Know more about EXIN’s unique information security program
1. Simple competence certification!
EXIN’s unique Information Security Certification Program (based on ISO/IEC 27002)
Benefits and differences
By Marc Taillefer
2012.03.15
2. Simple competence certification!
Objective for an organization: reduce risk by improving awareness and practical skills in security.
Principle: people are the solution; processes and technology are needed to support people.
Agenda:
• Many personal certifications: which one is better?
• Different international standards
• EXIN’s program
• The “unsecured” factor in security: the people
3. Personal certifications!
Certified Information Security Manager (CISM), awarded by ISACA
Requirements:
5+ years of experience in information security, including 3 years in information security management
• Information risk management
• Managing incidents
• Corporate governance
• 200 multiple-choice questions (exam held twice a year)
ISACA created the CISM to help foster a better fusion between IT auditing and information security perspectives.
4. Personal certifications!
Certified Information Systems Security Professional (CISSP), awarded by (ISC)²
Accredited under the ISO/IEC 17024:2003 standard
• 5+ years of direct full-time security work experience in two or more of the ten (ISC)² information security domains
• OR the Associate of (ISC)² designation, obtained by passing the CISSP exam
• Criminal history and related background check
• 6-hour exam, 250 multiple-choice questions, 70% required to pass
• Exam @ $450, last-minute registration @ $100, annual fee @ $85
Based on the CIA triangle of confidentiality, integrity and availability
5. Different international standards
Information technology, security techniques — Information security management systems
• ISO 27000: Security overview and vocabulary
• ISO 27001: Requirements
• ISO 27002: Code of practice for information security management
• ISO 27003: Information security management system implementation guidance
• ISO 27013: Guidelines on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
• ISO 20000-1: Information technology -- Service management -- Part 1: Service management system requirements
6. Different international standards
Governance
Information security
• IT service management system
• Information security management system (27001)
• Code of practice (27002, control objectives)
• Guidelines on people involvement and competence (10018, PCMMI …)
Auditing / compliance: 19001, 27008:2011, 27007
7. Different international standards
• Competent people for implementation and third-party management
• Inform third-party people, candidates, contractors
• Activities to make people aware of …
• Adapted to their roles and responsibilities
… so they understand
… so they know who to contact for additional information
… so they know how to report incidents
• Disciplinary sanctions!! (a specific process, to be just and fair)
• Change of position or leaving the organization
8. Code of practice (27002)
NOTE: Items 1, 2 and 3 are introduction items
9. Code of practice (27002)
6.1 Internal organization
• … management framework for information security
• Roles and responsibilities should be defined for the information security function.
• Contacts should be established with relevant authorities (e.g. law enforcement) and special interest groups. Information security should be independently reviewed.
10.1 Operational procedures and responsibilities
• IT operating responsibilities and procedures should be documented.
• Duties should be segregated between different people where relevant.
10. Code of practice (27002)
Section 8: Human resources security
8.1 Prior to employment
Security responsibilities … when recruiting permanent employees, contractors and temporary staff:
• job descriptions
• pre-employment screening
• terms and conditions of employment
• signed agreements on security roles and responsibilities
During employment: management responsibilities
• All should be made aware of, and educated in, security procedures
8.3 Termination or change of employment / contract
11. Code of practice (27002)
11.3 User responsibilities
Users should be made aware of their responsibilities towards maintaining effective access controls.
13.1 An incident reporting/alarm procedure is required
• plus the associated response
• and escalation procedures
• employees, contractors etc. should be informed of their incident reporting responsibilities.
12. Different EXIN programs
EXIN, the Examination Institute for Information Science
• global, independent IT examination
• qualification programs for:
• ITSM20, based on ISO/IEC 20000:2011
• Information Security, based on ISO/IEC 27002
• Cloud
• ITIL®
• Green IT
• MOF
• ASL
• BiSL
• TMap
• PRINCE2®
EXIN enables professionals and organizations to turn their skills into a reputation. www.exin.com
13. EXIN’s Cloud program connection with security
Cloud computing, EXIN’s exam requirements:
3.1 The candidate understands the security risks of cloud computing and knows mitigating measures (10%)
The candidate can:
3.1.1 Describe the essential elements of security in the cloud (Confidentiality, Integrity and Availability)
3.1.2 Describe the standard measures for authorized use (Authentication, Authorization and Accountability)
3.1.3 Describe the main security risks for the three types of virtualized environments
14. EXIN’s ITSM20 connection with information security
Foundation level: … Information Security management
3.1.1 Describe the objectives and quality requirements of the delivery processes
3.1.2 Describe the best practices of the delivery processes
2.3 Associate level:
2.3.1 Identify risks
2.3.2 Define mitigating actions
2.3.3 Monitor risks
15. EXIN’s security programs
Foundation target group:
• intended for everyone in the organization who is processing information
• entrepreneurs of small independent businesses for whom some basic knowledge of information security is necessary
• a good start for new information security professionals
16. EXIN’s security programs
ISFS Foundation exam
Mastery level: 40 questions, 60 minutes, in understanding
10% - Information and Security
• The Concept of Information
• Value of Information
• Reliability Aspects
30% - Threats and Risks
• Threat and Risk
• The Relationships between Threats, Risks and the Reliability of Information
10% - Approach and Organization
• Security Policy and Security Organization
• Components of the Security Organization
• Incident Management
40% - Measures
• Importance of Measures
• Physical Security
• Technical Security
• Organizational Measures
10% - Legislation and Regulations
17. EXIN’s security programs
Advanced target group:
Everyone involved in the implementation, evaluation and reporting of information security, such as:
• Information Security Manager (ISM)
• Information Security Officer (ISO)
• Line Manager
• Process Manager
• Project Manager
18. EXIN’s security programs
ISMAS Advanced exam
Mastery level: 30 questions, 90 minutes, in analyzing
20% - Security policy and plan
• Information security policy
• … plan
30% - Organization of information security
• Design of information security
• Function (roles)
15% - Risk analysis
• Classification of information and management of capital assets
• Risk analysis method
10% - Standards
• Application of standards ISO/27001 & 27002
15% - Compliance
• Legislation and regulations
• Protection of personal data
• Agreements and contracts
10% - Evaluation
• Quick review
• Audit
19. EXIN’s security programs
Expert level target group:
IT professionals responsible for the partial or overall set-up and development of structural information security
• Chief Information Security Officer
• Information Security Manager
• Business Information Security Architect
22. Different standards
23. Personal certifications!
People beyond the certification!
Understand why!
Reflect on the understanding, level by level!
Enthuse to know more, even if we are in a rapid-pace world!
Ask to inform others!