
Infosec Certification Guide: (ISC)2

Monday, November 24th, 2008

Whether you’re interested in becoming an information security professional or in hiring one, it’s helpful to know what the blizzard of infosec certifications out there actually are and what each one means. Several organizations issue reputable infosec certifications for IT professionals. In this post, I cover the certifications that can be obtained from the International Information Systems Security Certification Consortium, also known as (ISC)² or the ISC-squared.

CISSP

CISSP stands for Certified Information Systems Security Professional. Considered by many to be the gold standard in infosec certifications, the CISSP measures an individual’s knowledge as well as their experience, requiring at least 5 years of experience working in information security in two or more of the following ten domains:

  • Access Control
  • Application Security
  • Business Continuity and Disaster Recovery Planning
  • Cryptography
  • Information Security and Risk Management
  • Legal, Regulations, Compliance and Investigations
  • Operations Security
  • Physical (Environmental) Security
  • Security Architecture and Design
  • Telecommunications and Network Security

To obtain a CISSP certification, candidates must meet the experience requirement above, pass the CISSP certification exam with a scaled score of 700 or more, and then submit an endorsement from another ISC-squared member in good standing who can attest to the candidate’s professional experience. Recertification is required every 3 years.

If you don’t have the required five years of professional experience, you can have one year waived if you possess another security certification recognized by the ISC-squared. Alternatively, you can take the CISSP exam before you have the experience and become an Associate of ISC-squared; that credential converts to a full CISSP if you obtain the requisite professional experience within the following 6 years. For more information, visit CISSP.

CAP

CAP stands for Certification and Accreditation Professional and measures the skill level of individuals responsible for defining the processes used to assess risk and establish security requirements. The CAP credential is aimed at information assurance professionals who are responsible for adherence to NIST (National Institute of Standards and Technology) guidelines. It is recognized by civilian, state and local governments in the U.S., as well as in commercial markets. It is designed for authorization officials, system owners, information owners, information system security officers, and senior system managers.

The CAP requires at least two years of professional experience in one or more of the following domains:

  • Understanding the Purpose of Certification
  • Initiation of the System Authorization Process
  • Certification Phase
  • Accreditation Phase
  • Continuous Monitoring Phase

Like the CISSP, CAP candidates need to pass an examination and obtain an endorsement to be certified, and must remain in good standing by earning continuing professional education (CPE) credits. For more information, visit CAP.

SSCP

SSCP stands for Systems Security Certified Practitioner and requires only one year of professional infosec experience to apply for. It is designed for Network Security Engineers, Security Systems Analysts, Security Administrators, and other information technology and software development positions that require an understanding of security but do not have it as the primary part of their job description.

Although the SSCP is not as prestigious as the CISSP, it is still a valuable certification to obtain if you are interested in an information security career. Organizations such as the US Department of Defense and the British Ministry of Defence require certifications for their information security personnel, and the SSCP is an internationally recognized certification that can differentiate your resume.

For certification, your professional experience has to be in at least one of the following seven security domains:

  • Access Controls
  • Analysis and Monitoring
  • Cryptography
  • Malicious Code
  • Networks and Telecommunications
  • Risk, Response and Recovery
  • Security Operations and Administration

Like the CISSP, SSCP candidates need to pass an examination and obtain an endorsement to be certified, and must remain in good standing by earning continuing professional education (CPE) credits. For more information, visit SSCP.
