Frequently Asked Questions about DRI CANADA Certification
1. What is the first step in becoming a DRI certified professional?
The first step in becoming a certified professional is to pass the appropriate qualifying examination.

2. I have passed the DRI Qualifying Exam. Which certifications can I apply for?
With successful completion of a certificate course or a passing score on a Q-Exam, you may apply for the ABCP, CFCP, CBCP or CBCV levels of certification.

3. What fees are associated with the application?
There is an application fee for each certification application you complete. This fee covers the processing of the application and the first year of membership. Please refer to the Certification Matrix for the fees at each certification level.

4. Can someone write the Q-exam and, if successful, go straight to applying for the CBCP, skipping the ABCP level?
Yes. ABCP is not a mandatory step; it exists for those who do not yet have the experience required for CBCP (or CFCP). If you pass the Q-exam and choose to apply for the CBCP, you need to apply online and pay the appropriate application fee. You could also take the Master Case Study Exam and, if successful, apply for MBCP without holding any "lower" certification.

5. How do I complete the application?
All certification applications are available online. Log in with your DRIC account and go to the Application for Certification page in the Online Learning section. Please note that any missing information on the application will delay processing.

6. What time-frame should I reference in my application?
The experience must have occurred within the ten years preceding your application date, and must focus on your business continuity/disaster recovery planning responsibilities and accomplishments, not your position responsibilities or organizational accomplishments. See the years of experience required for each certification level.

7. What should the framework of my Subject Matter Essays be?
Use the DRI Professional Practices as the guide for your essays. Write about your own experience in the first person.

8. Am I able to view the score I received on the exam?
DRI exam scores are released only as PASS or FAIL.

9. I currently hold a DRI certification, but the application website says that I have not passed the Qualifying Exam in the last three years. What do I do?
If your certification is in good standing, please contact the certification administrator at firstname.lastname@example.org, who will be able to assist you with a test record.

10. Who reviews the applications?
The DRI CANADA Certification Commission reviews all applications.

11. My references need to have the email re-sent to them. How can I do this?
To have a reference request resent, log into MyDRIC, view your application, select "View/Edit Reference," select the reference whose email you need to resend, select "Change/Resend Reference" and click OK. This will resend the email to your reference.

12. How do I change one of my references?
To change a reference, log into MyDRIC, view your application, select "View/Edit Reference," select the reference you need to replace, type in your new reference's name and email address, select "Change/Resend Reference" and click OK. This will replace your reference and send the new reference the email.

13. If the commissioners have any questions about my certification, can they contact me?
Each reviewing commissioner has one opportunity to request additional information on an application. The request will be made through the application system, and your response must be submitted through the same system.

14. How long do I have to respond to a request for additional information?
Your response must be received within 30 days of the request.

15. I received an email stating that my application was approved. What does this mean?
If you have received an email stating that your application has been approved, congratulations! You may use the certification designation from that point on. You will also receive a certificate and lapel pin within the next few weeks.

16. How can I maintain several credentials at once?
You can align the certification cycles of all your DRI credentials and maintain them simultaneously. You can also apply CEAPs earned for one credential to another.

17. Will newer DRI credentials dilute the other established DRI credentials?
No. DRI's credentials reflect different roles in business continuity management and are therefore suited to different candidates. Use the Certification Matrix to determine which credential is right for you.
If after reviewing our Certification FAQ you find your questions are not answered, please contact us at 1-844-228-8135
A degree will only take you so far up the job ladder. At some point in your career, an IT security certification from a reputable third-party organization may be necessary (e.g. you’re changing jobs, the job market is tight, you need experience, etc.).
Since the acronyms alone are enough to drive you nuts, we’ve created this short and simple guide to getting accredited. If you already know the basics, you might want to skip ahead to our breakdown of major certification organizations.
Security Certifications: What You Need to Know
Cyber security certifications come in all shapes and subjects – from forensics to intrusion detection to ethical hacking. They are typically administered by independent accrediting organizations such as CompTIA, EC-Council, GIAC, ISACA and (ISC)².
Accrediting organizations often divide their programs into three categories: entry level, intermediate and expert.
- Entry-level certifications are meant to ground you in the basics – foundation principles, best practices, important tools, latest technologies, etc.
- Intermediate and expert-level certifications presume that you have extensive job experience and a detailed grasp of the subject matter.
Regardless of the topic or level:
- IT security certifications are portable: they follow you across jobs and organizations.
- The credentialing process usually consists of training (optional for many programs) and a final exam.
- Certifications must be renewed periodically, typically every three or four years.
- To be recertified, you will need continuing education credits and/or to pass the current version of the exam, depending on the program.
Costs & Commitment
When you decide to get your cyber security certification is up to you. If you have the skills, there’s nothing to stop you from starting when you’re an undergraduate. A recognizable credential will burnish your résumé and catch the eye of hiring managers.
We won’t blow smoke up your proverbial. Certification can be expensive and time-consuming. An entry-level credential can take three to nine months to complete and set you back $300-$600 for the exam.
However, you may not have to pay for it. Universities and employers frequently help foot the bill. In a 2014 SANS survey of cybersecurity trends:
- 65% of respondents reported their employers completely paid for certification training
- 15% of employers shared the costs
The U.S. Department of Veterans Affairs has also approved reimbursement under the G.I. Bill for some certifications. Talk to your accrediting body about funding options.
Is it worth it? If you get the right one, yes. Certification can lead to promotion, better job prospects and/or a raise. Some respondents in the SANS survey reported salary increases of up to 5% after accreditation.
Which Certification to Choose
When it comes to entry-level training, you might start by considering certifications such as:
Take the time to compare CompTIA Security+ and GSEC. GSEC has a solid reputation within the industry and is approved for DoD 8570 Baseline Information Assurance. Alternatively, Security+ is one of the most well-known beginners’ certifications. Ed Tittel of Tom’s IT Pro named it to his list of Best Information Security Certifications for 2015.
Once you’re through the initial hoops, certification will depend on your level of expertise and your field of interest. For example, a Penetration Tester would probably want to take a look at GPEN.
Popular industry certifications include:
In March 2014, Burning Glass did a survey of cyber security job postings and found that CISSP, CISA, Security+, CISM and GSEC were the top 5 requested certifications.
A lot of organizations encourage you to start with their entry program and work towards more advanced credentials, but it’s not always necessary to go through every level. Check the fine print on prerequisites.
Department of Defense Directive 8570
In 2004, the Department of Defense realized it had a problem on its hands. There was no formal training standard for its information security personnel, and it had little way of knowing whether its IT technicians, administrators, managers and directors were qualified to handle their tasks.
In response, the DoD issued Department of Defense Directive 8570 (the directive was signed in August 2004; its implementing manual, DoD 8570.01-M, followed in December 2005). The directive, formally the Information Assurance Workforce Improvement Program, was intended to ensure that its cyber workforce was battlefield-ready. It:
- Mandated baseline professional certifications for all of its Information Assurance (IA) positions
- Required that IA certifications be accredited by ANSI or an equivalent authorized body under ISO/IEC Standard 17024
- Applied to anyone performing IA functions on DoD systems, including military personnel, DoD civilians, contractors and foreign nationals
IA jobs were broken down into four main categories:
- Information Assurance Technician (IAT)
- Information Assurance Manager (IAM)
- Computer Network Defense Service Provider (CND-SP)
- Information Assurance System Architecture & Engineering (IASAE)
Each category was then split into levels of expertise and proficiency (Levels I–III for IAT and IAM), and the baseline certification you needed depended on your category and level. IAT personnel also had to hold a computing environment (CE) certification for the operating system or product they administered, on top of the baseline IA certification.
For example, an IAT at Level II could satisfy the baseline with Security+, while an IAM at Level III would need CISSP or an equivalent (view a chart of DoD 8570 certification requirements at (ISC)²).
Department of Defense Directive 8140
As cyberspace has expanded into wireless, mobile and the cloud, the DoD 8570 categories have become somewhat outdated. Department of Defense Directive 8140, Cyberspace Workforce Management, is intended to address this issue and replaces 8570's Information Assurance Workforce Improvement Program.
Instead of job titles, DoD 8140 adopts the seven categories of the National Initiative for Cybersecurity Education (NICE) workforce framework:
- Securely Provision
- Operate and Maintain
- Protect and Defend
- Analyze
- Collect and Operate
- Oversee and Govern
- Investigate
Each category is broken into a number of specialty areas and work roles. For example, Analyze includes Cyber Threat Analysis, Exploitation Analysis, All-Source Analysis and Targets.
More Security Certification Resources
Cybersecurity Education and Training Catalog
NICCS maintains an up-to-date listing of all cyber security and cyber security-related education and training courses offered in the U.S. The catalog currently contains more than 1,300 courses. You can search by proficiency level, delivery method, specialty area and keyword.
Josh More’s Blog Series on Security Certification
It’s a few years old, but Josh More’s insider’s view on the pros and cons of certification makes for interesting reading. He has even developed a mathematical method for assessing the overall learning value of a qualification.
Tom’s IT Pro Security Certification Section
Tom’s IT Pro has scores of articles and blog posts on security certification. We’re particular fans of Ed Tittel’s advice column, where he gives career guidance to security professionals around the world.
Cybrary
Cybrary.it, founded by Ralph Sita, Jr. and Ryan Corey, is an online cyber security community offering dozens of free training courses. For example, students interested in earning a CompTIA certification can prepare by enrolling in Cybrary's free CompTIA A+ Certification Training course. Browse courses by skill level or topic, connect with others in the online forum, and browse listings of cyber security jobs.
Security Certification Organizations
You’ll find a breakdown of 13 cyber security certification bodies and notes on some of their most popular accreditations below. These organizations are also listed on the website of the National Initiative for Cybersecurity Education (NICE). The big ones – CompTIA, EC-Council, GIAC, ISACA and (ISC)² – are members of the Cybersecurity Credentials Collaborative (C3), an effort to promote the benefits of certifications in the skills development of information security professionals around the world.
But this is far from an exhaustive list. The Department of Defense, for instance, has developed a separate SPēD Certification program run through the Center for Development of Security Excellence.
If you’re confused about which certification is right for your experience level and interests, reach out to your network. Your professors, employer and/or senior-level colleagues will have a strong sense of which qualifications are worth the investment.
CERT: Software Engineering Institute
Run as a division of the Software Engineering Institute (SEI) at Carnegie Mellon University, the CERT Program partners with DHS, industry, law enforcement and academia to counter large-scale, sophisticated cyber threats.
SEI offers two security-focused certifications:
CERT-CSIH is geared towards professionals involved in a computer security incident response team. Training includes methods and best practices related to incident management and incident handling.
Cisco
Although it’s far from vendor-neutral, we wanted to make sure Cisco was included in our list of certification bodies. In part that’s because the Department of Defense (DoD) has approved Cisco’s CCNA Security certification for DoD Information Assurance Technician Levels I and II.
Cisco has tiered its security accreditations into four levels of experience:
CCENT covers network fundamentals and basic network security. It certifies you’re able to install, operate and troubleshoot a small enterprise branch network.
The popular CCNA Security is an associate-level qualification. This is all about securing and defending Cisco networks. You’ll prove your knowledge of core security technologies, installation/troubleshooting/monitoring of network devices and Cisco security structures.
After that, you can choose to progress to CCNP Security (aligned specifically to the job role of the Cisco Network Security Engineer) and the expert-level CCIE Security.
CCIE Security does not have any formal prerequisites. Instead, like many top-tier certifications, you’ll have to pass a written qualification exam and a corresponding hands-on lab exam. Cisco recommends you accrue three to five years of in-depth job experience before attempting certification.
CWNP: Certified Wireless Network Professional
Founded in 1999, CWNP has developed a series of vendor-neutral training programs and exams, including four levels of professional career certification for Enterprise Wi-Fi.
The most relevant security qualifications are:
CWSP is a mid-tier certification designed to help you secure enterprise Wi-Fi networks from hackers, regardless of the Wi-Fi gear you might be using. You must hold a valid CWNA credential to earn a CWSP.
CWNE is the expert-level qualification. It goes much broader than security, giving you the skills to do pretty much anything with wireless network systems.
The program expects job experience in advanced design, protocol analysis, intrusion detection and prevention, performance and QoS analysis and spectrum analysis and management.
CompTIA
CompTIA provides a number of vendor-neutral IT certifications, including 16 certification exams covering the cloud, networking, servers, Linux, security and more.
Notable security accreditations include:
As we mentioned in our introduction, CompTIA Security+ is a strong baseline certification for securing a network and managing risk. It is also approved to meet the DoD 8570 baseline requirements for IAT Level II and IAM Level I (see above).
CASP is intended to give IT professionals advanced-level security skills and knowledge. It applies to IT specialists, risk managers and analysts, security architects/ISSOs, penetration testers and ethical hackers.
CompTIA recommends that CASP exam takers have ten years of experience in IT administration, including at least five years of hands-on technical security experience.
Although there is no formal prerequisite, CASP is designed to build on the principles of CompTIA Security+. Like Security+, it has been approved by the DoD for 8570 baseline requirements, at the higher IAT Level III and IAM Level II (and IASAE Levels I and II).
DRII: DRI International
Established in 1988, DRI International is a non-profit organization providing global education and certification in business continuity and disaster recovery planning. It has more than 12,000 active certified professionals worldwide.
The most popular DRII certification is the intermediate-level CBCP: Certified Business Continuity Professional.
This follows on from the associate-level ABCP and precedes the expert-level MBCP. DRII also offers tiered certifications in Certified Specialties (Auditor, Public Sector and Healthcare), Certified Vendor and Certified Risk Management.
Be aware that the DRII process is quite thorough. The CBCP involves a qualifying exam, references and application essays. The qualifying exam itself has no experience prerequisite, but to be certified at the CBCP level you must document at least two years of recent experience in business continuity/disaster recovery, and that experience must fall within the ten years before your application date.
EC-Council: International Council of Electronic Commerce Consultants
EC-Council has developed an extensive range of offerings in IT security, including training in information, network, computer and Internet security. Courses are offered online, via iClass or led by live instructors.
EC-Council’s flagship course is: CEH: Certified Ethical Hacker.
In this intermediate-level program, candidates learn to scan, test, hack and secure their own systems. The content-heavy course lasts five days and is followed by a 4-hour multiple-choice exam.
Here’s the thing – there are seasoned security practitioners who intensely dislike EC-Council and will be biased against anyone with one of their certifications.
On the other hand, although many hackers favor IACRB’s CPT or Mile2’s CPTE, CEH consistently appears in lists of top (and top-paying) hacking certifications.
So do your research, talk to colleagues and decide for yourself.
GIAC: Global Information Assurance Certification
Founded in 1999 by SANS, GIAC provides more than 20 job-based cyber security certifications, including assessments in information security, forensics and software security.
If you’re interested in a GIAC credential, you might wish to investigate:
As we mentioned in the introduction, GSEC is a solid beginner’s credential. Over the course of a proctored exam, candidates have to demonstrate a fundamental understanding of key security concepts and techniques (e.g. DNS, Honeypots, ICMP, Linux, TCP, etc.).
GPEN and GCIH are more advanced qualifications. GPEN is targeted towards security professionals who are tasked with finding vulnerabilities in target networks and systems. GCIH is for incident handlers and focuses on skills for detecting, responding to and resolving computer security incidents.
At the top of the GIAC heap is GSE: GIAC Security Expert.
This is a top-tier accreditation whose status is at least comparable to CISSP, and which adds a hands-on lab component to the written exam. It determines whether candidates have mastered the skills required of top security consultants and individual practitioners.
There is no specific training required for any GIAC certification. You can rely on your practical experience or take relevant courses from a training partner like SANS. High-scoring exam takers gain access to useful online mailing lists. Once you have a certification in hand, you can also pursue GIAC Gold Status – a valuable self-promotion tool.
IACRB: Information Assurance Certification Review Board
IACRB is a non-profit organization offering a variety of industry certifications for a wide range of job descriptions (e.g. Penetration Tester, Reverse Engineer, Data Recovery Professional, etc.).
Competitors to EC-Council’s CEH qualification include:
CPT is the initial certification; CEPT is the expert-level version. CPT deals with pen testing domains such as network protocol attacks, Windows/Unix/Linux exploits and wireless security. CEPT goes deeper into network attacks and recon, shellcodes, memory corruption and more.
Both CPT and CEPT consist of a multiple-choice exam, followed by a take-home practical. Candidates have to successfully complete three penetration challenges in order to become accredited.
ISACA
Formed in 1969, ISACA is a global non-profit that provides practical guidance, benchmarks and tools for enterprises that use information systems. It hosts a Knowledge Center where members can participate in communities, shared interest groups, discussions and document sharing. In addition, its Cybersecurity Nexus (CSX) is a central location for cybersecurity research, education, guidance and certifications. ISACA has been around for a long time and has a good reputation.
The organization offers the CISA, CGEIT, CRISC and CISM (Certified Information Security Manager) certifications. Like Security+ and CISSP, CISM was named to Ed Tittel’s list of Best Information Security Certifications for 2015.
As the title implies, CISM is designed for experienced management-level professionals who design, oversee and assess an enterprise’s information security. Job practice areas include governance, risk management and compliance, incident management and program development and management.
CISM is not a walk in the park. You must pass the exam, submit a written application, agree to the ISACA Code of Professional Ethics and have a minimum of five years of relevant work experience in order to gain accreditation.
(ISC)²: International Information Systems Security Certification Consortium, Inc.
(ISC)² offers a large number of information security certifications, including SSCP, CAP and CISSP. Members have access to an extensive range of resources, including a job board, e-Symposium, networking and a Chapter Program where peers can share knowledge, exchange resources, collaborate on projects and create new ways to earn CPE credits.
(ISC)²’s banner certification is the globally-recognized CISSP: Certified Information Systems Security Professional.
CISSP holders work as security managers, directors of security, network architects, security analysts and in many other senior security roles. The program covered 10 domains (consolidated into eight in the April 2015 revision of the CBK), including access control, network and operations security, governance and risk management, legal issues and more.
You can also opt to take a concentration:
As with CISM, you must have a minimum of five years of full-time experience in order to be certified; you may sit the exam before you have the experience and hold Associate of (ISC)² status until you do. You are also required to commit to the (ISC)² Code of Ethics and have your application endorsed by an (ISC)² certified professional.
MI: McAfee Institute
MI provides real-world training and job development programs for IT professionals involved in law enforcement and fraud.
Crime-related security certifications include:
After online training, candidates are required to pass a final exam.
Although details on its About page are fairly general, MI does list its advisory board members. It has also partnered with the Department of Homeland Security to implement the Workforce Framework.
Mile2
Mile2 offers a variety of training programs and certifications in cyber security, including a CISSP alternative called CISSO. Its courseware has been mapped to the Committee on National Security Systems (CNSS) National Training Standards.
Mile2 has set itself up in direct competition to the EC-Council’s CEH and IACRB’s CPT. Its hacking certifications include:
CPTE requires a minimum of one year of experience in networking technologies. Candidates complete 20 hours of real-world training and must pass a multiple-choice exam.
CPTC is an advanced penetration testing certification, targeted towards IT managers, Chief Security Officers and security consultants. In a six-hour practical exam, candidates must complete a vulnerability assessment and full penetration test against two IP addresses. They then have 60 days to turn in a written penetration test report.
Offensive Security
Offensive Security is a private company offering training courses, penetration testing services and certifications. The team members at Offensive Security are the funders, founders and developers of Kali Linux, the successor to BackTrack Linux, a free security auditing operating system and toolkit.
If you’re a Pen Tester looking for a top-notch certification, you should seriously consider OSCP: Offensive Security Certified Professional. It is one of a handful of certifications that requires practical penetration testing/ethical hacking skills. To pass the exam, you’ll be given 24 hours to compromise a vulnerable network. You must also submit an in-depth penetration test report of the network and PWK labs.
Offensive Security offers other information security certifications, including the more advanced OSCE: Offensive Security Certified Expert, but OSCP is the one we’ve heard infosec experts mention the most.