Made in Australia security qualification?

Commentary: Last October, the Australian Computer Society mooted a grandiose plan to create a software accreditation policy, proposing that developers be members of a professional association before being allowed to practise their trade.

The idea was swiftly rejected by programmers, many questioning the right of the ACS to act on their behalf. The organisation, after all, does not exclusively represent the interests of software developers.

One ZDNet Australia reader rebuked the organisation, saying: "ACS is, and has always been in the 12 years I have been a professional programmer, a joke of an association. For the money you pay out, they do very little, and have absolutely no power in controlling how an employer may treat you."

Another reader asked if the software accreditation policy was a way for the ACS to display its elitist mentality. "They are trying to disguise it under the idea of securing Australia's place in the international development arena. What a joke. Developers having to be accredited in order to work is a sure fire way to disaster."

For now, the ACS has remained mute about plans to endorse the credentials of software developers.

There is a vast chasm between certification and accreditation. Certification is the technical evaluation that a product, system or individual meets a defined standard; accreditation is the formal decision by a responsible authority to accept that evaluation and authorise use. Certification is therefore a prerequisite for accreditation. Not everyone understands the difference, but hopefully the government does.

The Department of Communications, Information Technology and the Arts (DCITA) has released a request for tender seeking to create an Australia-specific skills accreditation and certification scheme for IT security professionals.

DCITA concluded that although vendor-specific and international IT security qualifications exist, there is a need for a widely-accepted or consistent framework for e-security qualifications and skills recognition in the Australian marketplace.

This requirement was first highlighted by a number of unnamed industry representatives and associations. They argued that a localised qualification would improve IT consumer choice and enhance overall industry standards. How this is so remains to be seen.

The government will adopt a hands-off approach -- the scheme is to be driven, administered and funded by the domestic technology and communications industry. Unfortunately, this could waste time, money and resources, since Australia already has policies and procedures to ensure minimum standards for ICT security. These are applied across Commonwealth government agencies and led by the Defence Signals Directorate, the national authority for signals intelligence and information security.

For instance, the Australasian Information Security Evaluation Program (AISEP) ensures that a range of independently evaluated IT products is available to meet the needs of Australian and New Zealand government agencies; products evaluated against the Common Criteria under the program are listed on the Evaluated Products List. Security companies that want to do business with the government should have their products evaluated under AISEP.

The Department of Foreign Affairs and Trade certifies the physical security of sites housing computer systems located overseas, while certification of the IT systems themselves is conducted by the Defence Signals Directorate.

It's also hard to imagine how a purely Australian IT security qualification could match internationally renowned and recognised certifications such as CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), CCSP (Cisco Certified Security Professional) and GSE (SANS/GIAC Security Expert).

Although security requirements for government and commercial entities may vary, DCITA can take the cue from the Defence Signals Directorate and build on security policies that are already in place ... instead of reinventing the wheel.

Developing the framework is the easy part. The biggest challenge will come when it's time to administer such a scheme. Who can we trust to get the job done? Certainly none of our industry associations.


Talkback 7 comments

    Anonymous -- 15/03/05

    Helen Coonan, please wake up. This is a ridiculous move!

    Anonymous -- 15/03/05

    I have a GSEC qualification which was the most difficult (and comprehensive) qualification I have ever obtained (I have been in the computer industry since 1978).

    Thanks but I'll take my GSEC qualification anytime over an Australian one which won't be recognised away from these shores. Whilst I have zero intention of going anywhere else for work, why would I intentionally restrict myself?

    It's a non-starter.

    Anonymous -- 16/03/05

    There are a few things in the article that caught my attention:

    1. reference para 10 'since Australia has existing policies and procedures to ensure minimum standards for ICT security. This is currently applied across all government agencies ....'

    my comment - this is so for the Commonwealth Government agencies but not so for the State Government agencies. DSD has no charter for the State Governments and there is NO ICT Security Authority for ICT Security architecture / design / products etc. for many of the States including NSW.

    The NSW Dept Commerce pushes the responsibility of ICT Security to each of the NSW Gov agencies who typically quote DSD ICT Security guidelines and the Evaluated Products List but have no resources / authority for reviewing compliance, adequacy etc of designs and products (DSD do not provide these services for the State Government agencies).

    The NSW Gov mandates ISO/IEC AS/NZ 17799 yet I could argue that they do not comply as they do not adequately define the 'Security Organisation' - some research for you perhaps.

    A sad state of affairs.

    2. Security is everyone's problem and responsibility and we should all be accountable (no head in sand). People and organisations that make security their business should be leading the way and welcoming accreditation but I believe that it should be aimed at people and not organisations.

    An accreditation program for Security professionals may help weed out opportunists that do not have a real interest in security.

    Perhaps to start with security professionals should go through a security clearance process like the process the Commonwealth Government / Dept of Defence uses. This would place the onus on the individuals to do the right thing.

    I have suggested to some of my clients that they should implement a screening process when evaluating Security organisations and products. I would rate highly, organisations that work regularly with the Dept of Defence and operate security clearances to SECRET level for their security professionals.

    Anonymous -- 17/03/05

    With the plethora of 'global' certifications covering the gamut of security from technical (GSEC) through generalist (CISSP) to auditing (CISA) I can see no benefit for Australian oriented accreditation.

    The only weak point that I have discerned regarding the above certifications (CISA, CISSP) is jurisdictional, in the application of regulatory requirements. Perhaps an examination and/or a requirement to meet a certain level of experience/exposure to certify/accredit practitioners in that jurisdiction.

    Anonymous -- 17/03/05

    This is just another effort by Australia's society for non-professionals, the Australian Computer Society, to take over control of the workforce.

    They think it's easier to gain approval for accreditation of security specialists, so they can use that as a Trojan horse to sneak in accreditation of software engineering and other fields they have no expertise in.

    Neither Mandla nor Varadharajan have actually yet explained how accreditation improves anything, especially if by the ACS.

    It would actually cripple Australian development and leave us stuck years behind while ACS committees composed of lawyers, accountants and academics try to understand modern IT.

    Anonymous -- 18/03/05

    In his article in The Australian, Tuesday 15th March (IT Business section), Professor Varadharajan mentions that "another possibility is for universities to provide security courses covering the required range of topics...".

    RMIT University has offered a Master of Applied Science (Information Security) for the past 5 years. We typically have 80-100 students enrolled. This program includes courses such as Vulnerability Testing, Smartcard Cryptosystems, and Secure E-commerce. A Risk Management course is scheduled to commence in 2006. We believe that students need to understand the basis of Information Security, including cryptography and coding, and to know how to keep learning as the discipline evolves, since certificates have short shelf-lives.

    It is very surprising that in its tender documents DCITA has not mentioned universities, which are major stakeholders in the education area.

    At present, security certifications seem to be proliferating as network administrator certifications did in the early 90s. The Information Security team at RMIT believes that tertiary education in this area is currently available in Australia and is evolving with industry and, as pointed out by Fran Foo on ZDNet, we too feel that, "DCITA can take the cue from the Defence Signals Directorate and build on security policies that are already in place ... instead of reinventing the wheel."

    Anonymous -- 21/03/05

    I think a local IT Security Certification and Accreditation is a great idea. In the absence of any other credible IT organisation in Australia ACS is best placed to develop and manage a process to certify.
