42
Tools and Techniques for the IT Professional www.certmag.com June 2009 #@%&! $#@% e s L Gossip e r co FREE SPEECH ONLINE Where is the line drawn?
Tools and Techniques for the IT Professional www.certmag.com June 2009
#@%&!
$#@%
es
L
Gossipe
r
co
FREESPEECHONLINE
Where is the line drawn?
INVENT YOUR FUTURE.Get Certified!
Exam Registration Deadline: 23 September 2009
Exam Date: 12 December 2009
Visit www.isaca.org/certmag.
3Cs CertMag 8x10.875:3Cs CertMag 8x10.875 12/15/08 12:05 PM Page 2
June 2009 CERTIFICATION MAGAZINE �
EdITOR’s lETTER
Real-World ITAGAThA GIlMORE
Ah, summer is finally here. Inspired by the hordes of students graduat-ing this month, we, too, decided to venture out into the real world with this issue of CertMag and explore
some of the most inspiring applications of IT in everyday life.
In the cover story, for example, writer Lindsay Edmonds Wickman tackles the controversial — and increasingly prominent — issue of free speech online and the impact of technology on the First Amendment. As one source put it: “We have more opportunities to express ourselves than we had even 20 years ago. [And] speech that might have gone unnoticed, that might have caused no harm, now gets noticed [and] can be global and eternal.”
Then in this month’s Interface, Associate Editor Deanna Hartley talks to Christopher Buse, chief information security officer for the Minnesota Office of Enterprise Technology, about how in government IT, “you’ll never have an opportunity to work on bigger projects where more is at stake,” as Buse put it. “For us, if the systems fail, people could literally die.”
Further, this month’s Job Roles article delves into the world of health care IT, specifically examining the role of the health information manager. The most amazing part of the job? “Your delivery system helps people,” said Lior Blik, CIO for Hoboken University Medical Center. “People’s lives are on these floors in these hospitals. And that is an added value you won’t get in another industry.”
With so much emphasis on the bottom line these days, it’s important to step back, look at the big picture and remember that technology has the power to help, enlighten and shape us. And that, just like summer, is a breath of fresh air. 8
Agatha GilmoreSenior [email protected]
Tools and Techniques for the IT Professional
VOlUME 11 IssUE 6 JUNE 2009
GROUP PUBlIshER John R. Taggart | [email protected]
EdITOR IN ChIEF Norman B. Kamikow | [email protected]
VICE PREsIdENT, EdITORIAl dIRECTOR Mike Prokopeak | [email protected]
sENIOR EdITORs Agatha Gilmore | [email protected] Kellye Whitney | [email protected] Daniel Margolis | [email protected]
COPY EdITOR Meagan Polakowski | [email protected]
AssOCIATE EdITOR Deanna Hartley | [email protected]
VICE PREsIdENT, CREATIVE sERVICEs Kendra Chaplin | [email protected]
ART dIRECTOR Kasey Doshier | [email protected]
PROdUCTION MANAGER Linda Dziwak | [email protected]
TRAFFIC COORdINATOR Ishea Brown | [email protected]
dEsIGNER, sPECIAl PROJECTs Spencer Thayer | [email protected]
WEB MANAGER Michael Elmore | [email protected]
E-MEdIA dEsIGNER Rahel Haile | [email protected]
sENIOR VICE PREsIdENT, OPERATIONs Gwen Connelly | [email protected]
EVENTs MANAGER Trey Smith | [email protected]
EVENTs COORdINATOR Kara Shively | [email protected]
EVENTs sAlEs MANAGER Brian Klunk | [email protected]
MARKETING & COMMUNICATIONs MANAGER Laura Cibuls | [email protected]
BUsINEss MANAGER Vince Czarnowski | [email protected]
CIRCUlATION dIRECTOR Cindy Cardinal | [email protected]
lIsT MANAGER Jay Schwedelson | [email protected]
VICE PREsIdENT, AssOCIATE PUBlIshER James R. Yeakel | [email protected]
AdVERTIsING ACCOUNT MANAGER Dave Lienemann | [email protected]
E-MEdIA & AdVERTIsING ACCOUNT MANAGER Lisa Newton | [email protected]
CONTRIBUTING WRITERs Wayne Anderson Erica S. BrathLeonard FehskensAgatha GilmoreDeanna Hartley
Avner Izhar Carmi LevyElizabeth LisicanJames E. MoliniMeagan Polakowski
Ken WagnerLindsay Edmonds WickmanDave Willmer
Norman B. Kamikow John R. Taggart PREsIdENT EXECUTIVE VICE PREsIdENT
Philip S. Wolin Patricia Pierce GENERAl COUNsEl ChIEF FINANCIAl OFFICER
Certification Magazine (ISSN 1529-6903) is published monthly by MediaTec Publishing Inc., 318 Harrison St., Suite 301, Oakland, CA 94607. Subscriptions are free to qualified IT professionals and are issued in a digital-only format.
Certification Magazine, CertMag and CertMag.com are the trademarks of MediaTec Publishing Inc. Copyright © 2009, MediaTec Publishing Inc. ALL RIGHTS RESERVED. Reproduction of material published in Certification Magazine is forbidden without permission.
Printed by: RR Donnelley Inc., Mendota, IL
� CERTIFICATION MAGAZINE June 2009
JUNE 2009
columnists
Certifying Experience: The New FrontierlEONARd FEhsKENsAs IT departments get leaner, tech professionals must be increasingly flexible and creative to be successful. But how do you know you’ve got the right peo-ple on the job when most certifications validate only knowledge and skills? A new crop of certifications targets this issue by validating competence in hands-on application.
22
CERTIFICATION
26 Free speech OnlinelINdsAY EdMONds WICKMANThe freedom of speech is a basic right in many countries, but the Internet pushes this freedom to the limit. It gives people more opportunities for self-expression, but also defies common standards of decency.
IT CUlTURE
�� health Information Manager: helping People Through TechnologyAGAThA GIlMOREA hefty dose of tech knowledge, a pinch of business savvy and a spoonful of people skills are required to make it in the health care IT industry.
JOB ROlEs
10 TECh CAREERs Making the Best of a
less-Than-Ideal Job dave Willmer
12 dEAR TEChIE Commit to Job as Oracle Apps
dBA or diversify skill set? Wayne Anderson and Ken Wagner
16 TROUBlEshOOTING Remote Internet Access:
Overcoming IP Address, NAT Challenges Avner Izhar
20 lOOK AhEAd Welcome to Netbook Nation
Carmi levy
�2 ENdTAG hooked on Twitter
deanna hartley
#@%&!
$#@%
hateslander
Libel
Gossipobscene
Rumorconfidential
June 2009 CERTIFICATION MAGAZINE �
CERTIFICATIONIT CUlTURE
� EdITOR’s lETTER Real-World IT
6 dATA sTREAM
8 VIRTUAl VIllAGE Connect With IT Professionals
18 WhAT WE lIKE
�1 Ad INdEX
departments1� ACAdEMIC CONNECTION
Maximizing a Jobless summer AGAThA GIlMORE Summer jobs are hard to come by these days, and
as a result, many students are ending the school year without any plans for the break. Despite this setback, they can leverage their time off to build their resumes and add valuable skills to their repertoires.
�2 INTERFACE Academic Background Trumps
All in Minnesota IT Agency dEANNA hARTlEY Technical qualifications aside, a strong educational background can give candidates the upper hand when seeking an IT job in the state of Minnesota.
�8 INsIdE CERTIFICATIONCertifying software security Professionals: The CsslP JAMEs E. MOlINI As humans become more dependent on computer systems, the need for security will only increase. (ISC)2 has responded to that need with an international certification program for software development life cycle professionals.
resources
CERTMAG.COM COMMUNITIEs
CAREER dEVElOPMENTwww.certmag.com/careers Elizabeth Lisican
dATABAsEwww.certmag.com/database
Daniel Margolis
dEVElOPERs & dEsIGNwww.certmag.com/development Daniel Margolis
sECURITYwww.certmag.com/security Carmi Levy
sTORAGE www.certmag.com/storage Deanna Hartley
sYsTEMs & NETWORKs www.certmag.com/networking Shawn Conaway
TRAINERs www.certmag.com/trainers Lindsay Edmonds Wickman
Michael Brannick, President and CEO, Prometric
Peter Childers, Vice President, Global Learning Services, Red Hat Inc.
David Foster, Ph.D., President, Caveon
Neill Hopkins, Vice President, Skills Development, CompTIA
Bee Ng, Ph.D., Senior Director, Autodesk Learning
Shawn Rogers, Worldwide Certification Project Manager, Hewlett-Packard Education
Erik Ullanderson, Manager, Certifications, Cisco Systems Inc.
Daniel L. Veitkus, Vice President, Training Services, Novell Inc.
Bob Whelan, Vice President and General Manager, Pearson VUE
Lutz L. Ziob, General Manager, Training and Certification, Microsoft
editorial advisory board
6 CERTIFICATION MAGAZINE June 2009
dATA sTREAM News & Notes for Certified Professionals
Initiative Builds Workers’ skills, helps With Job PlacementCertiport, which provides training and certification opportunities for digital literacy and desktop pro-ductivity, recently teamed up with Utah’s Kelly Ser-vices in a new initiative to help candidates improve their skills and get placed in jobs.
Under this new partnership, Certiport will offer its certification programs to Kelly workers, and in turn, Kelly will place certified workers with employers in Utah. These certifications include the basic IC3 (Internet and Computing Core Certification) and the Microsoft Office Specialist Certification. Read more at http://certmag.com/read.php?in=3765.
Weathering the storm With Clean TechAccording to an annual report from research firm Clean Edge, the “big three” in clean energy — solar photovoltaics, wind and biofuels — expanded glob-ally by 50 percent in 2008, while wind sector revenues exceeded $50 billion for the first time. While the cur-rent economic situation might stunt clean technolo-
gy’s growth in the near term, long-term growth in this area is expected to boom, and that would mean stimulation for the economy and more jobs in the tech industry.
Benefits include less cost volatility than with traditional energy sources, greater ease in
obtaining permits to build clean energy infrastructure — think of gaining buy-in for a wind farm vs. a coal plant — energy security, and a continuing decline in the costs associated with renewables. Read more at http://certmag.com/read.php?in=3753.
Program helps Underrepresented Candidates Build IT CareersWhen an unfortunate accident left Jeannine Lilly, a former Latin and social studies teacher, paralyzed and disabled, she wasn’t sure what to do next. Fortu-nately, the CompTIA Educational Foundation’s Cre-ating Futures program recognized Lilly’s potential and signed her up for a free training program. She earned her CompTIA Network+ and Security+ cer-tifications, and now Lilly is a volunteer who teaches computer courses to individuals with disabilities.
According to CompTIA, the purpose of the Creating Futures program is to “provide free career opportu-
nities to populations historically underrepresented in the IT industry — including United States veter-ans, individuals with disabilities, minorities, women, at-risk youth and dislocated workers.” Read more at http://certmag.com/read.php?in=3746.
Gaming as Artistic PursuitGiven the cult-like popularity of video-game series such as “Grand Theft Auto” and “Resident Evil,” it’s hard to believe there are still gamers out there who prefer colorful and clean to violent and vulgar. But according to a CNN.com article, a video-game developer who’s interested in tapping into the “softer side” of gaming is making a splash in the industry.
Kellee Santiago, president and co-founder of that-gamecompany, has developed games such as “Flower,” “Flow” and “Cloud,” which she described as “mellow” rather than “spray and slay” and encourage “emotion, innovation and creativity.” The small company is gaining considerable ground in the gaming industry: “Cloud” had been played by 350,000 people online only months after its release.
Crime Fighting Goes high-TechCriminals beware. Carbon Motors Corp. has devel-oped a high-tech police car — described as “by cops for cops” — featuring a 300-horsepower clean die-sel engine, on-board computer, integrated shotgun mounts and more, according to a CNN.com article. It also boasts lights that flash from all angles and an ergonomic cockpit. The Carbon E7 concept car is the product of suggestions from 3,000 members of law enforcement.
Additional features include the ability to go from zero to 60 mph in 6.5 seconds and the capability to with-stand a rear impact of 75 mph. The car also was built with officer safety in mind, as extra attention was paid to making sure prisoners are securely fastened in their seats. Despite all its benefits, however, the car likely will be a tough sell to governments, CNN said.
Will Big Brother Watch You at the Mall?Soon, the Michael Jackson song “Somebody’s Watching Me” may ring truer than ever.
That’s because companies that use digital advertising in public areas might amp up their success measur-ability with smart technologies that “know” the age and sex of observers, according to a CNN.com article. These technologies are more commonly used to track terrorists, but ad companies could leverage them to cause signage to switch to different ads depending on the demographics of the people watching them. Crit-
The “big three” in clean energy — solar photovoltaics, wind and biofuels — expanded globally by �0 percent in 2008.
ics worry about the unaccountability of these “spy signs,” but proponents insist the signs would never attach names to the data or record anything.
Up in the CloudsCloud computing is expected to increase 21 percent this year, according to Gartner. Further, a PC Maga-zine article reported that cloud-based offerings are expected to jump to $56.3 billion this year, up from last year’s $46.4 billion. That number is projected to reach $150.1 billion by 2013.
The bulk of the market in 2008 consisted of business-related cloud services, with advertising as the most lucrative in that category. While cloud computing is pushing ahead, analysts say systems infrastructure was only 5.5 percent of the market in 2008, and com-panies “are not exactly rushing out to replace existing systems infrastructure with services in the cloud.”
Peek Pronto: Keeping It simpleIn a world where mobile devices seem equipped for anything and everything, it seems unlikely that a back-to-basics tool could thrive. Then again, those
glistening gadgets often can cost a pretty penny, and many people are hoping to save those these days.
According to a PC World article, the Peek Pronto cell phone “gets the job done” at the modest price of $80 with an unlimited data plan for $19.95 per month. The device builds on the Peek concept of basic e-mail by featuring push e-mail, SMS capability, Exchange support and access to five e-mail accounts. In this economy, a cheaper, no-frills mobile instrument may come as a welcome innovation, and the article said the Pronto could attract a strong following.
Google search Gets smarterGoogle wants to become a better scavenger for you. According to a TechNewsWorld.com article, the search giant recently unveiled two enhancements: One expands its list of related search options, and the other lengthens “snippets” — those descriptions found underneath each search result. The technology works by incorporating new algorithms that consider the semantic significance of users’ search terms. 8
– Deanna Hartley, Elizabeth Lisican, Meagan Polakowski, [email protected]
These days, you have to prove your value.So certify it — and save.
20%OFFMEASUREUP PRACTICE TESTS
TEST-PASSGUARANTEE
8 CERTIFICATION MAGAZINE June 2009
VIRTUAl VIllAGE
Connect With IT ProfessionalsJoin the discussion now.
FEATUREd MEMBER
John MongeonPatB asked: “Where are some good articles to help me prepare for an exam?”
John Mongeon responded: “If you are going to get a practice test, you should ensure the product is CAQC authorized from CompTIA — this ensures the product is approved or authorized by CompTIA and does not contain brain dump materials.”
Want to comment? Join the discussion.
Name: John Michael Mongeon
Age: 39
location: Tampa, Fla.
Title:Director of Corporate Strategic Alliances and Sales Operations at Adaptive Learning Systems Inc.
Certifications:Certified Technical Writer, various sales and busi-ness certifications.
Fun fact:I play the guitar pretty well and buy too many of them.
hobbies:My hobbies include keeping up on the latest IT news, certification changes and successful train-ing methods. I am a total nerd!
Entry into IT: While enjoying a successful career in the telecom industry, I was recruited by an executive headhunter firm. When I arrived at the interview, I was given a personality test rather than enduring the typical “let’s go over your resume” process. After taking the test, I was offered a position in the information security arena and have been working in policy/training/ in-formation security/certification ever since.
Would you like to be next month’s featured member? Join the CertMag Network and we just may select you.
June 2009 CERTIFICATION MAGAZINE 9
FEATUREd GROUP
Academic ConnectionNeed advice on academics? Want to connect with others who have similar interests? Then join the Academic Connection group on the CertMag Network.
MEMBER BlOG
Certification Overload: How Many and How Often?As a full-time MCT, I am more than happy to keep up my certifications; it allows me to have the latest knowledge and credentials to teach within the IT industry. Read more
Start a CertMag blog
Here’s your chance to share your ideas with the CertMag community.
FEATUREd dIsCUssIONs
DePaul University Online or Penn State University Online?James Richard Hopkins II asked: “I graduated from ITT Tech with my associate’s degree in computer networking systems. I’ve decided to pick an online school to further my education in IT; DePaul and Penn State are the ones that come to mind. [Can] anyone who has been to these schools [or is familiar with] their IT programs provide any advice?”
Join the discussion.
Internet Town Hall: Is Obama Trying too Hard?CertMag Editor asked: “President Obama recently engaged the Ameri-can public in a virtual town hall, marking yet another instance of the new commander-in-chief’s tech savvy. However, many of those polled did not feel the event was helpful or revolutionary. Is the president try-ing too hard to incorporate trendy technology and communications into his role, without much effect?”
Join the discussion.
Exam-Taking TipsPatB asked: “Do you have any tips to share about taking an exam?”
Join the discussion.
10 CERTIFICATION MAGAZINE June 2009
TECh CAREERs
Making the Best of a less-Than-Ideal JobdAVE WIllMER
You’ve come to a realization: You don’t enjoy your job. Perhaps you aren’t being challenged, advancement opportunities seem limited or you clash with your co-workers. Whatever the case may be, you feel you could be more satisfied working in a different environment.
But there’s a problem. The economic situation means jobs are more difficult to come by, and even though you’ve inquired about potential opportunities with other firms, you’ve gotten virtually no response. Unless your work situation becomes unbearable, it looks like you’ll need to stick with your current employer for a while longer.
Below are some tips for surviving — and even pros-pering — in a less-than-ideal job situation.
Identify the roadblock. Before concluding that it’s impossible for you to be satisfied in your current posi-tion, ask yourself what you find so unpleasant about it. Be honest in your assessment. By recognizing the factors contributing to your frustration, you might be able to rectify, or at least improve, the situation.
For instance, if you must frequently work with some-one who is difficult to collaborate with, speak with your manager about partnering with a different member of the team. Working with someone else could make all the difference.
Look for a change inside the firm. You might be able to find a new position with your current employer. With companies doing what they can to stay as lean as pos-sible, there may be opportunities to take on new proj-ects or responsibilities that you would enjoy more. For example, if you’re a help-desk professional who does Web design as a hobby, you might be able to apply your passion to help your firm enhance its online pres-ence. Talk to your boss and volunteer your services. Taking on different tasks can re-energize you, help you develop additional skills and may even lead you toward another opportunity within the company.
Adjust your attitude. The longer you’re in a job you don’t enjoy, the easier it is for a negative attitude to take hold. This can affect your productivity and how you get along with co-workers. Rather than focusing on what you don’t like about the position, concentrate on what you do enjoy. For example, you may have the opportunity to work from home one day a week, or you might appreciate the trust your manager places in you. By giving attention to the enjoyable aspects of your job, you’ll make the situation more tolerable.
Also avoid projecting an “I’d rather be anywhere but here” attitude. Your true feelings are likely to come through when interacting with colleagues, poten-tially harming your on-the-job success and long-term professional reputation. As much as possible, look on the bright side, help others when needed and con-centrate on producing high-quality work.
Build your skill set. If you’re likely to remain in your position for a while, don’t let your skills stagnate. Con-tinue to enhance your abilities. After all, doing so can help you become more qualified for a different job.
First, look internally. Many companies provide employ-ees with training resources — even during a downturn — so make sure you take advantage of these oppor-tunities. Also, consider enrolling in external classes, either through a local educational institution or a Web-based provider. And don’t forget volunteer work. You might be able to build your skill set by assisting a non-profit with its IT needs.
Stay on the lookout. Continue to network with tech-nology professionals, both in person and online through Web sites such as LinkedIn. In addition, keep your resume current so you can respond immediately to any promising employment opportunities. You also might set up informational interviews at companies you’re targeting. This allows you to find out more about the organization while establishing a point of contact should an opportunity arise.
One final tip: Remember there is a fine but distinct line between being mildly unsatisfied and completely miserable. If you’ve crossed it, move on as quickly as possible. Even if you don’t have another job lined up, a true change may be your best bet. 8
Dave Willmer is executive director of Robert Half Technology, a leading provider of IT professionals on a project and full-time basis. He can be reached at [email protected].
Unless your work situation becomes unbearable, it looks like you’ll need to stick with your current employer for a while longer.
unfolds here
Your future
As information technology grows more sophisticated and complex, the number of people with the skills to meet its challenges shrinks. Now, whether you’re an IT manager or a storage professional, one source can broaden your knowledge and appreciation of storage technologies so you’re positioned to meet these challenges—and to stand out in your career. Information Storage and Management, written by EMC storage professionals, explores broad principles and concepts—rather than narrow product specifics—that you can apply in all IT environments. Put yourself on the path to certification, increase your value to your organization, and take control of your future. Get your copy today.
Learn more at education.emc.com/ISMBook.
Introducing the industry’s first definitive reference on information storage and management.
EMC2, EMC, and where information lives are registered trademarks or trademarks of EMC Corporation in the United States and other countries. © Copyright 2009 EMC Corporation. All rights reserved.
12 CERTIFICATION MAGAZINE June 2009
dEAR TEChIE
Commit to Job as Oracle Apps dBA or diversify skill set?
Q: I work as an Oracle Apps DBA. What do you think the future of an Oracle Apps DBA is? Do you suggest I stick with it, or should I learn some other skills to survive in this IT job market?
– Mohammed
Wayne Anderson:
With Oracle’s continuing strong investment in acqui-sition-based growth, there’s plenty of fuel to look at a road map three to five years down the road. Most recently, Oracle bid $7.4 billion for Sun Microsys-tems, an acquisition that provides a base of tested and deployed applications on a variety of hardware platforms and operating systems.
Together with acquisitions of ClearApp, mValent and some other smaller players, Oracle’s utility comput-ing and system management portfolios seem to be on track for continued growth.
In past years, this kind of growth has been expressed through feature expansion in the exist-ing Oracle branded applications space by leveraging approaches to other systems that the previous appli-cation versions may not have included.
If anything, these new acquisitions — the acquisi-tion of Sun Microsystems in particular — appears to position a strategy around supporting the core Ora-cle applications business, ensuring that Oracle has solutions for the complete life cycle of the customer business space. Oracle-based applications show no signs of disappearing.
If you’re motivated by the desire to diversify your skills, both SAP and Microsoft offer comprehensive solutions with potential job opportunities in emerg-ing technologies in the near future.
In Microsoft’s Dynamics AX product line, becoming proficient in providing business intelligence devel-opment in the X++ language seems to be a rapidly growing market segment in terms of demand for learning products. That could be an excellent oppor-tunity to diversify your skills into a heretofore lightly targeted area that’s poised for high growth.
In my experience, bringing to the table a strong set of your specialization skills and experience in applying them will help get you in the door of larger companies.
Ken Wagner:
While no one can predict the future, we can make educated guesses based on trends and growths in the market. Oracle has been No. 1 for years and, based on growth trends, will stay on top for years to come.
That’s not to say everyone uses Oracle. A growing number of companies are using Microsoft SQL — not only as the stand-alone enterprise database, but as a part of other technologies such as Share-Point. It also offers better integration with other Microsoft products.
There are other alternative databases such as MySQL that are open source and offer cheaper solutions that fit into some business models. That’s why it wouldn’t hurt to acquire skills in other ven-dors’ DB products.
Technical skills are necessary — however, develop-ing soft skills also goes a long way. Skills and knowl-edge developed from certifications in project man-agement — such as CompTIA’s Project+, Prince2 or ISEB Project Management — will help you and your company when it comes to projects of all sizes, from planning to migration and/or implementation.
In addition, there are certifications and skills gained from the ITIL v3 range. ITIL is the framework for IT Service Management and how it’s applied within an organization. Even though the ITIL is aimed at IT Services Management, the foundation level of ITIL is aimed at all levels.
Finally, keep up to date with Oracle’s technology. This should be high on your priority list, even before learn-ing about other vendors’ databases, etc. 8
Wayne Anderson is the global manager of technical training development and certification for Avanade, a global Microsoft-focused consultancy. Ken Wagner is an IT network manager and part-time IT lecturer in the United Kingdom. He has lived in the United States, Asia and Europe. To pose a question to Ken and Wayne, send an e-mail to [email protected].
EnergizeyourIT careerat www.certmag.com• Career-Focused Communities
• CertScope®
• CertMag Network
• CertMag Blogs
• Dear Techie
• Study Guide
1� CERTIFICATION MAGAZINE June 2009
ACAdEMIC CONNECTION
Maximizing a Jobless summerAGAThA GIlMORE
The time has finally come: School’s out for summer! But while students everywhere may be rejoicing over the fact that they can finally stow away their books and pencils, some may find the moment bit-tersweet. That’s because in the current economy, it can be hard to find a summer job or internship, and there are undoubtedly quite a few budding IT profes-sionals with no plans for the next few months.
However, all is not lost. Even if you’re faced with a jobless summer, you can still make the most of your time by following a few of these simple tips:
Set a regular schedule. When you don’t have classes and you’re not working, it could be tempting to sleep until noon and wear pajamas every day. Don’t. Set goals for yourself both on a daily and on a monthly basis. Keep a checklist and be organized and diligent about crossing items off when you’ve completed them. This will give you a sense of accomplishment and keep you motivated.
Continue to apply. Just because a position hasn’t come through yet doesn’t mean you should give up. In fact, now you can dedicate yourself fully to find-ing employment. Continue to apply for positions, and pound the pavement if necessary. Set up informa-tional interviews with companies you’re interested in by contacting their human resources depart-ments. Always reiterate your interest. Also, be sure to have an up-to-date resume on hand.
Leverage job boards. This is related to the previous point. When you’re applying for open positions via
generic job boards, you want to stand out. Accord-ing to a Black-Collegian.com article, you should “actively follow up with listings that are of particular interest by calling your career center or other con-tacts you are aware of that may know individuals or professionals who work in the organization.”
Set up meetings with helpful professionals. Now’s the time to start building your professional network. A good place to start might be your parents’ friends. Express your interest in getting their career advice and see if you can get together for lunch or coffee. In addition to providing valuable insight, they might know of open, perhaps unpublicized positions in their organizations.
Volunteer. One great way to boost your resume while learning valuable skills is by volunteering. While many summer volunteering opportunities may not be within the IT field, these positions can teach you skills that will come in handy in any job, such as teamwork and discipline. Also, you can try to vol-unteer your IT services by seeking out firms you’re interested in and getting in touch with the appropri-ate hiring contact — usually someone in the human resources department.
Take summer classes. There are plenty of academic classes you can enroll in to fill your days while bulking up your skill set. Your college career center likely can provide a list of local summer programs. When choos-ing a program, you’ll want to consider class content, schedule, location, credit and overall atmosphere. For example, you’ll want to think about “what the school’s location offers besides studying,” according to an EHow.com article. The article added that you should ask yourself: “Are outdoor activities important to [me], or do [I] prefer an urban environment?”
Consider starting your own business. “Faced with the darkest summer-job market since the government began collecting data after World War II, a growing number of teens are turning to entrepreneurship,” according to a FamilyFinanceNews.com article. If you’ve ever had a great idea for a business, this might be a good time to test the market. To get the ball roll-ing, you will need to create a comprehensive busi-ness plan that includes a mission, budget, contact list and marketing strategy. You also will need start-up capital. And keep in mind your business will only suc-ceed if you’ve identified a niche that needs filling. 8
– Agatha Gilmore, [email protected]
summer jobs are hard to come by these days, and as a result, many students are ending the school year without any plans for the break. despite this setback, they can leverage their time off to build their resumes and add valuable skills to their repertoires.
“My (ISC)2® Review Seminar was terriÞc, but the location was the best part.Ó
Our courses are now Live OnLine.
Our courses are now Live OnLine.Our information security courses are now located wherever there’s an Internet connection, which is virtually anywhere you want to be. With companies cutting travel budgets and facing other economic challenges, we’ve made it that much easier to continue to invest in your education. Of course you can still attend our ofÞcial CBK® Review Seminars in person, but if you’re unable to do so, an (ISC)2 Live OnLine seminar is a convenient and cost-effective alternative.
Information security is the fastest growing sector of IT, and an ofÞcial CBK Review Seminar from (ISC)2 is the surest method of helping you grow along with it. To learn more about (ISC)2 courses and register to attend in person or Live OnLine, visit www.isc2.org/offeror call 866-462-4777 and press 3.
Act now and save 3 ways.Register for an (ISC)2 Review Seminar by June 30, 2009 and get:
¥ $250 off the registration fee, ¥ a free studISCope self assessment exam simulation, and ¥ a free course book.
This all adds up to a pretty strong reason to register now.
16 CERTIFICATION MAGAZINE June 2009
TROUBlEshOOTING
Remote Internet Access: Overcoming IP Address, NAT Challenges
AVNER IZhAR
A: First, you need to understand the challenges related to remote access over the Internet. You need the remote-control session to be secured/encrypted to prevent the eavesdropping of sensitive information. It should be lightweight in traffic since the Internet can be challenging in this aspect, and it should be simple to use from the controlled devices side (versus the controlling that’s usually handled by the experienced side).
It should also allow a user-less controlled device, where you can take control of a computer that has no user to interact with. Finally, it will need to over-come IP addressing challenges because, typically, the internal home addressing is defined on a private address space that is not accessible from the Inter-net. The home router will perform network address translation (NAT) to a public IP address — doing that will allow the returning traffic to find its way back.
Let’s start with the IP addressing issue. The address you’re referring to in your question is a well-known private IP address. Anything that’s in the 192.168.0.0–192.168.255.255 address range is a private network; the same applies to the 172.16.0.0–172.31.255.255 and 10.0.0.0–10.255.255.255. Those address spaces were allocated for this purpose by the Internet Engi-neering Task Force (IETF) in request for comment (RFC) number 1918. Click here for the complete RFC.
There is still one IP address that has to be associ-ated with you as a customer: your public IP address. Your Internet service provider assigns this IP to you, and it usually changes every few days or when you reboot the cable/adsl modem.
This public IP address is the key to getting back into your home network. The problem, however, is that it is dynamic: You can always tell what it is at any given moment, but there are no guarantees it will be the same a day later.
The way to handle dynamic IP addressing is to use some sort of dynamic DNS (domain name system)
application, in which the home router is registered with a DDNS provider, such as http://www.dyndns.com/services/dns/dyndns, and access your home devices using a name instead of an IP address. Your home router will update the DDNS provider approximately every five minutes — that will keep the name-to-address mapping correct, even if the IP address changes.
Another issue with getting from the Internet to your home network is that the network address transla-tion process is designed to operate from private address to public address only. It won’t allow a public-to-private kind of connection without special configuration on your home router.
If this is desired, you can set up a static network address translation pointer stating any request to the public IP address in TCP port 3389 (the remote desktop TCP port), and it will point to 192.168.2.6 on TCP port 3389. This will grant you access to your family’s computer, but it’s not recommended because it isn’t secure. A simpler way to get around the changing IP address and network address translation issues is to use a service that specializes in remote access over the Internet.
If you would prefer to use the native remote desktop in Windows, secure it by using a virtual private network that can either be configured on your home router — though not many support it — or by using another tool from LogMeIn.com called Hamachi, which is an easy-to-configure VPN application that’s capable of establishing direct links between computers that are behind NAT firewalls without requiring static NAT. In other words, it establishes a connection over the Internet and allows you to run the standard remote desktop application securely and with no changes to your router’s configuration. 8
Avner Izhar, CCIE, CCVP, CCSI, is a consulting system engineer at World Wide Technology Inc., a leading systems integrator providing technology and supply chain solutions. He can be reached at [email protected].
Q: I’m trying to control my home PC from work so I can help family members when they need it. I have enabled the “allow users to connect remotely to this computer” function on Windows XP. It works inside the house, but I can’t connect to the computer’s 192.168.2.6 address from work. What am I missing?
– John
CREATIVE ASSOCIATES
job #: 9002-09title/Headline: Skill is your engine. Certifi cation is your afterburner.
Space: Live — 7.375” x 10.375” (full page — vertical)Trim — 8” x 10.875
COLOR: CMYKCA CONTACT: Aimee Ridgway (919) 877-9020 x 232Publication: Certifi cation Magazine
Our self-study guides prepare you for Nortel Certifi cation exams in
Unifi ed Communications, Data, VoIP and Real-Time Networking, plus
certifi cation in Nortel-specifi c solutions like Ethernet Routing Switch
and Business Communications Manager 50. Each comprehensive guide
is your cost-friendly path to more career options, higher salary potential
and stand-out projects. If you’re ready to break down your career barriers,
we’ve got your fl ight manuals.
Nortel-AD_JET_fullPg.indd 1 1/23/09 10:47:02 AM
18 CERTIFICATION MAGAZINE June 2009
student’s Best Friend Remember sitting through hours of mind-numbingly bor-ing presentations in school? Well, the Pulse SmartPen promises to spice up any drab presentation — or at least keep you entertained.
The pen, which is sold by California-based company Livescribe, is about 6 inches long and weighs about the same as a highlighter. It looks like an average writing instrument, but the genius lies in its advanced capabili-ties and features.
Take, for instance, the tiny microphone that allows you to record a speech or conversation in a room at any given time. The pen also has the ability to capture and synchronize both the words you scribble on your digital paper, as well as the equivalent sound waves.
Need something clarified? Simply tap your pen on the word or sentence and voilà! It will play back the match-ing audio recording — perfect for someone with the ste-reotypical “doctor’s handwriting.”
In addition, the pen can be used to create “pencasts,” which are gaining popularity as folks strive to add some “oomph” to their presentations.
The New Pocket ProtectorsAccording to a recent survey, more than 9,000 USB memory sticks are left behind each year in peoples’ pockets at dry cleaners in the U.K.
Further, a study conducted by Cen-dant Technologies, which polled 500 dry cleaner manag-ers, found the problem to be particu-larly acute among London financial workers. One dry cleaner claimed to have found more than 80 in one year.
Expanding storage capabilities and the rising popularity of memory sticks has made it incredibly easy for workers to carry around a wealth of personal and professional information literally in their pockets. But that portability also exposes them to potential data theft if that informa-tion ends up in the wrong hands.
To address this vulnerability, PC Dynamics introduced SafeHouse Explorer. This free software locks and makes invisible documents, spreadsheets, photos, videos and other sensitive data stored on hard drives, memory sticks, thumb drives, network servers, CDs, DVDs, iPods and MP3 players.
SafeHouse Explorer creates hidden storage vaults of up to 2 TB under Microsoft Windows XP, Vista, Server, 32 or 64 bits. The files inside each vault are invisible and protected by a password. SafeHouse Professional Edi-tion supports numerous encryption methods, such as 256-bit Twofish, 256-bit Advanced Encryption Standard, triple DES and 448-bit Blowfish cipher.
WhAT WE lIKEsmartPen, safehouse Explorer, summer Movies
SafeHouse Explorer operates as a stand-alone executable file that enables users to copy the 5MB .EXE
program to any USB thumb drive or hard drive, MP3 player, iPod or digital camera to provide instant password-pro-tected access to files, even from public-access computers at schools, libraries and hotels.
Now, in addition to clean clothes, you can have a clean conscience!
summer Movie Preview The summer movie blitz is well upon us. Hopefully you have recovered from the May trifecta of “X-Men Origins: Wolverine,” J.J. Abrams’ “Star Trek” franchise reboot and “Terminator Salvation.”
In June, we have sci-fi films both high- and low-brow to look forward to. First comes the commercial release of “Moon,” the debut feature film from director Duncan Jones, son of rock star David Bowie — himself no stranger to creative
endeavors set in outer space. It seems the premise of the movie is that a man, played by Sam Rock-well, is stuck on the moon working as a miner for years on end. He eventually goes crazy, with assis-tance from a robot named Gertie, who is voiced by Kevin Spacey — also experienced in otherworldly films (remember “K-PAX?”).
Later in the month we have “Transformers: Revenge of the Fallen,” directed by the much-derided Michael Bay, who brought us “The Island.” The sequel brings back basically everyone from the first movie: actors Shia LaBeouf, Megan Fox, John Turturro and Tyrese. Oh, and there are also giant robots that turn into cars, planes, helicopters and cats. And this time around, they add the Constructicons! Stay tuned… 8
Today’s volatile businessenvironment makes taking control of yourfuture essential.
Protect your future. Get certified with one of ISACA®’s prestigious designations.
CISA®, CISM® and CGEITTM have becomeproven criterion for employment,advancement, earning potential and recognition.
Register today:December 2009 ExamEarly Registration Deadline: 19 August 2009Final Registration Deadline: 23 September 2009Exam Date: 12 December 2009
INVENT YOUR FUTURE.Get Certified!
Visit www.isaca.org/certmag.
3Cs CertMaghalf8x5.125:3Cs CertMaghalf8x5.125 3/18/09 6:53 AM Page 2
20 CERTIFICATION MAGAZINE June 2009
lOOK AhEAd
Welcome to Netbook Nation
CARMI lEVY
It’s clear we need to rethink why we buy certain machines and what we expect to do with them.Once upon a time, the smallest mobile computers came with the most outrageous price tags. Those days are over. While you can still push a MacBook Air and a Dell Adamo beyond a few grand, the era of four-figure machines is drawing to a close.
Desktop sales are crashing, and laptops aren’t far behind. Suddenly, the cheapest machines also are the smallest. Whether they want to accept it, chipmakers and hardware vendors now live in a low-margin world. And PC buyers have new choices at their disposal.
Figures recently published by Gartner point to a change of demand in the client-machine market. Netbooks emerged almost out of nowhere in 2008,
with 11.7 million sold. Gartner estimates this figure will almost double to 21 million units this year. Paired with an estimated 9.2 percent drop in overall 2009 PC sales, it’s clear we need to rethink why we buy certain machines and what we expect to do with them.
It’s easy to assume that netbooks’ popularity is being fueled by a recession-wracked market; how-ever, demand has been building for years. Increas-ingly mobile-centric consumers and businesses are clamoring for devices that fill the gap between smart phones — highly portable, but still somewhat fea-ture limited — and basic notebooks — fully capable, but still difficult to carry around.
June 2009 CERTIFICATION MAGAZINE 21
Solutions such as the Ultra-Mobile PC (UMPC) and the Mobile Internet Device (MID) have landed with a thud because, while they were largely able to bridge the size/mobility/capability gap, they cost more than a midrange laptop.
While vendors were throwing new form factors at the wall, the market already was beginning a seis-mic transition away from its desktop/laptop bread and butter. Growth in conventional desktop and lap-top PC sales was flattening in developed markets. Everyone who needed a machine likely had one, and the slowdown in the horsepower wars gave buyers less reason to rapidly upgrade to the next big thing.
Emerging markets, such as China and India, have long offered growth-hungry vendors ample opportunity to maintain global growth as demand in mature regions such as North America and Europe maxes out. Unfor-tunately for hardware vendors, these emerging mar-kets have limited interest in conventional PC-based form factors. If anything, massive growth in these places will bypass desktops and laptops completely as these suddenly wired and wireless consumers focus on next-generation smart phones.
Enter the netbook. It offers much of the functionality of a typical notebook PC without the bulk or the price. While a $300 price point for a device that looks a lot like a shrunken laptop has already attracted huge market interest, this is only the beginning of the revolution.
Savvy wireless carriers — with ample experience selling subsidized handhelds bundled into two- and three-year subscription contracts — are eyeing netbooks as the basis of a lucrative new revenue stream. Early results, such as AT&T’s experience in Atlanta and Philadelphia, indicate the shift may already be under way. By selling netbooks for as little as $49, AT&T is attracting national attention for busting traditional cost assumptions.
The stunningly low up-front price comes with a huge catch, however: lock-in to a wireless service contract that, when everything’s tallied up, can eas-
ily top $1,500 over the life of the agreement. Still, to consumers long accustomed to monthly service charges for everything from cable television to cell phones, netbooks could represent the next logical step toward a totally service-based model.
Of course, with netbooks running nontraditional operating systems sold through nontraditional channels by nontraditional vendors, our traditional assumptions of what questions to ask, what to buy and what these machines will be capable of are being turned upside down. You may want to keep the following in mind:
• Netbooks don’t have the processor capability, memory or storage capacity to replace desktops or laptops.
• Limited expansion capability means many net-books can’t easily drive a complete set of full-sized peripherals.
• You wouldn’t want to pound out a novel on their tiny keyboards.
• Small, relatively low-resolution screens force a lot of scrolling.
• Total cost of ownership can easily exceed that of a traditional laptop once you factor in relatively expensive data plans.
In their current form, netbooks are complementary devices only, so don’t be swayed by the fire-sale price. If you’re not careful, you could end up paying a lot more while getting a lot less than a supposedly high-end conventional machine.
For buyers willing to do some homework, the arrival of netbooks gives them more choice than they’ve ever had before — and that’s always a good thing. 8
Carmi Levy is a technology journalist and analyst with experience launching help desks and managing projects for major financial services institutions. He offers consulting advice on enterprise infrastructure, mobility and emerging social media. He can be reached at [email protected].
22 CERTIFICATION MAGAZINE June 2009
CERTIFICATION
With mounting concerns about the economy, find-ing and retaining qualified IT talent is more critical now than it’s been in nearly a decade. And with a shortage of qualified senior-level IT executives, hir-ing managers continue to rely on certification as a gauge of competency.
Until recently, however, virtually all IT certifications have been knowledge-based, meaning they certify an individual’s recollection of a body of knowledge by requiring a passing grade on a test. Unfortunately, these certifications rarely confirm an individual’s abil-ity to use this knowledge successfully in practice.
A new class of certification programs for IT profes-sionals addresses this limitation by certifying indi-viduals based on their demonstrated competence as successful practitioners in actual engagements.
The shift in the Nature of IT CompetenceFrom the earliest days of IT, there has been an inexo-rable trend to reduce cost and increase flexibility. It manifests itself in three ways: consolidation, stan-dardization and commoditization.
Consolidation eliminates needless replication, and standardization eliminates needless diversity. Both reduce costs and increase flexibility.
More importantly, both ultimately lead to commod-itization, as vendors reap the economic benefits of larger markets and users conclude that the benefits of buying faster, cheaper and more reliable “black
boxes” off the shelf outweigh whatever benefits they might obtain by customizing their own components.
This trend has several implications for the skills, knowledge and experience IT practitioners need to be successful. In the lower layers of the IT depart-ment, the most valuable skills will be those that address the need for cross-enterprise integration with multiple solutions. But the most valuable IT staff will be those who are most comfortable work-ing closely with the business side.
What does this mean for how we define competence as an IT practitioner in today’s business environ-ment, and how can an organization be sure someone has that competence?
Practice, continuing professional development and certification are the cornerstones of acquiring, main-taining and confirming competence. In particular, new certification methods are necessary to effectively demonstrate these new kinds of competencies.
Knowledge, skills and ExperienceCompetence can be described as having knowledge, skills and experience. Strictly speaking, knowledge is something you know, a skill is the ability to do something, and experience is what you get by apply-ing knowledge and skills in real-world situations.
Ultimately, experience provides a practical context for your skills and knowledge, turning theory into practice. One can be knowledgeable without having
Certifying Experience: The New Frontier
lEONARd FEhsKENs
As IT departments get leaner, tech professionals must be increasingly flexible and creative to be successful. But how do you know you’ve got the right people on the job when most certifications validate only knowledge and skills? A new crop of certifications targets this issue by validating competence in hands-on application.
June 2009 CERTIFICATION MAGAZINE 2�
skills or experience, or have a great deal of experi-ence without actually acquiring skills or knowledge.
Nowadays, general skills tend to remain useful much longer than knowledge of specific technologies. At some point, though, a skill can become obsolete.
Let’s consider some simple examples. Riding a bicycle is a skill. Riding a bicycle through a particu-lar kind of terrain might be a refinement of that skill. Having knowledge about the mechanics of bicycle design and the dynamics of bicycle riding does not, by itself, make one a skilled bicycle rider, though it can be helpful in improving that skill.
Now, one might have knowledge about particular brands or models of bicycles and their suitability to different terrains. One might have knowledge about the kinds of terrain one would encounter when rid-ing from one place to another. However, the experi-ence of riding, perhaps repeatedly, from one place to another will refine and augment both one’s skills and
knowledge about riding in general and riding this route in particular.
Confirming CompetenceAny process for confirming competence must have several properties to be useful. It has to be practical and scalable, objective and consistently repeatable, and resistant to fraud.
Possession of knowledge is demonstrated by cor-rectly answering questions. But knowledge by itself is probably the least predictive measure of future competence since it doesn’t mean you can apply it effectively in diverse and novel situations. Further, while question-based tests are practical and objec-tive, they also are the most susceptible to fraud.
Demonstrable skills are probably a better predictor of future competence, but again, demonstrating indi-vidual skills in isolation does not imply that one can choose and integrate them effectively in diverse and novel situations. Furthermore, while tests of specific
2� CERTIFICATION MAGAZINE June 2009
skills can be made objective and generally are dif-ficult to cheat on, they present a major development and administrative challenge.
Fortunately, the possession of and ability to effectively apply both knowledge and skills can be confirmed by what many of us believe is the best predictor of future competence: demonstrated past competence.
It was based on this analysis that The Open Group chose to develop experience-based certification programs for IT architects and IT specialists.
About The Open Group and CertificationThe Open Group is a consortium of IT vendors and users, formed in 1996 by the merger of X/Open and the Open Software Foundation (OSF). Multiple forums allow members to contribute to open stan-dards in a variety of technology domains. One of the most active forums is The Open Group Architecture Forum (TOGAF), with more than 180 members from all over the world, representing a wide variety of industry sectors. In 1994, the membership decided a standard enterprise architecture framework was needed. This led to the development TOGAF and an affiliated certification program.
There are two ways an architect can become TOGAF certified: by taking TOGAF certified training or by passing a TOGAF certified examination. The training and examination tests must address a thorough and complete knowledge of the elements of TOGAF.
As TOGAF went through several successive revisions, members of the Architecture Forum asked, “How do you tell if someone is really an architect, in practice, not just in theory?” and considered the problem of experience-based IT architect certification indepen-dent of TOGAF. Several of the forum’s members oper-ated architecture profession programs, and certifica-tion often was part of the professional development and career paths of participating members.
These programs had comparable criteria and pro-cesses, but differed in many details and were essentially proprietary. The Architecture Forum recognized the value of industry-wide, vendor-inde-pendent standard certification criteria and asked The Open Group to initiate a project to define such a standard.
In early 2004, IBM and HP began collaborating on a detailed proposal to The Open Group. The pro-posal was approved in October 2004, and a work-ing group comprising volunteers from Capgemini, CLARS, EDS, HP and IBM developed IT architect certification (ITAC) requirements and policies dur-ing the next year. These were approved by The Open Group membership, and the program went public in July 2005. Following on the success of the ITAC program, the membership proposed and The Open Group implemented an analogous experience-based certification program for IT Specialists (ITSC).
A Competency Model for ITIn the development of ITAC, the first step involved the sharing of IT architect competency models across the ITAC group. While there were some minor dif-ferences in terminology, the skill models contributed were remarkably consistent. A similar process was later followed for the ensuing IT Specialists Certifi-cation (ITSC) program.
Good IT architects and specialists will have mastered skills specific to their disciplines, but truly success-ful professionals also will have skills borrowed from other disciplines — skills that allow them to work productively at a particular employer and in a certain client context, as well as within the context of a par-ticular nation, region, enterprise and business unit.
The three most relevant areas with which IT archi-tects and specialists share skills are project and pro-gram management, business and consulting.
Skills borrowed from project and program manage-ment include planning, sizing and estimation, risk
Until recently, virtually all IT certifications
have been knowledge-based, meaning they
certify an individual’s recollection of a
body of knowledge.
June 2009 CERTIFICATION MAGAZINE 2�
management, leadership and team building. Busi-ness skills include basic competence in areas such as management, finance, legal and regulatory con-cerns, organizational structures and dynamics, gov-ernance and portfolio management. Finally, consult-ing skills include oral and written communication, conflict resolution, various kinds of assessments, political savvy and negotiating.
The diversity of knowledge and skills expected of successful IT architects and specialists confirmed that a certification based on experience rather than on individual skills was the correct strategy. The certification process seeks to validate successful application of the combined knowledge and skills necessary to achieve business results.
Implementing CertificationBoard review of demonstrated skills and experience by certified peers was chosen as the evaluation method for this certification program. Because of the decision to use board review rather than a test, particular attention was paid to creating a demon-strably objective process. This was especially chal-lenging because of the additional requirement of process scale to a high number of candidates.
Because many member companies already had large architectural practices and internal certifica-tion programs, an obvious strategy was to leverage these existing programs. This led to the idea of “indi-rect” certification by an Accredited Certification Program (ACP), by which a company could certify its own architects and specialist using an internal process that had been accredited to conform to The Open Group standard and that was periodically audited by The Open Group for continued confor-mance and quality control.
In addition, The Open Group would directly certify IT architects and specialists whose employers, for what-ever reason, chose not to set up an ACP.
Getting CertifiedCandidates for certification prepare a submission package consisting of a document of no more than 50 pages, based on a template provided by The Open Group and letters of reference. If the package is judged complete and the references are confirmed, it is passed on to a three-member review board, and a board interview with the candidate is scheduled.
The board members are themselves certified archi-tects. The review board examines the package in detail to confirm that the evidence the candidate provided adequately demonstrates the skills and experience specified in the certification confor-mance requirements. The candidate then interviews with each of the three board members for one hour.
While the goal is for a board to reach a unanimous agreement to approve or reject a candidate, a 2:3 vote
is required. Each board member’s conclusion is cap-tured and preserved by an online candidate assess-ment tool. When a board member judges that a candi-date does not satisfy some certification requirement, that board member must provide a specific explana-tion as to how the evidence fails to demonstrate the skill or experience required. This feedback is provided to the candidate. Candidates approved for certifica-tion also are provided with career development sug-gestions from board members.
Both the ITAC and ITSC have met all their goals and continue to grow rapidly in adoption. More informa-tion on both programs can be found at The Open Group Web site at http://www.opengroup.org. 8
Leonard Fehskens is vice president of skills and capabilities at The Open Group. He is responsible for all activities relating to enterprise architecture. He can be reached at [email protected].
Nowadays, general skills tend to remain useful much longer than knowledge of specific technologies. At some point, though, a skill can become obsolete.
#@%&! %&!#@%
slanderLibel
ll
Gossip#@#@
$#@%
h ts
L
Gossip
ene
mor
confidential
FREESPEECHONLINE
Where is the line drawn?lINdsAY EdMONds WICKMAN
IT CUlTURE
26 CERTIFICATION MAGAZINE June 2009
#@%&! %&!#@%
slanderLibel
ll
Gossip#@#@
$#@%
h ts
L
Gossip
ene
mor
confidential
FREESPEECHONLINE
Where is the line drawn?
The freedom of speech is a basic right in many countries, but the Internet pushes this freedom to the limit. It gives people more opportunities for self-expression, but also defies common standards of decency.
When America’s Founding Fathers drafted the First Amendment, no one could have imagined there would eventually be a technology — the Internet — that would allow Americans to speak to people around the globe within seconds. Now, more than 200 years later, some wonder if the existence of this modern technology complicates one of America’s basic rights: the freedom of speech.
“The Internet doesn’t change the dynamic in any fundamental way. What it does is it presses hard on some existing problems,” said John Palfrey, faculty co-director of the Berkman Center for Internet & Society at Harvard University and a principal investigator with OpenNet Initiative.
“If I say something that’s harmful about you online, it can be read instantaneously by billions of people around the world at basically no cost. The number of people who can hear [that] speech [can] be vastly greater than it could have been before, and many more people are holding the megaphone that could reach that large group of people.”
Free-speech advocates argue that despite this scope and speed, it’s unnecessary to create laws that restrict speech online. Others disagree. On the Internet, there’s no segregation of material, no cel-lophane wrapper, nothing to protect children from seeing graphic pornography unless you’re proactive.
June 2009 CERTIFICATION MAGAZINE 27
28 CERTIFICATION MAGAZINE June 2009
Welcome to the Village screenBefore the rise of technology, communities came together at the village green, but now with the Internet, people from around the globe meet on the “village screen,” and that presents some unique challenges, according to Gene Policinski, vice president and executive director of the First Amendment Center.
“We have more opportunities to express ourselves than we had even 20 years ago,” Policinski explained. “Speech that might have gone unnoticed, that might have caused no harm, now gets noticed [and] can be global and eternal. We’re seeing comments about one’s employer, one’s principal or one’s teacher — that might have been scrawled on the wall or in a note — now posted on a Facebook page.”
Even though this is a new wrinkle in the free speech debate, Policinski doesn’t see the need for new laws.
“I’m very wary of proposals that restrict speech just on the Web for some special reason,” he explained. “I’m sure when the telegraph, telephone, radio and TV were new, everybody thought we needed special kinds of regulations [on] that speech.”
Brock Meeks, director of communications for the Center for Democracy & Technology, agrees.
“We want prosecutors to use the laws that are on the books right now to go after the perpetrators of crime on the Internet, not to create new laws just because something is being carried out in cyber-
space,” he said. “To put those kinds of restrictions online or to treat the Internet differently than the nonelectronic world just doesn’t work.”
The government has tried to do this before and failed.
Take the Communications Decency Act (CDA), which “was the very first piece of legislation that tried to put restrictions on how people spoke on the Internet,” Meeks said. In 1997, the Supreme Court struck down the CDA except for Section 230, which says “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”
This decision gave the Internet the same free speech protection as print.
“You can print four-letter words in magazines and newspapers, and it’s not against the law,” Meeks said. “[But] you can’t say it on TV on open broadcast networks without getting in trouble [with] the [Fed-eral Communications Commission]. On the Internet, those standards don’t exist, those laws do not trans-fer, and the 1996 ACLU v. Reno [decision] cemented that First Amendment protection.”
There are certain forms of speech that are not pro-tected under the First Amendment, though, such as defamation, certain types of incitement to violence and child pornography — that speech is illegal both in the online and offline mediums, Palfrey said.
“We have more opportunities to express ourselves than we had even 20 years ago. speech that might have gone unnoticed, that might have caused no harm, now gets noticed [and] can be global and eternal.” – Gene Policinski, Vice President and Executive director, First Amendment Center
June 2009 CERTIFICATION MAGAZINE 29
Policinski believes the government should define these limits “with great caution.”
“One person’s hate speech is another person’s politi-cal statement,” he explained. “The First Amendment really exists to protect speech on the fringe because if it’s speech we all agree is fine, it doesn’t need to be protected. So by definition, the First Amendment protects speech that pushes the limits of what you or I or someone else might find comfortable.”
That’s exactly what happened during the Civil Rights Movement — people talked about issues many Americans weren’t comfortable with. If we didn’t have the freedom of speech, the United States might be in a different place today.
“Civil rights advocates would have been labeled hate speakers for trying to upset the customs, habits and sometimes laws of the nation regarding segre-gation,” Policinski said. “You just have to imagine what our society would be like today had they been prevented from speaking even though at the time perhaps the majority of Americans didn’t want to hear what they had to say.”
What About Pornography?In 2006, there were 4.2 million pornographic Web sites, 420 million pornographic Web pages and 68 million daily pornographic search engine requests, according to the Internet Filter Review.
Because of this prevalence, Donna Rice Hughes, president of Enough Is Enough, doesn’t believe the status quo works, especially when a simple search for “water sports” can return sites with urination pornography. The Internet has thrown open the doors to pornography for adults and, even more unsettling, for children, she said.
“The early pioneers in the Internet industry will tell you behind closed doors that one of the ways they [made] and still do make money is because of the access that people have to pornography,” Hughes explained. “But having an entire generation of youth fed a steady diet of very hard-core material is not worth that price.”
According to Hughes, there are three types of por-nography: child pornography, obscenity and inde-cency. In the U.S., it is a federal crime to make, pro-duce, distribute or possess child pornography.
Obscenity — also not protected under the First Amendment — refers to hard-core material or devi-ant forms of pornography such as bestiality, incest and rape. “[Still], it’s everywhere on the Internet because the federal obscenity statutes are not being aggressively enforced,” she said.
The third kind of pornography is indecency, which is “programming [that] contains patently offensive sexual or excretory material that does not rise to the level of obscenity,” according to the FCC. Indecency is constitutionally protected for consenting adults, but not for minor children.
“If you are being censored, it chills the way you speak; it chills the way you use the Internet. It drops to the lowest common denominator, so things become no more useful than the dialogue taking place in an elementary school classroom.” – Brock Meeks, director, Communications, Center for democracy & Technology
�0 CERTIFICATION MAGAZINE June 2009
The Child Online Protection Act (COPA), which was enjoined in 1998 as soon as it was signed into law, would have protected minors from these forms of por-nography on the Internet. After being jostled about in the courts for 10 years, the Supreme Court declined to hear the case again in January, effectively killing COPA, said Hughes, who was on the COPA Commission.
“It never went into effect and it never will go into effect because it’s dead now,” she explained. “The net result is that all these years there has not been a cyber brown wrapper, if you will, to screen minor chil-dren from getting into any of these porn sites online.”
Hughes would like to see the same standards of decency for broadcast applied to the Internet.
“The Internet shouldn’t get a free pass,” she said. “Since it has become the M.O. of how we communi-cate, then shouldn’t we have some rules for the road?
“If you could turn on the television and see people having sex, women having sex with dogs, people uri-nating in sexual ways, then that would be the same as the Internet. With television, if you want to get some-thing that’s adult, you have to opt in to get it. When you turn on the Internet, you’ve got everything.”
But Hughes doesn’t believe this will change, as evi-denced by what happened to the CDA and COPA.
“To go in and shift the paradigm to where every-thing’s locked down, and if you want free access to everything you’ve got to start opting out of the safe
zone, that’s a huge jump from where we are. I don’t think it’s going to happen,” she said.
Enough Is Enough has developed a three-pronged solution to provide a safe environment for children.
First, end users — especially those responsible for children — need to be educated on the dangers that exist on the Internet and implement safety measures to protect kids. Second, the technology industry must implement IT solutions and develop family-friendly poli-cies. Third, there must be aggressive enforcement of existing laws and enactment of new laws to stop “the sexual exploitation and victimization of children using the Internet,” according to the organization’s Web site.
“You can’t expect parents and the public to enforce the law, and you can’t expect government to parent kids,” Hughes said. “Everybody’s got a unique role, and if everyone’s doing their part, then you’ve got a very strong chance that kids are going to be much safer online. But we’ve still got a long way to go in each of those areas.”
how do Other Countries Tackle This Issue?Not every country is as tolerant of free speech as the U.S. According to the 2007 OpenNet Initiative study, 25 out of 41 countries surveyed engaged in Internet cen-sorship, and that number is on the rise, Palfrey said.
The most basic form of censorship can be found in Saudi Arabia, where there is a single gateway that everyone has to go through.
“The Internet shouldn’t get a free pass. since it has become the M.O. of how we communicate, then shouldn’t we have some rules for the road?” – donna Rice hughes, President, Enough Is Enough
June 2009 CERTIFICATION MAGAZINE �1
“Whenever somebody tries to access the Internet from Saudi Arabia, it goes through this proxy sys-tem,” Palfrey said. “The request from the user is judged against a blacklist, which says, ‘Is this site acceptable material or not?’ If it’s on the blacklist, they do not return the page.”
In direct contrast to that is China’s filtering system, which is a complicated multi-level strategy with a gateway at every possible level, and many people share the responsibility of filtering the Internet.
“They [effectively] erected the Great Firewall of China around the edge of the country, [which] turned out to be porous,” Palfrey said. “So at the Internet service provider level, there are blocks for material that [is] deemed to be harmful; there are blocks on search engines, including Google and others based in the United States; there are blocks through blog servers; there are blocks at the university level; there are blocks at the cyber-cafe level; and so forth.”
China is one of the most repressive filtering regimes. Anything that is a threat to its form of government or way of life is censored, Meeks said.
“Let’s look, for example, at the big earthquake that happened in China,” he explained. “People got all upset because there [were] a lot of schools that crumbled and children died. People got on the Inter-net criticizing the way the government handled that construction. The Chinese government stepped
in and started to shut down access to information about construction and arrested people who were speaking out against the government.”
But Meeks doesn’t believe the Internet can be cen-sored effectively even in China.
“[China has] their hand on the information pipe, and they squeeze it pretty tight,” he said. “There are ways to get around that, and people are finding ways to circumvent the Chinese censors all the time. But it’s kind of like escalating warfare. The Chinese clamp down harder, and then new tools spring up and find better and faster ways of circumventing that censorship. The Chinese government [then] retaliates by finding out what those are and clamp-ing down even harder — so it goes back and forth.”
One might argue that any type of censorship runs contrary to the nature of the Internet, which is inher-ently about the free flow of information.
“One of the great advantages of being able to use the Internet is that people feel empowered to say things that they may not say face-to-face,” Meeks said. “If you are being censored, it chills the way you speak; it chills the way you use the Internet. It drops to the lowest common denominator, so things become no more useful than the dialogue taking place in an ele-mentary school classroom.” 8
– Lindsay Edmonds Wickman, [email protected]
“We want prosecutors to use the laws that are on the books right now to go after the perpetrators of crime on the Internet, not to create new laws just because something is being carried out in cyberspace.” – Brock Meeks, director, Communications, Center for democracy & Technology
�2 CERTIFICATION MAGAZINE June 2009
Whereas many IT employers harp on experience and view a college degree in computer science or a related field as a nice-to-have, others consider it a critical component in the recruiting process.
Case in point: Christopher Buse, chief information security officer for the state of Minnesota’s Office of Enterprise Technology, believes a solid academic back-ground produces well-rounded candidates and demon-strates their ability to learn. Buse’s agency is proof that investing quality time, money and effort in a rigorous IT-heavy college education pays off in the long run.
structure of the AgencyThe Office of Enterprise Technology is responsible for the overall technology planning and coordination for the state government. The IT agency boasts about a
325-member staff, although the state government of Minnesota as a whole consists of approximately 35,000 employees.
Within the agency are a vast assortment of job roles and responsibilities. Some of the technology manage-ment functions include database administration, server administration, networking, network support and data-center facility management. On the development side, the agency recruits people who are skilled in enterprise architecture, IT procurement, contract management, project management and application management.
“We have an information security incident response team, [which is responsible for] things like vulner-ability scanning, intrusion detection and prevention, security information and event management and penetration testing,” Buse said.
INTERFACE
Academic Background Trumps All in Minnesota IT Agency
dEANNA hARTlEY
Technical qualifications aside, a strong educational background can give candidates the upper hand when seeking an IT job in the state of Minnesota.
June 2009 CERTIFICATION MAGAZINE ��
Buse’s area of expertise is the enterprise security group, which essentially manages the enterprise security governance for the entire state.
“We have a group in my area that assesses secu-rity compliance, both within state government and with third-party vendors,” Buse said. “We also have a group called Access Control Services, which is developing a framework and tools for government-wide identity and access management.”
In addition, one section of the department handles finance, accounting and budgeting, while another wing is responsible for customer-service manage-ment — including service-desk, client relations and service portfolio management.
“If it’s related to IT, we have it in our organization,” Buse said.
The Merits of a College EducationOne particular qualification that would make an applicant stand out in Buse’s eyes is a strong aca-demic background.
“I think it gives them a very well-rounded perspec-tive on learning, and they’re not just pigeon-holed in certain technology areas,” he explained. “More and more you find that people — in order to provide good technology service and good IT security service — have to have the capability to understand the busi-ness of government. I think that’s where being a well-rounded person with a college degree makes sense.”
An ideal academic combination, Buse explained, would be a degree in computer science or MIS (management information systems), along with some experience in accounting and finance.
“To me, those are the ideal things because being able to marry really strong technology skills with the ability to put deals together and make them make sense from a financial perspective is really the challenge that we
face today — not just doing technology for the sake of technology, but really doing technology to solve a problem and doing it cost effectively,” he said.
Buse explained that while obtaining certifica-tions and garnering industry experiences were of immense value, academic experience would serve as a necessary foundation.
“The strong educational background is more impor-tant for me because we do a lot of high-level archi-tectural design. So if I have people who have com-puter science degrees and are college-educated, it shows me they have the ability to learn,” Buse said. “[And] if we have people who can show that they have the demonstrable ability to learn, then we can always teach them new vendor products and get them vendor certifications.”
An Optimal Mix of Veterans and GradsThe workforce at the agency comprises individuals fresh out of college, as well as recognized experts.
“Starting off, we hired a lot of really experienced people, a lot of high-level architectural folks to help us develop the program,” Buse said. “[But we’re] going to need people to come in at the entry level to run our vulnerability and threat management pro-gram, work in our security operation center and help develop continuity of operations plan. So all those kind of roles are going to have to be filled long term.”
To that end, Buse and his team have been working to build affiliations with local colleges and universities, with the ultimate goal of creating a feeder program.
A Combination of skills hard to FindBuse started out an English major in college with the intention of becoming a technical writer. Over time, however, he wound up migrating over to the IT audit side before being fully integrated into the IT world.
INTERFACE continued on page 37
�� CERTIFICATION MAGAZINE June 2009
JOB ROlEs
health Information Manager: helping People Through Technology
AGAThA GIlMORE
Even during the economic downturn, there’s one industry in which technology has massive growth potential. What is that industry, you might ask?
Consider this: The recently passed U.S. economic stimulus package has set aside $17 billion to pro-vide incentives for health care providers to adopt technology. And one study found the U.S. will need at least 40,000 more health care IT professionals to make the investments worth it.
“We’re looking at a change in the next four years, [as] 95 percent of the hospitals in the United States will become 80 percent digitized,” said Lior Blik, chief information officer for Hoboken University Medi-cal Center in New Jersey. “[Currently], they’re 30 percent digitized, maybe 40 percent if they’re lucky. People will store everything on their IT. The medical records staff will probably have to become IT staff.”
During a time when IT professionals are vying for jobs, a career in health care IT might be just the ticket.
“I don’t see [demand] getting any smaller,” Blik said.
So what are the skills required to work one’s way up through hospital IT? The No. 1 asset is basic IT knowledge, Blik said.
“I’m a true believer that you need to come from the technical part of the business,” he said. “It’s more
important to know IT first. It’s like assuming the law-yer who does health care doesn’t need to know law. You have to know IT to manage IT.”
In fact, when he’s hiring health information man-agers (HIM) — those who “are responsible for the development and administration of health care data-collection and reporting systems,” according to a description on Temple University’s Web site — Blik said he wants to see experience working hands on in server rooms, on networks or with applications.
“I want to see some programming background, I want them to know the code, because I think the fear of technology drives a lot of the decisions [otherwise],” he said. “What happened over the years in health care is [the industry] decided to take people from within — nurses, doctors — and promote them to IT posi-tions, relying on the application vendors to basically tell them what they need. This created a problem.”
Since a vast majority of the HIM’s job is to vet pur-chases, a thorough knowledge of the technology is required to make the best possible decision.
“[Without it], you’re buying features a lot of the time without understanding the real costs that stand behind those features,” Blik said. “Anybody can look at a contract and make sure that it’s OK, but not a lot of people can look at a contract and understand
A hefty dose of tech knowledge, a pinch of business savvy and a spoonful of people skills are required to make it in the health care IT industry.
June 2009 CERTIFICATION MAGAZINE ��
the statement of work with it. The statement of work is key. It’s where you find the biggest gaps between the vendor’s presentation and really what’s going to be delivered in the end.”
That’s not to say that people on the clinical side can’t transition into health care IT. Blik said the main paths to the role of health information manager are through the IT world, coming typically from a software com-pany, or from the hospital side — in which the per-son might formally be a nurse or an accountant in the billing department.
How would the latter type get into the tech side?
“If you’re interested in going into IT, definitely become a super-user,” Blik said. A super-user is an individual with unlimited access privileges in a cer-tain application.
“So if you’re a nurse in a hospital and you’re look-ing to grow in your [IT] skills, become a super-user in the application that you’re managing — through that, you’re introduced into the IT department,” Blik said. “I have two users in my analyst department who used to be super-users. They actually got their knowledge directly from being down in the depart-ment levels and knowing the internal department processes and being the super-user of the applica-tion. It was just a matter of filling the gap with techni-cal studies, and they were ready to go.”
That said, while firsthand IT experience is key, indus-try-specific knowledge is less crucial. After all, the hospital or clinic is full of industry experts, Blik said. What an aspiring health information manager will need to know, however, is how a standard business works.
“What I do believe you need is operational knowl-edge of an enterprise,” Blik said. “[In the past], CIOs in health care were not able to deliver the right mes-sages to the executives in the business level. It’s because of the presentation.”
�6 CERTIFICATION MAGAZINE June 2009
That’s because a good portion of the job is support-ing not just the clinical, but the financial branch of the organization.
“The analogy that I like to give to what I do most of the time to my department is, essentially, it’s basi-cally the roads where the cars are running on,” Blik said. “A lot of it is being creative and having a lot of initiative, and then acting essentially as the gateway to this facility as far as growth is concerned.”
A typical day for Blik involves managing everything from electronic medical records (EMRs) to billing, as well as reviewing new applications and programs, assessing budgets and meeting with the executive staff. For this reason, he said another key component of being a successful health information manager is commendable soft skills — specifically communica-tion, management and leadership skills.
“It’s saying ‘no.’ It’s saying, ‘No, we don’t want to do this.’ It’s saying, ‘No, we do want to do this but we can’t.’ It’s really standing behind your decision,” he said.
Further, being able to build and maintain strong ven-dor relationships is important, as is being a good listener.
“Ninety-nine percent of what I do is provide ser-vices to the hospital. So [you need] understanding [of] what the customer is going to require,” Blik said. “Know what you’re trying to achieve, listen, review, try to understand — know what you don’t know.”
Blik said the typical academic background for some-one who goes into health care IT is a college degree in computer science, followed perhaps by an MBA.
However, actual IT experience still trumps book smarts, he said.
“The experience is far more important than your educational level. And I think that’s what’s going to be important as we go forward through the organization.”
When it comes to certification, HIM professionals can work toward the Registered Health Information Administrator (RHIA) credential. They also would do well to get certified in the integration language Health Level 7 (HL7). That’s because “the Health Level 7 (HL7) version 2 messaging language has become a standard framework for the exchange, integration, sharing and retrieval of electronic health information that supports the management, delivery and evaluation of health services,” according to a 2006 report on the “Trends Influencing the Cost of Care and Patient Safety.”
“I think the future will bring in the .Net and will bring in interfaces that are outside of HL7. But for now, HL7 is the key,” Blik added.
Other important skills for the role of HIM include project and storage management.
“Because of EMRs, storage management will grow because people will store everything on their IT now. [And] project management [will grow], defi-nitely, for the next two to three years because of big implementations that are going to come about,” Blik said. “It’s a matter of how the stimulus funds will take effect and how fast. The sooner they start it, the better.”
Perhaps most important, however, getting involved in health care IT requires a dedication to helping people. Case in point: A recent project Blik helped out with involved the implementation of “telemedicine.”
“We had a baby [sent] into a different hospital because of an emergency situation, and the mom was able to see her newborn over a screen,” he explained. “[She] was able to talk to the doctors in another hospital. They completely explained to her the procedures that the kid had, and how is he doing. She was shocked.
“Your delivery system helps people,” he continued. “People’s lives are on these floors in these hospitals. And that is an added value you won’t get in another industry.” 8
– Agatha Gilmore, [email protected]
The main paths to the role of health information manager are through the IT world, coming
typically from a software company, or from the
hospital side.
June 2009 CERTIFICATION MAGAZINE �7
INTERFACE continued from page 33
Although his academic background solidified his soft skills around communication, Buse said that’s one area in which his IT agency struggles.
“I come into a world today where people aren’t used to writing public reports,” he said. “What I find is a ten-dency to do really good work, [but] I think the work gets discredited because the written product is so poor.”
In fact, the lack of communication skills has become a major challenge for the agency. The burden for fill-ing this skills gap ultimately falls on Buse.
“It’s heartbreaking, and I spend a lot of nights as the state [chief information security officer] rewriting a lot of stuff because people can’t [effectively com-municate through writing],” he said.
The ramifications spill over into other areas of the agency, as well.
“One of the sad things is I have three full-time tech-nical writers on my staff right now because people just don’t write,” Buse said. “To develop good ser-vices — services that can be sold to businesspeople and make a lot of sense — there’s got to be a bible on the shelf that really defines every service from the marketing side all the way to the back-end processes that help-desk and support people have to run.”
supplementary CapabilitiesIn addition to your run-of-the-mill checklist for hir-ing IT professionals — which often includes solid technical requirements — the Office of Enterprise Technology seeks candidates with strong business skills that augment their technical skills.
“That’s why I look at certifications,” Buse said. “If I see people who are both a CISSP [Certified Infor-mation Systems Security Professional] and a CPA [Certified Public Accountant] or a CISA [Certified Information Systems Auditor], those kinds of com-binations mean a lot to me.”
Moreover, the manner in which candidates conduct themselves can speak volumes in terms of determin-ing a good fit for the organization.
“People’s presence and demeanor is really impor-tant,” Buse said. “How well do they interview? How well do they speak? Do I feel like I can put these people out there in front of the world? That means a lot to me.”
Furthermore, Buse is inclined to recruit candidates who give back to the IT profession. These typically
are individuals who are actively involved in profes-sional organizations, such as ISACA [Information Systems Audit and Control Association] or ISSA [Information Systems Security Association].
“I like people who are involved in professional orga-nizations because, if they take the time and make a commitment to their own development and career, then they’re probably going to take the time to do a good job for us, too,” Buse said.
Formulating a long-Term Career Track The agency believes in investing in employees in the long-term, which is why Buse and his staff are working on defining roles and responsibilities of specific positions.
“I [want to be able to] go to college students and say: ‘Here’s our career path — we have a three-year gen-eralist track where we’ll bring you through these two positions, and from there we have a branch where you can go into vulnerability and threat management or intrusion detection,’ or whatever the case may be,” Buse said. “I want to show them what the career path is and what choices are available to them.”
In addition to its commitment to career development, Buse said a career in government can be rewarding.
“In government, you have to give up a little bit of money, but you’ll never have an opportunity to work on bigger projects where more is at stake,” he said. “For us, if the systems fail, people could literally die.” 8
– Deanna Hartley, [email protected]
“In government, you have to give up a little bit of money, but you’ll never have an opportunity to work on bigger projects where more is at stake.” – Christopher Buse, Chief Information security Officer, Minnesota Office of Enterprise Technology
�8 CERTIFICATION MAGAZINE June 2009
INsIdE CERTIFICATION
Certifying software security Professionals: The CsslP
JAMEs E. MOlINI
June 2009 CERTIFICATION MAGAZINE �9
Humans have been developing computer software for about 65 years now. We’ve come a very long way during that time, and many futurists expect we will see just as much technological advancement in the next 65 years. This amount of change will challenge even the best minds in computer science to keep up.
It can be hard to appreciate just how sophisticated computers have become. But consider this: In 1981, the most sophisticated spacecraft in the world was the U.S. Space Shuttle. The Space Shuttle could launch, orbit the Earth and land without human inter-vention. The first shuttles were able to accomplish this feat with 104Kb of RAM. Today, you’d be hard-pressed to find anything larger than a wristwatch with only 104Kb of RAM. An average cell phone has more than 2.5 billion bytes of RAM and processes data faster than many of the mainframes used in Mission Control in 1981. It won’t work in the harsh environment of space, but it will do just fine down here on Earth.
However, like the Space Shuttle, a cell phone would be an expensive brick without software. For that reason, reliable and secure software is an essential investment.
Why software security?Until 1975, most programs were written, run and used in the same building. The idea of a computer virus was still science fiction in 1981 when IBM delivered the first PC. Security meant gates and guards, not firewalls and Web filters. During the past 30 years, the explosion in computing required that we change many of our approaches to computer security.
Early efforts at computer security were focused on providing a secure location for the computer. Then the tech community set about building tools that would enhance the security of a particular machine, such as a Web server or an accounting PC. Today,
as software becomes more complex, the need for secure software is increasingly critical to software development organizations. That is why (ISC)2 — a certification body that specializes in information security — developed a new certification for soft-ware developers, called the Certified Secure Soft-ware Lifecycle Professional (CSSLP).
The CSSLP is one way to define a new standard for software development security. (ISC)2 felt the security of software was an important area to investigate. In the course of its research, (ISC)2 found a critical need for specialists in both security and software development and determined that creating a certification program would be the best way to enable widespread adoption of better development security standards.
What the Certification AddressesWhen building secure software, it is necessary to address security throughout the life cycle, from con-cept through maintenance. Although many people might think a security bug is just another kind of cod-ing bug, simply avoiding coding bugs won’t result in secure software. Every year, security flaws arise from incorrect security requirements or design. With more than 14 million software developers worldwide, modern software development organizations must be ready to implement an entire security develop-ment life cycle. They also must hire professionals who understand both the principles and practice of secure software development.
Studies sponsored by (ISC)2 have found that profes-sionals who work every day in the field of software development often walk a fine line between profit and process. They must balance the mandate for high productivity with their professional commitment to producing high-quality systems. Those responsible for security must promote security best practices in orga-nizations that often are driven by conflicting priorities. Upon examination, (ISC)2 concluded that these pro-fessionals would benefit professionally and financially from clear standards for secure software development and an industry standard recognition of their skills.
The CSSLP is intended for software life cycle profes-sionals who are responsible for improving the secu-rity of software and those responsible for developing secure systems or application software. In providing certification opportunities to developers, (ISC)2 aims to establish a base level of professional skill for indi-viduals who wish to pursue this area as a career path.
In a nutshell, the CSSLP is designed to:
• Establish minimum professional standards for a global audience of software developers.
As humans become more dependent on computer systems, the need for security will only increase. (IsC)2 has responded to that need with an international certification program for software development life cycle professionals.
�0 CERTIFICATION MAGAZINE June 2009
• Provide a portable method for conveying and veri-fying professional qualifications.
• Encourage opportunities for all organizations to develop software development security capabili-ties by not tying certification to an enterprise or infrastructure.
• Support specialized areas of information security with critical needs.
Why Certify Individuals?In the past, other organizations have attempted to certify development organizations or to provide third-party testing for systems. However, organizational certifications tended to localize the expertise to specific geographic or service communities. More-over, those certifications actually slowed the spread of expertise, since an individual with certified skills might lose that certification by changing jobs.
With the advent of ubiquitous computing, it was necessary to address the need for a global commu-nity of professionals who could build skills and drive best practices within every enterprise. Moreover, experts thought a certification program might pave the way for wider acceptance of software certifica-tion. By providing an opportunity for professionals to become certified on independent criteria, (ISC)2 is hoping to raise the level of software security throughout the global IT community.
Additionally, rather than certifying only developers of security software (i.e., those who build firewalls and anti-malware programs), the CSSLP is targeted at people who improve the security of all software, including those who improve the security of gen-eral-purpose software and those who develop security tools. Subsequently, (ISC)2 believes this certification offers benefits to the software com-munity at-large.
Certification Body of KnowledgeThe field of software security is not easy to master, even on a good day. Just as a pathologist first must learn to become a doctor, a CSSLP-certified professional must learn how to develop software before understanding how it breaks and how to prevent those failures. They must then learn how other people will attack the soft-ware and how to prevent those attacks.
These multiple layers of expertise challenge even the best professionals, and as a result, deep dedication to the field is not uncommon. For this reason, the CSSLP
CBK, a compendium of secure software development topics, might seem intimidating at first glance.
The CSSLP CBK covers all the stages of normal soft-ware development. Candidates must understand requirements, design, coding, testing, deployment, patching, maintenance and disposal. Further, they must learn the security functions associated with each of these stages in the software development life cycle (SDLC).
Additionally, candidates must know how to apply core information security concepts such as risk management, vulnerability assessment, auditing and legal issues. Finally, candidates will be required to show that they understand the mathematical models that represent the engineering foundation for secure software development. (ISC)2 expects that universities will begin to offer graduate degrees in software security as a way to prepare candidates for specialization in this field.
Common standards of CertificationThe CSSLP was designed from the ground up with American National Standards Institute (ANSI) stan-dards in mind. Activities such as job-task analysis and exam-item writing were strictly supervised by (ISC)2 staff to meet ANSI standards. At the same time, the development process was run with an eye toward full globalization of the certification itself.
Today, (ISC)2 supports more than 60,000 certified infor-mation professionals in more than 130 countries. Many affiliates of (ISC)2 have operations across several con-tinents. For these reasons, the certification process needed to be universal so certified professionals could move around the world and still know their expertise would be applicable to the local environment.
looking AheadSoftware security is a critical element of computing today. Although the CSSLP is new, the pedigree of the organization has been upheld for more than 20 years, and the people behind this creation are confident it will play a positive role in computing for the next 65 years. 8
James E. Molini, CISSP, CSSLP, is a senior program manager at Microsoft, working in the Identity and Security Division. He has more than 22 years experience in the field of information security, including extensive experience in system and software security, intrusion detection and risk management. He can be reached at [email protected].
June 2009 CERTIFICATION MAGAZINE �1
AdVERTIsING sAlEs
WEB REsOURCEs
CertMag.com www.certmag.com
Subscribe to Certification Magazine
and newsletters www.certmag.com/subscribe
CertMag’s Forums network.certmag.com/forum
CertMag’s NewsCenter www.certmag.com/newscenter
To change your address www.certmag.com/subscribe
lIsT RENTAl
Jay Schwedelson 800-331-8102
hOW TO CONTACT Us
To contact our editors, write to: [email protected]
For advertising information, write to: [email protected]
Letters to the editor may be sent to: [email protected]
To submit an article for publication, go to www.certmag.com/publish
James R. YeakelVICE PRESIDENT, ASSOCIATE PUBLISHER
510-834-0100 [email protected]
Natasha PozdniakovaADVERTISING ADMINISTRATIVE ASSISTANT
510-834-0100 [email protected]
David LienemannADVERTISING ACCOUNT MANAGER
510-834-0100 [email protected]
Lisa NewtonE-MEDIA & ADVERTISING ACCOUNT MANAGER
510-834-0100 [email protected]
AdVERTIsER INdEXAdVERTIsER/URl PAGE AdVERTIsER/URl PAGE
CertMag 13 www.certmag.com
EMC Corporation 11 education.emc.com/ISMBook
ISACA 2nd Cover, 19 www.isaca.org/certmag
ISC2 15 www.isc2.org/offer
MeasureUp 7 http://www.measureup.com/site/display_article.aspx?id=1745
Nortel 17 www.nortel.com/nortelpress
Registertoday
forCertMag.com
MemberBenefits!
www.certmag.com
REPRINTs
For single article reprints in quantities of 250 and above and e-prints for Web posting, please
contact PARS International at [email protected]
or http://tinyurl.com/9l5kj6. For all other requests, including
bulk issue orders, please contact MediaTec Publishing at
�2 CERTIFICATION MAGAZINE June 2009
</ENdTAG>
hooked on Twitter dEANNA hARTlEY
Is it just me, or does the world — and the media — seem to be abuzz over Twitter, the social networking and micro-blogging service?
For those of you who aren’t familiar with the service, it allows people around the world to stay connected in real time via short updates — better known to the Twitter community as “tweets.”
There’s no doubt that during the past year Twitter has exploded in popularity. Chances are at one point or another you’ve attended a meeting or sat on a train or bus in which the individual next to you has been furi-ously typing tweets into his or her iPhone.
In fact, a recent CNN article pointed out the number of unique visitors on Twitter grew more than 1,300 percent from February 2008 to February 2009. In terms of actual numbers, the platform saw a jump from 475,000 users to approximately 7 million for the same time period.
To put these mammoth figures into perspective, con-sider the fact that social networking giant Facebook grew by 228 percent — to a total of 65.7 million users — during the aforementioned time.
Even though Twitter came into existence a couple years ago, it wasn’t until quite recently that what I refer to as “Twitter mania” began. That’s when the input from notable personalities and intensive media coverage helped boost participation and drive the number of users to unprecedented levels.
An example is President Barack Obama’s use of the social platform during his 2008 campaign. According to one published report, the president managed to gar-ner more than 118,000 followers by Election Day, and at some point during his campaign he even held the cov-eted status of “the most followed person on Twitter.”
In addition to supplying the general public with up-to-the-minute information via Twitter, the Obama cam-paign managed to spawn other groups on the plat-form, such as “Asian Americans for Obama ’08.”
In fact, the Obama administration continues to remain active in the “Twitterverse” to this day, posting links and other updates on-site.
Twitter also has managed to attract the crème de la crème of Hollywood A-listers. Take, for instance, power actor couple Ashton Kutcher and Demi Moore, whose tweets have made national headlines on news outlets ranging from CNN to People magazine. Musi-cian John Mayer is another Twitterer who has used his celebrity status to publicize this rapidly growing platform. Meanwhile, Shaquille O’Neal boasts more than 470,000 followers.
While these larger-than-life celebrities manage to garner hundreds of thousands of followers, Twitter also gives ordinary folks the opportunity to attract a sizeable following.
For example, a group of surgeons at Henry Ford Hos-pital made it a point to use Twitter while performing a surgical procedure to remove a cancerous tumor from a patient’s kidney. The chief resident sat in the oper-ating room and sent out a series of tweets — such as “Tumor is excised, bleeding is controlled, we are about to come off clamp” — to curious followers.
The ultimate goal was noble: to educate fellow doc-tors, medical students and others on risky medical procedures.
Now, I have to admit: Even though I was familiar with Twitter and knew people who interacted with others via the social network, one of my first experiences with Twittering came earlier in the year — in a busi-ness context, no less!
It turned out to be an incredibly valuable tool to keep peers in the loop and make them feel like part of the community, even when they weren’t there. This is especially important today, as more and more com-pany travel budgets are slashed.
But while there’s no denying Twitter has its share of benefits — including knowledge sharing — as with all forms of social media, I think we run the risk of using it excessively. Do you think society has gone gaga over Twitter? In my opinion, if we are so impatient to pull out our handheld gadgets to the point where social decency has been lost, we have crossed that line. 8
– Deanna Hartley, [email protected]
There’s no doubt that during the past year Twitter has exploded in popularity.
![High-throughput, Scalable, Quantitative, Cellular ...iwbbio.ugr.es/2014/papers/IWBBIO_2014_paper_158.pdftools like K-Means clustering [22] , Random Forests [23], Linear Discriminent](https://static.documents.pub/doc/80x56/5f772d93c9929132a94c35ea/high-throughput-scalable-quantitative-cellular-tools-like-k-means-clustering.jpg)
![Computational Co-Creative Systems - viXravixra.org/pdf/1808.0175v1.pdftools in harnessing valuable live information. [20] To achieve remarkable results in computer vision tasks, deep](https://static.documents.pub/doc/80x56/5fd87da85fca1a09f1324225/computational-co-creative-systems-tools-in-harnessing-valuable-live-information.jpg)
