The document provides an overview of the information security profession and guidance for hiring information security professionals. It discusses the expanding role and types of jobs in the field, ideal traits for professionals, typical career paths, how to craft job descriptions and the importance of certifications. The document is a hiring guide intended to help HR, recruiters and hiring managers better understand the scope of the information security profession and find qualified candidates.
Introduction

Welcome to the (ISC)2® Hiring Guide to the Information Security Profession. It’s no secret that it’s not easy to find qualified experts to protect your organization. As the world’s largest body of information security professionals, with more than 54,000 certified members in 135 countries, (ISC)2 wants to help HR professionals, recruiters and hiring managers understand the scope of this burgeoning profession and lessen the pain of obtaining the best and brightest information security staff.

The information security profession is expanding rapidly. The 2006 (ISC)²/IDC Global Information Security Workforce Study (GISWS) showed that the number of professionals worldwide will increase to slightly more than 2 million by 2010, a compound annual growth rate of 7.8 percent from 2005 to 2010.

It wasn’t always this way. Twenty years ago, the field of information security was in its infancy, and companies often brushed off threats to their infrastructure. Today, driven by legal and regulatory compliance and the desire to maximize global commerce, hiring first-rate information security staff is critical to mitigating risks that can destroy a company’s reputation, violate privacy, result in the theft or destruction of intellectual property, and, in some cases, even endanger lives.

We hope this hiring guide, compiled with significant contributions from Alta Associates, will shine some light on the significance of this relatively new profession, as well as offer tips on ensuring your security staff is filled with talented and qualified professionals.

You can also find more tools at the online (ISC)² Hiring Center at www.isc2.org/HRCenter.

Best of luck in your recruiting efforts!

Eddie Zeitler, CISSP
Executive Director
(ISC)2
Table of Contents

What is Information Security? ...................................... 3-4
The Evolving Role of the Information Security Profession ........ 5-6
What Types of Job Functions Exist? ........................... 7-8
What are the Ideal Traits of an Information Security Professional? ...... 9-10
What are Typical Career Paths? ......................................11
Crafting a Job Description ..........................................13-14
Certification Requirements ........................................15-16
Recruiting ..............................................................................17-18
Screening ..............................................................................19-20
Interviewing ....................................................................... 21-23
References/Security Checks ............................................ 24
Crafting and Presenting an Offer .......................... 25-26
Retention ................................................................................... 27
Resources ............................................................................29-30
What is Information Security?

Governments, military, financial institutions, healthcare and private business today amass volumes of confidential information about their employees, customers, products, and financial status. Most of this information is now collected, processed and stored on computers and servers and transmitted across networked systems. Should such confidential information fall into the hands of outsiders, such a breach of security could lead to lost business, lawsuits, reputation damage and even bankruptcy. Protecting confidential information is a common sense requirement these days, and in most cases is also a legal requirement.

Information security involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The purpose of information security is to ensure that all information held by an organization, regardless of whether it resides on a computer hard drive or in a filing cabinet, is maintained with:

Confidentiality - ensuring that information is accessible only to those authorized to have access;

Integrity - safeguarding the accuracy and completeness of information and processing methods;

Availability - ensuring that authorized users have access to information and associated assets when required; and

Compliance - ensuring that all laws and industry regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare providers and Sarbanes-Oxley (SOX) for publicly traded companies, are met.

The objective of an information security policy is to minimize damage to the organization by preventing and controlling the impact of security breaches. Information security provides the essential protective framework in which information can be shared while ensuring its protection from unauthorized users.
The Evolving Role of the Information Security Profession

Years ago, the majority of people responsible for protecting information assets entered the field without a formal background or education and obtained their experience in broader disciplines, such as information technology (IT) or engineering, transferring into information security only as the need arose.

Unlike two decades ago, many younger professionals in today’s sophisticated cyber world have information security in mind from the beginning, pursuing college degrees in information security, information assurance, or a related discipline such as computer science. They also likely have a working knowledge of network systems and security protocols, security software programs and implementation, and best practices for developing security procedures and infrastructure.

A secure organization requires seasoned professionals who can create and implement a program, obtain support and funding for the program, and make every employee a security conscious citizen, all while adhering to necessary regulatory standards. In addition, it requires a team of technical practitioners to implement the policies set by the security manager.

Today’s information security professionals work closely with HR, legal, audit, IT and other areas of business to mitigate risk throughout the organization. Many are now called upon as critical contributors to business-decision making.

In the face of these daunting challenges, the role of the professional has changed dramatically over the past few years. The successful professional must now quickly and securely respond to change, whether brought on by external and internal threats, or by customer demand for new goods and services. The professional must also implement integrated security solutions at all levels where people, processes and technologies intersect, and ensure they support the objectives of the organization.

Although having qualified information security professionals on staff is a necessity for organizations of all industries and sizes, it is especially important to those who have critically sensitive information, such as financial, healthcare or insurance entities, or those who have to comply with strict legal or regulatory mandates.
What Types of Job Functions Exist?

In the early days of information security, an organization hired a single “security engineer” who was an adjunct to the IT department and focused on network security and security administration. The position required an understanding of network protocols, firewalls and network vulnerabilities.

Today, with the increasing dependence upon the virtual world in every corner of business and society, the requirements and job functions of the information security profession have exploded. Security-specific roles include:

• Forensics Specialist
• Security Architect
• Chief Information Security Officer
• Information Assurance Manager
• IT Security Manager
• Certification & Accreditation Specialist
• Risk Manager
• Compliance Officer

The scope of traditional security roles has also expanded. The early role of security engineer now has expanded to include numerous areas of specialization, such as identity and access management, vulnerability management and application security. These positions require extensive technical backgrounds, as well as business risk analysis so the security controls appropriate to the specific organization can be developed.
What are the Ideal Traits of an Information Security Professional?

While the information security profession has become too complex for any one set of specific skills, there are general attributes that are important to consider when seeking a professional. A few of these ideal traits include:

Skills and Competencies

• A track record of developing information security and risk management solutions;
• A keen understanding of technology and the ability to leverage this knowledge to implement effective security solutions;
• An understanding of the industry, the company’s place in the market, relevant regulatory and legal requirements, and how they can add value;
• Solid communications skills. These include the ability to influence employee behavior and perceptions. The best security policies won’t be effective without buy-in from all employees;
• The ability to articulate business value. Professionals must know their audience and talk in a language they understand;
• Understands and manages risk. Security professionals must tailor their security postures to the specific needs and risk appetites of the organization;
• Ability to build strong relationships with the key stakeholders of the organization, including legal, HR, audit, physical security, PR, and risk managers; and
• Ability to see the overall security needs of an organization. Even in more traditional network security roles, organizations need professionals who can interpret technology in a way that’s useful and in line with its business and risk management goals.

Personal Attributes

• A positive attitude. While professionals need a healthy dose of caution, the professional should emphasize the power of defense, rather than the negatives or costs of vulnerability;
• Commitment to ethics. To be effective, a professional must always tell the truth and never exaggerate about what can and can’t be done; and
• Embraces the need to stay current in the latest security and technology knowledge.
What are Typical Career Paths?

An information security professional can come from many different, non-security disciplines. Indeed, many exemplary professionals began their careers in technology and went on to learn security. Although professionals typically have technology backgrounds, increasingly they are also coming from risk assessment areas with strong project management experience.

The two most common job paths available to information security professionals are the security technologist or the security manager/strategist. Some professionals enjoy meeting the day-to-day technical challenges of the security technologist role and will remain there throughout their careers, although even this role is increasingly requiring the “soft skills” of business knowledge, communication and collaboration. Others acquire the management skills needed to bridge the gap between an organization’s technical and business priorities.

Desired attributes for a security technologist may include:

• Deep understanding of multiple technologies
• Subject matter expertise in a technical domain
• Desire to remain part of technical implementation and monitoring side of security

Desired attributes for a security manager may include:

• Broad understanding of multiple technologies
• Executive management and presentation skills
• Particular knowledge of a business line or product
• Desire to manage broader risk issues

(ISC)2 Career Path

(ISC)2 provides a career path for information security professionals from the beginning of their career until retirement. We offer a unique blend of certifications, advanced education, rigorous testing and specialized concentrations. (ISC)2 members are at the forefront of today’s dynamic information security industry. Look for one of these credentials when you make your next hiring decision.
Crafting a Job Description

A common misconception that still exists in many HR departments is that information security is part of information technology. In fact, because of expanding business requirements, the information security profession has splintered into many different facets beyond IT and offers specialization in process, auditing, policy, compliance and other topics. As with many fields, even a position with the identical job title in two departments of the same company can have different requirements.

The key to developing a solid job description for the information security field is to ensure the hiring manager has an in-depth conversation with the HR department. Regardless of the level of the position, this initial discussion should help the hiring manager focus on what the organizational chart looks like, where this position sits, its roles and responsibilities, how the position relates to the larger organization, and expectations for success.

If you are working with an experienced external recruiter who specializes in information security, this is the time to get them involved in the process. A knowledgeable recruiter can advise you on competitive salary ranges for the role and assist with the creation of the job description.

Getting the recruiter involved this early in the process lays the groundwork for a successful partnership by creating a common understanding of the role and responsibilities and consistent messaging to potential candidates.

An information security manager’s job description may include:

• Develop and oversee implementation of the organization’s information security policies and procedures;
• Oversee implementation of the organization’s information security policies and procedures;
• Ensure unauthorized intrusions, access and tampering are prevented, and detect and remediate security incidents quickly;
• Ensure the most effective and appropriate security technology tools are selected and correctly deployed;
• Provide information security awareness training to all employees, contractors, alliances, and other third parties;
• Monitor compliance with the organization’s information security policies and procedures among employees, contractors, alliances, and other third parties;
• Monitor internal control systems to ensure that appropriate information access levels and security clearances are maintained;
• Perform information security risk assessments and ensure auditing of information security processes;
• Prepare the organization’s disaster recovery and business continuity plans for information systems;
• Monitor changes in legislation and accreditation standards that affect information security.
Certification Requirements

In the requirements area, in addition to the education and experience level you are seeking, it’s important to determine the professional certification that best validates a candidate’s suitability for the position. If you are seeking a security technologist, a vendor certification that matches your organization’s particular technology environment, such as certifications from Microsoft or Cisco, might be desirable.

A vendor-neutral certification to ensure the security technologist understands the overarching principles of effective security and can communicate well with security management is also desirable. These include certifications such as the Systems Security Certified Practitioner (SSCP®) from (ISC)2® and the GIAC from SANS.

According to the 2006 Global Information Security Workforce Study, 85 percent of security hiring managers worldwide believe in the importance of information security certifications as a hiring criterion. Employee competency and quality of work remain the top reasons that employers and hiring managers continue to place emphasis on security certifications. Company policy and regulations are becoming critical reasons as well.

For security management positions, the industry’s gold standard certification is the Certified Information Systems Security Professional (CISSP®), also from (ISC)2. The CISSP was developed by information security pioneers in the early 1990s and is the first and most respected security credential on the market. It tests the broadest knowledge of any information security certification with a six-hour exam on its CISSP CBK®, a regularly updated taxonomy of global information security topics. It also requires the candidate to possess five years of experience in at least two domains of the CBK, obtain endorsement by a certified (ISC)2 professional, subscribe to the (ISC)2 Code of Ethics, and complete annual continuing professional education requirements to remain certified.

Other professional security certifications include the Certified Information Security Auditor (CISA) and Certified Information Security Manager (CISM) from ISACA, as well as CISSP Concentrations from (ISC)2 in management, architecture and engineering.
Recruiting

Information security professionals possess highly specialized skills that are in high demand. Because of this demand, talented professionals are often available for just a few weeks. It’s a fact of the current market that organizations must hire a desired candidate quickly. Many qualified candidates are lost because the hiring process went on too long.

To be competitive in successfully recruiting information security professionals, the HR department should partner with the hiring manager and a specialized recruiter to streamline the hiring process before recruiting begins. Engaging a specialized recruiter can have many benefits, including reducing your time to hire, reaching passive candidates and extending your brand in a positive manner to the community. Make sure you choose a firm that has an established track record of success in the types of roles that you are filling and knowledge of your industry. Ask for references and gain a comfort level with the recruiter to ensure that you are confident that they are capable of partnering with you on the full life cycle of recruitment, from sourcing the candidate through negotiating an acceptance. Developing a trusted relationship with a specialized recruiter will enable you and the hiring manager to have confidence that you are finding the best possible candidate in the most expedient time frame.

Professional associations can also be an excellent resource for finding the right candidate. (ISC)2®, for instance, offers employers access to nearly 60,000 certified members worldwide through its online Career Center. Employers can post jobs and search resumes by industry, specific certification and location. Only certified (ISC)² credential holders may post resumes on the (ISC)² Career Center. The service is free of charge.

Another avenue of recruiting is to build a partnership with an association and sponsor programs or provide informational sessions that might be appealing to their membership. Placing your organization’s name regularly in front of security professionals is a great way to connect with the person who is not actively looking but may be interested when he or she hears about an opportunity.

If your position is one that a recent college graduate would be qualified for, consider contacting schools that have been qualified as a U.S. National Center of Academic Excellence in Information Assurance Education (CAEIAE) Program or regional equivalent (www.nsa.gov/ia/academia/caeiae.cfm). The goal of the U.S. program is to identify four-year colleges and graduate-level universities that demonstrate academic excellence in information security education. Currently, there are 85 National Centers of Academic Excellence in Information Assurance Education.

You may also wish to consider a student or recent graduate who has attained the Associate of (ISC)² designation. This designation is earned by those who pass the rigorous CISSP® exam and have committed to the professional Code of Ethics but do not yet possess the requisite experience to be certified.
Screening

Detailed initial screening of the information security candidate will allow for a better assessment of whether an individual’s goals and motivators are in line with what the organization is seeking.

Information security is a relatively new discipline and has a recently established educational curriculum and career path. For instance, many academic institutions have only been offering security-focused programs in the past five years or so. Besides the IT field, many more senior information security professionals have come from the military, law enforcement and security auditing fields.

Below are some general requirements or suggestions, broken down by education, technical skills and general skills.

Education Options/Requirements:

• Associate Degree in systems administration
• BA in information technology or related field
• BS in computer science or equivalent information security experience
• MS or MA for director or higher position
• Ph.D. for professor, researcher, advanced developer

Technical Skills Required:

• Knowledge of network systems and security protocols
• Knowledge of security software programs and implementation
• Knowledge of best practices in developing security procedures and infrastructure

General Skills and Aptitudes:

• Excellent oral, written and presentation skills
• Strong conceptual and analytical skills
• Ability to operate as an effective member of a team
• Ability to manage multiple diverse tasks simultaneously
• Strong project management skills (ability to manage the overall project while understanding the subcomponents and how they relate to the total project)
• Possess a vendor-specific or vendor-neutral professional certification*
• Excellent leadership qualities*
• Demonstrate interpersonal and conflict management skills*
• Ability to effectively relate security-related concepts to a broad range of technical and non-technical staff.*

* Helpful for advancement to information security management.
Interviewing

Before any interview, HR should work with the hiring manager and specialized external recruiter to develop a set of evaluation criteria for all to follow and confirm who the final decision maker will be. The final decision maker, along with the interviewers, may then create an evaluation form listing agreed upon critical profile points for each position. It can include specific technical requirements, cultural fit, communication and presentation skills, potential for growth, and relevant past experiences.

Each interviewer ought to touch on all topics but also be assigned specific profile points to delve into. This approach will facilitate a comprehensive understanding of the candidate’s strengths and weaknesses, allowing the decision maker to make an informed choice when extending an offer.

Companies need to devote attention to selecting and preparing the interviewers. Those selected should have a clear understanding of the roles and responsibilities of the position and know the priority of skills required. In addition, all interviewers must provide a consistent message about the details of the position, such as reporting structure, title, compensation, and responsibilities.

Everyone must also take part in selling or closing the candidate. This means everyone in the interview process must be positive and informative, and highlight the position’s potential for growth. Interviewers must recognize that they are the face of your department and company, and the image they present will make a significant impression on the candidate.

While the hiring manager will likely focus on the hard technical skills, HR should help the interviewers get a sense of the candidate’s “soft” skills: that he or she can communicate effectively and articulate business value. If the information security professional cannot positively influence employees, especially those not under his or her direct authority, processes and technology won’t solve anything. Asking the candidate to explain a security issue to a non-technical person can be one way of evaluating their communications skills.

The candidate should know how to deliver appropriate messages to different audiences and tailor security posture to fit the specific needs and risk appetites of an organization. Ask the candidate to provide examples of where he/she has utilized common ground to build credibility and gain consensus.

Leadership is another key desired attribute, and asking for a specific example where the candidate demonstrated leadership can be helpful. Both the answer and the manner in which it is answered reflect leadership qualities.

Another good interview question can center on what differentiates the candidate from other information security professionals. A quality to look for includes how well a candidate articulates the effect their efforts have had on the success or bottom line of their organization.

Ask the candidate to describe a specific security issue and how he or she solved it. The type of answers you hear define the traits of a successful security professional:

• Did they display an understanding of the cause of the problem before they implemented the solution?
• Did they consider and anticipate the impact of different courses of action?
• Were they able to tailor the solution to meet the needs and risk appetites of the business, and how successful were they in communicating the results?

Also, identify what your candidate reads and the Websites they visit. Information security is a field that’s constantly changing, so you should make sure a candidate is well-informed and keeping up with the latest forums, discussion groups and other industry sites.
References/Security Checks

Checking references and verifying background information are critical when hiring an information security professional, as information security professionals have more access to employee, customer and proprietary data than often any other single job function. Strong ethics and honesty are imperative.

Professional references not only validate and verify an information security candidate’s technical ability to do the job but also his/her communication skills, personality and moral compass. An information security candidate who fails a background check either for errors of omission, misstatements of facts, or financial or legal problems presents a red flag, and great care should be taken before proceeding any further with the hiring process.

Test the candidate’s credibility by verifying academic and professional credentials, professional background and personal references. (ISC)2® offers a free online certification verification tool for employers that only takes a few seconds. Also, several vendor-neutral certification organizations, including (ISC)2, require candidates to subscribe to a professional code of ethics and risk de-certification if they are found to be in violation.

Look at credit reports as an indication of financial problems that may influence misdeeds. Some of the issues to consider are a record of multiple collections, civil judgments, bad debts, charge-offs, a tax lien or repossession.

Make sure you notify the applicant that he or she can dispute the information contained in the background check report if he or she deems it to be inaccurate or incomplete.
Crafting and Presenting an Offer

HR departments often fail to recognize that salary scales for information security professionals are higher than general IT practitioners, resulting in the extension of offers that are below market value and ultimately rejected. Information security is a field where conditions are constantly changing, and it is difficult to stay on top of the skill sets, profile and market value of security professionals.

Be hesitant to rely on information security salary surveys by publications and industry analysts, as they are often not in line with the realities of the marketplace, offering estimates that are much lower than actual. These don’t take into account the specialist skills in demand, different geographic regions and different organizational layers to be used to make a competitive offer.

One of the more accurate salary surveys is included in the Global Information Security Workforce Study, which surveys thousands of information security professionals worldwide. It can be downloaded free-of-charge from the (ISC)2® Website at www.isc2.org/workforcestudy.

Before making a decision on an offer, make sure the interview team:

• Collects and discusses evaluation criteria
• Understands the candidate’s total current compensation and expectations
• Considers creative compensation alternatives to retain high-caliber talent.

Again, everyone should be aware of the hiring process time line. The more time taken to deliver the offer, the more likely the candidate will be contacted by other companies, may re-evaluate his/her current position, get promoted, or just plain lose interest. There is an inverse correlation between the length of time it takes to extend an offer and the number of offers accepted.

If you can, be creative in your job offer by including a bonus or commission related to performance beyond the base salary. It’s a fact, too, that many information security professionals are not attracted solely by salary and respond to opportunities to further their educational development, work on an innovative project, obtain professional certification, attend conferences, write and publish papers, join associations, etc. Many professionals appreciate the flexibility to network with their peers in addition to meeting the requirements of their job. Much of that networking also makes them more knowledgeable professionals.

It is also wise to discuss succession plans. Discuss professional growth and give examples of how other employees have developed a more prominent role during their tenure at the organization. Also consider the organization’s policy for reimbursement of certification and education fees, continuous education, etc.

In the end, the hiring manager, HR and recruiter should work together on presenting and selling the offer. Presentation and messaging are extremely important in making a successful offer and retaining the desired candidate. Information security professionals generally aren’t prima donnas but often receive a certain level of attention from your competitors because of their specialized skills and high demand in the marketplace.
Retention

With the amount of competition for quality information security professionals, companies must take a more strategic and supportive approach to retention if they want to keep the new breed of evolving talent.

Develop a formalized career progression for the best and brightest members of your current information security team. One of the most unique and beneficial attributes of working in an information security department is the exposure one gets to operations, processes and technologies across all operations. This exposure provides a great training scenario for building the management teams of the future.

Also, defined career paths will help assure the continuing supply of capable successors for each important position within the security team.

Organizations must work to satisfy the long-term career goals and need for professional challenges of its information security staff because they are in such high demand in the job market.

HR professionals should also encourage information security employees to seek out opportunities in training and education. Evolving and emerging threats and attacks will continue to require security professionals to learn new skills and techniques. By cultivating home-grown talent, the HR team will be giving valued employees the tools to succeed, benefiting the organization in the long run. In addition, the reputation of having a strong security team can result in an organization’s ability to hire the best candidates on the market.

Also allow the security professional to network with their peers to establish an external support network consisting of people outside of their company that they can go to openly or privately for advice and support.
Resources

AFCEA International
www.afcea.org

Alta Associates
www.altaassociates.com

American Council for Technology (ACT) and Industry Advisory Council
www.actgov.org

American National Standards Institute (ANSI)
www.ansi.org

ASIS International
www.asisonline.org

Computer Security Institute
www.gocsi.com

The Computing Technology Association (CompTIA)
www.comptia.org

Executive Women’s Forum
www.infosecuritywomen.com

Information Assurance Professionals Association (IAPA)
www.iapa-glc.org

Information Systems Audit and Control Association (ISACA)
www.isaca.org

Information Systems Security Association (ISSA)
www.issa.org

Information Technology Association of America (ITAA)
www.itaa.org

International Association of Privacy Professionals
www.privacyassociation.org

International High Technology Crime Investigation Association (HTCIA)
www.htcia.org

International Information Systems Forensics Association (ITFSA)
www.iisfa.org

International Information Systems Security Certification Consortium, Inc. [(ISC)2®]
www.isc2.org

Internet Security Alliance
www.isalliance.org

National Academic Centers of Excellence
www.nsa.gov/ia/academia/caeiae.cfm

SANS Institute
www.sans.org

Security Industry Association
www.siaonline.org
Acknowledgements

(ISC)² wishes to acknowledge the invaluable
contributions of Joyce Brocaglia, president and
CEO of Alta Associates, Inc., in the making of
this guide. Founded in 1986, Alta Associates is
widely respected as a leading information security
recruiting firm, helping global enterprises build
world-class information security departments for
22 years. For more information, please visit
www.altaassociates.com