COMPLIANCE COUNSELOR

CISSP certification can serve as introduction to regulatory compliance


Peter H. Gregory
05.16.2007


In the past five years, the inrush of regulation at the national and regional levels has significantly transformed the business of security. In the United States, laws such as the Sarbanes-Oxley Act, HIPAA, GLBA, data security breach laws like California's SB-1386, and FISMA have made the adoption of many security practices a matter of regulatory compliance, rather than merely a measure to avoid worst-case security scenarios.

Though not a government-mandated compliance guideline, the PCI Data Security Standard deserves special mention as highly successful "private" regulation imposed by the major credit card brands. PCI DSS compliance has become essential for businesses that want to continue processing credit card data without risking fines and sanctions.

Many security pros -- both veterans and those who are new to the field -- find themselves learning about the intersection of security and regulations during the compliance process itself. CISSP certification, however, gives infosec practitioners a head start when they are thrust into situations where compliance is driving the corporate information security agenda.

CISSP Common Body of Knowledge
The Certified Information Systems Security Professional, or CISSP, is offered by the International Information Systems Security Certification Consortium (ISC)2, and seeks to provide an objective baseline for measuring competency. The CISSP Common Body of Knowledge (or CBK) defines the knowledge base required of CISSP candidates. The CBK consists of 10 categories that CISSP candidates are expected to be familiar with in order to pass the rigorous CISSP certification exam. The categories are:

  • Access control
  • Telecommunications and network security
  • Information security and risk management
  • Application security
  • Cryptography
  • Security architecture and design
  • Operations security
  • Business continuity and disaster recovery planning
  • Legal, regulations, compliance and investigations
  • Physical (environmental) security

Security regulation certainly touches on all 10 of these areas. For instance, the "Legal, regulations, compliance and investigations" category used to be called "Law, investigations and ethics" a few years ago. The change represents the most visible acknowledgment that a major aspect of security is associated with compliance to laws and regulations. Within this category, the CISSP candidate is expected to have an understanding of information security-related regulation not only in the U.S., but also increasingly in other parts of the world.

The other categories have begun to cover compliance as well. For instance, job rotation, separation of duties and responsibilities, and security incident handling are important matters in security regulations; these are covered in "Operations security". Similarly, "Physical (environmental) security" covers perimeter security and equipment protection, activities required by many security regulations.

"Security architecture and design" covers the formal security models on which access control policies are built. In the era of regulations, this knowledge is apt to be exercised more often than in the past. Likewise, "Telecommunications and network security" covers the gamut of technologies and practices for protecting data communications, a category that gets a thorough workout in the Internet era. The other categories in the CBK likewise cover activities required by one or more security laws.

CISSP's complementary role in regulation
The major focus of the CISSP certification is centered on security technology and management, but the functional areas in the realm of regulation and compliance are "softer" areas that are somewhat removed from security itself. These areas are covered by security governance and management, a part of the "Information security and risk management" category.

A CISSP experienced in governance and management will have little trouble understanding much of the security regulation in force today, particularly the more prescriptive regimes such as PCI DSS. (HIPAA's Security Rule is less specific: many of its safeguards are "addressable", meaning the organization decides how to meet them based on its own risk analysis, so it demands more interpretation.) And because the CISSP CBK covers virtually all of the security technology areas, a CISSP knows how to carry out the specific controls a regulation calls for.

However, there are compliance-related tasks for which the CISSP certification does not prepare its candidates. Activities such as business controls development, internal audits and the interpretation and application of regulations are barely touched on in the CISSP world. Other certifications, such as the Certified Information Systems Auditor (CISA), focus on controls and internal audits.

About the author
Peter H. Gregory, CISA, CISSP, is responsible for both security and compliance at a financial services organization in Redmond, Washington. He is the author of CISSP For Dummies, Securing the Vista Environment, and a dozen other books on security and technology.