security certifications
Recently Published Documents


Total documents: 15 (five years: 4)
H-index: 2 (five years: 0)

2022 ◽  
pp. 93-118
Author(s):  
Adrian Davis

The chapter looks at the burgeoning field of certification for individuals in the field of information security or cybersecurity. Individual information security certifications cover a wide range of topics from the deeply technical to the managerial. These certifications are used as a visible indication of an individual's status and knowledge, used to define experience and status, used in job descriptions and screening, and may define expectations placed on the individual. This chapter examines how these certifications are produced, the subjects they cover, how they integrate, and the various audiences at which the certifications are aimed. The role, the perceived and real value, and benefits of certification within the field of information security both from an individual and an organizational perspective are discussed. Finally, some conclusions on certification are presented.



2018 ◽  
Vol 4 (4) ◽  
Author(s):  
Deeksha Gupta ◽  
Edita Bajramovic ◽  
Holger Hoppe ◽  
Antonio Ciriello

Companies involved in the nuclear energy domain, like component and platform manufacturers, system integrators, and utilities, have well-established yearly trainings on Nuclear Safety Culture. These trainings are typically covered as part of the annual quality assurance-related refresher trainings, introductory courses for new employees, or indoctrinations of temporary staff. Gradually, security awareness trainings are also addressed on a regular basis, typically with a focus on information technology, the daily office work, test bay, or construction site work environment, and some data protection and privacy-related topics. Due to emerging national nuclear regulation, steadily but surely, specialized cybersecurity trainings are foreseen for integrators and utilities. Beyond these safety, physical security and cybersecurity specific trainings, there is a need to address the joint part of these disciplines, starting from the planning phase of a new nuclear power plant (NPP). The engineers working on safety, physical protection, and cybersecurity must be aware of these interrelations to jointly elaborate a robust instrumentation and control architecture (defense-in-depth, design basis events, functional categorization and systems classification) and a resilient security architecture (security by design, security grading, zone model or infrastructure domain, security conduits, forensic readiness, security information, and event management). This paper provides more in-depth justification of when and where additional training is needed, due to the ubiquitous deployment of digital technology in new NPPs. Additionally, for existing NPPs, the benefits of conveying knowledge by training on specific interfaces between the involved disciplines will be discussed. Furthermore, the paper will address the need of focused training of management stakeholders, as eventually, they must agree on the residual risk. 
The decision-makers are in charge of facilitating the interdisciplinary cooperation in parallel to the allocation of resources, e.g., on security certifications of products, extended modeling-based safety and security analyses and security testing coverage.


2018 ◽  
Vol 7 (2.32) ◽  
pp. 315
Author(s):  
V Naresh ◽  
M Anudeep ◽  
M Saipraneeth ◽  
A Saikumar Reddy ◽  
V Navya

The cloud stockpiling framework, comprising capacity servers, gives long-haul stockpiling administrations on the Internet. Maintaining the data in the cloud computing of third parties generates serious concern about the confidentiality of data and the reduction of data management costs. Nonetheless, we should give security certifications to outside information. We plan and actualize a protected cloud stockpiling framework that gives secure and available record security for document administration and secure information exchange. It includes foreign files with a file access policy, possibly deleting files, to avoid being denied to anyone with a file access policy. To achieve these security objectives, a set of password keys is implemented that maintain a host(s) or head(s) separately. We offer a twofold edge intermediary coding plan and incorporate it with a decentralized disposal code, which is detailed with a safe cloud storage framework. The cloud storage system not only provides a secure and stable search and storage of data, but also allows the user to transfer their data to the user of the backup to another user without the data being returned.


Author(s):  
Deeksha Gupta ◽  
Edita Bajramovic ◽  
Holger Hoppe ◽  
Antonio Ciriello

Companies involved in the nuclear energy domain, like component and platform manufacturers, system integrators and utilities, have well established yearly trainings on Nuclear Safety Culture. These trainings are typically covered as part of the annual quality assurance-related refresher trainings, introductory courses for new employees, or indoctrinations of temporary staff. Gradually, security awareness trainings are also addressed on a regular basis, typically with a focus on IT, the daily office work, test bay or construction site work environment, and some data protection and privacy-related topics. Due to emerging national nuclear regulation, steadily but surely, specialized cybersecurity trainings are foreseen for integrators and utilities. Beyond these safety, physical security and cybersecurity specific trainings, there is a need to address the joint part of these disciplines, starting from the planning phase of a new Nuclear Power Plant (NPP). The engineers working on safety, physical protection and cybersecurity, must be aware of these interrelations to jointly elaborate a robust I&C architecture (defense-in-depth, design basis events, functional categorization and systems classification) and a resilient security architecture (security by design, security grading, zone model or infrastructure domain, security conduits, forensic readiness, Security Information and Event Management). This paper provides more in-depth justification of when and where additional training is needed, due to the ubiquitous deployment of digital technology in new NPPs. Additionally, for existing NPPs, the benefits of conveying knowledge by training on specific interfaces between the involved disciplines, will be discussed. Furthermore, the paper will address the need of focused training of management stakeholders, as eventually, they must agree on the residual risk. 
The decision-makers are in charge of facilitating the inter-disciplinary cooperation in parallel to the allocation of resources, e.g. on security certifications of products, extended modeling-based safety and security analyses and security testing coverage.


Author(s):  
Carlo Di Giulio ◽  
Read Sprabery ◽  
Charles Kamhoua ◽  
Kevin Kwiat ◽  
Roy H. Campbell ◽  
...  

Author(s):  
A. D. Smith

Even before September 11, 2001, security and privacy was a concern to nearly 80% of the current and potential Internet users around the globe, according to a survey released by the Information Technology Association of America (ITAA) (Poulsen, 2000). The survey, commissioned by the American Express Company, randomly polled 11,410 people in 10 countries, and found that nearly half of the respondents enjoyed some form of Internet access. As might be expected, most of the world’s Internet users utilize the Internet for e-mail, browsing, and entertainment. However, fewer than 28% do some shopping online, and 24% use the Internet for banking and financial transactions. But when Internet users and non-users of many countries were asked if they agree with the statement, “I am or would be concerned about security and privacy issues when purchasing or making financial transactions online,” 79% agreed. Prior to the tragedy of September 11, 2001, U.S. citizens also expressed legitimate concerns toward the issues of privacy and security, with an 85% showing. The poll released by the Information Technology Association of America also illustrated that approximately 80% have doubts about the U.S. government’s ability to maintain computer security and privacy. Hence, protecting operating systems is a major strategic concern if the success of e-government as a whole is to reach its potential. Although most of these issues are typically not discussed in relationship with e-government, the need for trusted computing systems within e-business and computing systems can be made as an effective argument that all these issues affect e-government systems as well. Secure computing systems issues in terms of e-government are just as important.
The scope of this article is to present a description of one of the most generally known security certifications; namely, the trusted computer system evaluation (TCSEC) and its commercial implementation procedure in the commercial product evaluation process and discuss the influence of this evaluation/certification on the incidence of hacker attacks on e-business. As evident by the abundance of marketing literature of different operating systems for e-business that frequently refers to its security strength ranked against popular security certifications, it is very common to rank commercially available operating systems against TCSEC evaluation and/or certification criteria. This article will also explore where the many operating systems stand on this particular evaluation. In essence, given the vulnerabilities exposed after September 11, 2001, strategic security managers should be deeply concerned that the e-business platform they are responsible for contains the highest security standards to prevent any type of potentially harmful hacker attacks. Managers need to have a working knowledge of TCSEC security evaluation/certifications to become better informed when choosing the e-security platform for e-government/e-business. Essentially, the selection of a particular operating system for e-government/e-business has as much to do with factors ranging from existing skills, existing infrastructure, and economic reasons all the way up to political and strategic reasons. In dealing strategically with modern e-business environments, one of the most important factors that management must consider when choosing an operating system for their e-business platform is the security strength to resist computer hacker attacks on the operating system.
If, for example, during different hacker attacks, one of the major aspects of these attacks is a certain operating system, as opposed to other systems, then this is a clear message to management to build in proper safeguards in the proposed operating system (Smith & Rupp, 2002a, 2002b). Certainly some of the reasons for frequent hacker attacks may be probabilistic in terms and not random events, since Linux and Windows operating systems are more frequently used for e-commerce than other systems. So, it is not surprising that there are practically few reports of successful hacker attacks against operating systems that run e-business platforms (Smith, 2005; Smith & Lias, 2005; Smith & Offodile, 2002).

