I have been asked on numerous occasions by different people what my feelings are regarding security certifications. I have collated the types of questions I get under the following headings and summarised my answers.

What determines the usefulness of certification schemes?

The market. Individuals would not spend money and time on seeking certification if it did not influence their pay packet. Similarly, companies can save time and reduce risk when hiring by specifying a minimum certification level for prospective candidates.

Companies invest in certification schemes such as ISO 27001 to use as a marketing tool when selling to other organisations. The exception to this rule is government agencies, which employ certifications to demonstrate best practice.

Are Certifications Worth It?

In the main, yes, as certification signifies that a person or organisation has taken the time and effort to prove that their expertise and experience meet a recognised level. However, not all certifications are created equal, and with the wide range of certifications available, each one aimed at a different level and with a different function, we need to ensure that the focus is not on what pieces of paper someone has managed to get but rather on how well that person can apply their knowledge and experience. The IT industry, and in particular the Information Security sector, are in effect unregulated industries.

What is the most appropriate way to evaluate the state of a product/person/process prior to issuing a certificate?

This depends on the item being certified. For people, an exam to demonstrate knowledge and peer review to demonstrate application and understanding of that knowledge. For products and organisations it has to be independent third-party analysis.

Are there links between different certification schemes?

The only links I can think of are within the ISO standards, e.g. 9000, 20000 and 27001. They all touch on security in various ways, and the work done for one standard can be applied to the others. Technical certifications for individuals can be interlinked, as the knowledge gained in one can be used in another, although the person has to learn the language of the different schemes.

Are there areas where the government should mandate the use of schemes? On the other hand, are there areas in which the government should not interfere?

Other products and technology have to meet certain standards, such as safety features in cars. I believe that the government should look at setting a minimum standard that security products and operating systems must meet before they can be sold. The US government demanded that vendors develop a secure baseline installation for it, based on standards recommended by the Center for Internet Security. We should demand a similar standard for any computer systems, applications or services provided to the market.

What are the pros and cons of Common Criteria? Can we make a security “driver’s license” mandatory for IT security professionals? Should there be an accreditation of personal security certification schemes? Is it useful to require compliance with ISO 27001 for government contracts?

Yes, we should have a recognised minimum standard for IT security professionals. This standard, though, should be non-commercial and provided by a validated trusted third party. It could be similar to the US Department of Defense's Information Assurance Workforce Improvement Program. As with the question above regarding the value of certifications, we need to remember that a qualified professional is not necessarily good at their job.

I am not so sure regarding compliance with ISO 27001 for government contracts. This could place an unfair burden on smaller companies competing against larger organisations with more resources and budget to manage a compliance project. Compliance could be a requirement for government contracts that involve sensitive information or working in sensitive areas, e.g. providing services to law enforcement agencies. However, we would need to start by having the relevant government bodies also in compliance with the standard. I would also be concerned that compliance would be seen as being secure; the two are not the same thing. You can be compliant with a standard but not necessarily secure as a result. Companies could also end up spending time and valuable resources on being compliant rather than on being secure.