Domain: isc2.org
Stories and comments across the archive that link to isc2.org.
Comments · 45
-
Re: Yes and no...
You didn't answer the question: what CSO training programs exist out there? None.
Well I'd start by expecting professional qualifications such as CISSP or at least one or more GIAC certifications...
Particularly GIAC Security Leadership or GIAC Strategic Planning, Policy, and Leadership.
-- Pete
-
Re:cyber security jobs
So for someone who has been in s/w and specification development for many years would have a hard time accepting this kind of salary.
It sounds like this comes from personal experience. If you have some years in IT in general you could leverage that to getting your CISSP. The ISC2 requires 5 years experience in two of the eight domains. Since it sounds like you were a developer before, you can claim experience in software development security, and another likely domain would be Identity and asset management if your applications had login requirements.
From there go sit for the CISSP (after a bit of self study if needed). Then, if you pass, find an ISC2 member to endorse you, or if you do not know one you can ask the ISC2 to endorse you themselves, which mainly consists of sending them a resume justifying why you claim you have 5 years of experience in two or more of the knowledge domains. While people have varying opinions on the usefulness of a CISSP, it does help get your resume past the HR goons for more senior positions. Good luck.
-
General Security
Generalized security is mostly bullshit. It's all an inch deep over a broad area. For it to be worth a shit you need to be a specialist who understands a particular area and knows enough about it to understand how to secure it.
But as far as what bullshit security certification generates the most cash in your pocket? I'd guess CISSP. -
Re:Certs
Somewhat expensive?
Cost:
https://www.isc2.org/uploadedF... (it's a pdf so...) In addition there's an "experience waiver".
https://www.isc2.org/credentia... Yeah aspx, you can tell they know their security (eyeball roll)
-
Re:But where/when does one explicitly learn securi
Security is its own specialty and is generally a subset of a broad education in IT proper, not software development. Very few schools would teach you even the basics. CS just isn't security on its own. If you really want to learn something CS specific take this (CSSLP - Certified Secure Software Lifecycle Professional), it will make you more knowledgeable in secure coding than 95% of all programmers regardless of education or experience. It is also quite a bit harder than anything a recent CS grad would have encountered, that is why ITSec is so much fun.
-
Re:[OT] A+ = F
Well, CISSP is a little heavy for someone applying for a Level 1 IA personnel (PC technician or whatever).
CISSP requires 5 years of experience before you sit the exam, and a reference from an isc2 member.
Security+ is probably more of an option for low-level personnel, though it's more advanced material than the A+. -
CISSP
Get your CISSP cert https://www.isc2.org/CISSP/Default.aspx
-
Re:Certification are a waste of money
Not all certs are meaningless. Sure, most people who can study a book can pass a certification test. Some of course are harder than others. That being said, they do have meaning.
They show that some people are willing to put in the effort, time and money to pass a certification. Also, some certifications are required for certain positions. The CISSP for example. Go see https://www.isc2.org/dod-fact-sheet.aspx#whatis which explains what some of DOD Directive 8570.1 is.
Me, when I hire, I do require a CISSP, not just because I like the piece of paper (trust me, I spent years actively avoiding getting my own, I think it is a money making racket in some cases), but it is required by many of the contracts I consult on.
-
Code of Ethics Violation?
CISSP has a Code of Ethics:
https://www.isc2.org/ethics-complaint-procedures.aspx
https://www.isc2.org/ContactUs/default.aspx -
Re:Security researchers or confidential informants
Has "security researcher" become the code for confidential informant? Why else would the "researcher" go out of his way to "inform" the FBI?
Because we follow a Code of Ethics as any professional would, unlike yourself obviously seeing as the concepts involved appear foreign to you.
Why do articles even call them "security researchers"?
Because we do research in the field of security?
And what is the official function of a security researcher?
My job description says "....you will be identifying and locating security vulnerabilities, threats and risks in many different security contexts in live and simulated environments... you will be proficient in the current trends relating to security issues such as current and emerging Advanced Persistent Threats, current and emerging technologies, methodologies and counter-measures... you will follow a code of ethics in regards to your conduct within the company and without... "
Example Code of Ethics
(ISC)2 Code of Ethics -
Don't worry!
If the universities fail to produce enough security experts, ISC2 is happy to convert your tech support guy into a CISSP for the low rate of $600, and $200 a year thereafter! If you order now, you can also get a CAP certification along with a free toaster.
-
No quick fix...
There is no quick fix for computer security.
It takes time to learn about security issues.
It takes time to practice solving each issue.
It takes practice to fight against poorly written code and poorly managed servers.
It takes diligence to ensure your partners and employees don't screw you too. Multi-authenticated processes are probably the best check where no single person has access to the servers, code, database or data. It takes something I don't have to convince users, accountants and CEOs that they need to take this effort seriously. A reputation burned can never be regained, just ask Monster.com.
Anyone who claims a firewall solves it is wrong.
Anyone who claims server code solves it is wrong. True security is inconvenient. The trade off is usability.
A starting point: http://www.isc2.org/ -
Ethics?
Ethics is an interesting concept - first thing that may come to a person's mind:
"good and bad"
"wrong or right"
"black and white"
Personally, when one finds themselves in IT related predicaments, I'm guessing it's not that usual to land in a black or white situation, but one of a million shades of gray.
A few more:
"the way one lives"
"actions that land you on the right (good?) side of the fence"
"oath"
"creed"
etc . . .
What is a creed? One definition in an online dictionary defines it as ( http://dictionary.reference.com/browse/creed ) : " . . .any system or codification of belief or of opinion. . ."
eek . . . the entertainment industry (I'm guessing a person can come up with centuries or more worth of examples there) would have us believe in "good" creeds or "bad" creeds - religions, knights, assassins and more.
One might also ask - will your ethics lead you to copy chunks of the comments to the slashdot article above? Ethics in research and writing papers - that's a fought over issue as well. (people often hate to look in this mirror :)
Several professional groups have published "ethics" . . .
American Chemical Society ( http://pubs.acs.org/meetingpreprints/ethics.html )
American Institute of Aeronautics and Astronautics ( http://www.aiaa.org/content.cfm?pageid=198 )
American Institute of Architects ( http://www.aia.org/about_ethics )
American Institute of Chemical Engineers ( http://www.aiche.org/About/Code.aspx )
American Society of Landscape Architects ( http://www.asla.org/about/codepro.htm )
Institute of Electronics and Electrical Engineers ( http://www.ieee.org/portal/pages/iportals/aboutus/ethics/code.html )
To pick a few. Looks kind of like what science/fantasy fans might see as guild rules :)
IT is no different.
People who strive for SANS/GIAC certification agree to their ethics as part of completing the certification process. ( http://www.giac.org/overview/ethics.php )
SAGE, LOPSA & USENIX share the same code of ethics - http://lopsa.org/CodeOfEthics
ACM - http://www.acm.org/about/se-code
CISA, CISM, CGEIT - ( http://www.isaca.org/Template.cfm?Section=Code_of_Professional_Ethics&Template=/ContentManagement/ContentDisplay.cfm&ContentID=20454 )
SSCP, CAP & CISSP (certification) ethics - ( https://www.isc2.org/cgi-bin/content.cgi?category=12 )
I'm sure there are plenty more.
I'm guessing there are very few if any CS or IT related courses that don't include some kind of ethics class or section.
Personally - when I was growing up - with a lot of computer enthusiasts in the neighborhood - some slid one way or the other (ethics wise) and some stood fairly firmly on one side or the other (usually the "old guys").
I've been in the professional IT industry for several years - and doing semi-professional IT stuff on and off years before that. Seeing I'm still there - I hope I'm on an acceptable side of the fence :)
I've been involved in a few ethics dust-ups over the years . . . never got a horrible -
Re:The difference between IT and other professions
There is an attempt to form an "official body" to develop guidelines and a professional approach to IT Security: It's the ISC^2 which certifies CISSPs. They have a code of ethics as follows:
Code of Ethics Preamble:
* Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
* Therefore, strict adherence to this Code is a condition of certification.
Code of Ethics Canons:
* Protect society, the commonwealth, and the infrastructure.
* Act honorably, honestly, justly, responsibly, and legally.
* Provide diligent and competent service to principals.
* Advance and protect the profession.
https://www.isc2.org/cgi-bin/content.cgi?category=12
I think this is a good basic set of ethical rules to apply to IT Security work. IMHO, it's a step forwards to try and move the perception and reality of IT Security towards a "profession" rather than a "job".
We have a choice:
1) IT people, security or otherwise, can get together and form an "official body" (whether it is the ISC^2 or something else) that will provide guidelines and standards for qualification, ethical behaviour and self-governance. That can raise IT to the level of a "profession" in the eyes of laymen and business.
2) IT people can remain without a governing body, and we can each deal with the world from our own point of view. Our ethics, capabilities and reputations will be our own to develop and maintain.
I suspect that option 1) will result in a loss of personal freedom, as we will need to "conform" to the standards of the guild. However, it will result in IT people being treated as "professionals" by business and government, and we will be self-governing. Option 2) results in more individual freedom as we can all define our own careers, goals and ethics, but we will probably always be treated by business and laymen as "skilled craftsmen" at best. We may be more likely to be subject to government regulation when the people decide that "something must be done" about those "scary hackers".
It's a tradeoff, of course.
Just my .02$ -
Codes of Ethics
-
Try Information Assurance
I am in the fast growing field of Information Assurance (aka computer/system security). Every time there's a security/data breach, my field gets more visibility and more companies develop positions in IA. It is definitely not something that will be outsourced overseas either.
Some people in this field have a lot of OJT in a lot of areas (sounds like you) and others have gotten degrees with or without additional experience. I am currently finishing a MS in Information Assurance from Iowa State University via distance. Among my classmates who went to work in private industry, the lowest starting salary was 60K - for 23YOs without experience. Some chose to work for "three-letter government agencies" and after a few years, their experience plus high level security clearance will practically guarantee a quantum leap in salary in private industry.
I have heard that people who go on to get the ISC2 CISSP certification (requires 4 years IA OJT or 3 years w/IA degree from certain universities) have an average salary of 100K.
Some specialize in network security but others have chosen forensics, project management (at MS), applications development, database security, certification and accreditation teams, PKI administration, etc.
I chose the specialization of Information Assurance oversight. I use my broad knowledge of computers/systems but I do no systems/network administration or even have an account on the systems I oversee. Plus, because I had a broader experience/qualifications than my classmates, I started at a lot higher salary also (my net is more than my peers' gross). -
security related certifications
(Note and disclaimer: I am not a security pro. I am a system administrator, and hold an RHCE. I also have a college degree, although I took a good long time to finish it up.)
The CISSP is pretty much considered the gold standard of security generalist certifications. CISSPs rarely hurt for jobs for long.
If you're interested in something Linux related, you may want to look at Red Hat's Certified Security Specialist program. To get it, you need to complete the RHCE first (which looks good on a resume in and of itself), followed by an additional three exams covering network security, distributed authentication, and SELinux. Each exam is offered by itself, or on day five following a 4-day intensive course. Not exactly for the faint of heart, though, so if you're focusing on network level security without a lot of system administration, you'll probably want to give it a miss. -
Information Security
Since you're talking about career choices, you might want to approach the topic from the broader sense - not just Network Security but Information Security.
InfoSec is a broad, fascinating field. And as with the field of medicine in the early 1800's, everyone is an expert, but no-one really knows enough.
There seem to be six main "practitioner" fields, right now:
1) Documentation (certification and compliance)
2) Network / Systems Administration
3) Legal and Physical Protection
4) Management of all the above
5) Countermeasure Device Development and
6) Training.
By "Countermeasure Device Development" here I mean such things as writing / building programs (or appliances) to simply "improve the situation". This currently includes developing such things as Firewalls, Intrusion Detection Systems, Vulnerability Analysis systems, Systems Hardening software, etc. That field is open-ended.
At first glance, this sounds like what you're thinking about. As to programming skills - don't worry. If you love a thing enough you'll do it a lot. If you love a thing a lot and do it a lot you'll get quite good at it (One suggestion, though - the best way to debug code? Don't put bugs in when you write the code in the first place - makes debugging infinitely easier).
If writing such software is what you're thinking about - talk with folks who have already done it. Find a way to talk with Marty Roesch (who wrote Snort), Renaud Deraison (who wrote Nessus), Ron Gula (who wrote the Dragon firewall) - you get the picture. People capable of writing such devices are in a very small, select group - and they're very good people.
As other people here have said, take a look at the ten areas of knowledge that the CISSP certification considers (Certified Information Systems Security Professional - go to http://www.isc2.org/). That will give you a broad overview of the technical side of the field.
Do also look at the GIAC (Global Information Assurance Certification) program that SANS encourages (http://www.sans.org/). As I understand it, both the CISSP and the GIAC certs each have both breadth and depth, but the CISSP is primarily interested in breadth with a reduced depth, whereas the GIAC selects a narrower subset and drills more deeply into that.
To thrive in the field - to even enjoy the field - you'll need both breadth and depth.
And speaking of breadth, do also read Kevin Mitnick's book "The Art of Deception." This is about the part of InfoSec that's the toughest to solve computationally - the human element. In my opinion his solutions listed in that book to the problems of social engineering don't go deep enough, but _nobody_ understands social engineering as well as he does.
In fact, speaking of the human element, do also take a look at the CPP (Certified Protection Professional) certification from ASIS International (http://www.asisonline.org/). This certification deals not only with how to use computers to find the bad guys, but what to do once you've found them. Interesting.
InfoSec - it can be frustrating; it can be fun. Enjoy! -
ARO * SLE = ALE
This is what I remember from my CISSP (http://www.isc2.org/) book:
Annual Rate of Occurrence x Single Loss Expectancy = Annual Loss Expectancy
Obviously dial-up will have a smaller ARO because you won't be permanently online and can't be "attacked" when you are offline (not counting old-school boot-floppy viruses). I guess having less bandwidth would have some minor effect on ARO as well.
So yes, dial-up reduces the chance of certain attacks. Although email viruses are obviously not affected by it. It just takes longer before you have the virus downloaded :D -
CISSP
My CISSP...while not a good indication of technical skill, still seems to provide the ooohs and aaahs necessary from management and customers to be worthwhile. Although I have met plenty of CISSPs who wouldn't know any of the 10 domains from a hole in the ground...it seems to be the "cert du jour" to have. My $0.02
...from the real world. -
the ISC^2 said it best
-
CEH vs OPST (from pen-test)
For me, the value of a class is not in the test or even the certification at the end. The lasting value is in the knowledge and skill set that you refine and take with you back to your job. I also have made lasting relationships from the classmates, students, and instructors that I've met over the years. All of these mean a lot more to me than the "e-i-e-i-o" at the end of my name.
I gravitated towards ISECOM's OPST/OPSA classes because they fill a role I felt was missing in the security class space. Many non-vendor specific security classes have a very narrow tools based focus. While I agree that knowing how to use your tools in a test is important, I feel knowing why and when to use them is far more important. Knowing the politics involved in testing, going over internationally accepted testing practices, and reviewing regional and national legal regulations are just as much part of the job. These things are not merely important, but are required to be successful in your role as a security tester. In addition to the intensely technical aspects of the testing process, this is what the OPST represents; the "professional" side of security testing. Also, the ISECOM classes teach from ISECOM's Open Source Security Testing Methodology Manual (OSSTMM) which provides a much needed methodical framework to bring a scientific method style to the chaotic world of security testing.
The CEH class represents the other kind of class. One that is "flashy", "fun", "exciting", but not overly useful to the serious professional. While I have a lot of respect for Clément (one of the instructors for Intense School), I have very little respect for any organization that markets "hacker" classes. This includes the so-called ethical hacking, applied hacking, exposed hacking, grandmother hacking, squirrel hacking, super-duper 3y3 4m 31337 hacking, or any other fancy way of saying "Learn how to think and act like the bad guys".
While choosing where to spend your time and money, consider the community you are aligning with. If you look at ISACA, SANS, ISC2, ISECOM, etc.. they all have a true dedication to security and the betterment of the global information security community. Contrast the value of being affiliated (via education/certification) with any of those organizations over a piece of paper and a cd of toys.
-
CISSP
I got my CISSP, an information security cert, last year. My employer thought it was important enough to pay for my exam fees, and bring in a $2500-per-person trainer to help me and my coworkers cram. It's a difficult cert; I hear there's only a 30% success rate. My organization's business is information security, so our peoples' success rate is more like 95%.
My employer uses it as bragging rights to prospective customers (i.e., "75% of our engineers have a CISSP"). So it definitely isn't meaningless in that context.
I haven't yet seen any direct benefits from having it, but then again, I haven't been looking for another job.
-
Military and Academic Training
The University at which I teach has many campuses on US Military bases.
I know of hundreds of officers and enlisted men who have improved their career prospects through further graduate level education.
As a CISSP I heard from one of the instructors that they do a lot of military and spook work with the NSA. -
Re:The answer is SIMPLE.. DON'T go INTO it
I semi-agree with the above poster. I have only just gotten back into the industry after a 12 month hiatus. I stupidly left my previous job without checking the state of the market.
I think the problem is that the most common certification (and security job) is a Checkpoint firewall admin. And the number of Checkpoint certified people is growing, as more people try to jump across to security from general systems administration.
As a result, it's now a buyers' market for recruiters and employers. Certification is the sole differentiator (university degrees aren't considered that important here in Australia in the security market). For this reason alone I'm considering getting a CISSP certification, solely to differentiate my resume from all the others.
The market has improved, but only slightly.
-
Maybe it's understandable?
If you read the page, then follow the link to the (ISC)2 website www.isc2.org, and click on the "Click Here for More Alerts" link at the bottom, you'll see that the person the grand jury is probably looking into has also sent emails containing what would probably count as "hate crime" in most jurisdictions.
That still doesn't justify subpoenaing the logfiles, though
;-) -
ISC^2 already defines this... as the article points out. To me, the bigger revelation to "geeks" here should be that information security is about a lot more than OS vulnerabilities and firewalls.
The International Information Systems Security Certifications Consortium (ISC^2) defines ten domains of information security.
Physical Security is one of them... a big one. So is network security, auditing, forensics, and liability, amongst other things.
Anyone interested in the relations of risk management and physical/information security should aim their research towards ISC^2 related documentation. In addition to being fairly comprehensive, you will be better prepared when you become experienced enough to apply for your CISSP certification.
;-) (ISC^2 can be found here)
-PM
-
The ICCP is dead
-
CISSP
I have got a couple of job offers at least partially because of my CISSP certificate (Certified Information Systems Security Professional). But then again, you are not supposed to get this certificate without an existing job record, so it might not be interesting for you - but check out the URL.
I have heard also some other people saying that it is a good bonus - and it is actually a requirement for some positions. And it does not harm you to have that in your pocket even though your work is not strictly related to information security. Security is (or should be) still a crucial piece in any software.
But personally, I don't believe a certificate is a shortcut for getting a job. It might work as an aggregate after you got your first job. Instead, I believe the solution is hard work - have a CD/floppy or whatever loaded with software made by you as hobby with you when you go to a job interview. I have raised thumbs up many times because of the candidate's participation in some OSS project or similar. -
Physical Security
Physical security is just as important as network security. If the admin of these servers and computers had safeguarded their physical security there wouldn't have been a problem. Hackers are just one threat...vandals must also be considered. That is why physical security is one of the 10 sections covered in the CISSP certification exam (the premiere information security certification).
-
Start from the beginning
First off, the reason your security is broken is that you probably don't have a policy, and if you do nobody understands it, and if they do there's no QA ensuring that they follow it.
Good security starts with the establishment of a security policy followed by education and regular awareness events. Please be aware that paying someone a ton of money to pen. test and inventory your assets will *not* result in a stronger security posture all on its own. You must have a policy in place and you must compel your users to abide by it (primarily through education, secondarily through threat of penalty). Consider hiring a CISSP or other certified professional to help you through this process. You might be able to find one in your area by using the ISC2 directory. SANS is doing some ISO certification as part of the GIAC program now and they may be able to point you towards some appropriate people as well. The ISSA might be able to help as well. As has been mentioned already, you probably don't want to entrust this to someone selling countermeasures or management services.
Understand, however, that you don't need a firewall engineer right now and you don't need some krad ex-hacker to pen test either. You need someone to help you get your house in order on the administrative side and then you can look into some detailed engineering and assessment. That someone should probably be an independent consultant or at least one working with an infosec specializing firm. If you want a couple bigger names there's @Stake, Booz Allen Hamilton, and Predictive, however, I would encourage you to seek out a local independent with good references.
Any knucklehead can run Nessus and patch systems. This alone does not equal information security. If you want a secure environment, start by defining what "secure" means within your environment. -
Age requirements
The CISSP requires a minimum of three years professional security experience. The SSCP (Systems Security Certified Professional), sort of an entry-level CISSP, requires only one. The CISA (Certified Information Systems Auditor, IMHO the most respected security cert) requires four. IIRC, at least one of these may also require you to be 18, so be careful about age requirements. You might also look at the GIAC (Global Information Assurance Certification) family of certifications, which doesn't appear to have any experience requirements.
-
Security certs
This article missed all the certs in the security field.
CISSP
CISA
SANS GIAC
In general, CISSP and CISA are more heavy on theory and SANS GIAC are more on practical knowledge (hands-on). Notice that GIAC actually offers many different certs in different area.
They are all hard to get. For example, CISSP requires a 6-hour exam (which isn't easy at all). GIAC requires a practical assignment (to show hands-on knowledge - requires real world experience) as well as one or two 2-hour exams.
-
CISSP for me...
Hi, I have a CISSP designation, and have found it to be VERY useful, both professionally and as a practical job door opener for consulting gigs. It covers a wide base of security knowledge, and also requires some dedication to "real" security work for a few years first, rather than just passing a test based on some memory work.
The "Certified Information Systems Security Professional" ® (CISSP) designation is a recently developed international designation for people involved in information security work. It is handled by the non-profit organization called "(ISC)2", the "International Information Systems Security Certification Consortium, Inc." They administer, test, and have a trademark on CISSP®.
The first CISSP designations were conferred in 1994, and its numbers are increasing rapidly.
With certification of computer professionals becoming more important, and the incursion of the Engineering field into computer-related work areas, it's a good idea to consider getting a formal designation.
The ISSA and CIPS organizations have also been very supportive in promoting professional certification among their members. I've discovered that certification makes a difference in getting consulting contracts, and provides a higher level of trust, ethics, and expected professionalism in client relations. Recently, an increasing number of government RFPs for INFOSEC-related services have requested that consultants preferably have CISSP accreditation.
Applicants must subscribe to a formal code of ethics, and must have at least three years of direct work experience in one or more of the ten information security domains of the information systems security Common Body of Knowledge, in order to sit for the examination.
The ten domain areas are:
- Access Control;
- Communications Security;
- Risk Management & Business Continuity Planning;
- Policy, Standards, and Organization;
- Computer Architecture & Systems Security;
- Law, Investigation, & Ethics;
- Application Program Security;
- Cryptography;
- Computer Operations Security; and
- Physical Security.
The exam questions are multiple choice, and are oriented towards knowledge gathered by experience. Someone who just read some text books would have a very hard time passing the exam. Exam preparation training seminars, and a study guide with sample questions are available from (ISC)2.
For more details, see (ISC)2's new WWW site at: http://www.isc2.org/
Regards,
-wjc.
-
Citing CISSP
This is one of the topics covered in the CISSP exam; I think the CISA also has it. Methods for disaster recovery, which are often ignored by many companies. Often I wonder how much a company has prepared for a disaster, by way of anything imaginable: hurricanes, fires, break-ins, etc.
Personally I think companies grow too fast and focus on growing, growing, growing, rarely stopping to take the time to implement measures against disaster recovery.
One of the things we do at my place is, once every other month, we have a sit-in with beers, pizza, etc., and focus on security by way of games. "Why do you need a safe password" is based on guessing your co-workers' info: we see how much we can gather by knowing them, to see if we could guess their passwords. We also have a twist on Jeopardy where we use the names obtained from Attrition.org and make a question about the company, so we could say "yes, this company was owned this/last month" in order to make our workers aware of the risks involved on the 'net.
It's better than ramming security down their throats and constantly lecturing people. We also have little twists on dealing with all sorts of issues: voicemail management to avoid having passwords cracked, social engineering games, and makeshift scenarios where someone comes in to social engineer their way into information.
Keeps us on our toes ;) ... For those with higher ranking positions I suggest you go out and get the "Information Management Handbook -- Tipton/Krauss", which has tons of informative information regarding safeguarding data, disaster recovery techniques, etc. It's one of the best books I ever bought.
-
Ethics and Computing
I'm a CISSP and I have been bound to an ethical agreement that I cannot perform any illegal or shady activities in the computer industry. My concern is that Microsoft and other companies seem to be bound by no such agreements, either by their own internal policies or by their customers. Isn't it about time that Microsoft was made to be responsible for their security? Shouldn't customers demand some kind of responsibility from Microsoft and others?
Deven Phillips, CISSP
Network Architect
Viata Online, Inc.
-
Evaluation standards and complexity
Software and operating system evaluation is a very complex subject, and by no means is it ever black and white. There are many different ideologies that pervade the field. The international security community is embracing a new system known as Common Criteria (CC). The concept is that you define a set of objectives, and a CC testing facility checks to make sure that your software/OS/hardware meets those standards. This is much more flexible than the TCSEC (Orange Book) evaluations. This also adds layers of complexity: which CC eval spec do you need/want, who defines these specs, and how do you get your software tested? Well, the International Information Systems Security Certification Consortium, (ISC)^2 for short, has many resources for you to find CC specs and CC testing facilities. They also provide a comprehensive training and certification program for people interested in learning about information security. Web Site. The cert is well accepted, but don't think it's going to be a Microsoft MCP exam easy lick: 6 hours, 250 questions. Hope this is helpful.
Deven Phillips, CISSP
Network Architect
Viata Online, Inc.
-
Security Course Offerings and Resources
There was a recent post on regarding security courses. The poster was kind enough to reply back to the list with a list of responses to his question. I've included some of that list below. My hands hurt from typing all day, so I don't feel like typing out the rest. Maybe I will tomorrow.
http://www.isc2.org/
http://www.brainbench.com/
http://www.robertgraham.com/
http://www.r00tabega.com/
http://www.sans.org/
http://www.csc.com/
http://www.ey.com
http://www.securityfocus.com/
http://astalavista.box.sk/
http://neworder.box.sk/
http://blacksun.box.sk/tutorials.html
http://www.prosofttraining.com/
Don Head
Linux Mentor