CERT

CERT®-Certified Computer Security Incident Handler Certification Frequently Asked Questions (FAQ)

  1. What requirements must I meet to become a CERT-Certified Computer Security Incident Handler?
    1. completion of a three-course sequence from the Software Engineering Institute (SEI) or its licensees (SEI Partner Network)

    2. three (3) years of experience in incident handling or incident management (in a technical or managerial role) within the most recent seven (7) years prior to submission of the Certification Application. The applicant will need to provide a detailed resume listing experiences.
    3. submission of the Certification Application package, including
      • completed Certification Application, accompanied by a current resume
      • completed Certification Recommendation Form signed by your current manager
      • a $200 (US) payment (made payable to the Software Engineering Institute) to be applied toward the certification examination fee ($150) and the non-refundable application processing fee ($50)

    4. successful completion of the application review by the SEI

    5. successful passing of the individual assessment examination administered by the SEI

  2. What courses must I take to apply for certification?

    The approved three-course sequence is available through the Software Engineering Institute (SEI) and its licensees (SEI Partner Network):

    For more information on the required courses for certification, please see the CERT Training and Education Courses page or the SEI Education and Training page. Independent study or related reading of relevant materials does not constitute completion of the certification course requirements.

    The applicant can choose to take either the Information Security for Technical Staff course or else the Advanced Information Security for Technical Staff course. If you are just beginning your professional career, then you may want to take the Information Security for Technical Staff course; however, if you have been performing system and/or network administration activities for several years, then Advanced Information Security for Technical Staff might be more appropriate.

    Note that if you choose to take the Advanced Information Security for Technical Staff course instead of the Information Security for Technical Staff course, your version of the certification examination will draw upon questions from both of these courses. The reason for this is that applicants should have equivalent training or experience in the information security topics covered in the Information Security for Technical Staff course.

  3. How long do I have to complete the three-course sequence?

    You have three years to complete the three-course sequence from the SEI or its licensees. The three-year window begins when you take the first course in the sequence. If you are not able to complete the three-course sequence within three years, you might be asked to retake a course before sitting for the certification examination.

    In some cases, the SEI grants waivers for the three-year course completion requirement. If you would like to request a waiver, please send your request, the dates for the courses you attended, and an explanation for why you are requesting the waiver, to credentials-info@sei.cmu.edu. The SEI considers waiver requests carefully; requesting a waiver does not guarantee that the SEI will grant a waiver.

  4. What types of professional experience meet the criteria for application?

    We are looking for security professionals who have experience in various tasks and processes related to computer security incident management activities.

    Incident management processes include preparing for, detecting, analyzing, and responding to computer security events and incidents. This includes steps taken to contain or prevent threats and incidents from spreading throughout systems and networks.

    Experience in incident management can cover a wide spectrum of tasks, including the initial detection or reporting of a security event or incident, the categorization or prioritization of reports, analyzing incidents and events, determining the appropriate response strategies, performing the actual response, resolving the incident, communicating with appropriate individuals throughout the process, and documenting or recording actions taken.

    Specific experience would include, for example

    • activities involved in operating and/or managing a CSIRT, or working in a security operations center or network operations center
    • teaching courses in incident, vulnerability, or artifact handling
    • taking action to protect systems and networks affected or threatened by intruder activity (such as filtering network traffic, patching or repairing systems, and rebuilding systems)
    • collecting evidence (following established rules of evidence)
    • performing computer forensic analysis on compromised systems (following established rules of evidence)
    • performing artifact analysis or malicious code analysis
    • analyzing networks and systems to look for security weaknesses, anomalous activity, or intruder activity
    • providing solutions, mitigation strategies, or work-arounds through hands-on assistance or via alerts, bulletins, advisories, technical documentation, web sites, phone calls, emails, or other dissemination mechanisms
    • coordinating response efforts and incident data exchanges
    • coordinating and collaborating with management, legal, law enforcement, and other internal or external organizations
    • coordinating communications with stakeholders involved in computer security events and incidents such as affected individuals, management, and other internal or external organizations

  5. When should I apply for the certification?

    Applicants should meet the three years of experience requirement and complete the three-course sequence requirement before submitting a Certification Application package.

  6. What is the cost to apply for the certification program?

    A total fee of $200 (US) is required from all applicants. This fee includes $150 for administration of the CSIH certification examination and a non-refundable application processing fee of $50. Checks should be made payable to the Software Engineering Institute and mailed to

    Software Engineering Institute
    Carnegie Mellon University
    Attn: Incident Handling Certification / J. Welch
    4500 5th Avenue
    Pittsburgh, PA 15213

  7. How do I submit my Certification Application?

    Once you have completed your application package, send the application, payment, and all supporting documents to the following address:

    Software Engineering Institute
    Carnegie Mellon University
    Attn: Incident Handling Certification / J. Welch
    4500 5th Avenue
    Pittsburgh, PA 15213

    We strongly recommend that you keep copies of all materials you submit to the Software Engineering Institute for the duration of the application process.

  8. How do I submit my manager's recommendation?

    Recommendations must be submitted in sealed envelopes, signed by the recommender across the seal, and mailed to the address below by you or the recommender:

    Software Engineering Institute
    Carnegie Mellon University
    Attn: Incident Handling Certification / J. Welch
    4500 5th Avenue
    Pittsburgh, PA 15213

  9. How much time will there be between when I submit my application for certification and when I hear from the SEI Certification Program Manager?

    You will hear from the SEI Certification Program Manager approximately 2-6 weeks after we receive and process your completed application package.

    The SEI Certification Program Manager will review your application materials for completeness. At that point, one of the following will occur:

    1. If you have completed the curriculum and the experience requirements, the SEI Certification Program Manager will approve the application and contact you to make arrangements for the certification examination.
    2. If you have not met the requirements, the SEI Certification Program Manager will notify you with the specific steps that you must take to meet the requirements and complete the application process.

  10. What if I do not qualify to take the certification examination?

    The SEI Certification Program Manager will provide you with the specific steps that you must take in order to meet the requirements to qualify. You also have the option of requesting a refund of your $150 examination fee and reapplying when you are ready.

  11. When is the certification examination offered?

    Administration of the certification examination can be arranged upon request by contacting the SEI Certification Program Manager at certification-info@sei.cmu.edu.

  12. Where can I take the certification examination?

    The certification examination can be taken at the SEI offices located in Pittsburgh, Pennsylvania and in Arlington, Virginia.

    To schedule the examination, contact the SEI Certification Program Manager at certification-info@sei.cmu.edu

  13. What types of identification are required to enter the examination facility?

    Candidates will need to present two forms of identification to be admitted into the examination facility. At least one form of identification must have a picture and a signature (driver's license, passport). State- or government-issued identification is valid if it includes a photograph. Candidates who do not have the required identification will not be allowed to take the examination.

  14. How many attempts can I make to pass the certification examination?

    If you do not pass the certification examination on the first attempt, you may retake the examination up to three (3) additional times within six (6) months of the initial attempt. These three retakes of the examination within the first six months may be made at no additional charge.

    After three retakes or six months from your initial attempt, you must reapply to retake the examination. Once you reapply, you are then permitted to take the examination up to four additional times under the following terms:

    • Each successive time you want to retake the examination, you must pay an additional $150 (US) examination fee.
    • For these subsequent requests to retake the examination, you do not need to submit a new certification application package or $50 (US) processing fee with your payment of the $150 (US) examination fee each time.

    If you do not pass the examination after these four subsequent attempts, you are required to wait one year and show evidence of further incident handling and/or security experience and knowledge before you can reapply again. You must then submit a new Certification Application package, including Application Form, Recommendation Form, current resume, and payment of $200 (US) (covering the certification examination fee [$150] and the non-refundable application processing fee [$50]).

  15. How long is the certification valid?

    The certification is valid for three (3) years after the award date, after which it will expire. The certification may be renewed by applying for CSIH Certification Renewal. The application fee for renewal is $150 (USD).

  16. What are the requirements for renewing my certification?

    Renewal involves

    • obtaining continuing education or professional experience, as measured by Professional Development Units (PDUs) earned by participating in qualifying events equal to 60 PDUs. Qualifying events must be relevant to the practice of Incident Management and are further described in Question #4. Additional qualifying events are explained on the CSIH Certification Renewal page.
    • submission of a $150 (USD) certification renewal fee

  17. Will I earn Continuing Education Units (CEUs) for completing SEI courses?

    Carnegie Mellon University will award CEUs for all SEI authorized courses that are required for this certification. (See also the Certification Renewal page.)

  18. What are Professional Development Units (PDUs)?

    A Professional Development Unit (PDU) is a measuring unit used to quantify learning and development activities. One (1) PDU can be earned for every one (1) hour spent in a planned structured experience or activity as approved by the SEI. Additional information about PDUs is available on the Certification Renewal page.

  19. Can you provide me with more information about the certification program?

    For more information about the Computer Security Incident Handler certification program, please see the CERT-Certified Computer Security Incident Handler page. You can also request additional information by contacting the SEI Certification Program Manager via one of these methods:

    • Email: certification-info@sei.cmu.edu
    • Telephone: +1 412-268-4024


Last updated January 11, 2008