Konkuk University Medical Center and its ... - Korea IT Times
How to...

has to be reentered. You have to hire temps to come in and do the work, meanwhile no one has access to the data. Will this day ever end? If you had an Information Assurance (IA) or Information Security program, then user awareness training might have prevented the first guy from inserting the thumb drive into his computer. Awareness training and a good security architecture might have prevented the employee in HR from sending out unencrypted confidential data or the former employee from intercepting it. A robust backup strategy and routine vulnerability assessments for the database could have saved the inconvenience of manually updating the restored database. Did you say that auditors are coming to check on information handling policy compliance?

Clearly you need an Information Assurance (IA) professional to establish your IA program and keep it up and running. But where do you find one, and then how do you know if he or she is any good? If you run a job vacancy announcement, you are likely to receive the resumes of every hacker wannabe, reformed script-kiddie and junior James Bond within the commuting area. They will try to impress you with tales of their exploits in the underworld of computer hackery. Intermingled with the resumes of these ill-qualified aspiring cyber-warriors will be a handful of resumes from true IA professionals. But how can one tell them apart? That's where the (ISC)² comes in.

The International Information Systems Security Certification Consortium, Inc., or (ISC)², headquartered in the United States and with offices in London, Hong Kong and Tokyo, is the global, not-for-profit leader in educating and certifying information assurance professionals throughout their careers. They are recognized for Gold Standard certifications and world-class education programs. In November of 1988, “The Consortium” was formed among several professional organizations to create a global information security certification process for professionals and address the need for a standardized curriculum for the burgeoning profession. A series of strategy and planning meetings were held at Idaho State University and in Salt Lake City, Utah in the US.

By 1992 the consortium had finalized creation of what is known as the Common Body of Knowledge, or the CBK, for Information Security Professionals. The CBK refers to the ten “domains” of information assurance, which include Access Control; Application Development Security; Business Continuity and Disaster Recovery Planning; Cryptography; Information Security Governance and Risk Management; Legal, Regulations, Investigations and Compliance; Operations Security; Physical (Environmental) Security; Security Architecture and Design; and Telecommunications and Network Security. The (ISC)² has a number of certification programs where candidates are qualified at various stages in the development of their Information Assurance careers. At the end of the bad day described above, the cert holder that you are looking for is the Certified Information Systems Security Professional, or CISSP. The (ISC)² has established criteria for becoming a candidate for the certification, which include completion of at least five full years of experience in information security / assurance and sponsorship by someone who is already a CISSP.

Once accepted as a candidate, certification requires successful completion of a 250-question written test of the candidate's knowledge of the CBK, which must be completed within six hours. Most professionals prepare for approximately six months prior to taking the exam. The pass / fail rate is about 70 percent. Today, there are approximately 60,000 CISSPs worldwide. Just because a person has the CISSP certification doesn't mean that they are an expert in all ten domains, or any of them for that matter. In fact, that is one of the knocks on the program. They say that the certification requires understanding these topics in the way a river might be described – a mile wide and a foot deep. In other words, in order to pass the exam a person has to have a broad knowledge of the concepts, but it does not require deep knowledge in any of them in order to pass. It's this writer's experience that the person you select to implement your IA program should at least be an expert in one of the domains, and the more the better.

Obviously, there are a great many factors that one must consider when hiring an employee. The CISSP certification isn't perfect, but with all things being equal, pick the person who has those initials after their name, as opposed to the one that doesn't.

Robert E. Weimer / bob@koreaittimes.com
www.koreaittimes.com