
COMPLIANCE COUNSELOR

CISSP certification can serve as introduction to regulatory compliance


Peter H. Gregory
05.16.2007


In the past five years, the inrush of regulation at the national and regional levels has significantly transformed the business of security. In the United States, laws such as the Sarbanes-Oxley Act, HIPAA, GLBA, data security breach laws like California's SB-1386, and FISMA have made the adoption of many security practices a matter of regulatory compliance, rather than merely a measure to avoid worst-case security scenarios.

Though not a government-mandated compliance guideline, the PCI Data Security Standard deserves special mention as highly successful "private" regulation imposed by the major credit card brands. PCI DSS compliance has become essential for businesses that want to continue processing credit card data without risking fines and sanctions.

Many security pros -- both veterans and those who are new to the field -- often find themselves learning about the intersection of security and regulations during the compliance process itself. However, CISSP certification often aids infosec practitioners in their efforts to succeed when thrust into situations where compliance is driving the corporate information security agenda.

CISSP Common Body of Knowledge
The Certified Information Systems Security Professional, or CISSP, is offered by the International Information Systems Security Certification Consortium, (ISC)², and seeks to provide an objective baseline for measuring competency. The CISSP Common Body of Knowledge (or CBK) defines the knowledge base required of CISSP candidates. The CBK consists of 10 categories that CISSP candidates are expected to be familiar with in order to pass the rigorous CISSP certification exam. The categories are:

  • Access control
  • Telecommunications and network security
  • Information security and risk management
  • Application security
  • Cryptography
  • Security architecture and design
  • Operations security
  • Business continuity and disaster recovery planning
  • Legal, regulations, compliance and investigations
  • Physical (environmental) security

Security regulation certainly touches on all 10 of these areas. For instance, the "Legal, regulations, compliance and investigations" category used to be called "Law, investigations and ethics" a few years ago. The change represents the most visible acknowledgment that a major aspect of security is associated with compliance with laws and regulations. Within this category, the CISSP candidate is expected to have an understanding of information security-related regulation not only in the U.S., but also increasingly in other parts of the world.

The other categories have begun to cover compliance as well. For instance, job rotation, separation of duties and responsibilities, and security incident handling are important matters in security regulations; these are covered in "Operations security". Similarly, "Physical security" covers perimeter security and equipment protection, which are required activities in many security regulations.

"Security architecture and design" covers security models that are used to build access control policies and models. In the era of regulations, this topic is apt to be used more often than in the past. Likewise, "Telecommunications and network security" covers the gamut of technologies and practices covering the protection of data communications. In the Internet era, this category is well exercised. The other categories in the CBK likewise cover activities required by one or more security laws.

CISSP's complementary role in regulation
The CISSP certification focuses mainly on security technology and management, but the functional areas in the realm of regulation and compliance are "softer" areas that are somewhat removed from security itself. These areas are covered by security governance and management, a part of the "Information security and risk management" category.

A CISSP experienced in governance and management will have little trouble understanding much of the security regulation in force today, particularly those regulations that are more prescriptive such as HIPAA and PCI. And the CISSP CBK has covered virtually all of the security technology areas, which aid the CISSP in knowing how to carry out specific regulations.

However, there are compliance-related tasks for which the CISSP certification does not prepare its candidates. Activities such as business controls development, internal audits and the interpretation and application of regulations are barely touched on in the CISSP world. Other certifications, such as the Certified Information Systems Auditor (CISA), focus on controls and internal audits.

About the author
Peter H. Gregory, CISA, CISSP, is responsible for both security and compliance at a financial services organization in Redmond, Washington. He is the author of CISSP For Dummies, Securing the Vista Environment, and a dozen other books on security and technology.
