Given the events of 911 and the ongoing threats to our way of life being thwarted every day, the Information Assurance part of physical security cannot be over emphasized in either the public or public sectors of our society. Policies need to be set and practices need to be developed to protect technology networks, systems and databases. The gap that historically existed between security theory and practice can and must be closed, and one important way that Information Security professionals will be able to meet this challenge is through a lifetime commitment to professional development and re-development that incorporates the latest best practices.
The impact of this field is enormous and its areas of responsibility increasingly complex, depending upon an individual’s career environment.
Properly educated Information Security (IS) professionals must be able to examine realistic examples of the crucial links between security theory and the day to day security challenges of physical and IT environments. They must be able to ascertain the fundamentals of security which include the different types of widely used policies, the mechanisms that implement these policies, the principles underlying both policies and mechanism, and how attackers can subvert these tools- as well as how to defend against attackers.
On an organizational level, these professionals must be prepared to manage the security functions that include but are not limited to access control and site security, incident and disaster response, TCP/IP and how hackers use it to attack organizations, attack methods, attack prevention systems (firewalls and host security), application security, elements of cryptography and cryptographic systems.
They must also become, as they need to be, experts in Cyber Forensics, fully trained in evaluating a comprehensive, highly usable, and clearly organized approach to the issues, tools, and control techniques needed to successfully investigate illegal activities perpetuated through the use of information technology. They must be current in the various tools and techniques designed to maintain control over an organization, able to identify, gather, document and preserve evidence of electronic tampering and misuse.
In addition, they must be fluent in the fundamentals of Systems Certification and Accreditation. The certification and accreditation processes, which include certification and accreditation project planning, system inventory, system security plans, risk assessment, security procedures, certification testing, documentation of accreditation decisions, and coordination of security for interconnected systems, are essential to the application of best practices in the system certification and accreditation processes.
Then there’s the area of critical infrastructure protection, information warfare, and cyber terrorism. Being able to analyze cyber terrorism, which is an emerging new mode of information warfare underscoring the perpetrators’ deliberate exploitation of civilian and military systems’ inherent vulnerabilities, thereby affecting national and global security,
The need for increasing expertise in Computer Network Auditing is equally strong. Today’s IS professionals must be able to analyze the foundation of Information Technology (IT) audit and control, evaluate IT governance and control of new and existing systems, illustrate risks and controls of application system life cycle, analyze auditing of standalone to global IT operations; assess legal environment and key IT security and privacy.
They must also be expert in managing the information security of outsourced computer systems. They must be able to evaluate the risks related to information technology outsourcing, understand how to recognize, examine, minimize, and manage these risks, while managing the cost-benefit analysis of the systems implemented. There are many complex and confusing issues that organizations need to identify, quantify and analyze to make the right outsourcing decisions while ensuring that security matters have been fully addressed and accounted for. Trained professionals are able to successfully analyze the tangible and intangible costs and benefits associated with outsourcing information technologies and Information Security functions which will in turn assist in making business and technical decision as they relate to outsourcing.
Then there’s the issue of information assurance from a legal and ethical perspective. Today’s physical security professionals and IT professionals are faced with ethical decisions regarding IT security, common types of computer security attacks, privacy protection, the impact of IT on the quality of life, freedom of expression, intellectual property and employer and employees issues including the key ethical issues associated with the use of contingent works.
Finally, there’s the need for expertise in disaster recovery and contingency planning for the security professionals. The disasters that occurred on 9/11 brought organizations disaster recovery strategy into the spotlight beyond imagination where disaster recovery strategy formerly viewed as a “nice to have” to “mandatory” requirement. Today’s professionals must be trained and able to develop effective disaster prevention and recovery capabilities for their organizations. They must be able to demonstrate an understanding of the principles of disaster recovery planning for physical security consideration, host applications, and network security measures on a practical level every single day.
Career Opportunities in Information Security
Jobs in the security information profession are proliferating, and this field now employs people around the world in dozens of new careers. In an interview in August 2009, David Foote, one of the nation’s leading industry analysts, said, “The economy has been down, but job opportunities are up for information security professionals with the right skills.”There are many jobs available in the information security field, with new ones being created every day. Here are some examples:
• “Network Security Specialist: configures routers, firewalls and intrusion detection systems
• Ethical Hackers (Penetration tester): assesses a system's potential vulnerabilities, known and/or software flaws, or operational weaknesses
• Incident Handlers: familiar with attack methodology and incident response, performs analysis and response tasks for various sample incidents
• Forensics Analyst: focuses on the rigorous, scientific and thorough forensic analysis of computing systems for evidence and impact of system compromise and digital support of legal, HR, and ethics investigations”
• Information Assurance Analyst: ensures compliance with information assurance program. Maintains and improves the IT program.
• Integrity and Risk Manager: creates, builds and operates the company’s main IT system. Implements effective incident response and information security solutions.
• Entry-Level IT Security Consultant: performs security consulting, testing and evaluation of software and hardware products.
• Information Security Crime Investigator/Forensics Expert: identifies systems/networks that have been compromised and investigates clues and traces left by complicated attacks.
• Ethical Hackers (Penetration tester): assesses a system's potential vulnerabilities, known and/or software flaws, or operational weaknesses
• Incident Handlers: familiar with attack methodology and incident response, performs analysis and response tasks for various sample incidents
• Forensics Analyst: focuses on the rigorous, scientific and thorough forensic analysis of computing systems for evidence and impact of system compromise and digital support of legal, HR, and ethics investigations”
• Information Assurance Analyst: ensures compliance with information assurance program. Maintains and improves the IT program.
• Integrity and Risk Manager: creates, builds and operates the company’s main IT system. Implements effective incident response and information security solutions.
• Entry-Level IT Security Consultant: performs security consulting, testing and evaluation of software and hardware products.
• Information Security Crime Investigator/Forensics Expert: identifies systems/networks that have been compromised and investigates clues and traces left by complicated attacks.
Educating the Security Professional
The Northcentral University School of Business leadership team in Prescott Valley, Ariz. has worked to ensure that graduates who complete the information security specializations have the latest information to develop policies and practices to protect the technology networks, systems and databases they manage.Northcentral University obtained the highest national level certification by the Committee on National Security Systems (CNSS) for its courses in the School of Business and Technology Management (SoBTM) Computer Information Security (CIS), Management of Information Security (MIS), and Applied Computer Science (ACS). The CNSS is a federal government entity under the U.S. Department of Defense that provides procedures and guidance for the protection of national security systems. This office certified Northcentral’s programs as meeting the 4011 training standard for information security professionals in the federal government.
With this new certification, each Northcentral student who completes the CIS, MIS, and Applied Computer Science specializations will receive a CNSS 4011 certificate attesting completion of a CNSS quality specialization.
Northcentral University offers seven degree programs with CNSS Certification, including examining crucial links between security theory and the day-to-day security challenges of IT environments; techniques and mechanisms designed to thwart security threats as well as known methods for exploiting vulnerabilities; collecting, examining, and preserving evidence of computer/information crimes; and the aspects of information warfare, underscoring the perpetrators' deliberate exploitation of civilian and military systems' inherent vulnerabilities, thereby affecting national and global security. Classes are also taught about ethics and how it affect IT professionals and users regarding common types of computer security attacks, privacy protection, the impact of IT on the quality of life, freedom of expression, intellectual property and employer and employees issues.
The more data we produce, the more difficult it becomes to protect it. As cyber crime grows and poses a real and dangerous threat, work in the information security field has flourished. Even during this great financial crisis, when jobs are being discarded around the globe, information security professionals have avoided the hit and are still in demand.