For most people, the events of September 11 elevated the importance of security. Many security professional associations assessed themselves in a new light, and new organizations sprung up dedicated to addressing one or another security function.
Four years later, it is worth looking at the current roster of security association certifications. CSOs and others with responsibility for both physical and IT security will need to know a little about the certifications in both disciplines.
Certification can play many roles in your career as a security manager.
- It provides direct benefit from the educational programs and certification training.
- Employers or clients may give you more consideration for your demonstration of advanced knowledge through certification.
- You gain expanded knowledge and a bigger contacts pool through your colleagues in certification.
- It helps you identify employees and service providers with the skill sets you require.
Certification reflects a set of professional standards that have to be met, which include the demonstration of a certain level of expertise or competence. Thus security certifications commonly involve both an experience and an educational component. Some certifications require sponsorship or endorsement of the applicant by one or more association members. Certifications usually require periodic renewal involving continuing education, so it is prudent to check an association's current membership list to verify that an asserted certification standing is current.
Technology and Certifications
Some security certifications are technology focused, while others are more general or pertain to security management issues. Security is a business function, and the business security requirements are primary drivers for the deployment of security technology. This means that practitioners in security management positions must have some understanding of the uses and limitations of technology. Conversely, those who specify, design, provide, operate and maintain security systems must have some understanding of the role the technology plays in the overall security scheme, in support of management's security strategies, policies and procedures. There are significant bodies of knowledge at each level (managerial and technological).
Being a Professional
The most common comment from practitioners who attend certification preparation classes or embark on a personal course of study is, "I should have done this a long time ago."
A professional knows what he knows, and also knows what he doesn't know. Achieving the latter is the greater challenge, but it can be answered by obtaining a good understanding of the spectrum of knowledge that exists in one's profession; that's something that security management and high-level certifications provide. The advantage of having such knowledge is that one is never at a loss, but instead knows that someone else knows the answer and can reach out for the required knowledge when needed.
Most certification programs provide a list of books and reference materials and offer study guides. Some associations offer certification test preparation classes, and some private organizations offer comprehensive training for certifications in the IT domain. Professional education is often an evolutionary process, beginning with specialization in a limited area and progressing to a more general command of the field, enabling one to assume larger and more complex responsibilities. Thus a common and workable path is to become certified first in the area closest to one's current or intended area of specialization, and then to proceed with additional education as best fits one's job requirements or personal interests.
Security Certification Subjects
The table on pages 38 and 39 of the hard copy of this issue of ST&D provides a chart of professional security certifications for corporate, physical and IT security. Rather than reflect the specific knowledge elements of each certification, the chart is designed to minimize the number of knowledge categories to provide an overview that's succinct and comprehensible. Because the full breadth and depth of each certification isn't depicted in the chart, a list of certification descriptions is provided to furnish a little more information about each.
The table identifies whether a security certification covers primarily the realm of corporate security management, physical security, information security or IT security. Note that information security overlaps with IT security. Information security deals with information in all forms, paper, human memory as well as electronic information systems. IT security deals not only with electronic information systems and networks, but with telecommunications and messaging systems as well.
Although safety and security go hand in hand, certifications related to fire and life safety issues are excluded from this review due to space reasons. Academic degrees, certifications by private companies and law enforcement-related certifications are also not included; nor are certifications that do not include a validated educational component (for example, those that are based upon years of experience only).
In recent years national legislation such as HIPAA and Sarbanes-Oxley, as well as state legislation like California Senate Bill 1836, have impacted the risk management picture. As a result, privacy certifications are being developed, such as the Certified in Healthcare Privacy (CHP) designation jointly developed by the Healthcare Information and Management Systems Society (HIMSS) and the American Health Information Management Association (AHIMA), which also developed the Certified in Healthcare Security (CHS) certification. Fulfilling both the CHP and CHS achieves the Certified in Healthcare Privacy & Security (CHPS) designation. In addition, the International Association of Privacy Professionals has developed the Certified Information Privacy Professional (CIPP) certification.
While privacy certifications are outside the intended scope of this article, they are mentioned here because chief security officer responsibilities will generally encompass privacy where a separate chief privacy officer position does not exist.
Finally it should be noted that certifications originating from outside the United States are not included here.
Security-related academic educational opportunities are significant and should be considered in addition to the professional association certifications presented in this article. For a listing of universities offering degrees and classes in security, see the document links on the Academic Resources page of the ASIS International Web site: www.asisonline.org/education/academicresources.xml. This page also contains downloadable documents chronicling in-depth research in support of security academic education by the ASIS International Academic/Practitioner Symposiums. Also check the National Academic Consortium for Homeland Security (NACHS) at http://homelandsecurity.osu.edu/NACHS/members.html for a list of more than 290 consortium member universities.
The following certification descriptions are numbered to match the column numbers in Table 1.
1) Certified Protection Professional (CPP) - From ASIS International. Covers five major security management subject areas in depth: security principles and practices, business principles and practices, personnel security, physical security and information security. The development of the PSP designation has allowed the CPP certification to adjust its focus slightly, incorporating more elements of enterprise risk security management. This certification is ideal for CSOs, corporate security directors and senior security managers. (www.asisonline.org)
2) Physical Security Professional (PSP) - From ASIS International. For security professionals whose primary responsibility is to conduct threat surveys; design integrated security systems that include equipment, procedures and people; or install, operate, and maintain those systems. It covers the subject areas of physical security assessment, selection of integrated physical security measures and implementation of physical security measures. (www.asisonline.org)
3) Professional Certified Investigator (PCI) - From ASIS International. For security professionals whose primary responsibility is conducting investigations. This certification covers the subject areas of case management, evidence collection and case presentation. (www.asisonline.org)
4) Certified Fraud Examiner (CFE) - Offered by the Association of Certified Fraud Examiners. This certification covers four areas of knowledge: criminology and ethics, financial transactions, fraud investigation and the legal elements of fraud. (www.cfenet.com)
5) Industrial Security Professional (ISP) - Offered by the National Classification Management Society, whose purpose is to advance the practice of classification management in the disciplines of industrial security, information security, government-designated unclassified information, and intellectual property. This certification is primarily for those working in government or private industry projects that involve the management and protection of classified government information. (www.classmgmt.com)
6) Certified Healthcare Protection Administrator (CHPA) - Offered by the International Association of Healthcare Security and Safety Professionals (IAHSSP). This certification covers these four areas of knowledge as they specifically apply to healthcare organization security: management, security, safety and risk management. (www.iahss.org)
7) Certified in Healthcare Security (CHS) - Sponsored by the Healthcare Information and Management Systems Society and administered by the American Health Information Management Association. This certification denotes advanced competency in designing, implementing and administering comprehensive security protection programs in all types of healthcare organizations. (www.ahima.org)
8) Certified Lodging Security Supervisor (CLSS) - Offered by the Educational Institute of the American Hotel and Lodging Association (AH&LA). This certification is perfect for the responsible general manager with security obligations. The subject matter includes lodging security overviews, legal system, operational policies and procedures, locks and keys, investigating and reporting, handling disturbances, patrols and grounds. (www.ahma.com)
9) Certified Lodging Security Director (CLSD) - Offered by the AH&LA. This designation is the premier symbol of professional achievement for lodging security directors and executives. The subject matter includes the material of the CLSS certification plus the additional subjects of security planning, operational policies and procedures, managing security department human resources & crisis management and emergency response procedures. (www.ahma.com)
10) Certified Information Systems Security Professional (CISSP) - Offered by the International Information Systems Security Certification Consortium (ISC)?. The CISSP credential is ideal for mid- and senior-level managers who are working toward or have already attained positions as CISOs, CSOs or senior security engineers. It demonstrates competence in the following 10 domains of the (ISC)? CISSP Core Body of Knowledge: access control systems and methodology; applications and systems development security; business continuity planning (BCP) and disaster recovery planning (DRP); cryptography; law, investigation and ethics; operations security; physical security; security architecture and models; security management practices; and telecommunications and network security. (www.isc2.org)
11) Systems Security Certified Practitioner (SSCP) - Offered by (ISC)?. The SSCP credential is ideal for those who are working toward or who have already attained positions as senior network security engineers, senior security systems analysts or senior security administrators. (www.isc2.org)
12) Certified Information Systems Auditor (CISA) - Offered by the Information Systems Audit and Control Association. This is for the experienced computer auditor or computer security professional. The subject areas include management, planning and organization of IS; technical infrastructure and operational practices; protection of information assets; disaster recovery and business continuity; business application system development, acquisition, implementation and maintenance; business process evaluation and risk management. (www.isaca.org)
13) Certified Information Security Manager (CISM) - Offered by the Information Systems Auditing and Control Association. CISM was specifically developed for the information security professional who has five years or more of experience managing the information security function of an enterprise. This certification covers information security governance, risk management, information security program management, information security management and response management. (www.isaca.org)
14) Global Information Assurance Certificate (GIAC) - Offered by SANS Institute. This is actually a series of certifications for information systems, computer and network security. Each GIAC certification is designed to stand on its own and represents a certified individual's mastery of a particular set of knowledge and skills. The certifications fall into three categories: audit, management and security administration. (www.giac.org)
15) The Certified Information Forensics Investigator™ (CIFI) - Offered by the International Information Systems Forensics Association. CIFI is specifically developed for experienced information forensics investigators who have practical experience in performing investigation for law enforcement or as part of a corporate investigations team. The CIFI certification is designed to demonstrate expertise in all aspects of the information investigative process and is dedicated to bringing a level of consistency to the profession that can be recognized outside the field. (www.iisfa.org)
16) Certified Critical Infrastructure Security Professional (CCISP) Basic and Advanced - Two certifications offered by the Critical Infrastructure Institute and recognized by the Information Systems Security Association (ISSA). The CCISP domain includes knowledge and professional skills required for designing, maintaining and managing security architectures as well as the extended skills required for critical infrastructure, SCADA, or other high-availability environments. (www.ccispcert.com)
17) Certified in Homeland Security Levels IV and V (CHS Level-IV and CHS Level-V) - Offered by the American College of Forensic Examiners Institute (ACFEI). After becoming certified in homeland security at CHS Level III (based upon homeland security-related experience, training, knowledge, skill and education) members may pursue Levels IV and V, which require specific education by CHS instructors. Level IV covers incident command management and terrorism, and provides particular understanding of the differences between a HAZMAT incident and a nuclear, biological and chemical incident, and includes WMD incidents involving chemical, biological, radiological, nuclear and high-yield explosives (CBRNE). Level V addresses CBRNE and catastrophic events in detail, including event analysis and medical, physiological and personnel management considerations. (www.acfei.com/certification_programs-chs.php)
18) The Certified Security Project Manager (CSPM) - Offered by the Security Industry Association. CSPM provides professional accreditation of project managers involved in the design and installation of security systems. The program certifies individuals who have demonstrated their proficiency in every aspect of project management as it relates to security systems. The certification program is designed specifically to meet the practical requirements of designing and managing security projects that involve electronic security systems. (www.SecurityLearningNetwork.com)
Ray Bernard, PSP is principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides high-security consulting services for public and private facilities. Mr. Bernard has provided direction and technical advice in security and building automation for more than 18 years. This article is based upon material in his upcoming book, Shifting Sands: The Convergence of Physical Security and IT. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.