Certification programs in computer security have been provided by government agencies, professional organizations, and private corporations. By examining the certification requirements set by these certification bodies, I hope to identify common themes, which will provide useful insights into the design of a computer security curriculum. The identified certification programs include the Certified Information Systems Auditor (CISA) program, the Certified Information Systems Security Professional (CISSP) program, the SNAP program, and the SAGE program.
The Certified Information Systems Auditor (CISA®) program was established in 1978 by the Information Systems Audit and Control Association (ISACA). The CISA certification focuses on five domain areas: Information Systems Audit Standards and Practices and Information Systems Security and Control Practices (8%); Information Systems Organization and Management (15%); Information Systems Process (22%); Information Systems Integrity, Confidentiality, and Availability (29%); and Information Systems Development, Acquisition, and Maintenance (26%).
The Certified Information Systems Security Professional (CISSP) program was created by the International Information Systems Security Certification Consortium (ISC), which is supported by the Computer Security Institute (CSI), the Information Systems Security Association (ISSA), the Canadian Information Processing Society (CIPS), and other industry presences (Power 1997). CISSP certification requires participants to pass the CISSP exam, which consists of questions covering 10 test domains: Access Control Systems & Methodology; Computer Operations Security; Cryptography; Application & Systems Development; Business Continuity & Disaster Recovery Planning; Telecommunications & Network Security; Security Architecture & Models; Physical Security; Security Management Practices; Law, Investigations & Ethics.
The SNAP program administered by GIAC of the SANS Institute is designed to serve the people who are or will be responsible for managing and protecting important information systems and networks. The GIAC program consists of a Level One Module covering the basics of information security followed by advanced and targeted Level Two Subject Area Modules. The Level One module consists of 18 elements: Information Assurance Foundations; IP Concepts; IP Behavior; Internet Threat; Computer Security Policies.