Make IT workers accountable, experts urge(continued)
By Vivian Yeo, ZDNet Asia
Friday, June 09 2006 07:18 PM

chairman of the security chapter under the Singapore Infocomm Technology Federation (SiTF). "But of course we don't have to wait so long to legislate IT security."

Lim acknowledged that it would not be an easy task to define the minimal criteria for someone to be labeled an IT professional.

"Does it mean that someone who works in a SMB (small and midsize business) environment cannot hope to become an IT security professional?" he said. "Does everybody have to apply for jobs in big companies with large complicated environments before they can hope to enter IT security?

"We haven't answered that question, and as long as we don't answer that question, it delays the ability to implement the legislation of IT security professionals," said Lim.

ITFC's Sin also highlighted the challenge of establishing legislation to hold IT security professionals accountable for any error or negligence in large projects.

"How does one define mission-critical or big projects?" he said. "For instance, a person who installs a virus-protection software may or may not be required to obtain a license to carry out the task."

NISER's Husin added that education and training opportunities are another area of concern. He noted that there has to be sufficient relevant certifications to meet the needs of the various security job functions, as well as the organization's business needs.

Progress in Singapore
According to Cheang, SIG^2 has been working with the Infocomm Development Authority of Singapore (IDA) since 2004 to lay the groundwork for a professional charter pertaining to information security practitioners. Last month, the SIG^2 Committee convened and voted to dissolve the society, and form the Association of Information Risk and Security Professional (AINSEP).

SIG^2 has also called for an Extraordinary General Meeting on Jun. 30 to discuss, among other things, timelines and milestones toward the formation of AINSEP.

ZDNet Asia understands from SiTF's Lim that Singapore is fast gearing itself to enhance the IT security profession, up to a level that is similar to that of medical professionals or lawyers.

In an e-mail reply, an IDA spokesperson told ZDNet Asia that it is spearheading efforts to establish a professional body for executives in the infocomm security realm. This will help build up a pool of competent IT security professionals in the country, the authority said.

AINSEP, which is expected to be launched at the end of the year, aims to elevate the status, professionalism and trust accorded to the professionals, through "a recognized body and qualifications, established career paths and career development programs", said he IDA spokesperson.

According to SiTF's Lim, some progress has been made in the development of a career and recognition framework. Lim is involved in a working group, set up for this purpose.

He noted that the framework will take into account an IT security professional's years of appropriate experience, type of specialization, and the depth of industry expertise. It would serve not only as a career roadmap for IT security professionals, but also offer a resource and referral point for employers.

Lim expects that in future, any individual who wishes to work as an IT security professional in Singapore will be required to be licensed with the professional body.

SCS's Lee stressed the need for a right balance to be struck between a heavy-handed approach and a self-regulating one--should Singapore be among the earliest countries in the region, or world, to legislate the IT security profession.

He added that legislation should not stop at IT security professionals.

"It could be convenient to start with IT security professionals, but let's not stop there," he said. "The various sub-branches of the IT profession should all eventually be covered by similar legislation and qualification frameworks."