
Comunidade Portuguesa de Segurança da Informação
Information Security Community Portugal




“BattleGround Internet”: Careers in Information Security

It is hard to demarcate and define boundaries on the Internet. There is ambiguity about where exactly you can put up a signpost and ask an intruder to stop trespassing into corporate and government cyberspace, and confusion about which jurisdiction applies to attackers who break into private networks. These are the hard-to-answer questions facing governments and businesses around the world that are exposed to such threats. The need of the hour is qualified experts who can simplify Information Security Management for governments and businesses.

Information Security
“Once we know our weaknesses, they cease to do us any harm.”
-- G.C. LICHTENBERG (1742–1799) GERMAN PHYSICIST, PHILOSOPHER

Understanding the weaknesses associated with your business-critical information and business-critical assets is one of the key factors for survival in an intensely competitive marketplace. From a Government's perspective, for example, ensuring that the computer systems which control major electrical supply grids, nuclear installations, airline systems and important financial institutions such as stock markets and banks are secure is critical to protecting the lives of citizens and the economic viability of the country.

From a business perspective, protecting trade secrets, keeping expansion plans safe from competitors and keeping intellectual property, employee and financial records safe from prying hands is extremely important to ensure the confidence of customers, shareholders and business partners, and ultimately to ensure success in the marketplace.

Information Security Management Systems (ISMS)
The most important step is the realization that securing critical information is not a technical solution comprising firewalls, anti-virus software and intrusion detection systems. Rather, these technical components fall under a broad umbrella termed an “Information Security Management System” (ISMS). A firm with a well-defined Information Security Management System essentially has a structured process which involves identification of critical information and assets, periodic risk analysis to find the vulnerabilities and threats to these assets, and finally cost-effective controls such as firewalls, IDSs, user training, physical security measures, etc. to protect these assets. This entire process is repeated regularly to ensure that protection is continuous and kept up to date.

A qualified Information Security expert can successfully design and deploy an Information Security Management System for an organization.



Need of the Hour: The Armored Warriors (Information Security Experts)
Standards, regulations, laws, and the configuring and deploying of firewalls, IDSs and anti-virus systems are all quite overwhelming for traditional IT management. This has given rise to a high demand for qualified Information Security Experts who can take over the process of establishing and certifying a high-standard Information Security Management System in an organization.

Information Security Experts are normally classified into two categories: Process Experts and Technical Experts.


Process Experts
These are the professionals who can interpret standards, conduct risk analysis and vulnerability assessments, interview users and senior management, develop policies, present Information Security as an investment rather than an expenditure, train management and users, and ultimately design and put an Information Security Management System in place. You could even coin the term “Risk Management Experts” for this tribe.

Some of the most sought-after qualifications for process experts today are CISA (Certified Information Systems Auditor), BS7799/ISO 27001 I/LA (Implementer/Lead Auditor) and CISSP (Certified Information Systems Security Professional). These qualifications are essentially certifications which an IT professional with a prerequisite amount of experience (4 years in an Information Security domain) can acquire by passing a written exam. Though it may sound simple, a CISA or CISSP exam is exhaustive, with a vast syllabus, difficult portions to master and a considerable financial investment. Moreover, after passing the exam the candidate has to get his certification request endorsed by a person of good standing before the credentials are granted. On the positive side, these qualifications are highly respected in the industry, with a high ROI (Return on Investment) for the qualifying professional.

Technical Experts
Technical experts are the knights in shining armor who build defenses around your critical computer systems. They are instrumental in deploying firewalls, Intrusion Detection Systems, encryption systems, anti-virus suites, user identity management systems, etc., which ward off attackers, worms and viruses. In short, they face up to malicious hackers and fight the battle to protect critical information stored in computers.

Starting off as a Technical Expert is the best way to launch a career in Information Security. Some of the most sought-after qualifications/certifications in the technical area of Information Security are Check Point and CompTIA certifications. These certifications demonstrate mastery in understanding and deploying network defenses.

International Standards and Regulations
It is heartening to note that progressive countries have taken the initiative and recognized the importance of protecting critical information by formulating standards and regulations in Information Security. In essence, these standards describe a well-defined Information Security Management System.

Prominent amongst these standards is the BS7799 Information Security Management System standard, which has been adopted by ISO as Standard 17799. Today more than 45 firms in India, including the big-wigs, and more than 750 firms world-wide are BS7799 certified. The other important standards are HIPAA (Health Insurance Portability and Accountability Act) for the protection of individuals' private health information, GLBA (Gramm-Leach-Bliley Act), which deals with financial privacy, the Data Protection Act and the Sarbanes-Oxley Act.

Information Security Experts today can specialize in international standards by attending training and achieving certifications such as BS7799 Lead Auditor/Lead Implementer, HIPAA Certified Professional, etc.

What is even more encouraging to note is that private enterprises have realized the importance of compliance with the above-mentioned standards. Smart and enterprising businesses even flaunt their compliance with these standards as a business tool to attract customers and stay ahead of the competition.

Growing Market for Information Security Services in India
Riding on the outsourcing wave, the top-level IT service providers in India have launched Managed Security Services aimed at the overseas market. Professionals deployed by firms in India manage security for clients in the USA and UK and help them comply with standards like BS7799, HIPAA, Sarbanes-Oxley, etc. Another new dimension in Information Security is the advent of Remotely Managed Security Services, whereby a firm engages a service provider to remotely monitor and manage its firewalls, IDSs, etc. from a Security Operations Center. The indirect benefit has been the growing demand for Information Security professionals.

Closing Note
“A firewall is only as good as its administrator”, meaning that Information Security is not a technical solution but a well-defined and continuously practiced human-involved process.

Text by Anup Narayanan, a member of the ISMS PT Community. He is the Managing Director and Senior Consultant of Athena Consulting, an Information Security consultancy with clientele based in India and the USA. He can be reached at anup@juvenaconsulting.com. His firm is in the process of being reconstituted as Juvena Consulting Pvt. Ltd.

Date 12.10.05
