CISSP good intro to regulatory compliance


Peter H. Gregory
01.29.2008


In the past five years, the inrush of regulation has significantly transformed the business of security. In the UK, regulations such as the Data Protection Act are beginning to be taken more and more seriously and are forcing companies to address regulatory compliance.

Though not a government-mandated compliance guideline, the PCI Data Security Standard deserves special mention as highly successful "private" regulation imposed by the major credit card brands. PCI DSS compliance has become essential for businesses that want to continue processing credit card data without risking fines and sanctions.

Many security pros -- both veterans and those who are new to the field -- often find themselves learning about the intersection of security and regulations during the compliance process itself. However, CISSP certification often aids infosec practitioners in their efforts to succeed when thrust into situations where compliance is driving the corporate information security agenda.

CISSP Common Body of Knowledge
The Certified Information Systems Security Professional, or CISSP, is offered by the International Information Systems Security Certification Consortium (ISC)2, and seeks to provide an objective baseline for measuring competency. The CISSP Common Body of Knowledge (or CBK) defines the knowledge base required of CISSP candidates. The CBK consists of 10 categories that CISSP candidates are expected to be familiar with in order to pass the rigorous CISSP certification exam. The categories are:

  • Access control
  • Telecommunications and network security
  • Information security and risk management
  • Application security
  • Cryptography
  • Security architecture and design
  • Operations security
  • Business continuity and disaster recovery planning
  • Legal, regulations, compliance and investigations
  • Physical (environmental) security

Security regulation certainly touches on all 10 of these areas. For instance, the "Legal, regulations, compliance and investigations" category used to be called "Law, investigations and ethics" a few years ago. The change represents the most visible acknowledgment that a major aspect of security is associated with compliance to laws and regulations. Within this category, the CISSP candidate is expected to have an understanding of information security-related regulation not only in the UK, but also increasingly in other parts of the world.

The other categories have begun to cover compliance as well. For instance, job rotation, separation of duties and responsibilities, and security incident handling are important matters in security regulations; these are covered in "Operations security". Similarly, "Physical security" covers perimeter security and equipment protection, activities required by many security regulations.

"Security architecture and design" covers security models that are used to build access control policies and models. In the era of regulations, this topic is apt to be used more often than in the past. Likewise, "Telecommunications and network security" covers the gamut of technologies and practices covering the protection of data communications. In the Internet era, this category is well exercised. The other categories in the CBK likewise cover activities required by one or more security laws.

CISSP's complementary role in regulation
The CISSP certification focuses mainly on security technology and management, but the functional areas in the realm of regulation and compliance are "softer" areas that are somewhat removed from security itself. These areas are covered by security governance and management, a part of the "Information security and risk management" category.

A CISSP experienced in governance and management will have little trouble understanding much of the security regulation in force today, particularly the more prescriptive regulations such as PCI DSS. In addition, the CISSP CBK covers virtually all of the security technology areas, which helps the CISSP know how to carry out the specific requirements of those regulations.

However, there are compliance-related tasks for which the CISSP certification does not prepare its candidates. Activities such as business controls development, internal audits and the interpretation and application of regulations are barely touched on in the CISSP world. Other certifications, such as the Certified Information Systems Auditor (CISA), focus on controls and internal audits.

About the author
Peter H. Gregory, CISA, CISSP, is responsible for both security and compliance at a financial services organisation in Redmond, Washington. He is the author of CISSP For Dummies, Securing the Vista Environment, and a dozen other books on security and technology.
