News

UPDATE: Certifying Your Security Expertise

Check your transcript — you might already be a security specialist, according to Microsoft.

• By Michael Domingo
• 06/02/2003

The new titles will be indicated by the word "Security" appended to the titles — MCSA: Security and MCSE: Security — once candidates complete the requirements for each specialization. Requirements for both specializations is based on currently available Microsoft exams, with the option of substituting CompTIA's Security+ for one of the requirements.

"We put together these certification specializations to allow IT professionals a way to demonstrate a specific technical focus in the area of security within their job roles," said David Lowe, product manager for security with Microsoft's Training and Certification group. "The new specializations are directly analogous to the existing base credentials, but with a 'prescribed path' of specialization exams rather than electives."

As far as the term "specialization," Lowe emphasized that the new monikers are not separate certifications mandating additional exam requirements.

The MCSA: Security requirements are based on the current MCSA on Windows 2000 requirements. Candidates will need to pass five exams, consiting of one core client OS exam:

• 70-210, Windows 2000 Professional or 70-270, Windows XP

and two core networking exams:

• 70-215, Windows 2000 Server
• 70-218, Managing a Windows 2000 Network

Then, candidates must pass two more exams related to security specialization:

• 70-214, Implementing Windows 2000 Security
• 70-227, ISA Server 2000 or CompTIA's Security+

The MCSE: Security has similar core networking requirements but, instead of requiring exam 70-218, specifies the following two exams:

• 70-216, Implementing, Administering a Windows 2000 Network
• 70-217, Implementing, Administering Windows 2000 Directory Services

The security specialization portion is the same as the MCSA: Security, but with the addition of another prescribed exam, 70-220, Designing Windows 2000 Security.

If the requirements for the security specializations have an uncanny familiarity, it's because all the exams are already available. "It's not like we're trying to validate an entirely new set of skills," Lowe explained. "We're validating existing skills based on tasks that IT professionals are performing today."

With the addition of CompTIA's Security+ to the prescribed exam choices, that exam joins the A+, Network+ and Server+ exams as options under the MCSA title.

"We're very pleased," Kris Madura, Security+ Program Manager for CompTIA commented. "What Security + will do for these distinctions is allow candidates to leave the program...with additional, broad-based knowledge of vendor-neutral security issues on a global basis." Madura added that Security+ would be an additional MCSA elective in combination with one of the other CompTIA exams, but Microsoft was unable to verify this; at press time, the option wasn't reflected on the current MCSA on Windows 2000 Requirements page.

[Microsoft has since confirmed that Security+ can now be counted toward the MCSA and MCSE on Windows 2000 tracks; see "Security+ Added as MCSA/MCSE Exam Options."—Ed.]

Unlike the approach it took with the MCP/MCSE+Internet certifications, the creation of specializations based on job roles is unique in the company's certification program. "We don't really think that the industry has clearly defined security job roles yet," Lowe said. "We recognize that in IT job roles, like systems administrator and systems engineer, there are a number of individuals who have a very specific concentration on a particular area and, obviously, in an important area as security. So that's what these specializations will allow individuals to demonstrate; they'll get to highlight their focus on platform-specific security and design skills."

Lowe said that the impetus for the latest announcement came from feedback from its customers. "There have been a number of studies that have shown that human error [and] lack of training are [the top] reasons for a broad range of security issues that companies and organizations are facing today."

"We recognize that security certification not only provides a way for individuals to measure and validate their skills on important security issues, but it also provides a way for employers and IT managers to ensure that their technical staff has obtained and validated the appropriate security skills necessary for the creation of a secure computing environment in their organizations. This is another way in which Microsoft is supporting the 'Secure in Deployment' tenet of the Trustworthy Computing Framework," which Bill Gates announced amid fanfare last February 2002.

Lowe wasn't sure how many MCSAs and MCSEs would be automatically certified as security specialists upon launch of the designation. Also, because the specialist designations are being added to existing titles, Lowe said that Microsoft would not issue Early Adopter or Charter Member cards. However, the company will automatically update transcripts of MCSAs and MCSEs who have already passed the exams and make new logos available shortly via the MCP Secure Web site. The company is also in the process of creating Welcome Kits for the new specializations.

Lowe added that the idea of specializations would probably surface later in other areas of certification, but he declined to offer details.

For more about the security specialist designations, click here.

To read more about the Trustworthy Computing Initiative, click here.

For earlier MCPmag.com news on security certifications, see "Microsoft Considering Desktop, Security Certs" by Becky Nagel, CertCities.com Editor, (May 9, 2002).

—Additional reporting by Dian L. Schaffhauser, Editorial Director (in Dallas) and Becky Nagel, CertCities.com Editor.

NOTE: As of the original posting of this article on June 2, this article has been updated.