If you've been in IT for any length of time, you've heard the debates about experience vs. certification. Experienced professionals sometimes claim that they do not need a certification to prove their knowledge, since hands-on experience is the best proof of all. Others, who are trying to advance their careers, hope that a certification will help document their skills, fulfill job application requirements, and justify higher pay.
But here's a new perspective you may not have considered: You might need to hold special information security certifications just to meet your industry's regulatory or compliance guidelines. The Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act of 1999 (GLBA) may require some IT pros, along with others in the organization, to have certain information security (infosec) certifications.
In the United States, we now have legislation that is forcing the healthcare industry to strictly manage the privacy and security of sensitive information, such as health records. Healthcare organizations have already invested untold millions to comply with HIPAA's Privacy Rule. Hospitals, insurers, physicians, and all other employers that handle patient information are now required by law to meet regulatory requirements for protecting personal health information from “deliberate or inadvertent misuse or disclosure.”
Part of that responsibility includes making sure that organizational security policies are complete and comprehensive and that employees are properly trained to understand, implement, and maintain information security as specified within those policies. Healthcare organizations may show that employees are properly trained by providing simple security awareness training documented with house-administered tests for everyday users of the information. However, the people who implement and maintain the controls that enforce the confidentiality, integrity, and availability of information (the information custodians) are naturally expected to have a far greater depth of understanding of how to protect data.
To prove that their information custodians are up to the task, healthcare organizations may require a private sector certification called the Certified Information Systems Security Professional (CISSP), which is widely recognized as a premier certification for the security management concerns addressed in HIPAA.
Although HIPAA does not explicitly refer to or require the CISSP itself, the certification serves as a strong way for healthcare providers to ensure that their key information security staff are competent. The certification might even lend more credibility to the provider's commitment to practicing proper due diligence with regard to meeting HIPAA's information security mandates.
Jim Bahm, president of Networking Technologies in Erie, PA, is a professional acquaintance of mine who is heavily involved in helping healthcare providers with security control design and implementation. He recently explained to me the enormity of interpreting the actual security control requirements of HIPAA, only to face the staggering task of translating those requirements into effective—and compliant—technical solutions. This level of comprehensive understanding of the whole of information security design and management cannot be validated by a typical technical certification.
The CISSP is a certification that testifies to an individual's understanding of a broad spectrum of information security, from general security management practices to physical security to infosec legal and ethics issues to cryptography. It's designed to demonstrate an individual's strong understanding of every aspect of protecting information confidentiality, integrity, and availability.
The Gramm-Leach-Bliley Act
The healthcare industry is not alone in its dilemma of rushing to meet federally imposed standards of privacy and security. The GLBA enforces similar requirements on financial services companies. Like HIPAA, GLBA was designed to enforce information privacy as well as security. You've probably experienced the touch of GLBA yourself. Remember when your credit card company and bank sent you those notices explaining their position on maintaining confidentiality of your personal financial information and even providing you with the opportunity to “opt out” of allowing them to share such information with other “affiliated” organizations? Yeah, that was the GLBA Privacy Rule.
The Privacy and Safeguards restrictions and guidelines outlined in the GLBA are fairly lengthy and complex, but they're not nearly so difficult to interpret as those found in HIPAA. Most financial services companies, including banks, have already been thoroughly audited for compliance with the Privacy Rule, but the final Safeguards Rule is just now hitting the end of its compliance grace period.
As of May 23, 2003, banks must be able to prove compliance with the Safeguards Rule to various governmental agencies, including the FTC, FDIC, the Federal Reserve, the OCC, and the OTS. Interpreting the GLBA Safeguards Rule is a little easier than with HIPAA since we really know which agencies are enforcing it. Those agencies have also provided a condensed, user-friendly set of guidelines for complying with the Safeguards Rule.
Where does information security certification come in? The GLBA guidelines are pretty clear about requiring a financial institution to prove its internal information security expertise. Take a look at these audit items taken directly from the FDIC's "Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information":
- If the board has assigned responsibility for program implementation and review of management reports to an individual or committee, do they possess the necessary knowledge, expertise, and authority to perform the task?
- Has the institution used personnel with sufficient expertise to assess the risks to its systems and customer information on an enterprise-wide basis?
- Is staff adequately trained to implement the security program? Review existing staff qualifications and requirements for ongoing training to ensure that the staff stays abreast of current technology and methods to safeguard customer information.
- Obtain from management a listing of the training provided to all users of the institution's system. Training includes awareness programs as well as classroom instruction. Training should be consistent with user's security-related responsibility and function.
As you can see, these requirements go straight to the point. In an audit with the FDIC, a bank must not only show how it is protecting and safeguarding its customers' personal information, but it also must document and prove that its staff and executive management have the knowledge and expertise necessary to get the job done.
Having its security management, technology management, and even some of its executive management achieve CISSP certification helps an organization fulfill GLBA compliance. That's why my training company has many bank clients who send a wide variety of executives and personnel to our CISSP classes across the United States. These financial institutions also invest in computer-based CISSP training to keep staff education current.
The European perspective
As an interesting aside, I was fortunate to meet two gentlemen who attended a CISSP class I taught recently in Dublin, Ireland—Dan Quealy and Mick Hughes. As the director of security and technology solutions for Ernst & Young, Quealy was able to provide some insight into how organizations in Europe are struggling to meet the information security standards found in BS7799 and ISO17799, which are used as a “common language” for IT security management best practices. Neither the British Standard nor the ISO standard is actually law, but both provide much of the foundation or framework for emerging European and international information security laws.
Hughes is an independent incident response and computer forensics expert in Dublin. He was able to illustrate how the influence of local governments, although well intentioned, can sometimes seem difficult to justify. He showed an example with the pending Irish Private Security Services Bill, 2001. An interesting quirk of this bill is that it requires security personnel and companies to obtain a license to provide security services. That sounds like it might be a good idea, but the bill goes on to explain that security personnel include security guards as well as IT security consultants, and they all have to pass the same exam for the same license.
An opportunity to lead
HIPAA and GLBA compliance requirements have moved IT security to the top of the executive agenda. The acts have given IT professionals another reason to pursue certifications like the CISSP and have challenged the executive and board-level officers at healthcare and financial institutions to obtain the technical knowledge necessary to make critical information security decisions. Further, the requirements of HIPAA and GLBA offer IT pros an opportunity to lead changes that will affect their entire organization.
Are your company's non-IT personnel getting security certs?
If you work for a banking or healthcare organization, does it encourage non-IT personnel to obtain infosec certs? If so, have you, as an IT pro, been asked to assist them in any way? Send us an e-mail or post to the discussion below.