In the past five years, the inrush of regulation at the national and regional levels has significantly transformed the business of security. In the United States, laws such as the Sarbanes-Oxley Act, HIPAA, GLBA, data security breach laws like California's SB-1386, and FISMA have made the adoption of many security practices a matter of regulatory compliance, rather than merely a measure to avoid worst-case security scenarios.
Though not a government-mandated compliance guideline, the PCI Data Security Standard deserves special mention as highly successful "private" regulation imposed by the major credit card brands. PCI DSS compliance has become essential for businesses that want to continue processing credit card data without risking fines and sanctions.
Many security pros -- both veterans and those who are new to the field -- often find themselves learning about the intersection of security and regulations during the compliance process itself. However, CISSP certification often aids infosec practitioners in their efforts to succeed when thrust into situations where compliance is driving the corporate information security agenda.
CISSP Common Body of Knowledge
The Certified Information Systems Security Professional, or CISSP, is offered by the International Information Systems Security Certification Consortium (ISC)2, and seeks to provide an objective baseline for measuring competency. The CISSP Common Body of Knowledge (or CBK) defines the knowledge base required of CISSP candidates. The CBK consists of 10 categories that CISSP candidates are expected to be familiar with in order to pass the rigorous CISSP certification exam. The categories are:
- Access control
- Telecommunications and network security
- Information security and risk management
- Application security
- Cryptography
- Security architecture and design
- Operations security
- Business continuity and disaster recovery planning
- Legal, regulations, compliance and investigations
- Physical (environmental) security
Security regulation certainly touches on all 10 of these areas. For instance, the "Legal, regulations, compliance and investigations" category used to be called "Law, investigations and ethics" a few years ago. The change represents the most visible acknowledgment that a major aspect of security is associated with compliance to laws and regulations. Within this category, the CISSP candidate is expected to have an understanding of information security-related regulation not only in the U.S., but also increasingly in other parts of the world.
The other categories have begun to cover compliance as well. For instance, job rotation, separation of duties and responsibilities, and security incident handling are important matters in security regulations; these are covered in "Operations security". Similarly, "Physical security" covers perimeter security and equipment protection, activities required by many security regulations.
"Security architecture and design" covers the security models used to build access control policies and mechanisms. In the era of regulations, this topic is apt to be used more often than in the past. Likewise, "Telecommunications and network security" covers the gamut of technologies and practices for protecting data communications. In the Internet era, this category is well exercised. The other categories in the CBK likewise cover activities required by one or more security laws.
CISSP's complementary role in regulation
The major focus of the CISSP certification is security technology and management, but the functional areas in the realm of regulation and compliance are "softer" areas that are somewhat removed from security itself. These areas are covered by security governance and management, a part of the "Information security and risk management" category.
A CISSP experienced in governance and management will have little trouble understanding much of the security regulation in force today, particularly those regulations that are more prescriptive, such as HIPAA and PCI. And the CISSP CBK covers virtually all of the security technology areas, which aids the CISSP in knowing how to carry out specific regulations.
However, there are compliance-related tasks for which the CISSP certification does not prepare its candidates. Activities such as business controls development, internal audits and the interpretation and application of regulations are barely touched on in the CISSP world. Other certifications, such as the Certified Information Systems Auditor (CISA), focus on controls and internal audits.
About the author
Peter H. Gregory, CISA, CISSP, is responsible for both security and compliance at a financial services organization in Redmond, Washington. He is the author of CISSP For Dummies, Securing the Vista Environment, and a dozen other books on security and technology.