Hiring Guide to the Information Security Profession
Introduction

Welcome to the (ISC)² Hiring Guide to the Information Security Profession. It's no secret that it's not easy to find qualified experts to protect your organization. As the world's largest body of information security professionals, with more than 60,000 certified members in 130 countries, (ISC)² wants to help HR professionals, recruiters and hiring managers understand the scope of this burgeoning profession and lessen the pain of obtaining the best and brightest information security staff.

The information security profession is expanding rapidly. The 2008 (ISC)²/IDC Global Information Security Workforce Study (GISWS) showed that the number of professionals worldwide will increase to slightly more than 2.7 million by 2012, a compound annual growth rate of 10 percent from 2007 to

It wasn't always this way. Twenty years ago, the field of information security was in its infancy, and companies often brushed off threats to their infrastructure. Today, driven by legal and regulatory compliance and the desire to maximize global commerce, hiring first-rate information security staff is critical to mitigating risks that can destroy a company's reputation, violate privacy, result in the theft or destruction of intellectual property, and, in some cases, even endanger lives.

We hope this hiring guide, compiled with significant contributions from Alta Associates, will shine some light on the significance of this relatively new profession, as well as offer tips on ensuring your security staff is filled with talented and qualified professionals. You can also find more tools at the online (ISC)² Hiring Resource Center.

Best of luck in your recruiting efforts!

W. Hord Tipton, CISSP-ISSEP, CAP, CISA
Executive Director, (ISC)²
Table of Contents

What is Information Security?
The Evolving Role of the Information Security Profession
What Types of Job Functions Exist?
What are the Ideal Traits of an Information Security Professional?
What are Typical Career Paths?
Crafting a Job Description
Certification Requirements
Recruiting
Screening
Interviewing
References/Security Checks
Crafting and Presenting an Offer
Retention
Resources
What is Information Security?

Governments, military, financial institutions, healthcare and private business today amass volumes of confidential information about their employees, customers, products, and financial status. Most of this information is now collected, processed and stored on computers and servers and transmitted across networked systems. Should such confidential information fall into the hands of outsiders, such a breach of security could lead to lost business, lawsuits, reputation damage and even bankruptcy. Protecting confidential information is a common-sense requirement these days, and in most cases is also a legal requirement.

Information security involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The purpose of information security is to ensure that all information held by an organization, regardless of whether it resides on a computer hard drive or in a filing cabinet, is maintained with:

Confidentiality - ensuring that information is accessible only to those authorized to have access;
Integrity - safeguarding the accuracy and completeness of information and processing methods;
Availability - ensuring that authorized users have access to information and associated assets when required; and
Compliance - ensuring that all laws and industry regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare providers in the United States, Sarbanes-Oxley (SOX) for companies traded on the New York Stock Exchange and the European Directive on Data Protection for companies operating in Europe, are met.

The objective of an information security policy is to minimize damage to the organization by preventing and controlling the impact of security breaches. Information security provides the essential protective framework in which information can be shared while ensuring its protection from unauthorized users.
The Evolving Role of the Information Security Profession

Years ago, the majority of people responsible for protecting information assets entered the field without a formal background or education and obtained their experience in broader disciplines, such as information technology (IT) or engineering, transferring into information security only as the need arose. Unlike two decades ago, many younger professionals in today's sophisticated cyber world have information security in mind from the beginning, pursuing college degrees in information security, information assurance, or a related discipline such as computer science. They also likely have a working knowledge of network systems and security protocols, security software programs and implementation, and best practices for developing security procedures and infrastructure.

A secure organization requires seasoned professionals who can create and implement a program, obtain support and funding for the program, and make every employee a security-conscious citizen, all while adhering to necessary regulatory standards. In addition, it requires a team of technical practitioners to implement the policies set by the security manager. Today's information security professionals work closely with HR, legal, audit, IT and other areas of business to mitigate risk throughout the organization. Many are now called upon as critical contributors to business decision-making.

In the face of these daunting challenges, the role of the professional has changed dramatically over the past few years. The successful professional must now quickly and securely respond to change, whether brought on by external and internal threats, or by customer demand for new goods and services. The professional must also implement integrated security solutions at all levels where people, processes and technologies intersect, and ensure they support the objectives of the organization.

Although having qualified information security professionals on staff is a necessity for organizations of all industries and sizes, it is especially important to those who have critically sensitive information, such as financial, healthcare or insurance entities, or those who have to comply with strict legal or regulatory mandates.
What Types of Job Functions Exist?

In the early days of information security, an organization hired a single security engineer who was an adjunct to the IT department and focused on network security and security administration. The position required an understanding of network protocols, firewalls and network vulnerabilities. Today, with the increasing dependence upon the virtual world in every corner of business and society, the requirements and job functions of the information security profession have exploded. Security-specific roles include:

Forensics Specialist
IT Security Manager
Certification & Accreditation Specialist
Risk Manager
Compliance Officer
Security Architect
Chief Information Security Officer
Information Assurance Manager

The scope of traditional security roles has also expanded. The early role of security engineer has now expanded to include numerous areas of specialization, such as identity and access management, vulnerability management and application security. These positions require extensive technical backgrounds, as well as business risk analysis, so that the security controls appropriate to the specific organization can be developed.
What are the Ideal Traits of an Information Security Professional?

While the information security profession has become too complex for any one set of specific skills, there are general attributes that are important to consider when seeking a professional. A few of these ideal traits include:

Skills and Competencies

A track record of developing information security and risk management solutions;
A keen understanding of technology and the ability to leverage this knowledge to implement effective security solutions;
An understanding of the industry, the company's place in the market, relevant regulatory and legal requirements, and how they can add value;
Solid communications skills. These include the ability to influence employee behavior and perceptions. The best security policies won't be effective without buy-in from all employees;
The ability to articulate business value. Professionals must know their audience and talk in a language they understand;
Understands and manages risk. Security professionals must tailor their security postures to the specific needs and risk appetites of the organization;
Ability to build strong relationships with the key stakeholders of the organization, including legal, HR, audit, physical security, PR, and risk managers; and
Ability to see the overall security needs of an organization. Even in more traditional network security roles, organizations need professionals who can interpret technology in a way that's useful and in line with its business and risk management goals.

Personal Attributes

A positive attitude. While professionals need a healthy dose of caution, the professional should emphasize the power of defense, rather than the negatives or costs of vulnerability;
Commitment to ethics. To be effective, a professional must always tell the truth and never exaggerate about what can and can't be done; and
Embraces the need to stay current in the latest security and technology knowledge.
What are Typical Career Paths?

An information security professional can come from many different, non-security disciplines. Indeed, many exemplary professionals began their careers in technology and went on to learn security. Although professionals typically have technology backgrounds, increasingly they are also coming from risk assessment areas with strong project management experience.

The two most common job paths available to information security professionals are the security technologist and the security manager/strategist. Some professionals enjoy meeting the day-to-day technical challenges of the security technologist role and will remain there throughout their careers, although even this role increasingly requires the soft skills of business knowledge, communication and collaboration. Others acquire the management skills needed to bridge the gap between an organization's technical and business priorities.

Desired attributes for a security technologist may include:

Deep understanding of multiple technologies
Subject matter expertise in a technical domain
Desire to remain part of the technical implementation and monitoring side of security

Desired attributes for a security manager may include:

Broad understanding of multiple technologies
Executive management and presentation skills
Particular knowledge of a business line or product
Desire to manage broader risk issues

(ISC)² Career Path

(ISC)² provides a career path for information security professionals from the beginning of their career until retirement. We offer a unique blend of certifications, advanced education, rigorous testing and specialized concentrations. (ISC)² members are at the forefront of today's dynamic information security industry. Look for one of these credentials when you make your next hiring decision.
Crafting a Job Description

A common misconception that still exists in many HR departments is that information security is part of information technology. In fact, because of expanding business requirements, the information security profession has splintered into many different facets beyond IT and offers specialization in process, auditing, policy, compliance and other topics. As with many fields, even a position with the identical job title in two departments of the same company can have different requirements.

If you are working with an experienced external recruiter who specializes in information security, this is the time to get them involved in the process. A knowledgeable recruiter can advise you on competitive salary ranges for the role and assist with the creation of the job description. Getting the recruiter involved this early in the process lays the groundwork for a successful partnership by creating a common understanding of the role and responsibilities and consistent messaging to potential candidates.

The key to developing a solid job description for the information security field is to ensure the hiring manager has an in-depth conversation with the HR department. Regardless of the level of the position, this initial discussion should help the hiring manager focus on what the organizational chart looks like, where this position sits, its roles and responsibilities, how the position relates to the larger organization, and expectations for success.

An information security manager's job description may include:

Develop and oversee implementation of the organization's information security policies and procedures;
Oversee implementation of the organization's information security policies and procedures;
Ensure unauthorized intrusions, access and tampering are prevented, and detect and remediate security incidents quickly;
Ensure the most effective and appropriate security technology tools are selected and correctly deployed;
Provide information security awareness training to all employees, contractors, alliances, and other third parties;
Monitor compliance with the organization's information security policies and procedures among employees, contractors, alliances, and other third parties;
Monitor internal control systems to ensure that appropriate information access levels and security clearances are maintained;
Perform information security risk assessments and ensure auditing of information security processes;
Prepare the organization's disaster recovery and business continuity plans for information systems;
Monitor changes in legislation and accreditation standards that affect information security.
Certification Requirements

In the requirements area, in addition to the education and experience level you are seeking, it's important to determine the professional certification that best validates a candidate's suitability for the position.

If you are seeking a security technologist, a vendor certification that matches your organization's particular technology environment, such as certifications from Microsoft or Cisco, might be desirable. A vendor-neutral certification to ensure the security technologist understands the overarching principles of effective security and can communicate well with security management is also desirable. These include certifications such as the Systems Security Certified Practitioner (SSCP) from (ISC)² and the GIAC from SANS.

According to the 2008 Global Information Security Workforce Study, 78 percent of security hiring managers worldwide believe in the importance of information security certifications as a hiring criterion. Employee competency and quality of work remain the top reasons that employers and hiring managers continue to place emphasis on security certifications. Company policy and regulations are becoming critical reasons as well.

For security management positions, the industry's gold standard certification is the Certified Information Systems Security Professional (CISSP), also from (ISC)². The CISSP was developed by information security pioneers in the early 1990s and is the first and most respected security credential on the market. It tests the broadest knowledge of any information security certification with a six-hour exam on its CISSP CBK, a regularly updated taxonomy of global information security topics. It also requires the candidate to possess five years of experience in at least two domains of the CBK, obtain endorsement by a certified (ISC)² professional, subscribe to the (ISC)² Code of Ethics, and complete annual continuing professional education requirements to remain certified.

Other professional security certifications include the Certified Information Security Auditor (CISA) and Certified Information Security Manager (CISM) from ISACA, as well as CISSP Concentrations from (ISC)² in management, architecture and engineering.
Recruiting

Information security professionals possess highly specialized skills that are in high demand. Because of this demand, talented professionals are often available for just a few weeks. It's a fact of the current market that organizations must hire a desired candidate quickly. Many qualified candidates are lost because the hiring process went on too long. To be competitive in successfully recruiting information security professionals, the HR department should partner with the hiring manager and a specialized recruiter to streamline the hiring process before recruiting begins.

Engaging a specialized recruiter can have many benefits, including reducing your time to hire, reaching passive candidates and extending your brand in a positive manner to the community. Make sure you choose a firm that has an established track record of success in the types of roles that you are filling and knowledge of your industry. Ask for references and gain a comfort level with the recruiter to ensure that you are confident that they are capable of partnering with you on the full life cycle of recruitment, from sourcing the candidate through negotiating an acceptance. Developing a trusted relationship with a specialized recruiter will enable you and the hiring manager to have confidence that you are finding the best possible candidate in the most expedient time frame.

Professional associations can also be an excellent resource for finding the right candidate. (ISC)², for instance, offers employers access to more than 60,000 certified members worldwide through its online Career Tools. Employers can post jobs and search resumes by industry, specific certification and location. Only certified (ISC)² credential holders may post resumes on the (ISC)² Career Tools. The service is free of charge.

Another avenue of recruiting is to build a partnership with an association and sponsor programs or provide informational sessions that might be appealing to their membership. Placing your organization's name regularly in front of security professionals is a great way to connect with the person who is not actively looking but may be interested when he or she hears about an opportunity.

If your position is one that a recent college graduate would be qualified for and is in the United States, consider contacting schools that have been qualified as a U.S. National Center of Academic Excellence in Information Assurance Education (CAEIAE) Program ( gov/ia/academic_outreach/nat_cae/index.shtml). The goal of the U.S. program is to identify four-year colleges and graduate-level universities that demonstrate academic excellence in information security education. Currently, there are 85 National Centers of Academic Excellence in Information Assurance Education. If the position is outside of the United States, check for similar schemes in the country in which you operate.

You may also wish to consider a student or recent graduate who has attained the Associate of (ISC)² designation. This designation is earned by those who pass the rigorous CISSP exam and have committed to the professional Code of Ethics but do not yet possess the requisite experience to be certified.
Screening

Detailed initial screening of the information security candidate will allow for a better assessment of whether an individual's goals and motivators are in line with what the organization is seeking. Information security is a relatively new discipline and has a recently established educational curriculum and career path. For instance, many academic institutions have only been offering security-focused programs in the past five years or so. Besides the IT field, many more senior information security professionals have come from the military, law enforcement and security auditing fields. Below are some general requirements or suggestions, broken down by education, technical skills and general skills.

Education Options/Requirements:

Associate Degree in systems administration
BA in information technology or related field
BS/BSc in computer science or equivalent information security experience
MS/MSc, MA or MBA for director or higher position
Ph.D. for professor, researcher, advanced developer

Technical Skills Required:

Knowledge of network systems and security protocols
Knowledge of security software programs and implementation
Knowledge of best practices in developing security procedures and infrastructure

General Skills and Aptitudes:

Excellent oral, written and presentation skills
Strong conceptual and analytical skills
Ability to effectively relate security-related concepts to a broad range of technical and non-technical staff *
Ability to operate as an effective member of a team
Ability to manage multiple diverse tasks simultaneously
Strong project management skills (ability to manage the overall project while understanding the subcomponents and how they relate to the total project)
Possess a vendor-specific or vendor-neutral professional certification *
Excellent leadership qualities *
Demonstrate interpersonal and conflict management skills *

* Helpful for advancement to information security management.
Interviewing

Before any interview, HR should work with the hiring manager and specialized external recruiter to develop a set of evaluation criteria for all to follow and confirm who the final decision maker will be. The final decision maker, along with the interviewers, may then create an evaluation form listing agreed-upon critical profile points for each position. It can include specific technical requirements, cultural fit, communication and presentation skills, potential for growth, and relevant past experiences. Each interviewer ought to touch on all topics but also be assigned specific profile points to delve into. This approach will facilitate a comprehensive understanding of the candidate's strengths and weaknesses, allowing the decision maker to make an informed choice when extending an offer.

Companies need to devote attention to selecting and preparing the interviewers. Those selected should have a clear understanding of the roles and responsibilities of the position and know the priority of skills required. In addition, all interviewers must provide a consistent message about the details of the position, such as reporting structure, title, compensation, and responsibilities. Everyone must also take part in selling or closing the candidate. This means everyone in the interview process must be positive and informative, and highlight the position's potential for growth. Interviewers must recognize that they are the face of your department and company, and the image they present will make a significant impression on the candidate.

While the hiring manager will likely focus on the hard technical skills, HR should help the interviewers get a sense of the candidate's soft skills: whether he or she can communicate effectively and articulate business value. If the information security professional cannot positively influence employees, especially those not under his or her direct authority, processes and technology won't solve anything. Asking the candidate to explain a security issue to a non-technical person can be one way of evaluating their communications skills. The candidate should know how to deliver appropriate messages to different audiences and tailor security posture to fit the specific needs and risk appetites of an organization. Ask the candidate to provide examples of where he/she has utilized common ground to build credibility and gain consensus.

Leadership is another key desired attribute, and asking for a specific example where the candidate demonstrated leadership can be helpful. Both the answer and the manner in which it is answered reflect leadership qualities.

Another good interview question can center on what differentiates the candidate from other information security professionals. One quality to look for is how well a candidate articulates the effect their efforts have had on the success or bottom line of their organization.

Ask the candidate to describe a specific security issue and how he or she solved it. The type of answers you hear define the traits of a successful security professional: Did they display an understanding of the cause of the problem before they implemented the solution? Did they consider and anticipate the impact of different courses of action? Were they able to tailor the solution to meet the needs and risk appetites of the business, and how successful were they in communicating the results?

Also, identify what your candidate reads and the websites they visit. Information security is a field that's constantly changing, so you should make sure a candidate is well-informed and keeping up with the latest forums, discussion groups and other industry sites.
References/Security Checks

Checking references and verifying background information are critical when hiring an information security professional, as information security professionals often have more access to employee, customer and proprietary data than any other single job function. Strong ethics and honesty are imperative. Professional references not only validate and verify an information security candidate's technical ability to do the job but also his/her communication skills, personality and moral compass. An information security candidate who fails a background check, whether for errors of omission, misstatements of facts, or financial or legal problems, presents a red flag, and great care should be taken before proceeding any further with the hiring process.

Test the candidate's credibility by verifying academic and professional credentials, professional background and personal references. (ISC)² offers a free online certification verification tool for employers that only takes a few seconds. Also, several vendor-neutral certification organizations, including (ISC)², require candidates to subscribe to a professional code of ethics and risk decertification if they are found to be in violation.

Look at credit reports as an indication of financial problems that may lead to misdeeds. Some of the issues to consider are a record of multiple collections, civil judgments, bad debts, charge-offs, a tax lien or repossession. Make sure you notify the applicant that he or she can dispute the information contained in the background check report if he or she deems it to be inaccurate or incomplete.
Crafting and Presenting an Offer

HR departments often fail to recognize that salary scales for information security professionals are higher than those of general IT practitioners, resulting in the extension of offers that are below market value and ultimately rejected. Information security is a field where conditions are constantly changing, and it is difficult to stay on top of the skill sets, profile and market value of security professionals. Be hesitant to rely on information security salary surveys by publications and industry analysts, as they are often not in line with the realities of the marketplace, offering estimates that are much lower than what is actually needed to retain high-caliber talent. They do not take into account the specialist skills in demand, the geographic region or the organizational layer, all of which must be considered to make a competitive offer. One of the more accurate salary surveys is included in the Global Information Security Workforce Study, which surveys thousands of information security professionals worldwide. It can be downloaded free of charge from the (ISC)² Website.

Before making a decision on an offer, make sure the interview team:

Collects and discusses evaluation criteria
Understands the candidate's total current compensation and expectations
Considers creative compensation alternatives

Again, everyone should be aware of the hiring process time line. The more time taken to deliver the offer, the more likely the candidate will be contacted by other companies, may re-evaluate his/her current position, get promoted, or just plain lose interest. There is an inverse correlation between the length of time it takes to extend an offer and the number of offers accepted.

If you can, be creative in your job offer by including a bonus or commission related to performance beyond the base salary. It's a fact, too, that many information security professionals are not attracted solely by salary and respond to opportunities to further their educational development, work on an innovative project, obtain professional certification, attend conferences, write and publish papers, join associations, etc. Many professionals appreciate the flexibility to network with their peers in addition to meeting the requirements of their job. Much of that networking also makes them more knowledgeable professionals.

It is also wise to discuss succession plans. Discuss professional growth and give examples of how other employees have developed a more prominent role during their tenure at the organization. Also consider the organization's policy for reimbursement of certification and education fees, continuous education, etc.

In the end, the hiring manager, HR and recruiter should work together on presenting and selling the offer. Presentation and messaging are extremely important in making a successful offer and retaining the desired candidate. Information security professionals generally aren't prima donnas but often receive a certain level of attention from your competitors because of their specialized skills and high demand in the marketplace.
Retention

With the amount of competition for quality information security professionals, companies must take a more strategic and supportive approach to retention if they want to keep the new breed of evolving talent. Develop a formalized career progression for the best and brightest members of your current information security team. One of the most unique and beneficial attributes of working in an information security department is the exposure one gets to operations, processes and technologies across all operations. This exposure provides a great training scenario for building the management teams of the future. Also, defined career paths will help assure the continuing supply of capable successors for each important position within the security team. Organizations must work to satisfy the long-term career goals and need for professional challenges of their information security staff because they are in such high demand in the job market.

HR professionals should also encourage information security employees to seek out opportunities in training and education. Evolving and emerging threats and attacks will continue to require security professionals to learn new skills and techniques. By cultivating home-grown talent, the HR team will be giving valued employees the tools to succeed, benefiting the organization in the long run. In addition, the reputation of having a strong security team can result in an organization's ability to hire the best candidates on the market. Also allow the security professional to network with their peers to establish an external support network consisting of people outside of their company that they can go to openly or privately for advice and support.
RESOURCES

AFCEA International
Alta Associates
American Council for Technology (ACT) and Industry Advisory Council
American National Standards Institute (ANSI)
ASIS International
Computer Security Institute
The Computing Technology Industry Association (CompTIA)
European Network and Information Security Agency (ENISA)
ECRYPT: European Network of Excellence for Cryptology
EEMA: The European Association for e-Identity and Security
The European Information Society Group (EURIM)
Executive Women's Forum
Information Security Forum (ISF)
Information Systems Audit and Control Association (ISACA)
Information Systems Security Association (ISSA)
Information Technology Association of America (ITAA)
Institute for Information Security Professionals
International Association of Privacy Professionals
International Federation for Information Processing
International High Technology Crime Investigation Association (HTCIA)
International Information Systems Forensics Association (ITFSA)
International Information Systems Security Certification Consortium, Inc. [(ISC)²]
International Security, Trust, and Privacy Alliance (ISTPA)
International Organization for Standardization (ISO)
Internet Security Alliance
The Jericho Forum
National Academic Centers of Excellence
SANS Institute
Security Industry Association
Acknowledgements

(ISC)² wishes to acknowledge the invaluable contributions of Joyce Brocaglia, president and CEO of Alta Associates, Inc., in the making of this guide. Founded in 1986, Alta Associates is widely respected as a leading information security recruiting firm, helping global enterprises build world-class information security departments for 23 years. For more information, please visit
(09/09)