Packet 5 Lecture - Organizations Providing Resources For Professionals

Learning Packet 1: Organizations Providing Resources for Professionals

1.0 Learning Outcome

After completing this module, you will be able to:

a. Identify organizations that provide resources for information assurance
professionals.
b. Describe the codes of ethics that information assurance professionals
should observe.

1.1 Introduction
Because of the eclectic nature of information assurance, you need some basic
structure to guide you. The first step is to define certification and professionalism.
Both are quickly becoming recognized as critical factors in the success of corporations
and government agencies alike.
Indeed, information assurance and security are often cited as core competencies
in industry and government redesign. Prahalad and Hamel referred to corporate core
competencies as the roots of competitiveness.
Professional certification is a procedure for identifying individuals who have a
common education and experience, who demonstrate a quantifiable level of knowledge
and skills, and who subscribe to a code of professional ethics.
As organizations become more reliant on information systems, information
assurance professionals must make formidable efforts to secure those systems against
a myriad of threats. A security professional should be equipped with knowledge in all
areas of information assurance and should observe the highest code of professional
ethics in order to help an organization protect its information.
Organizations and institutions exist to train and equip security professionals by
providing security-related information, guidelines, best practices, frameworks, and
certification. This module presents the background and functions of some of these
organizations. It also explores the codes of ethics that these organizations promote for
security professionals.

Organizations Providing Resources for Professionals


This section outlines some of the well-known organizations that provide
professional certifications. Before pursuing a certification, individuals should consider
its relevance to their job requirements and its recognition within the industry.
A professional certification standard has four characteristics:
• Agreement on certification criteria specific to ethics, education, and experience, and
a course of study that meets a prescribed set of standards. This is done by establishing a
common body of knowledge that is agreed upon by recognized leaders in the
information security field.
• Creation and validation of a testing program that is professionally supervised by
individuals skilled in test development (ISO/IEC 17024).
• Definition of an acceptable level of work experience required to qualify an individual
for certification.
• Examination to demonstrate a quantifiable level of knowledge. Mastery of the
common body of knowledge is one indication of competency in this field; performance
testing is another.
Organizations should understand the different certification bodies and the drivers
behind their missions.

1.2 Topics/Discussion

(ISC)2 International Information Systems Security Certification Consortium

The International Information Systems Security Certification Consortium, (ISC)2,
is a nonprofit, vendor-neutral organization known for its guidance on best practices in
information assurance. Established in 1989, (ISC)2 provides certification for more than
120,000 professionals. Its certification programs include the Certified Information
Systems Security Professional (CISSP), Systems Security Certified Practitioner (SSCP),
Certified Authorization Professional (CAP), Certified Cyber Forensics Professional
(CCFP), HealthCare Information Security and Privacy Practitioner (HCISPP), and
Certified Secure Software Lifecycle Professional (CSSLP).
For those who have several years of working experience in information assurance
or networking and intend to develop a career in this field, the CISSP is the
recommended certification to pursue. With more than 120,000 members, (ISC)2 is the
largest and most senior computer security certifying organization, and its certifications
cover a comprehensive body of information assurance knowledge.

 Computing Technology Industry Association


The Computing Technology Industry Association (CompTIA) is a nonprofit
trade association that provides a broad spectrum of professional certifications
including A+, Network+, and Security+. Additionally, CompTIA provides
Cloud+ for implementing secure clouds, Mobile App Security+ for secure mobile
deployments, and Social Media Security Chapter 5 Organizations Providing
Resources for Professionals 51 Part I Professional for secure social media use.
CompTIA’s certifications are vendor neutral, and proceeds are directly
reinvested into programs. CompTIA has been offering a wide range of
certifications for more than 20 years in the United States, Indian, Japan, South
Africa, and the United Kingdom.

 Information System Audit and Control Association


Since 1967, the Information System Audit and Control Association (ISACA)
has been involved in the research and expansion of knowledge in information
technology governance. Security and audit experts globally know it for the
3
LEARN
Learning Packet 1
ING
PACKE Certified Information Systems Auditor (CISA) and Certified Information Security
Manager (CISM) professional certifications. CISA is generally recommended for
information security auditors, whereas CISM is recommended for those who are
involved in managerial-related information security tasks. In addition, ISACA
publishes the Control Objectives for Information and Related Technology
(COBIT) standard, which provides management and business process owners
with an IT governance model that helps in delivering value from IT and
understanding and managing the risks associated with IT.

 Information System Security Association


As a nonprofit organization, the Information System Security Association
(ISSA) since 1984 has been organizing and facilitating various information
system security initiatives. An example would be conducting forums and
knowledge-sharing programs on the information system security environment.
These efforts contribute to enhancing the knowledge and skills of practitioners.
ISSA’s main function is to ensure the confidentiality, integrity, and availability of
information resources by promoting good management practices.

 SANS Institute
The SysAdmin, Audit, Network and Security (SANS) Institute was
established as a privately held training organization involved in cooperative
research in 1989. The organization conducts certifications in specialized areas
such as forensic analysis, incident handling, and security audits along with the
Global Information Assurance Certificate (GIAC). The institute is involved in
delivering and maintaining one of the largest collections of research documents
on information security. The SANS Institute provides various free resources on
information security–related news, vulnerabilities, alerts, and warnings. There
are various tracks and certification programs provided by SANS Institute. They
are recommended for highly technical professionals who deal with
implementing and operating technology.

 Disaster Recovery Institute, International


Established in 1988, the Disaster Recovery Institute, International (DRII)
focuses on gathering and building contingency planning and risk management
knowledge. Educational programs managed by DRII are in the areas of business
continuity planning and management. Published standards and industry best
practices by DRII are to promote knowledge sharing and act as a common
knowledge reference for the business continuity planning/disaster recovery
industry.

 Business Continuity Institute


The Business Continuity Institute (BCI) was founded in 1994 with the
ambition of ensuring that the provision and maintenance of business continuity
planning and services are of the highest quality. Business continuity practitioners
4
LEARN
Learning Packet 1
ING
PACKE often refer to BCI for guidance on maintaining high professional competency
standards and commercial ethics.

Deciding Among Certifications


Some of the decision criteria that inform an analysis of the value of a certification
include the following:
• How long has the certification been in existence?
• Does the certification organization's process conform to established standards?
• How many people hold the certification?
• How widely respected is the certification?
• Does the certification span industry boundaries?
• What is the probability that five or ten years from now the certification will still be
useful?
• Does the certification span geographic boundaries?
The answers to these questions provide insight into the value of a certification to both
the potential employee and the employer.

 Codes of Ethics
Different individuals may have different perceptions of ethics. You may have
heard of the term ethical hacker.
What makes the action of a hacker legitimate and ethical? The action
would be legitimate and ethical if consent of the owner is obtained prior to
performing an assessment of system security. The consent necessary for ethical
hacking is simply the application of one code of ethics among those found in
professional security organizations.
Even if an action is not ethical, it may still be legal. Organizations should
develop guidelines on computer or business ethics and disseminate this
information to their employees through awareness or training sessions.
These ethical guidelines show stakeholders and employees that
management is sincere in developing and supporting an ethical environment
within the organization. This will limit the occurrence of unethical conduct
within the organization eventually.
Certifying organizations may require their certified security professionals
to comply fully with their code of ethics. By reference to these guidelines,
organizations and the information assurance community can establish ethical
guidelines to conform to local custom and in accordance with national laws and
regulations in this area.
Table 5-1 summarizes the codes of ethics from organizations such as
(ISC)2, SANS Institute, ISACA, ISSA, BCI, and Computer Ethics Institute (CEI).

1.3 References
Schou, C., & Hernandez, S. Information Assurance Handbook.

1.4 Acknowledgment
The images, tables, figures and information contained in this module were taken
from the references cited above.
