A Global Information Assurance Certification (GIAC) is a vendor-neutral accreditation that IT professionals can earn to demonstrate security expertise. The System Administration, Networking, and Security (SANS) Institute founded GIAC in 1999 to “validate the skills of security professionals.” This isn’t hype, folks. If you’re pursuing GIAC accreditation, be prepared to do more than just study a few books and take tests.

The certifications
GIAC offers 10 certifications, or tracks, that each require completing a practical assignment and passing one or two exams. The tracks are:

  • GIAC Security Essentials Certification (GSEC)
  • GIAC Certified Firewall Analyst (GCFW)
  • GIAC Certified Intrusion Analyst (GCIA)
  • GIAC Certified Incident Handler (GCIH)
  • GIAC Certified Windows Security Administrator (GCNT)
  • GIAC Certified UNIX Security Administrator (GCUX)
  • GIAC Information Security Officer – Basic (GISO – Basic)
  • GIAC Systems and Network Auditor (GSNA)
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Security Leadership Certificate (GSLC)

GIAC also offers its GIAC Security Engineer (GSE) track, but it requires more than just writing a practical assignment report and taking one or two exams. It’s not for the faint of heart.

To be eligible to sit for the GSE exam, you must earn and maintain all GSE track exams, which include the following:

  • GIAC Security Essentials Certification
  • GIAC Certified Firewall Analyst
  • GIAC Certified Intrusion Analyst
  • GIAC Certified Incident Handler
  • GIAC Certified Windows Security Administrator
  • GIAC Certified UNIX Security Administrator

You must also receive honors (scoring 90 or higher) in at least one subject area certification exam or practical assignment. To earn GSE certification, you have to pass a multiple-choice exam testing technical knowledge, a hands-on test of practical exercises, and a written scenario-based test, as well as a supervised hands-on evaluation of a real-world network.

The practical assignment
Before you can earn a GIAC certification, you must complete the written practical assignment. Essentially, that means you must write a research paper that can run anywhere from 15 or 20 pages to 100 or more. Once a GIAC Authorized Grader approves the practical assignment paper, you can take the exams needed to earn GIAC certification.

Authorized Graders are selected from the pool of GIAC-certified professionals who have scored well on GIAC practical assignments and exams, and who have experience working in the IT industry. The actual practical assignment topic is dependent upon the certification being pursued. Past practical assignment topics have ranged from developing a security policy for a fictitious company with specified needs to creating a security architecture for a company with specified requirements, as described by GIAC.

Each of the GIAC certifications targets different aspects of IT security. Practical assignment topics are announced at SANS training conferences (that map to GIAC tracks), as part of an online training session (that also maps to a GIAC track), or when a candidate who won’t be attending a special preparatory conference or accessing an online training session contacts GIAC to request pursuing accreditation independently. The practical assignments are routinely updated, but if you submit a practical assignment within the allotted deadline, you aren’t required to submit another assignment when the original topic is updated.

Community focus
GIAC makes excellent use of these practical assignments by posting papers receiving passing grades on its Web site. As additional IT professionals earn GIAC accreditation, the organization builds a larger library that can be used by GIAC-certified professionals, as well as others in the industry, for research.

Like having GIAC-certified individuals serve as Authorized Graders, GIAC emphasizes the importance of community participation by publishing the practical assignments completed by its members. The practical assignments GIAC publishes serve to share the research conducted by its members and educate other professionals in the industry.

GIAC also encourages members to serve as mentors in their communities and to educate other IT professionals. Such efforts help extend GIAC’s reach to communities and cities in which conferences aren’t held. In addition, certified community members can serve on an advisory board to help design and beta test new exams, select new practical assignments, and determine SANS/GIAC priorities for other projects.

The actual exams
Fortunately, you don’t need to leave home to take a GIAC exam. Instead, you can take your tests from any Internet-connected computer. No test center visit is required.

Most GIAC exams are 75 questions long, and you’re given two hours to complete them. A few exams run longer, with 90 questions and an extra hour to complete them.

Exam fees are reasonable—$250, if you’re taking the certification in concert with SANS online training or SANS conference training. If you study independently, you must pay an additional $175, making your certification fee $425.

Recertification
Because security threats change frequently, GIAC believes it’s important to maintain security certification. You’re required to recertify most GIAC certifications every two years, which certainly makes sense.

You recertify by taking a refresher exam, which tests you on the most current certification objectives. The cost for the recertification test is $120, although you can renew multiple GIAC certifications in the same year by paying a single $120 fee.

Eckel’s take
More than 3,200 IT professionals have earned GIAC certification. The practical assignment requirement is sure to weed out many IT pros who are unwilling or unable to conduct extensive research and take time to sit down and design, describe, or relate in another manner, some important aspect of IT systems security.

But that’s okay.

When you see IT pros who’ve earned a GIAC certification, you know that they’ve done more than just study for an exam. They’ve also had to apply their knowledge by writing a formal paper that they know will be publicly associated with them when it’s published on the Internet. And if you really want to know just how sharp a GIAC-certified IT professional is, you can read his or her report on GIAC’s Web site.