-choice exam |IISP Accredited Training Provider – Ultima Risk Mgmt |BCS-ISEB |Accreditor; IA Auditor; Security and Information Risk Advisor; IT Security Officer; Communications Security Officer |Practitioner |A1, A2, A3, A4, A5, A6, A7, B1, D2, E1, E2, E3, F1, F2, F3, G1, H1, H2 |3 |
|Certified Information Systems Security Professional (CISSP) |To be issued a certificate, a candidate must: pass the CISSP examination with a scaled score of 700 points or greater; submit a properly completed and executed Endorsement Form; successfully pass an audit of their assertions regarding professional experience, if the candidate is selected for audit. The examination appears to be the assignment style as there are only 4 questions to answer |There does not appear to be any training associated with this Certificate |ISC – Security Transcends Technology |Syllabus not available without emailing ISC for the Candidate Information Bulletins |Unknown – although the exam style appears to mean this could be assessing at Senior level |No mapping shown |See note 6 |
|Systems Security Certified Practitioner (SSCP) |As above |As above |ISC |As above; however, using the list of jobs in the overview the following job roles could be linked: IA Auditor; IT Security Officer; IA Architect; Security & Information Risk Advisor |As above |No mapping shown |See note 6 |
|Certifications and Accreditation Professional (CAP) |As above |As above |ISC |As above: IA Auditor; Accreditor; IT Security Officer; IA Architect; Security & Information Risk Advisor |As above |No mapping shown |See note 6 |
|Certified Secure Software Lifecycle Professional (CSSLP) |As above, except the exam is CBT via Pearson Vue |ISC e-learning packages offered |ISC |As above: Security Architect |As this is CBT – likely to be Practitioner |No mapping shown |See note 6 |
|Certificate in Information Security Management Principles (CISMP) |5 day training course; 2hr, 100 question multi-choice exam |BCS-ISEB Accredited Training Providers: Net-Security Training Limited; QinetiQ; QT & C Limited; Ultima Risk Management Limited; Foster Melliar (Pty) Limited |BCS-ISEB |Accreditor; IA Auditor; Security and Information Risk Advisor; IT Security Officer; Communications Security Officer |Practitioner |A1, A2, A3, A4, A5, A6, A7, B1, D2, E1, E2, E3, F1, F2, F3, G1, H1, H2 |3 |
|Certified Information Systems Auditor (CISA) |Successful completion of the CISA examination; submit an Application for CISA Certification; adherence to the Code of Professional Ethics; adherence to the Continuing Professional Education Program; compliance with the Information Systems Auditing Standards. Exam is 200 question multi-choice |ISACA |ISACA |IA Auditor; IA Architect; IT Security Officer; Communications Security Officer |See Note 8: Practitioner; Senior; could be higher with the additional requirements |IA Auditor: A6, G1; IA Architect: C1, C2, D1; IT Security Officer: A6, E1, E2, E3, F1; Communications Security Officer: A6, E1, E2, F1 |3, 4 |
|Certified Information Security Manager (CISM) |As above |ISACA |ISACA |Security & Information Risk Advisor; IA Architect; Accreditor; IT Security Officer; Communications Security Officer |As above |Security & Information Risk Advisor: A2, A3, A4, B1, B2, F1, F2; IA Architect: A4, C1, C2, D1; Accreditor: B1, B2, D1; IT Security Officer: E1, E2, E3, F1; Communications Security Officer: E1, E2, F1 |3, 4 |
|Certified in the Governance of Enterprise IT (CGEIT) |As above |ISACA |ISACA |Security & Information Risk Advisor; IA Architect; IA Auditor; Accreditor |As above |Security & Information Risk Advisor: A2, A3, A4, A6, B1, B2; IA Architect: A4, D1; IA Auditor: A6, D1, F2, G1; Accreditor: A6, B1, B2, D1 |3, 4 |
|Certified in Risk and Information Systems Control (CRISC) |As above |ISACA |ISACA |Security & Information Risk Advisor; IA Architect; Accreditor; IT Security Officer; Communications Security Officer |As above |Security & Information Risk Advisor: B1, B2, F1, F2; IA Architect: A4, C1, C2; Accreditor: A6, B1, B2, D1; IT Security Officer: E1, E2, E3, F1; Communications Security Officer: E1, E2, F1 |3, 4 |
|IRCA ISMS Programme – six grades of certification: ISMS Provisional Internal Auditor; ISMS Internal Auditor; ISMS Provisional Auditor; ISMS Auditor; ISMS Lead Auditor; ISMS Principal Auditor |Technical Assessment and Work Based Evidence |IRCA |IRCA |IT Security Officer; IA Auditor |Practitioner, Senior & Lead |No mapping shown – syllabus does not list skills covered in the assessments |3, 4, 5 & 6 |
|ISO 27001 Awareness Training Course - 1 |1-day training course |BSI |N/A |IT Security Officer; IA Auditor |Introduction only |E1, E2, E3, F1 |2 |
|ISO 27001 Awareness Training Course - 2 (ISEB Certificate in Information Security Management Principles (CISMP)) |5 day training course; 2hr, 100 question multi-choice exam |BSI |BCS-ISEB |Accreditor; IA Auditor; Security and Information Risk Advisor; IT Security Officer; Communications Security Officer |Practitioner |A1, A2, A3, A4, A5, A6, A7, B1, D2, E1, E2, E3, F1, F2, F3, G1, H1, H2 |3 |
|ISO/IEC 27001 Implementation Course |3-day training course as introduction to certification |BSI |N/A |IT Security Officer; IA Auditor |Practitioner |IT Security Officer: E1, E2, E3, F1; IA Auditor: D1, F2, G1 |3 |
|ISO/IEC 27001 Lead Implementer Course |3-day training course with an exam |BSI |Unknown |Security and Information Risk Advisor; IA Architect; IT Security Officer; IA Auditor |Practitioner; Senior |Security and Information Risk Advisor: A2, A3, A4, A6, B1, B2, F1, F2; IA Architect: A4, C1, C2, D1; IT Security Officer: E1, E2, E3, F1; IA Auditor: D1, F2, G1 |3, 4 |
|ISO/IEC 27001 Internal Auditor Training Course |2-day training course – refresher course |BSI |N/A |IT Security Officer; IA Auditor |Practitioner |IT Security Officer: E1, E2, E3, F1; IA Auditor: D1, F2, G1 |2 |
|ISO/IEC 27001 Lead Auditor Training Course |5-day training course. Attendance on this information security training course will provide delegates with 40 CPD points. This information security training course qualifies you for stage 1 of the BSI Registered Lead Auditor. |BSI |N/A |IT Security Officer; IA Auditor; Accreditor |Practitioner, Senior & Lead |IT Security Officer: E1, E2, E3, F1; IA Auditor: D1, F2, G1; Accreditor: A6, B1, B2, D1 |3, 4, 5, 6 |
|Certified Security Analyst (ECSA) |5-day training course followed by exam |EC-Council |Exam 412-79 |IT Security Officer |Practitioner |A6, E1, E2, E3, F1 |3 |
|Certified Security Specialist (ECSS) |2-day training course followed by exam |EC-Council |Prometric |Security and Information Risk Advisor; IT Security Officer |Practitioner |Security and Information Risk Advisor: A6, E1, E2, E3, F1; IT Security Officer: E1, E2, E3, F1 |3 |
|Certified Security Officer (ECSO) |Unclear on website |EC-Council |Unknown |Security and Information Risk Advisor; IA Architect; IT Security Officer |Unclear |No syllabus information available | |
|Security+ |25 – 30 hours of study to take the exam |CompTIA |CompTIA |IT Security – this is more technical because, before attending this course, students must have completed A+ and Network+ certifications, or equivalent knowledge, or 6-9 months experience in networking, including experience configuring and managing TCP/IP |Practitioner |Not really appropriate, but included for completeness |3 |

Other qualifications in Security, which may be considered by Information Assurance Professionals

Whilst conducting research into Information Assurance qualifications it became clear that the term Information Assurance has not historically been used in qualification titles; instead, qualifications in Security have provided the industry with certifications in this area. It therefore seemed appropriate to list these for information purposes and completeness, although they do not reference the job roles within the CESG Certification for IA Specialists scheme. They are as follows:

|Qualification Name |Format |Training Provider |Exam Supplier |Role Map |
|---|---|---|---|---|
|Global Information Assurance Certifications (GIAC): GIAC Security Leadership Certification (GSLC); GIAC GPEN Certification; GIAC GCIA Certification; GIAC GISP Certification; GIAC GISF Certification; GIAC GSEC Certification; GIAC GSSP-NET Certification |Unclear, no exam information available without buying/downloading a “PrepKit” |SANS Institute |uCertify |For network and system security: Security Manager, Security Administrator, Security Analyst, System Administrator etc. Related certifications are GSLC and GISF. For Network Administration and Security: Network Administrator and Security Professional. Related certification is GISP. For Security in the .NET domain: Secure Software Programmer, IT Auditor. Related certification is GIAC Secure Software Programmer – .NET. For the Auditing domain: System Auditor, Technical Auditor and Network Auditor. Related certifications are G7799 and GSNA. For Incident Handling: Incident Handler. Related certification is GCIH. |

Cabinet Office

The Central Sponsor for Information Assurance (CSIA) is a unit of the UK Government's Cabinet Office and works with partners in the public and private sectors, as well as its international counterparts, to help safeguard the nation's IT and telecommunications services.

The CSIA has a lead role in helping government to ensure the following strategic outcomes:

▪ Government is better able to deliver public services through the appropriate use of ICT

▪ The UK's national security is strengthened by protecting information and information systems at risk of compromise

▪ The UK's economic and social well-being is enhanced as government, businesses and citizens realise the full benefits of ICT.

The 2007 National Information Assurance Strategy outlines an approach for the UK in adopting information risk management by ensuring the right level of: professionalism, education and training; availability of IA products and services as well as compliance and adoption of standards.

The CSIA provides a certification scheme through Infosec Training Paths and Competencies (ITPC). ITPC qualifications offer recognised formal training and development for IT security professionals working for the UK government and related organisations. The scheme develops and supports Infosec core competency profiles for key security roles within UK government and related sectors. ITPC is the ‘recommended qualification’ for CESG Listed Adviser Scheme (CLAS) consultants undertaking work for government clients.

ITPC has now closed and directs all enquiries regarding the scheme to the Institute of Information Security Professionals, whose qualifications have all been listed above. See the explanation leaflet attached.

Postgraduate Degree Courses in Information Security

There are academic courses in information security; a broad selection is listed below.

• Royal Holloway, University of London - MSc in Information Security - isg.rhul.ac.uk

• Royal Holloway, University of London - PhD in Security - isg.rhul.ac.uk

• Westminster University - MSc in IT Security - wmin.ac.uk

• Loughborough University - Postgraduate Programme in Security Management (Certificate, Diploma and MSc) - lboro.ac.uk

• University College London (UCL), Centre for Security and Crime Science, MSc in Information Security -

• University of Salford - MSc in Information Security - isi.salford.ac.uk

• University of Glamorgan - MSc in Computer Systems Security - glam.ac.uk

• Sheffield Hallam University - MSc/PgDip/PgCert Information Systems Security - shu.ac.uk

• Southampton University - MSc in Corporate Risk & Security Management - management.soton.ac.uk

• University of East London (UEL) - Professional Doctorate in Information Security - uel.ac.uk

• University of East London (UEL) - MSc in Information Security and Computer Forensics - uel.ac.uk

• University of East London (UEL) - PgCert in Information Security - uel.ac.uk

Professional Bodies:

• Emergency Planning

• Society Fire Brigades Union

• Foreign and Commonwealth Office

• Greater London Authority

• ICDDS

• ICDO

• Institute of Risk Management

• International Landslide Centre

• London Fire Brigade

• London Resilience

• The World-Wide Earthquake Locator

• UK Resilience

References

National IA Strategy - .uk/images/working_with_us/nia_strategy.pdf

The Cyber Security Strategy -

CLAS - .uk

SFIA - .uk

IISP - .uk

CESG IA Policy Portfolio -

HMG Security Policy Framework -

HMG IA Standard No 1 – Technical Risk Assessment -

HMG IA Standard No 2 - Risk Management & Accreditation of Information - Systems,

CESG Good Practice Guide 19; Managing Accreditation – Governance, Structure & Culture -

Zachman Framework - framework.html

CHECK - .uk

Infosec Training Paths Competency scheme - SSLPage.aspx?pid=363

All links are correct at the time of writing.