SearchSecurity.com guide to information security certifications

BROWSE BY TAG Information Security Career Advisor,   CISSP Certification,   Information Security Careers, Training and Certifications,   Security Industry Certifications,   VIEW ALL TAGS

RELATED CONTENT Information Security Career Advisor Stay or jump ship? How to be happy with your infosec job Entering 2010: The economy and the state of information security Straight from the inbox: Your infosec career questions answered Creating a personal brand in information security How to prepare for an information security job interview Top social networking sites to boost your information security career An introduction to Information Security Career Advisor How to prepare for a layoff or 'career incident' Guide to vendor-specific information security certifications The vendor-neutral information security certification landscape CISSP Certification Information security book excerpts and reviews Some IT security certifications are overvalued, analyst says Q2 2009 data shows IT security certification pay still climbing Why doesn't the CISSP cover information assurance and DIACAP? IT security skills and certification pay Despite recession, pay climbs for top IT security certifications Security skills pay increases despite economic downturn How do I get CPE credits? Finding a security management job after an economic downturn What is the GISP certification and how does it compare to the CISSP certification? CISSP Certification Research Security Industry Certifications Compliance strategy: How to become an internal IT auditor Straight from the inbox: Your infosec career questions answered Despite recession, information security certification pay continues to climb Creating a personal brand in information security Some IT security certifications are overvalued, analyst says Q2 2009 data shows IT security certification pay still climbing An introduction to Information Security Career Advisor Security jobs survey finds fewer budget cuts, lower security salaries IT security skills and certification pay Despite recession, pay climbs for top IT security certifications

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Certified Information Systems Security Professional  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

cence of the platform (Windows Server 2000), lack of information available (Cisco IPS) or lack of substantial security content (NCTE and NCDE).

Of course, it's been a year since we last revisited this material, so it's not too surprising that there's been a lot of change. Although the overall numbers for credentials have dropped by a net of 50 (11 vendor-neutral, 5 Brainbench exams, 23 GIAC specialist items and 11 vendor-specific certifications), there are still many options available for interested IT professionals to ponder.

In fact, the sheer number of credentials can make navigating the security certification landscape a dizzying experience. Simply identifying the vast array of offerings can be time consuming and overwhelming -- never mind determining which certification best fits your situation. This SearchSecurity.com Guide to Infosec Certifications provides an overview of the myriad options, whether you're just embarking on a journey up the information security career ladder or wish to hone your skills in a specialized area. After you have perused the options available to you, visit our Security School for resources to help you prepare for the CISSP exam and expand your knowledge of information security practices. If you have feedback on how we can improve this Guide to Infosec Certifications, please let us know.

TABLE OF CONTENTS
  [IMAGE] General security -- Basic
  [IMAGE] General security -- Intermediate
  [IMAGE] General security -- Advanced
  [IMAGE] Forensics/antihacking -- Basic
  [IMAGE] Forensics/antihacking -- Intermediate
  [IMAGE] Forensics/antihacking -- Advanced
  [IMAGE] Specialized
  [IMAGE] Additional resources

[IMAGE]  General security -- Basic[IMAGE] Return to Table of Contents

• GIAC -- Global Information Assurance Certification Program
  This program seeks to identify individuals who can demonstrate knowledge of and the ability to manage and protect important information systems and networks. The SANS organization is well known for its timely, focused and useful security information and certification program. A shining star on this landscape, the GIAC program aims at serious, full-time security professionals responsible for designing, implementing and maintaining a state-of-the-art security infrastructure that may include incident handling and emergency response team management. Available entry-level certifications include the following:
  
  • GIAC Certified ISO-17799 Specialist (G7799)
  • GIAC Information Security Fundamentals (GISF)
  • GIAC Information Security Professional (GISP)
  • GIAC IT Security Audit Essentials (GSAE)
  • GIAC Operations Essentials Certification (GOEC)
  • GIAC Security Essentials Certification (GSEC)
  Source: Global Information Assurance Certification
  
  
• Security Certified Network Specialist (SCNS)
  This entry-level security certification focuses on tactical perimeter defense -- firewalls, intrusion detection and router security. The SCNS is the starting point for individuals who want to attain the Security Certified Network Professional and Security Certified Network Architect certifications. (Please note that the SCNS and a revised version of the SCNP will be available some time during the second quarter of 2007.)
  Source: Security Certified Program
  
  
• Security+
  This security certification focuses on important security fundamentals related to security concepts and theory, as well as best operational practices. In addition to functioning as a standalone exam for CompTIA, Microsoft accepts the Security+ as an alternative to one of the specialization exams for the MCSA and MCSE Security specializations, and Symantec accepts Security+ as part of the requirements for the Symantec Certified Technology Architect credential.
  Source: CompTIA Security+ Certification Overview
  
  
• SSCP -- Systems Security Certified Practitioner
  The entry-level precursor to the ISC²'s CISSP, the SSCP exam covers seven of the 10 domains in the CISSP Common Body of Knowledge. The exam focuses more on operational and administrative issues relevant to information security and less on information policy design, risk assessment details and other business analysis skills that more germane to a senior IT security professional (and less so to a day-to-day security administrator, which is where the SSCP is really focused).
  Source: (ISC)²
  
  
• Wireless#
  This entry-level certification recognizes individuals who have an essential understanding of leading wireless technologies such as Wi-Fi, Bluetooth, WiMAX, ZigBee, Infrared, RFID and VoWLAN. It also covers basic WLAN security issues and best related practices. To obtain this credential, candidates must pass one exam.
  Source: Planet3 Wireless
  
  

[IMAGE]   General security -- Intermediate [IMAGE] Return to Table of Contents

• BISA -- Brainbench Information Security Administrator
  This Brainbench certification tests knowledge of networking and Internet security, including authorization, authentication, firewalls, encryption, disaster recovery and more.
  Source: Brainbench
  
  
• CAP – Certification and Accreditation Professional
  The CAP aims to identify individuals who can assess and manage the risks that security threats can pose within an organization, particularly in the government and enterprise sectors. This is a credential that deals with processes and practices, and works in tandem with emerging compliance requirements (Sarbanes-Oxley, HIPAA, and so forth) as well as emerging best industry governance standards (ITIL).
  Source: ISC²
  
  
• CWSP -- Certified Wireless Security Professional
  This certification recognizes individuals who can design, implement and manage wireless LAN security. To obtain this credential, candidates must pass two exams.
  Source: Planet3 Wireless
  
  
• GIAC -- Global Information Assurance Certification Program
  This cert program seeks to identify individuals who can demonstrate knowledge of and the ability to manage and protect important information systems and networks. The SANS organization is well known for its timely, focused and useful security information and certification program. A shining star on this landscape, the GIAC program aims at serious, full-time security professionals responsible for designing, implementing and maintaining a state-of-the-art security infrastructure that may include incident handling and emergency response team management. Available intermediate certifications include the following:
  • GIAC Assessing Wireless Networks (GAWN)
  • GIAC Certified Firewall Analyst (GCFW)
  • GIAC Certified Intrusion Analyst (GCIA)
  • GIAC Certified Incident Manager (GCIM)
  • GIAC Certified Security Consultant (GCSC)
  • GIAC Certified Incident Handler (GCIH)
  • GIAC Certified Windows Security Administrator (GCWN)
  • GIAC Certified UNIX Security Administrator (GCUX)
  • GIAC Legal Issues (GLEG)
  • GIAC Securing Oracle Certification (GSOC)
  • GIAC Security Leadership (GSLC)
  • GIAC Systems and Network Auditor (GSNA)
  Source: Global Information Assurance Certification
  
  
• SCNP -- Security Certified Network Professional
  This mid-level security certification focuses on strategic infrastructure security, including packet structure analysis, security policies, risk analysis, ethical hacking techniques, Internet security, cryptography, and hardening Linux and Windows systems. Individuals who attain this certification will be able to work as full-time IT security professionals with an operations focus. As of Q2 2007, the SCNS (described in the section on entry level certifications in this guide) is required as a pre-requisite for those pursuing this credential.
  Source: Security Certified Program
  
  
• SCNA -- Security Certified Network Architect
  This is a mid- to senior-level security certification that focuses on concepts, planning and implementation of enterprise security topics, such as Private Key Infrastructure, biometric authentication and identification systems, digital certificates, cryptography and more. Individuals who attain this certification will be able to implement these technologies within organizations or as consultants to such organizations.
  Source: Security Certified Program

[IMAGE]  General security -- Advanced[IMAGE] Return to Table of Contents

• CERI-ACSS -- Advanced Computer System Security
  The CERI-ACSS seeks to identify law enforcement officials with advanced computer crime investigation experience and training. Requirements include two years of computer investigation/debugging, three years of Microsoft platform analysis, one year of non-Microsoft platform analysis, 40 hours of approved training, a written exam and successful completion of hands-on exercises. (Note: because of its "double coverage" this item also appears in the Forensics/antihacking – Advanced section as well.)
  Source: Cyber Enforcement Resources Inc.
  
  
• CISM -- Certified Information Security Manager
  The CISM demonstrates knowledge of information security for IT professionals responsible for handling security matters, issues and technologies. This cert is of primary interest to IT professionals responsible for managing IT systems, networks, policies, practices and procedures to make sure organizational security policies meet governmental and regulatory requirements, conform to best security practices and principles, and meet or exceed requirements stated in an organization's security policy.
  Source: Information Systems Audit and Control Association
  
  
• CISSP -- Certified Information Systems Security Professional
  The CISSP demonstrates knowledge of network and system security principles, safeguards and practices. It is of primary interest to full-time IT security professionals who work in internal security positions or who consult with third parties on security matters. CISSPs are capable of analyzing security requirements, auditing security practices and procedures, designing and implementing security policies, and managing and maintaining an ongoing and effective security infrastructure. CISSP candidates must have four years of experience (or a college degree plus three years of experience; a Master's Degree in Information Security counts toward one year of experience).
  Source: (ISC)²
  
  
• CPTS -- Certified Pen Testing Specialist
  An offering from Iowa-based training company, Mile2, this credential stresses currency on the latest exploits, vulnerabilities and system penetration techniques. It also focuses on business skills, identification of protection opportunities, testing justifications and optimization of security controls to meet business needs and control risks and exposures. The credential is structured around a five-day course that's backed up by the CPTS or Certified Ethical Hacker exam, both delivered by Prometric.
  Source: Mile2
  
  
• CPP -- Certified Protection Professional
  The CPP demonstrates a thorough understanding of physical, human and information security principles and practices. The most senior and prestigious IT security professional certification covered in this article, the CPP requires extensive on-the-job experience (nine years or seven years with a college degree), as well as a profound knowledge of technical and procedural security topics and technologies. Only those who have worked with and around security for some time are able to qualify for this credential.
  Source: American Society for Industrial Security (ASIS)
  
  
• GIAC -- Global Information Assurance Certification Program
  This cert program seeks to identify individuals who can demonstrate knowledge of and the ability to manage and protect important information systems and networks. The SANS organization is well known for its timely, focused, and useful security information and certification program. A shining star on this landscape, the GIAC program aims at serious, full-time security professionals responsible for designing, implementing and maintaining a state-of-the-art security infrastructure that may include incident handling and emergency response team management. The GIAC Security Engineer (GSE) track is the most senior-level certification in that program. Candidates must complete three intermediate-level GIAC certifications (GSEC, GCIA and GCIH), earning GIAC Gold in at least two of them, and pass two proctored exams to qualify for this certification. There's also the GIAC .NET Certification (GNET), which we've decided to upgrade to an advanced level because of the extensive programming knowledge and experience required to earn this credential.
  GNET Source: Global Information Assurance Certification
  
  GSE Source: Global Information Assurance Certification
  
  
• ISSAP -- Information Systems Security Architecture Professional
  The ISSAP permits CISSPs to concentrate further in information security architecture and stresses the following elements of the CBK:
  • Access control systems and methodologies
  • Telecommunications and network security
  • Cryptography
  • Requirements analysis and security standards, guidelines and criteria
  • Technology-related business continuity and disaster recovery planning (BCP and DRP)
  • Physical security integration
  Source: (ISC)²
  
  
• ISSEP -- Information Systems Security Engineering Professional
  The ISSEP permits CISSPs who work in areas related to national security to concentrate further in security engineering, in cooperation with the NSA. The ISSEP stresses the following elements of the CBK:
  • Systems security engineering
  • Certification and accreditation
  • Technical management
  • U.S. government information assurance regulations
  
  Source: (ISC)²
  
  
• ISSMP -- Information Systems Security Management Professional
  The ISSMP permits CISSPs to concentrate further in security management areas and stresses the following elements of the CBK:
  • Enterprise security management practices
  • Enterprise-wide system development security
  • Overseeing compliance of operations security
  • Understanding BCP, DRP and continuity of operations planning (COOP)
  • Law, investigations, forensics and ethics
  Source: (ISC)²
  
  
• PSP -- Physical Security Professional
  Another high-level security certification from ASIS, this program focuses on matters relevant to maintaining security and integrity of the premises, and access controls over the devices and components of an IT infrastructure. Key topics covered include physical security assessment, and selection and implementation of appropriate integrated physical security measures. Requirements include five years of experience in physical security, a high school diploma (or GED) and a clean criminal record.
  Source: ASIS International: Physical Security Professional



• QIAP -- Qualified Information Assurance Professional
  Security University's QIAP certification combines coverage of key information security topics, tools and technologies with a hands-on, lab-oriented learning and testing program. To obtain QIAP certification, security professionals must complete three courses on topics such as:
  • Access, authentication and Public Key Infrastructure
  • Network security policy and security-oriented architect
  • Certification and accreditation
  Students must also take and pass three exams, one per course.
  Source: Security University
  
  
• QISP -- Qualified Information Security Professional
  Security University's QISP certification combines coverage of key information security topics, tools and technologies with a hands-on, lab-oriented learning and testing program. SU offers QISP certification with four concentrations: analyst/penetration tester, Security hacker/defender, edge protection and forensics. To obtain QISP certification security professionals must complete five courses, depending on their concentration. Students must also take and pass a demanding exam.
  Source: Security University
  
  
• QSSE -- Qualified Software Security Expert
  Security University's QSSE certification combines coverage of key software security topics, tools and technologies with a hands-on, lab-oriented learning and testing program. To obtain QSSE certification, security professionals must complete a software security bootcamp and six courses on topics such as:
  • Penetration testing
  • Breaking and fixing Web applications
  • Breaking and fixing software
  • Secure software programming
  • Software security ethical hacking Reverse engineering
  
  Source: Security University
  
  

[IMAGE]   Forensics/antihacking -- Basic [IMAGE] Return to Table of Contents

• BCF -- Computer Forensics (U.S.)
  The Computer Forensics (U.S.) certification is designed for experienced individuals who can analyze and collect evidence, recognize data types, follow proper examination procedures and initial analysis, use forensic tools, prepare for an investigation, and report findings.
  Source: Brainbench
  
  
• CCCI -- Certified Computer Crime Investigator (Basic)
  The CCCI is one of four computer forensic certifications aimed at law enforcement and private IT professionals seeking to specialize in the investigative side of the field. Basic requirements include two years of experience (or a college degree, plus one year of experience), 18 months of investigative experience, 40 hours of computer crimes training and documented experience from at least 10 investigated cases.
  Source: High Tech Crime Network certifications
  
  
• CCFT -- Certified Computer Forensic Technician (Basic)
  The CCFT is one of four computer forensic certifications aimed at law enforcement and private IT professionals seeking to specialize in the investigative side of the field. Basic requirements include three years of experience (or a college degree, plus one year of experience), 18 months of forensics experience, 40 hours of computer forensics training and documented experience from at least 10 investigated cases.
  Source: High Tech Crime Network certifications
  
  
• CEECS -- Certified Electronic Evidence Collection Specialist Certification
  The CEECS identifies individuals who successfully complete the CEECS certification course. No prerequisites are required to attend the course, which covers the basics of evidence collection in addition to highly technical terminology, theories and techniques.
  Source: International Association of Computer Investigative Specialists
  
  
• CERI-CFE -- Computer Forensic Examination
  The CERI-CFE seeks to identify law enforcement officials with basic computer crime investigation experience and training. Requirements include two years of computer investigation/debugging, one year of Microsoft platform analysis, six months of non-Microsoft platform analysis, 40 hours of approved training, a written exam and successful completion of hands-on exercises.
  Source: Cyber Enforcement Resources Inc.
  
  
• NSA -- EC-Council Network Security Administrator
  The NSA identifies individuals who can evaluate internal and external security threats against a network, and develop and implement security policies. One exam is required.
  Source: EC-Council

[IMAGE]   Forensics/antihacking -- Intermediate [IMAGE] Return to Table of Contents

• CCE -- Certified Computer Examiner
  The CCE, by the International Society of Forensic Computer Examiners, seeks to identify individuals with no criminal record who have appropriate computer forensics training or experience, including evidence gathering, handling and storage. In addition, candidates must pass an online examination and successfully perform a hands-on examination on three test media.
  Source: International Society of Forensic Computer Examiners
  
  
• CEH -- Certified Ethical Hacker
  The CEH identifies security professionals capable of finding and detecting weaknesses and vulnerabilities in computer systems and networks by using the same tools and applying the same knowledge as a malicious hacker. Candidates must pass a single exam and prove knowledge of tools used both by hackers and security professionals.
  Source: EC-Council
  
  
• CFCE -- Computer Forensic Computer Examiner
  The International Association of Computer Investigative Specialists (IACIS) offers this credential to law enforcement and private industry personnel alike. Candidates must have broad knowledge, training or experience in computer forensics, including forensic procedures and standards, as well as ethical, legal and privacy issues. Certification includes both hands-on performance-based testing as well as a written exam.
  Source: International Association of Computer Investigative Specialists
  
  
• CHFI -- Computer Hacking Forensic Investigator
  The CHFI is geared toward personnel in law enforcement, defense, military, information technology, law, banking and insurance, among others. To obtain CHFI certification, a candidate needs to successfully complete one exam.
  Source: EC-Council
  
  
• CNDA -- Certified Network Defense Architect
  The CNDA is geared toward IT personnel who act as penetration testers or legitimate hackers to test the strength and integrity of a network's defense. To obtain CNDA certification, a candidate needs to successfully complete one exam.
  Source: EC-Council
  
  
• CSFA -- CyberSecurity Forensic Analyst
  The CSFA aims to identify individuals who are interested in information technology security issues, especially at the hardware level. Prerequisites include attendance of the CyberSecurity Institute's Computer Forensics Core Competencies course or at least one of the following certifications:
  • AccessData Certified Examiner (ACE)
  • Certified Forensic Computer Examiner (CFCE)
  • Certified Computer Examiner (CCE)
  • Computer Hacking Forensic Investigator (CHFI)
  • EnCase Certified Examiner (EnCE)
  • GIAC Certified Forensics Analyst (GCFA)
  In addition, candidates should have at least 18 months of experience performing forensic analysis of Windows FAT and NTFS file systems and writing forensic analysis reports. Candidates must have no criminal record.
  Source: CyberSecurity Institute
  
  
• ECSA -- EC-Council Certified Security Analyst
  The ECSA identifies security professionals capable of using advanced methodologies, tools and techniques to analyze and interpret security tests. Candidates must pass a single exam to achieve certification. The EC-Council recommends that candidates take a five-day training course to prepare for the exam.
  Source: EC-Council
  
  
• GIAC -- Global Information Assurance Certification Program
  This cert program seeks to identify individuals who can demonstrate knowledge of and the ability to manage and protect important information systems and networks. The SANS organization is well known for its timely, focused, and useful security information and certification program. A shining star on this landscape, the GIAC program aims at serious, full-time security professionals responsible for designing, implementing and maintaining a state-of-the-art security infrastructure that may include incident handling and emergency response team management. The program includes one mid-level forensics certification -- GIAC Certified Forensics Analyst (GCFA).
  Source: Global Information Assurance Certification

[IMAGE]  Forensics/antihacking -- Advanced[IMAGE] Return to Table of Contents

• CCCI -- Certified Computer Crime Investigator (Advanced)
  The CCCI is one of four computer forensic certifications aimed at law enforcement and private IT professionals seeking to specialize in the investigative side of the field. Advanced requirements entail three years of experience (or a college degree, plus two years of experience), four years of investigations, 80 hours of training and involvement as a lead investigator in 20 cases, with involvement in over 60 cases overall.
  Source: High Tech Crime Network certifications
  
  
• CCFT -- Certified Computer Forensic Technician (Advanced)
  The CCFT is one of four computer forensic certifications aimed at law enforcement and private IT professionals seeking to specialize in the investigative side of the field. Basic requirements include three years of experience (or a college degree, plus one year of experience), 18 months of forensics experience, 40 hours of computer forensics training and documented experience from at least 10 investigated cases. Advanced requirements entail three years of experience (or a college degree, plus two years of experience), four years of investigations, 80 hours of training and involvement as a lead investigator in 20 cases with involvement in over 60 cases overall.
  Source: High Tech Crime Network certifications
  
  
• CERI-ACFE -- Advanced Computer Forensic Examination
  The CERI-ACFE seeks to identify law enforcement officials with advanced computer crime investigation experience and training. Requirements include two years of computer investigation/debugging, four years of Microsoft platform analysis, two years of non-Microsoft platform analysis, 80 hours of approved training, a written exam and successful completion of hands-on exercises.
  Source: Cyber Enforcement Resources Inc.
  
  
• CERI-ACSS -- Advanced Computer System Security
  The CERI-ACSS seeks to identify law enforcement officials with advanced computer crime investigation experience and training. Requirements include two years of computer investigation/debugging, three years of Microsoft platform analysis, one year of non-Microsoft platform analysis, 40 hours of approved training, a written exam and successful completion of hands-on exercises. (Note: because of double coverage, this item is also listed under the General Security – Advanced section as well.)
  Source: Cyber Enforcement Resources Inc.
  
  
• CPTE -- Certified Pen Testing Expert
  This credential stresses currency on the latest exploits, vulnerabilities and system penetration techniques. It also focuses on business skills, identification of protection opportunities, testing justifications and optimization of security controls to meet business needs and control risks and exposures. The CPTE covers many of the same topics as the lower level CPTS certification but in much more depth and breadth. The CPTE credential is structured around a five-day course that's backed up by the CPTE exam.
  Source: Mile2
  
  
• LPT -- Licensed Penetration Tester
  The LPT identifies security professionals who can thoroughly analyze the security of a network and recommend appropriate corrective measures. An LPT must adhere to a strict code of ethics, best practices and appropriate compliance requirements while performing penetration tests. Prerequisites include EC-Council's CEH and ECSA certifications, and candidates must submit an LPT application, endorsement by a sponsoring agency, proof of a clean background check, detailed resume and an agreement to abide by a code of ethics. In addition, candidates must attend a three-day LPT training program through an EC-Council accredited training center.
  Source: EC-Council
  
  
• PCI -- Professional Certified Investigator
  This is a high-level certification from the American Society for Industrial Security (ASIS is also home to the CPP and PSP certifications) for those who specialize in investigating potential cybercrimes. Thus, in addition to technical skills, this certification concentrates on testing individuals' knowledge of legal and evidentiary matters required to present investigations in a court of law, including case management, evidence collection and case presentation. This cert requires five years of investigation experience, with at least two years in case management (a bachelor's degree or higher counts for up to two years of such experience) and a clean legal record for candidates.
  Source: ASIS International

[IMAGE]  Specialized[IMAGE] Return to Table of Contents

• CCSA -- Certification in Control Self-Assessment
  The CCSA demonstrates knowledge of internal control self-assessment procedures, primarily aimed at financial and records controls. This cert is of primary interest to those professionals who must evaluate IT infrastructures for possible threats to financial integrity, legal requirements for confidentiality and regulatory requirements for privacy.
  Source: Institute of Internal Auditors
  
  
• CFE -- Certified Fraud Examiner
  The CFE demonstrates ability to detect financial fraud and other white-collar crimes. This cert is of primary interest to full-time security professionals in law, law enforcement or those who work in organization with legal mandates to audit for possible fraudulent or illegal transactions and activities (such as banking, securities trading or classified operations).
  Source: Association of Certified Fraud Examiners
  
  
• CFSA -- Certified Financial Services Auditor
  The CFSA identifies professional auditors with thorough knowledge of auditing principles and practices in the banking, insurance and securities financial services industries. Candidates must have a four-year degree or a two-year degree with three years of experience in a financial services environment, submit a character reference and show proof of at least two years of appropriate auditing experience. To obtain this certification, candidates must pass one exam.
  Source: The Institute of Internal Auditors
  
  
• CGAP -- Certified Government Auditing Professional
  The CGAP identifies public-sector internal auditors who focus on fund accounting, grants, legislative oversight and confidentiality rights, among other facets of internal auditing. Candidates must have an appropriate four-year degree or a two-year degree with five years of experience in a public-sector environment, submit a character reference and show proof of at least two years of direct government auditing experience. To obtain this certification, candidates must pass one exam.
  Source: The Institute of Internal Auditors
  
  
• CIA -- Certified Internal Auditor
  The CIA cert demonstrates knowledge of professional financial auditing practices. The cert is of primary interest to financial professionals responsible for auditing IT practices and procedures, as well as standard accounting practices and procedures to insure the integrity and correctness of financial records, transaction logs and other records relevant to commercial activities.
  Source: Institute of Internal Auditors
  
  
• CISA -- Certified Information Systems Auditor
  The CISA demonstrates knowledge of IS auditing for control and security purposes. This cert is of primary interest to IT security professionals responsible for auditing IT systems, practices and procedures to make sure organizational security policies meet governmental and regulatory requirements, conform to best security practices and principles, and meet or exceed requirements stated in an organization's security policy.
  Source: Information Systems Audit and Control Association
  
  
• ECSP -- EC-Council Certified Secure Programmer
  The ECSP identifies programmers who can design and build relatively bug-free, stable Windows- and Web-based applications with the .NET/Java Framework, greatly reducing exploitation by hackers and the incorporation of malicious code. Candidates must attend a Writing Secure Code training course and pass a single exam.
  Source: EC-Council
  
  
• Security5
  Security5 certification identifies non-IT office workers and home users who understand Internet security terminology, know how to use defense programs such as antivirus and antispyware applications, can implement basic operating system security and follow safe Web and e-mail practices. Candidates must attend a two-day course and pass one exam.
  Source: EC-Council

[IMAGE]  Additional resources[IMAGE] Return to Table of Contents

• Analysis of the security certification landscape
  Ed Tittel and Kim Lindros offer their insight on the state of the security certification landscape, including a certification plan that individuals can start at any point, depending on current knowledge, skills and experience.
  
  
• Security School: Training for CISSP certification
  SearchSecurity.com partners with Shon Harris, CISSP and author of CISSP All-in-One Exam Guide, to bring you a series of webcasts and additional study materials on each of the ten domains of the Common Body of Knowledge.
  
  
• Credentials: To be or not to be certified
  It's a good idea to revisit your career and education goals at least once a year.
  
  
• Does job security for security technology jobs exist?
  One key to job security in the infosec field is maintaining your education.
  
  
• Guide to vendor-specific security certs
  Ed Tittel and Kim Lindros provide an overview of vendor-specific security certifications.

About the authors
Ed Tittel is a full-time freelance writer, trainer and consultant who's written more than 140 books including his latest Guide to TCP/IP third edition with lead author Laura Chappell. Ed has been active in the computing industry for more than 20 years as a software developer, manager, writer and trainer.

Kim Lindros has more than 20 years of experience in the computer industry, from technical support specialist to network administrator to book and course content manager. She has edited and developed more than 300 IT-related books and online courses, and co-authored two certification books and numerous online articles with Ed. Kim runs Gracie Editorial, a content development company.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.