Getting Certified (Part II): Security Certs

Well, what about security certifications? There are useful guides to certifications at and. Arguably, the better internationally known certifications listed there are CISSP and SCNP. One recent addition to this arena is the Certified Ethical Hacker (CEH). Its course outline provides a very good background on what you should know as a security tester; whether the course content itself is any good is another matter.

Also have a look at Bruce Schneier's thoughts on security certifications, along with Marcus Ranum's counterpoint.

Then there are government certifications. In the UK, they apply to security companies and personnel who may work on government projects, which are usually not for public consumption. These accreditations allow cleared companies to work on such projects whilst adhering to some stringent rules. The thinking behind this is that the government gets an independent review of its systems from a pool of accredited testers. The Communications-Electronics Security Group (CESG) sets the standard for the security of communications and data, and runs a number of accreditation schemes for companies. These include the CESG Listed Adviser Scheme (CLAS), which focuses on the audit and policy side of security, and CHECK, which provides a more technical audit and health check of systems, although the latter is being phased out by the Council of Registered Ethical Security Testers (CREST).

On the other side of the pond, it is a bit unclear who would be allowed to work on government projects, but there appear to be agencies for that very thing. For example, the US has the National Institute of Standards and Technology (NIST), which among other things publishes the Federal Information Processing Standards (FIPS). Canada has a similar agency in the Communications Security Establishment Canada (CSEC).
