Organizational Systems Security Analyst
The Organizational Systems Security Analyst (OSSA) is a technical vendor-neutral Information Security certification programme which is being offered in Asia. This programme consists of a specialized technical information security training and certification course and practical examination which technical Information Technology professionals can attend in order to become skilled and effective technical Information Security professionals and to prove their level of competence and skill by undergoing the examination.
Technical staff enrolling in the programme are taught and trained how to address the technical security issues they encounter in daily operations and how to methodically establish, operate and maintain security for their organization's computer network and computer systems infrastructure. It is developed by ThinkSECURE, an information-security certification body and consultancy. The OSSA programme is listed in the Singapore-based Infocomm Competency Management System which is a government-maintained public database of information technology-related courses.
The OSSA programme does not focus on hackers' software as these quickly become obsolete as software patches are released. It first looks at security from a methodological perspective and draws lessons from Sun Tzu's "The Art of War" to generate a security framework and then populate it with resources and tools by which the various security aims and objectives, such as "how to defend your server against a hacker's attacks" can be met.
Sun Tzu's 'Art of War' treatise is used to provide a guiding philosophy throughout the programme, addressing both offensive threats and the defensive measures needed to overcome them. The philosophy also extends to the sections on incident response methodology (i.e. how to respond to security breaches), computer forensics and the impact of law on security-related activities such as the recovery of information from a computer crime suspect's hard drive. Under the programme, students are given coursework and experience how to set up and maintain a complete enterprise-class security monitoring and defence infrastructure which includes firewalls, network intrusion detection systems, file-integrity checkers, honeypots and encryption. A unique attacker's methodology is also introduced to assist the technical staff with identifying the modus operandi of an attacker and his arsenal and to conduct auditing against computer systems by using that methodology.
The generic title sections under the programme appear to comprise the following:
- What is Information Security
- Network 101
- Defending your Turf & Security Policy Formulation
- Defensive Tools & Lockdown
- The 5E Attacker Methodology: Attacker Methods & Exploits
- Wireless (In)Security
- Incident Response & Computer Forensics
- The Impact Of Law
Under each section are many modules, for example the defensive section covers the setting up of firewalls, NIDS, HIDS, honeypots, cryptographic software, etc.
The OSSA programme consists of both practical hands-on lab-based coursework and a practical hands-on lab-based certification examination. According to the ThinkSECURE website, the rationale for this is that only those who prove they can apply their skills and knowledge to a completely new and unknown exam setup will get certified and those who only know how to do exam-cramming by memorizing facts and figures and visiting brain dump sites will not be able to get certified. Compared to non-practical multiple-choice-question exam formats, this method of examination is beneficial for the Information Security industry and employers as a whole because it provides the following benefits:
- makes sure only candidates who can prove ability to apply skills in a practical examination are certified.
- stops brain-dumpers from attaining and devaluing the certification as a basis of competency evaluation.
- protects people's and companies' money and time investment in getting certified.
- helps employers identify technical staff who are more skilled.
- provides the industry with a pool of competent, qualified technical staff.
