Wednesday, January 30, 2013

Guest Post: How and Why the Security+ Certification Sets the Baseline for the Information Assurance Industry

Information assurance, or IA, is the strategic management and mitigation of risk to information systems. Its domain is broader than that of information security, which focuses more on technical strategy and implementation. The CompTIA Security+ certification is ideal for IA professionals because it addresses competency in security risk as well as specific technologies.

Security+ Certifies Top IA Skills
The CompTIA Security+ is a vendor-neutral certification that tests information assurance across industries and brands. As IT has many vendors offering proprietary solutions, a certification of vendor-neutral competency tells employers that the certificate holder can work with multiple platforms. Most importantly for IA, certification demonstrates risk management skills that transcend a given technology.

The Security+ certification is designed for IT security professionals with at least two years of direct experience. Candidates are expected to have intermediate-level knowledge and practice in securing these critical areas:

- Networking
- Operations
- Threats and vulnerabilities
- Server and client applications
- Data and cryptography
- Access control and identity management

All of these concerns fall within the domain of the IA professional. As IA focuses on risk management and mitigation, it takes a holistic approach to information security. IA must consider all aspects, from access control for off-site contractors to vulnerabilities in a given network protocol. While no one is an expert in everything, IA professionals need at least an intermediate knowledge of major domains in order to devise effective risk strategies. The Security+ certification sets the benchmark for this level of competency.

Security+ Certification Strengthens Operations Security
The Security+ certification includes operational security, which is the safeguarding of critical information from an organization's adversaries. Taken without context, such information often seems innocuous or fragmented. However, IA experts rate its value from the perspective of an adversary. They identify key data assets, help define the sources of threat, and look for vulnerabilities in the organization’s operational processes. An important part of this effort is to analyze the existing data flow rather than the playbook. IA professionals ask: What is really going on versus what is intended? Only then can they assess risk and develop countermeasures against threats.

By testing operational security, the Security+ certification is setting a standard for IA knowledge. The certification puts the arcane-sounding OPSEC into the tool set of any organization. Unfortunately, many businesses lag behind in operational security and in fact would be hard-pressed to define it. They have risk managers and technical experts but often lack the IA combination of both. However, as more IT professionals pursue Security+ certification, the situation will continue to improve.

The Security+ certification is suitable for IT specialists in security architecture, systems administration, network engineering, and more. The common thread among candidates is the ability to think like an IA professional. This means deploying technical competency within the framework of risk management and operational strategy. As IA matures, the Security+ certification tells employers and clients who likely has the right stuff.

About the Author
Megan Horner is the Marketing Coordinator for TrainACE. TrainACE offers IT certification and cyber security training classes nationally, such as the Security+ Certification, CEH and MCSA.