ConvoCourses

Cyber Security Compliance and IT Jobs

CAP

WEBINAR: GSA, DHS, NIST on personal mobile security, THU 11/10 (CPEs)

by Leave a Comment

Securing and managing agency mobile apps.
WEBINAR, THU 11/10, Complimentary, CPEs

This important video webinar will explore how mobile apps
rapidly expand in agency networks and how agency experts
limit security risks while they manage mobile Web devices
to drive agency productivity and mission achievement.

REGISTRATION AND INFO
https://goto.webcasts.com/starthere.jsp?ei=1123951&sti=emc

ALTERNATE REGISTRATION LINK:  www.FedInsider.com

WEBINAR TOPIC
The Framework for Mobile Security in Government

DATE: THU 11/10
TIME: 2:00 PM ET / 11:00 AM PT
DURATION: 1 hour
CPE: 1 CPE from the George Washington University,
Center for Excellence in Public Leadership
COST: Complimentary

SPEAKERS
– JON JOHNSON, Enterprise Mobility Team Manager, GSA

– VINCENT SRITAPAN, Program Manager, Cyber Security
Division, DHS Science and Technology (S&T) Directorate

– JOSHUA FRANKLIN, Information Security Engineer, NIST

– JOHNNY OVERCAST, Director of Government Sales, Samsung
Electronics America

– TOM TEMIN, Host and Managing Editor, The Federal Drive,
Federal News Radio 1500 AM

PRESENTED BY: WTOP, Federal News Radio, FedInsider News,
and The George Washington University Center for
Excellence in Public Leadership

*** OTHER GOVT-INDUSTRY CPE CREDIT EVENTS IN THE SERIES ***
Visit www.fedinsider.com

CART services provided for captioning for all webinars.

Looking forward to meeting you online!

Peg Hosky, President

Email: peg@hosky.com
Phone: 202-237-0300
www.FedInsider.com
LinkedIn: www.linkedin.com/in/peghosky
Twitter:  @peghosky

FedInsider News
3811 Massachusetts Avenue NW
Washington DC 20016
F10-171912

RMF Training Paths

by Leave a Comment

ISC_2-logo-certification
ISC_2-logo-certification

I talked a little about IT RMF Certifications in previous articles.  One of my previous co-workers asked me more about Risk Management Framework Training paths and I just wanted to add more on this subject.  From my experience, the best common body of knowledge for training in the RMF space is the ISC2 CAP:

  • Risk Management Framework (RMF)
  • Categorization of Information Systems
  • Selection of Security Controls
  • Security Control Implementation
  • Security Control Assessment
  • Information System Authorization
  • Monitoring of Security Controls

Based on www.isc2.org the ideal candidate will have the following:

  • IT Security experience
  • Information Assurance experience
  • Information Risk Management experience
  • Certification
  • Systems Administration
  • One – two years of general technical experience
  • Two years of general systems experience
  • One – two years of database/systems development/network experience
  • Information Security Policy
  • Technical or auditing experience within government, the U.S. Department of Defense, the financial or health care industries, and/or auditing firms
  • Strong familiarity with NIST documentation

A higher of NIST RMF study goes beyond the Certified Information System Security Professional (CISSP).  This body of knowledge is a concentration of the CISSP called Information System Security Engineering Professional (ISSEP).  There are (4) domains for the ISSEP:

  • Systems Security Engineering
  • Certification and Accreditation (C&A) / Risk Management Framework (RMF)
  • Technical Management
  • U.S. Government Information Assurance Related Policies and Issuances

The ISSEP includes everything from CAP but also includes other policies, issuances and processes that you find within the government.

The CAP and ISSEP both have the best path to understand and master the RMF.

 

RMF Training
RMF Training

 

 

information technology risk management certifications

by Leave a Comment

The most respected information technology risk management certifications accepted for risk management / IA / computer security positions are the ISC2 CISSP, CISA, CISM, CAP and CISSP-ISSEP.

I will give a quick, down and dirty look at these certification from the perspective of someone in the industry.  This is my personal opinion based on my experience.  I have the CISSP and CAP.   I know many doing IT/security/Risk Management work with one or more  of the listed certifications and have direct experience hiring and teaching for organization looking for risk management professionals.

ISC_2-logo-certification
ISC_2-logo-certification

What is the TOP risk management certification?

The choice of “best” or “top” risk management certification depends on the industry.

Financial industries are very much into the CISA.  The ISACA CISA and CISM are certs that came from the financial industry.  I was surprised to learn that a friend of mine who worked for Ernst & Young as a corporate tax/finance auditor was working on taking the CISA.  When I asked him why, he said that other accountants/financial auditors take that test.  Banks and other financial organizations look highly upon the CISA and CISM.

US Federal organizations heavily favor the CISSP for risk management work.  Within the government, its the gold standard for risk management and Information Security jobs.  So much so that they think that someone with a CISSP can do ANY security job.  It’s very broad in content so its a misconception that a CISSP can perform any security or risk management job.  Its best if the CISSP is accompanied by actual experience with a given subject matter and/or a specific certification that might give indication of knowledge on a subject matter that is not so general.  All of that said, the CISSP is a GREAT certification if you want to get paid well.

The ISC2 CAP, is a great certification for risk management.  It is the most relevant for risk management.  The CAP focuses on the NIST risk management framework.  It breaks the entire process down.  CISSP is really all over the place covering way too many security points.  By contrast, the CISA is all about auditing systems.  The CISM is all about Information Management. The CAP is a solid certification that goes 6 feet deep into pure risk management.  If you are serious about learning risk management for IT, then the ISC2 CAP is for you.

The ISSEP is a step up from the CISSP and the CAP.  Its like a SUPER CAP.  Its an actual concentration of the CISSP.  I noticed that high level risk management positions in the US federal space sometimes ask for it.  It is definitely and Alpha Predator of risk management certifications.  You cannot go higher than this for RMF outside of getting a Masters or PHD in Information Assurance/Information Security or the like.

The problem that I see with the ISSEP (CISSP concentration) is that its a LOT of work for very little extra marketability.  I mean, with an ISSEP you are a 1% in the RMF space but only .01% of the jobs in RMF/C&A category actually require an ISSEP.  What I mean to say is that not many people are looking for the ISSEP.  Its a hard certification because you must first achieve the CISSP.  The ISSEP material is hard, boring and very comprehensive.

Over all the CAP, CISSP and CISA/CISM are the best certifications for a professional in doing Risk Management Framework for IT.