Twenty years ago, when I was in high school, computers had just made their way onto the desks of staff and administrators. I couldn't play football or slam dunk, but I could wrestle a computer program to its knees, and nothing gave me more pleasure than beating the administration at their own game. Before I incriminate myself further, let me get to the point: I understand what lurks in the restless hearts of the thousands of students whose records we secure. Grades, tests, and even confidential e-mail messages are all susceptible to the urges of nascent crackers.
And then there's the problem with people like us. When it comes to security, many of us don't know what we don't know. And this lack of knowledge potentially places all of our networks in danger. If you have an administrator who leaves her password taped under her keyboard, or a teacher who doesn't change his password (ever!) or can't be bothered to log out or lock the computer, all the firewalls and antivirus programs in the world will not protect your network.
That's why it's critical to have someone at your district or school who can not only design a comprehensive security plan, but educate the staff as to why security is necessary. Achieving this requires formal training. One path to better understanding security is through local universities that offer technical degrees. In San Francisco, for instance, Golden Gate University's School of Technology (www.ggu.edu/school_of_technology) has created a new master's program in systems and network management. Three of the 10 classes in this program specifically address enterprise and network security.
The quicker route, and the one I ended up taking, was the (ISC)2's Certified Information Systems Security Professional program, a well-constructed, vendor-neutral certification that offers best practices, recommended procedures, and much more on topics ranging from business continuity to security architecture. To be certified, you can read a 550-page book, which costs about $75, or take a one-week crash course that typically costs in the $2,000 range. Either way, after passing a test on your new-found knowledge and having another CISSP verify your practical experience, you will receive your certification.
The CISSP certification is excellent for the person who is or will become the designated security manager for your organization; however, it may not be the best fit for every person in your technology department. In order to determine what's appropriate, start by doing your own research. Below, I've broken out a list of selected security certifications to investigate. Each site includes recommended readings and classes designed to help you achieve certification.
For security managers:
For security practitioners:
For junior security practitioners:
Eric Svetcov, CISSP, is president of Palint Technology, Inc. and former director of technology for St. Ignatius College Preparatory in San Francisco.
Learn more about security issues at our Web site.
Data Privacy Trouble Spots (August 2004 issue)