Thursday, April 10, 2008

Certifications Galore .... a listing from the top of my head

Why does it always happen that procrastinating, intermittently dedicated, taxed-for-time bloggers like myself get a rush of blogorenalin (blogging adrenalin) in proportion to the current intellectual biorhythm? Well, I really do not know, and I shall surely spend some time (whenever I have more of this commodity) researching this paradox. In the meanwhile, back to my task for the day ........ this blog.

This task is actually one which is very close to my heart, and as a die-hard InfoSec person I want to extend my reach to anyone and everyone who wants to take up this profession. I will always try to make time for anyone who wants to discuss their career path and options in the quest for certification, so here I am going to try to create the mother of all lists: a list of certifications related to the Information Security domain, which includes GRC (Governance, Risk and Compliance), BCP/DR, ERM, IdM, etc.

Until I create separate sections for each of these certifications providing additional information, I am providing links to the website of the organization which conducts the exam and provides the certification. There is a disclaimer too (it is a dangerous world and disclaimers are necessary before making any claims :) )
........ this list may be the mother of all lists, but it does not claim to be complete; neither do I claim that a similar certification is not provided by any other organization. There are a lot of organizations, each respected and recognized, offering various certifications - for example there are a number of organizations which offer certifications in Risk Management and I may have listed only a couple of them. This list is in no particular order, and you will note it is not alphabetical either !!

This list will guide you to the various certifications. Check this out, then check out the salary survey. Then list your skills and your goals......... and decide what you want to do !! Research each certification and you will find others. I have made an effort to list the most well known ones (at least these are the ones I have come across in my experience and interactions with InfoSec professionals) ........ Yes, if you can contribute to this list, please do drop a comment on this page.

[1] Certified Information Systems Auditor (CISA)
[2] Certified Information Security Manager (CISM)
[3] Certified Information Systems Security Professional (CISSP)
[4] Certified Internal Auditor (CIA)
[5] Certified Fraud Examiner (CFE)
[6] Certified Business Continuity Professional (CBCP)
[7] ITIL (is not a certification in itself, but has certification levels; the three listed here are the ITIL v2 levels, and the scheme is being revised)
- ITIL Foundation
- ITIL Practitioner
- ITIL Manager
[8] ISO 27001 (again this is not a certification in itself, but there are certifications for implementers and for Lead Auditors. There are a number of institutions providing the training leading to certification as:
- ISO:27001 Implementation professional
- ISO:27001 - Lead Auditor
[9] Certified Ethical Hacker (CEH)
[10] Certified Information Privacy Professional (CIPP)
[11] Certified Vulnerability Assessor (CVA)
[12] GIAC Certified Forensic Analyst (GCFA)
[13] SIA's Certified Security Project Manager (CSPM)
[14] Certified in the Governance of Enterprise IT™ (CGEIT™)
[15] EnCase® Certified Examiner (EnCE®)

Wednesday, December 12, 2007

Certification Considerations.....

So you are considering a professional Certification ?
Great !

Go for it.... you have the experience and the knowledge. A professional certification will give you the stamp of credibility in the industry and will establish your command over the knowledge. And you are sure to get [a] a raise, or [b] a better paying job, [c] greater respect, and [d] people will listen to you.

However, tread carefully - plan ahead on what skills you want to pursue. In what skill area do you want to get certified? The reason is simple - certifications do not come cheap. And in certain countries this cost can blow a BIG hole in your pocket.

Simply put - do some due diligence so that your decision makes financial sense, or at the very least you know what you are walking in to.

Consider these factors; in fact you must investigate in depth all the costs associated with the certification before you take the plunge.

Factor # 1 : Membership of the professional body.
You may need to be a member of the organization to sit for the certification exam. Some organizations give a member discount which will offset the amount you spend on membership. You may have to pay an initiation fee along with the membership fee, so please check it out.

Then there are annual fees and if you don't pay you cannot retain your certification.

When are you signing up? At the end of the year? Check with the organization whether your fees cover the calendar year or a year from the date you sign up! You can be hit pretty badly if you pay an annual fee in the last week of December and it turns out to be for the calendar year !!

# 2 : Chapter Fees.
Usually the organization will have local chapters worldwide, with which you will have to be affiliated. The local chapters have their own annual fees.

# 3 : Examination Fees
Exams are usually scheduled once or twice a year, or may be available on demand at Prometric centers.
The fees can vary from US $200 to $500 or more depending on the certification you are interested in. Check the costs in case you want to drop out or defer the exam to the next schedule, and also the re-exam fees. Don't expect any discount for a re-exam (!), so study well and crack it in the first attempt.

# 4 : CPE
These three letters ensure that you continuously upgrade your knowledge of the subject, and this must be demonstrated with appropriate evidence.

You will need Continuing Professional Education points (CPEs), and every certification has different demands in terms of the number of hours you have to report each year to keep your certification in good health.

# 5 : Certification Fees
Yes, there is a certification fee too, which is distinct from the membership fee. This is the amount you pay for keeping your certification alive; keeping it healthy is what the CPEs are for!

# 6 : Pre-Qualification requirements
Your experience may not be considered sufficient to allow you to appear for the examination, and there may be a pre-qualification requirement. For example, PMI requires a minimum of 35 contact hours of project management education before your application to sit for the PMP certification exam can be accepted (PDUs, by contrast, are what you report afterwards to maintain the certification).
This means doing a 35 hour program with a PMI accredited institution, and the cost can be from $1000 up.

# 7 : Examination material, Education, Training costs
You will need examination reference and study materials, which means purchasing some books and question banks from the organization, other online courses, or the Body Of Knowledge (BOK) published by the organization.

Training costs are another number you have to consider; you can look at online training courses, review courses offered by the organization, or private tutoring.

So you have to check the cost of your 'entry level' study materials (usually the official course materials) from the organization's book store, plus the cost of training, plus the cost of any additional books and reference materials.

Finally you have the intangible cost - the time you devote to the study leading up to the exam.

# 8 : Are you qualified to be certified ?

Remember, passing the examination usually does not mean that you are certified, because you may have to fulfill the requirements of submitting proof of experience, education, etc., and if you do not meet the criteria you have to wait for a year or whatever period before you qualify.
This means that you may have to pay the membership fees but not be able to use the certification, and if you do not pay the fees for that period then you may lose the benefit of having passed the exam by the time you can submit the certification request.

# 9 : Do I need this ?
Yes, do you need this certification? I mean, you are a network professional and you are pursuing a certification in Privacy.... so does this make sense? Are you just doing it because your best friend is doing it, or because "everyone" is doing it? Or are you considering a job change? Otherwise you end up with an expense for a certification you will never use. Money down the drain.

# 10 : An example
I carry the CISA certification and these are my cost factors. (I shall update with the costs as and when I pull them out from my records.)

I would be lying if I said that I knew all this before I sat for the exam, but I do know it now, and I happily pay up since my certification has surely helped me in my profession and given a substantial boost to my income. I see my annual expense as maintenance, which is what it is.

Membership of ISACA in 2004, 2006, 2007, 2008
Chapter membership (Mumbai) 2004 and 2005
Chapter membership (Toronto) 2006
CISA Exam Fees
CISA review Classes (Mumbai) Rs. 7500
CISA Review Manual
Hours spent studying for the exam
CISA Certification fees
17 hrs CPE reported 2007

Put all your costs into a spreadsheet and know and understand your final one-time and recurring costs.

Wednesday, December 5, 2007

Certifications Galore

So you want to get ahead in the InfoSec domain...... and you are already in the profession, or you want in. Either way there is a lot to do and zillions of options available.

While you go in for a new certification, remember that your work experience is of paramount importance. Most of these are professional certifications, which means that you are working or have work experience in the specialization and are seeking the certification which will establish your knowledge leadership.

Here I shall try to put together as many certification / education resources as I can identify, and if I have missed any, I shall welcome any pointers.

Highly recognized certifications are:
- ITIL (is not a certification in itself, but has certification levels)
- ISO 27001 (again this is not a certification in itself, but there are certifications for implementers and for Lead Auditors)

There are certifications in Governance, Risk Management, Forensics, Fraud, Testing, Methodologies, etc. ....... practically every area of the GRC domain.

With time this space will have links and information about the certifications, their pre-requisites and available resources.