[DRAFT] A Model Curriculum for Programs of Study in Information Security and Assurance
v. 6.0 February 2013 [DRAFT]

Michael E. Whitman, Ph.D., CISM, CISSP
Herbert J. Mattord, Ph.D., CISM, CISSP
KSU Center for Information Security, the Coles College of Business, Kennesaw State University, 1000 Chastain Rd. MS 1101, Kennesaw, GA (770)

*A limited use license is granted to adopt parts of this curriculum for use in your institution. Specific permission is required to reproduce or republish this content. Contact the authors for additional details.

A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance

Note: Kennesaw State University was designated a National Center of Academic Excellence in Information Assurance Education by the National Security Agency and the Department of Homeland Security in 2004, 2007 and

Contents

Introduction ... 6
Statement of the Problem ... 6
Goals and Objectives ... 8
Approaches to Implementing Information Security Curricula ... 8
Preliminary Work Completed
Information Security Position and Roles
    CISO
    Security Managers
    Security Administrators and Analysts
    Security Technicians
    Security Staffer or Watchstander
Update: The NICE Definitions of Security Roles and Responsibilities
    Component 1: National Cybersecurity Awareness. Lead: Department of Homeland Security (DHS)
    Component 2: Formal Cybersecurity Education. Co-Leads: Department of Education (DoED) and National Science Foundation (NSF)
    Component 3: Cybersecurity Workforce Structure. Lead: DHS
    Component 4: Cybersecurity Workforce Training and Professional Development. Tri-Leads: Department of Defense (DoD), Office of the Director of National Intelligence (ODNI), Department of Homeland Security (DHS)
    I. Securely Provision
    II. Operate and Maintain
    III. Protect and Defend
    IV. Investigate
    V. Operate and Collect
    VI. Analyze
    VII. Support
Update: The Next Generation CAEIAE: National Centers of Academic Excellence in Information Assurance/CyberDefense
Information Security Professional Certifications
    Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP)
    Global Information Assurance Certification (GIAC) Security
    Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM)
    Certified Forensics Investigator Certifications
Established Standards, Models and Practices
    ISO/IEC 27002/17799/BS
Mapping Positions and Roles to Knowledge Areas
    Mapping the CISSP Common Body of Knowledge
    NSTISSC Training Standards
    Mapping the CISSP Common Body of Knowledge to NICE {Additional material to be added here as the NICE framework continues to evolve and disseminate}
Defining the Focus of the Program
    Managerial InfoSec Program
    Technical InfoSec Program
    Balanced InfoSec Program
Levels of Mastery
Determining Numbers of Courses Needed
Mapping Mastery Depth to Courses
Pilot Study
    Principles of Information Security & Assurance
    Technical Applications in Information Security & Assurance
The Draft Curriculum Model
Implementation of the Draft Curriculum Model
Number of Courses the Institution Can Implement in InfoSec
Certificate in Information Security and Assurance (ISA)
    ISA 3100 Principles of Information Security and Assurance
    ISA 3200 Technical Applications in Information Security and Assurance
    ISA 3300 Policy and Administration in Information Security and Assurance
    Project Presentations
Bachelor of Science in Information Security and Assurance
    Program Objectives
    General Program Learning Objectives
    Specific Program Learning Objectives
    Major Electives
        Business Electives
        Criminal Justice Electives
        CSIS Electives
        Information Security Electives
        Information Technology Electives
    Sample Programs of Study
Development of the Degree Program
Textbooks used in the program:
    ISA 3100: Principles of Information Security and Assurance (Intro to InfoSec)
        Introduction to Information Security
        The Need for Security
        Legal, Ethical, and Professional Issues in Information Security
        Risk Management
        Planning for Security
        Security Technology: Firewalls, VPNs, and Wireless
        Security Technology: Intrusion Detection and Prevention Systems and Other Security Tools
        Cryptography
        Physical Security
        Implementing Information Security
        Security and Personnel
        Information Security Maintenance and eDiscovery
    ISA 3200: Network Security (Technical InfoSec)
    ISA 3300: Management of Information Security in a Global Environment
    ISA 4330: Incident Response and Disaster Recovery, 2nd ed.
    ISA 4350: Computer Forensics
    Lab Manual used for a variety of ISA courses
    If you would like additional information on these books (i.e. how well they worked in the class, or what support materials are included) please contact us. All Course Technology texts include instructor's ancillaries including PowerPoint slide shows, test banks, and instructor's guides.
Bachelor of Business Administration in Information Security and Assurance
    Program Description
    Program Curriculum
    Program Goals and Objectives (Note: Goals 1-4 are common to all BBA programs)
Minor in Information Security and Assurance
    Minor Curriculum
Revision of Pilot Model
Broader Impacts of This Proposal
Evaluation Plan
    Academic Information Security Peer Review
    External Practitioner Review
Dissemination
    Proceedings of the upcoming academic conferences
    Inclusion in PIs' texts
    Course University and Working Connections Series
    Publication through Educational Portals
    Posting on Regional Security Web Sites
    Recognition through NSA
    Publication in regional and national venues
How You Can Help
Appendix: Information Security Curriculum Development Procedures and Forms for use at your institution ... 126
    I. Determine interest, scope and intent of the program
    II. Determine stakeholder interest and guidance
    III. Form the curriculum development committee
    IV. Map desired positions to knowledge areas
    V. Discuss the following constraints on the program
    VI. Define program objectives
    VII. Determine the level of mastery desired in the program
    VIII. Determine the number of courses to offer
    IX. Determine the prerequisite knowledge areas necessary to support the desired classes
    X. Develop specific course learning objectives
    XI. Define laboratory components and required resources
    XII. Pilot test key courses
    XIII. Refine and revise as needed

Kennesaw State University Center for Information Security Education (http://infosec.kennesaw.edu)

Introduction

Greetings! We would like to take this opportunity to thank you for allowing us to share our lessons learned in the development of information security curriculum. As part of our ongoing commitment to information security education, we have decided to formally compile our information into a single packet and provide it to any who seek it, without any requirements, associated costs or restrictions. As a courtesy, we would like to ask that if you like what you see, and would like to adopt the contents in whole or in part, you send us a letter indicating your intent. This allows us to maintain a contact within institutions that are adopting our curriculum and to gather feedback on its feasibility and use.

This document begins with pieces of the overall curriculum model as defined in an NSF proposal. We then continue through a discussion of the specific courses and programs implemented at Kennesaw State University, along with accompanying course materials. We conclude with the intended next steps in the development of this curriculum. We invite you to participate in this process by forwarding suggestions, constructive criticisms, and ideas to us at the address above or by e-mail. The following sections overview our experiences and findings in developing security curriculum. At the end of this discussion an abbreviated copy of our methodology is repeated with blank worksheets so that you may duplicate our process yourself.

Statement of the Problem

One of the continuing challenges facing society is the security and protection of information assets. Advances in information security (InfoSec) have been unable to keep pace with advances in computing in general [1]. Daily, press accounts report dramatic computer theft, fraud and abuse leading to extensive economic loss.
Continuous attacks on the American IT infrastructure have highlighted the need for information security [2]. The annual CSI/FBI Computer Security survey highlights the high proportion of respondents who detected computer security breaches (usually in the 80-90% range), with the majority reporting significant financial losses due to these breaches. According to Dr. Joseph Bordogna, Deputy Director, National Science Foundation, in remarks at a June 2002 NSF Workshop: "The events of September 11 only accelerated longstanding concerns about the threat of cyberterrorism and the vulnerability of the nation's information systems and communications networks [...] Questions about the adequacy of the U.S. science, engineering, and technology workforce are also rising to a chorus. Reported shortages of skilled workers in the IT sector are only one example. The need we all recognize, for a cadre of professions in computer security and information assurance, is right at the top of the list" [4]. Education in information security prepares IT students to recognize and combat information system threats and vulnerabilities [5]. The article "Integrating Security into the Curriculum" argues that an educational system that cultivates an appropriate knowledge of computer security will increase the likelihood that the next generation of IT workers will have the background needed to design and develop systems that are engineered to be reliable and secure [6]. The need is so great that the President of the US issued Presidential Decision Directive 63, the Policy on Critical Infrastructure Protection, in May 1998, which prompted the National Security Agency to establish outreach programs like the Centers of Academic Excellence in Information Assurance Education (CAEIAE). This program's goal is to reduce vulnerabilities in our National Information Infrastructure by promoting higher education in

information assurance, and producing a growing number of professionals with IA expertise [7]. According to the US Government document The National Strategy to Secure Cyberspace, "Education and outreach play an important role in making users and operators of cyberspace sensitive to security needs. These activities are an important part of the solution for almost all of the issues discussed in the National Strategy to Secure Cyberspace" [8]. Even as part of the more recent national strategies, the U.S. International Strategy for Cyberspace (May 2011) and the Comprehensive National Cybersecurity Initiative (May 2009), there is a recognized national goal "To strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the Federal Government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace" [39].

There are two dominant technology curriculum guidelines currently in use. The first is the ABET-CAC accreditation standards. The IS version of the standard specifies the need for an IS Environment: "15 semester hours which must be a cohesive body of knowledge to prepare the student to function effectively as an IS professional in the IS environment" as well as 12 semester hours of advanced IS coursework [20]. The CS standard similarly provides for 16 hours of advanced CS coursework. These courses could be used for InfoSec courses or programs. The second dominant curriculum guideline is the IS 2002 Model Curriculum Guidelines for Undergraduate Degree Programs in Information Systems, co-sponsored by the three largest professional technology organizations: the Association for Computing Machinery (ACM), the Association for Information Systems (AIS) and the Association for Information Technology Professionals (AITP).
IS 2002 is a model curriculum for undergraduate degree programs in Information Systems and is "[a] collaborative effort by ACM, AIS, and AITP. IS, as an academic field, encompasses two broad areas: (1) acquisition, deployment, and management of information technology resources and services (the IS function); and (2) development and evolution of technology infrastructures and systems for use in organizational processes (systems development)." It also includes a detailed set of course descriptions and advice to "[those] who have a stake in the achievement of quality IS degree programs" [21]. The IS 2002 (and IS …) guiding principles have been adopted and revised for this curriculum model development:

1) The model curriculum should represent a consensus from the InfoSec community.
2) The model curriculum should be designed to help InfoSec faculty produce competent and confident entry-level graduates well suited to workplace responsibilities.
3) The model curriculum should guide but not prescribe. Using the model curriculum guidelines, faculty can design their own courses.
4) The model curriculum should be based on sound educational methodologies and make appropriate recommendations for consideration by InfoSec faculty.
5) The model curriculum should be flexible and adaptable to most IS/CS programs [21].

Existing courses have been predominantly designed for graduate-level coursework [9,10], for computer science and engineering specific programs [5,11,24], or as pure practitioner-level training programs [12,13,14]. Even established curriculum bodies, like the Association for Computing Machinery (ACM) and the Accreditation Board for Engineering and Technology Computing Accreditation Council (ABET-CAC), do not have formal models established for curriculum in information security at the four-year level.
The only recommendation that does exist came from a workshop sponsored by the NSF and the American Association of Community Colleges, which produced the draft recommendation

Protecting Information: the Role of Community Colleges in Cybersecurity Education [15]. This report serves both as a starting point for two-year institutions and as a reference for this project. The report provides details for community colleges to design curriculum focused on providing technical skills through training for the security technician, and hinges on the role of certification as an assessment tool. While supportive of the two-year institution's mission, this approach is inadequate for the mission of the four-year institution. The proposed model is designed to allow undergraduate Information Systems (IS) and Computer Science (CS) majors to move toward career fields that include and evolve through technical knowledge areas and into the management of information security, an area not usually addressed at the two-year level.

Goals and Objectives

This project is designed to increase the quality of baccalaureate-level information security education by creating a curriculum model in information security that provides students with the technical and managerial skills needed for the IT workforce. The curriculum can be adopted by other institutions with undergraduate technology degree programs as individual courses, minors or concentrations in information security. It is intended to provide adopters of the curriculum with the means to deliver a quality education with breadth and depth in the information security common body of knowledge. The curriculum will adapt current national standards for security training. Standards for training programs do presently exist, but there are no baccalaureate education models. The closest work available to support a standardized baccalaureate curriculum is The Role of Community Colleges, described earlier. There is a clear lack of managerial and administrative education that this project will identify and develop.
Approaches to Implementing Information Security Curricula

There are five approaches to implementing information security curricula:

1. Elements added to existing courses. In this option, a number of existing courses can have an information security module added to reinforce the need to address information security at all junctures of organizational effort. This is a preferred technique and can be used in conjunction with the other approaches. It is important to thread information security through a course, rather than adding it as a single module at the end. The following table provides examples of how information security could be integrated into existing courses:

Existing Course                   Information Security Topics
Programming Principles            Software assurance (see …); Applied cryptography
Networking/Data Communications    Network security principles; Use of security tools (firewalls, IDS systems)
Systems Analysis & Design         Security in the SDLC
Database Principles               Developing secure database structures; Security tools for data management; Privacy topics
Operating Systems                 OS hardening; Configuration management

2. Elements added to a capstone course or courses. In this second approach to adding security content, specific modules are added to specific capstone experiences or courses. In our program, for example, students have two classes that represent their capstone experience. In the first, they are exposed to strategic policy and planning in IT, and presented with a number of guest speakers on various topics. In the second they are required to develop a system to solve a business problem, incorporating all aspects of their learning to that point, including database, data communications, programming, project management, etc. By addressing strategic information security planning in the first course and having at least one speaker on an InfoSec topic, we integrate security into that course. By requiring the student teams to demonstrate how they used secure development techniques in the second, we reinforce the concepts there.

3. Independent information security courses. The third approach to implementing information security is to create single security courses. This is the approach most commonly used today. Many programs develop one or two classes in security. Unfortunately, many of the classes labeled as security classes fail to address the overall comprehensive breadth and scope of information security. A class in theoretical cryptography, while interesting, does not provide much value to an information security professional-to-be.
This requires faculty to develop courses in the manner described in detail in the subsequent sections, rather than implementing classes that would be fun to teach. Also indicated in subsequent sections are suggestions for topics and components of individual security classes.

4. Information security certificates / minors. Continually increasing in frequency, the fourth option is to implement a cohesive set of classes under the title of minor, concentration, specialization, or certificate. This requires detailed planning based on the desired focus and outcome of the program. In our case, we made a conscious decision to focus more on managerial information security and less on technical information security. While we have courses in the technical arena, the bulk of the foundational courses are on the roles and responsibilities of an information security manager, rather than on technical topics. This is purely a choice based on our strengths. There are many institutions out there that could, and should, consider implementing technical programs, if they have

the resources and support to do so.

5. Information security degree programs. In our mind, the ultimate goal for enhanced information security curriculum is the baccalaureate-level information security program. As indicated in the statement of the problem, there are several programs in the field that list a bachelor's degree in information security. When you take a close look, however, it is more often a concentration or minor. There is nothing wrong with that, but it tends to be misleading to the students. It takes a great deal of effort and support to create enough courses to populate a program of this magnitude, and even more resources to offer it. It does represent the pinnacle of InfoSec education at the baccalaureate level.

Which of these approaches should you consider? First, one must examine the available resources: time, faculty, money, technology and student demand. It may help to begin with the first two approaches and then slowly roll out additional approaches as demand presents itself. Or just jump in. No pain, no gain.

Preliminary Work Completed

Education is recognized as a critical component in improving information security throughout the nation [5]. The development of a curriculum model would provide direct benefit to the various academic, business, and governmental agencies, to support formal education efforts. During the initial analysis phase, we, the authors, examined the existing literature and reviewed other programs of interest and their implementations. We also examined current and emerging national and international standards and guidelines for the training of InfoSec professionals [15,17,18], instructional methods and materials from programs recognized as NSA centers of excellence across the country [7,19], and general recommendations and constraints from curriculum-supporting organizations such as ACM and ABET.
In developing the curriculum for our pilot project, we used the Backward Curriculum Design Process [22], a well-known approach to curriculum design that begins with the desired outcomes and goals and works backward to learning objectives grouped into courses. The curriculum model seeks to answer the following question: What should an information security person who graduates from a particular program be qualified to do, and what positions should they expect to be able to hold?

Information Security Position and Roles

As position descriptions are not sufficiently descriptive of the roles the individuals play in the information security function, the next step was to identify the roles information security professionals assume and then map them to the positions an individual should hold. The following sections are from the text Management of Information Security, 3rd ed., 2010, Course Technology.

A study of information security positions by Schwartz, Erwin, Weafer, and Briney found that positions can be classified into one of three types: those that define, those that build and those that administer.

Definers provide the policies, guidelines and standards... They're the people who do the consulting and the risk assessment, who develop the product and technical architectures. These are senior people with a lot of broad knowledge, but often not a lot of depth. Then you have the builders. They're the real techies, who create and install security solutions

... Finally, you have the people who operate and administrate the security tools, the security monitoring function, and the people who continuously improve the processes. [...] What I find is we often try to use the same people for all of these roles. We use builders all the time... If you break your InfoSec professionals into these three groups, you can recruit them more efficiently, with the policy people being the more senior people, the builders being more technical and the operating people being those you can train to do a specific task [30].

A typical organization has a number of individuals with information security responsibilities. While the titles used within any specific organization may differ from one organization to the next, most of the job functions fit one of the following categories:

    Chief information security officer (CISO)
    Security managers
    Security administrators and analysts
    Security technicians
    Security staffers

CISO

The CISO is primarily responsible for the assessment, management, and implementation of the program that secures the organization's information. The CISO may also be called the Manager for Security, the Security Administrator, or a similar title. The CISO usually reports directly to the CIO, although in larger organizations one or more layers of management may exist between the two officers.

Security Managers

Security managers are accountable for the day-to-day operation of the information security program. They accomplish objectives identified by the CISO, to whom they report (as shown in Figure 5-11 of the source text), and resolve issues identified by the technicians, administrators, analysts, or staffers whom they supervise. Managing technology requires an understanding of it, but not necessarily a technical mastery of its configuration, operation, and fault resolution.
Within the information security community, there may be team leaders or project managers responsible for management-like functions, such as scheduling, setting priorities, or administering any number of procedural tasks, but who are not necessarily held accountable for making a particular technology function. Accountability for the actions of others is the hallmark of a true manager. The accountability found in true management roles can be used to differentiate between actual managers and other roles that may include the word manager in their job titles but in fact do not have such accountability.

Security Administrators and Analysts

The security administrator is a hybrid between a security technician (see below) and the security manager, described in the previous section. These individuals have both technical knowledge and managerial skill. They are frequently called upon to manage the day-to-day operations of security technology, as well as to assist in the development and conduct of training programs, policy and the like. The security analyst is a specialized security administrator. In traditional IT, the security administrator corresponds to a systems administrator or database administrator, and the security analyst to a systems analyst. The security analyst, in addition to security administration duties, also must analyze and design security solutions within a specific domain (firewall, IDS, antivirus). Security analysts must be able to

identify the users' needs, as well as understand the technological complexities and capabilities of the security systems they design.

Security Technicians

Security technicians are the technically qualified individuals who configure firewalls and IDSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technology is properly implemented. A security technician is usually an entry-level position; however, some technical skills are required, which can make it difficult for those new to the field. It is difficult to get a job without experience, and experience comes with a job. Just as in networking, security technicians tend to be specialized, focusing on one major security technology group (firewalls, IDS, servers, routers, or software), and further specializing in one particular software or hardware package within the group, like Checkpoint firewalls, Nokia firewalls, or Tripwire IDS. These technologies are sufficiently complex to warrant a high level of specialization. Security technicians who want to move up in the corporate hierarchy must expand their technical knowledge horizontally, gaining an understanding of the general, organizational issues of information security, as well as of all technical areas.

Security Staffer or Watchstander

This is a catchall title that applies to the individuals who perform routine watch-standing activities. It encompasses the people who watch intrusion consoles, monitor accounts, and perform other routine-yet-critical roles that support the mission of the information security department.

Why is it important to understand these roles? In order to design curriculum, one must understand what it is you want the student to be able to accomplish upon graduation.
In our curriculum development, these roles were used as surrogates for positions and mapped to knowledge areas. Knowledge areas represent the specific knowledge needed for each role, and when paired with a multi-level mastery model like Bloom's taxonomy [21], can be used to identify the depth of knowledge required for each role. For example, a CISO may need great breadth of knowledge, but not as much depth of knowledge in an area as a technician would. The challenge is to completely map and verify the roles, knowledge areas, and levels of mastery needed. Knowledge areas can be obtained from key indices like certifications [27], and from training standards and models [28]. Knowledge areas in InfoSec are many and can be very technical, but there is an agreed-upon way to discuss them. Many programs take the short cut and jump straight to the certifications an information security professional could earn, such as CISSP, SSCP, GIAC, SCP, TruSecure CSA/CSE, Security+, and CISA/CISM. However, programs are hesitant to implement coursework that is focused on a specific applied output. Universities in general prefer to focus more on the true knowledge areas that these certificates test, rather than the specifics of the exams. However, if we examine the content of some of the key certifications we can begin to glimpse some of the knowledge areas we would need to integrate with our coursework. The following excerpt from Management of Information Security provides additional detail on the leading certifications in information security.

2011 Update: The NICE Definitions of Security Roles and Responsibilities

In 2011, a major new initiative was promoted by a joint group of Federal agencies: NIST, NSA and DHS, to name a few. The National Initiative for Cybersecurity Education will have far-reaching implications for information security education in the very near future. What was once referred to as Information Assurance in the federal sector is now referred to as Cybersecurity. According to the NIST web site (http://csrc.nist.gov/nice/aboutus.htm) [the following section is directly copied from the referenced Web site]:

The National Initiative for Cybersecurity Education (NICE) has evolved from the Comprehensive National Cybersecurity Initiative, and extends its scope beyond the federal workplace to include civilians and students in kindergarten through post-graduate school. The goal of NICE is to establish an operational, sustainable and continually improving cybersecurity education program for the nation to use sound cyber practices that will enhance the nation's security. The National Institute of Standards and Technology (NIST) is leading the NICE initiative, comprised of over 20 federal departments and agencies, to ensure coordination, cooperation, focus, public engagement, technology transfer and sustainability. Many NICE activities are already underway and NIST will highlight these activities, engage various stakeholder groups and create forums for sharing information and leveraging best practices. NIST will also be looking for gaps in the initiative -- areas of the overarching mission that are not addressed by ongoing activities.
The National Initiative for Cybersecurity Education (NICE) will be represented by four Components:

Component 1: National Cybersecurity Awareness (Lead: Department of Homeland Security (DHS))
The National Cybersecurity Awareness Component is being led by the Department of Homeland Security. To boost national cybersecurity awareness, DHS will use public service campaigns to promote cybersecurity and responsible use of the Internet, and make cybersecurity a popular educational and career pursuit for older students.

Component 2: Formal Cybersecurity Education (Co-Leads: Department of Education (DoED) and National Science Foundation (NSF))
The Department of Education and the National Science Foundation (NSF) are leading the Formal Cybersecurity Education Component. Their mission is to bolster formal cybersecurity education programs encompassing kindergarten through 12th grade, higher education and vocational programs, with a focus on the science, technology, engineering and math disciplines to provide a pipeline of skilled workers for the private sector and government.

Component 3: Cybersecurity Workforce Structure (Lead: DHS)
The Cybersecurity Workforce Structure goal is to define cybersecurity jobs, attraction, recruitment, retention, and career path strategies. This component is being led by DHS and supported by the Office of Personnel Management (OPM). This component contains the following Sub-Component Areas (SCAs):
SCA1 Federal Workforce: led by OPM
SCA2 Government Workforce (non-federal): led by DHS

SCA3 Private Sector Workforce: led by Small Business Administration, Department of Labor, and NIST.

Component 4: Cybersecurity Workforce Training and Professional Development (Tri-Leads: Department of Defense (DoD), Office of the Director of National Intelligence (ODNI), Department of Homeland Security (DHS))
The Cybersecurity Workforce Training and Professional Development Component is led by the Department of Defense, the Office of the Director of National Intelligence and the Department of Homeland Security. Its mission is to intensify training and professional development programs for the existing federal cybersecurity workforce. This Component is divided into four functional areas that cover:
Functional Area 1: General IT Use (Co-Leads: DHS, Federal CIO Council)
Functional Area 2: IT Infrastructure, Operations, Maintenance, and Information Assurance (Co-Leads: DoD, DHS)
Functional Area 3: Domestic Law Enforcement and Counterintelligence (Lead: NCIX, DOD/DC3, DOJ, DHS/USSS)
Functional Area 4: Specialized Cybersecurity Operations (Lead: NSA)

[End Direct Quote]

According to the NICE framework [40], seven distinct functional areas (or domains) are defined, with corresponding jobs identified within each. The following material, taken from the same document, describes these functional areas and their workforce specialty areas:

I. Securely Provision
Securely Provision consists of those specialty areas concerned with conceptualizing, designing, and building secure IT systems. In other words, each of the roles within the Securely Provision category is responsible for some aspect of the systems development process.

Information Assurance Compliance: Oversees, evaluates, and supports the documentation, validation, and accreditation processes necessary to assure that new IT systems meet the organization's IA requirements. Ensures compliance from internal and external perspectives.
Sample Job Titles: Accreditor; Auditor; Authorizing Official Designated Representative; Certification Agent; Certifying Official; Compliance Manager; Designated Accrediting Authority; IA Compliance Analyst/Manager; IA Manager; IA Officer; Portfolio Manager; Risk/Vulnerability Analyst; Security Control Assessor; Validator

Software Engineering: Develops, creates, and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs.
Sample Job Titles: Analyst Programmer, Computer Programmer, Configuration Manager, IA Engineer, IA Software Developer, IA Software Engineer, R&D Engineer, Secure Software Engineer, Security Engineer, Software Developer, Systems Analyst, Web Application Developer

Enterprise Architecture: Develops the systems concepts and works on the capabilities phases of the systems development lifecycle; translates technology and environmental conditions (e.g., law and regulation) into system and security designs and processes.
Sample Job Titles: IA Architect; Information Security Architect; Information Systems Security Engineer; Network Security Analyst; R&D Engineer; Security Architect; Security Engineer; Security Solutions Architect; Systems Engineer; Systems Security Analyst

Technology Demonstration: Conducts technology assessment and integration processes; provides and supports a prototype capability and evaluates its utility.
Sample Job Titles: Capabilities and Development Specialist, R&D Engineer

Systems Requirements Planning: Consults with customers to gather and evaluate functional requirements and translates these requirements into technical solutions. Provides guidance to customers about applicability of information systems to meet business needs.
Sample Job Titles: Business Analyst, Business Process Analyst, Computer Systems Analyst, Contracting Officer, Contracting Officer's Technical Representative (COTR), Human Factors Engineer, Requirements Analyst, Solutions Architect, Systems Consultant, Systems Engineer

Test and Evaluation: Develops and conducts tests of systems to evaluate compliance with specifications and requirements by applying principles and methods for cost-effective planning, evaluating, verifying, and validating of technical, functional, and performance characteristics (including interoperability) of systems or elements of systems incorporating IT.
Sample Job Titles: Application Security Tester; Information Systems Security Engineer; Quality Assurance Tester; R&D Engineer; Systems Engineer; Testing and Evaluation Specialist

Systems Development: Works on the development phases of the systems development lifecycle.
Sample Job Titles: IA Developer; IA Engineer; Information Systems Security Engineer; Program Developer; Security Engineer; Systems Engineer

II. Operate and Maintain
Operate and Maintain includes those specialty areas responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security.

Data Administration: Develops and administers databases and/or data management systems that allow for the storage, query, and utilization of data.
Sample Job Titles: Content Staging Specialist, Data Architect, Data Manager, Data Warehouse Specialist, Database Administrator, Database Developer, Information Dissemination Manager, Systems Operations Personnel

Information Systems Security Management: Oversees the information assurance program of an information system in or outside the network environment; may include procurement duties (e.g., ISSO).
Sample Job Titles: Information Assurance Manager, Information Assurance Program Manager, Information Assurance Security Officer, Information Security Program Manager, Information Systems Security Manager, Information Systems Security Officer (ISSO)

Knowledge Management: Manages and administers processes and tools that enable the organization to identify, document, and access intellectual capital and information content.
Sample Job Titles: Business Analyst, Business Intelligence Manager, Content Administrator, Document Steward, Freedom of Information Act Official, Information Manager, Information Owner, Information Resources Manager

Customer Service and Technical Support: Addresses problems, installs, configures, troubleshoots, and provides maintenance and training in response to customer requirements or inquiries (e.g., tiered-level customer support).
Sample Job Titles: Computer Support Specialist, Customer Support, Help Desk Representative, Service Desk Operator, Systems Administrator, Technical Support Specialist

Network Services: Installs, configures, tests, operates, maintains, and manages networks and their firewalls, including hardware (hubs, bridges, switches, multiplexers, routers, cables, proxy servers, and protective distributor systems) and software that permit the sharing and transmission of all spectrum transmissions of information to support the security of information and information systems.
Sample Job Titles: Cabling Technician, Converged Network Engineer, Network Administrator, Network Analyst, Network Designer, Network Engineer, Network Systems and Data Communications Analyst, Telecommunications Engineer/Personnel/Specialist

System Administration: Installs, configures, troubleshoots, and maintains server configurations (hardware and software) to ensure their confidentiality, integrity, and availability. Also manages accounts, firewalls, and patches. Responsible for access control, passwords, and account creation and administration.
Sample Job Titles: LAN Administrator, Platform Specialist, Security Administrator, Server Administrator, System Operations Personnel, Systems Administrator, Website Administrator

Systems Security Analysis: Conducts the integration/testing, operations, and maintenance of systems security.
Sample Job Titles: IA Operational Engineer, Information Assurance Security Officer, Information Security Analyst/Administrator, Information Systems Security Engineer, Information Systems Security Manager, Platform Specialist, Security Administrator, Security Analyst, Security Control Assessor, Security Engineer

III. Protect and Defend
Protect and Defend includes specialty areas primarily responsible for the identification, analysis, and mitigation of threats to IT systems and networks. Specialty areas in the Protect and Defend category are closely aligned to computer network defense service provider organizations and responsibilities.

Computer Network Defense: Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network in order to protect information, information systems, and networks from threats.
Sample Job Titles: CND Analyst (Cryptologic), Cyber Security Intelligence Analyst, Focused Operations Analyst, Incident Analyst, Network Defense Technician, Security Analyst, Security Operator, Sensor Analyst

Incident Response: Responds to crisis or urgent situations within the pertinent domain to mitigate immediate and potential threats. Uses mitigation, preparedness, and response and recovery approaches, as needed, to maximize survival of life, preservation of property, and information security. Investigates and analyzes all relevant response activities.
Sample Job Titles: Computer Crime Investigator, Incident Handler, Incident Responder, Intrusion Analyst

Computer Network Defense Infrastructure Support: Tests, implements, deploys, maintains, and administers the infrastructure hardware and software that are required to effectively manage the computer network defense service provider network and resources. Monitors network to actively remediate unauthorized activities.
Sample Job Titles: IDS Administrator, IDS Engineer, IDS Technician, Information Systems Security Engineer, Network Administrator, Network Analyst, Network Security Engineer, Network Security Specialist, Security Analyst, Security Engineer, Security Specialist, Systems Security

Security Program Management: Manages relevant security (e.g., information security) implications within the organization, specific program, or other area of responsibility, to include strategic, personnel, infrastructure, policy enforcement, emergency planning, security awareness, and other resources (e.g., CISO).
Sample Job Titles: Chief Information Security Officer (CISO), Common Control Provider, Cyber Security Officer, Enterprise Security Officer, Facility Security Officer, IT Director, Principal Security Architect, Risk Executive, Security Domain Specialist, Senior Agency Information Security Officer (SAIS)

Vulnerability Assessment and Management: Conducts assessments of threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk, and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations.
Sample Job Titles: Blue Team Technician, Close Access Technician, CND Auditor, Compliance Manager, Ethical Hacker, Governance Manager, Internal Enterprise Auditor, Penetration Tester, Red Team Technician, Reverse Engineer, Risk/Vulnerability Analyst, Vulnerability Manager

IV. Investigate
Investigate specialty areas are responsible for the investigation of cyber events or crimes which occur within IT systems or networks, as well as the processing and use of digital evidence.

Digital Forensics: Collects, processes, preserves, analyzes, and presents computer-related evidence in support of network vulnerability mitigation, and/or criminal, fraud, counterintelligence or law enforcement investigations.
Sample Job Titles: Computer Network Defense Forensic Analyst; Digital Forensic Examiner; Digital Media Collector; Forensic Analyst; Forensic Analyst (Cryptologic); Forensic Technician; Network Forensic Examiner

Investigation: Applies tactics, techniques, and procedures for a full range of investigative tools and processes to include, but not limited to, interview and interrogation techniques, surveillance, countersurveillance, and surveillance detection, and appropriately balances the benefits of prosecution versus intelligence gathering.
Sample Job Titles: Computer Crime Investigator, Special Agent

V. Operate and Collect
Operate and Collect includes specialty areas that have responsibility for the highly specialized collection of cybersecurity information that may be used to develop intelligence.

Collection Operations: Executes collection using appropriate collection strategies and within the priorities established through the collection management process.

Cyber Operations Planning: Gathers information and develops detailed Operational Plans and Orders supporting requirements. Conducts strategic and operational-level planning across the full range of operations for integrated information and cyberspace operations.

Cyber Operations: Uses automated tools to manage, monitor, and/or execute large-scale cyber operations in response to national and tactical requirements.

VI. Analyze
Analyze consists of specialty areas responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence. Although not part of the core set of specialty areas, there is also a category of specialty areas that have been determined critical to the support of the primary cybersecurity categories.

Cyber Threat Analysis: Identifies and assesses the capabilities and activities of cyber criminals or foreign intelligence entities; produces findings to help initialize or support law enforcement and counterintelligence investigations or activities.

Exploitation Analysis: Analyzes collected information to identify vulnerabilities and potential for exploitation.

Targets: Applies current knowledge of one or more regions, countries, non-state entities, and/or technologies.

All Source Intelligence: Analyzes threat information from multiple sources, disciplines, and agencies across the Intelligence Community. Synthesizes and places intelligence information in context; draws insights about the possible implications.

VII. Support
The Support category includes specialty areas that provide critical support so that others may effectively conduct their cybersecurity work.

Legal Advice and Advocacy: Provides legally sound advice and recommendations to leadership and staff on a variety of relevant topics within the pertinent subject domain. Advocates legal and policy changes, and makes a case on behalf of client via a wide range of written and oral work products, including legal briefs and proceedings.
Sample Job Titles: Legal Advisor/SJA

Strategic Planning and Policy Development: Applies knowledge of priorities to define an entity's direction, determine how to allocate resources, and identify programs or infrastructure that are required to achieve desired goals within domain of interest. Develops policy or advocates for changes in policy that will support new initiatives or required changes/enhancements.
Sample Job Titles: Chief Information Officer (CIO), Command IO, Information Security Policy Analyst, Information Security Policy Manager, Policy Writer and Strategist

Education and Training: Conducts training of personnel within pertinent subject domain. Develops, plans, coordinates, and evaluates training courses, methods, and techniques as appropriate.
Sample Job Titles: Cyber Trainer, Information Security Trainer, Security Training Coordinator

(The preceding material was taken directly from [40].)
Each of these areas already has a draft Committee on National Security Systems (CNSS) training standard under development. As such, the bulk of our curriculum design from 2011 forward will focus on this material. Throughout this document we will first refer to our historical experience in developing curriculum, then transition to our perspective moving forward.

2013 Update: The Next Generation CAEIAE: National Centers of Academic Excellence in Information Assurance/Cyber Defense

In 2013, the CAEIAE office at NSA announced that the program was being completely overhauled, most likely in response to the release of the new NICE standards. The overhaul will require all CAEs to re-designate under new criteria in order to earn the new NSA/DHS National Center of Academic Excellence in Information Assurance and Cyber Defense designation. Little is known about the details of the new program, most likely because it is still under development. The NSA is hosting workshops where participants discuss what the new program will entail. According to the NSA web site: "Coming soon information on NSA/DHS National Center of Academic Excellence in Information Assurance and Cyber Defense." The published CAEIAE/CD FAQ for CAEs transitioning to the new designation reads as follows:

Transition to the NSA/DHS Center of Academic Excellence in Information Assurance/Cyber Defense (IA/CD) Designations: Frequently Asked Questions

1. My current CAE in IA designation expires in June 2013, will this designation be extended?
Yes, your current CAE in IA designation will be extended to October. The expected launch date for the new program is May 1. (2013 re-designation submissions will be accepted between 1 June 2013 and 31 July 2013.)

2. My current CAE in IA designation expires after June 2013; will it still be honored until its expiration date?
All current CAE in IA designations will need to transition to the new CAE in IA/CD designation by December. Current designations will be honored until then. We are developing a schedule based on current expiration dates, and school locations to reduce travel costs, as a site visit is now part of the designation process.

3. How long will we have to achieve the new CAE in IA/CD designation?
The transition of current CAE in IA designees to the new CAE in IA/CD designation will be completed by December. We will work on a schedule based on current expiration dates, and dates of nearby schools to reduce travel costs.

4. Why should we apply for the new designation?
After December 2014 the current NSA/DHS CAE in IA designation will no longer be recognized. In order to continue to be designated as a NSA/DHS CAE in IA/CD you must meet the requirements for the new program.

5. We are not a current CAE in IA, when can we apply for the CAE in IA/CD designation?
New applications will be accepted beginning June 1, 2013 and will be evaluated based on NIETP resources.

6. How long will we have to complete the CAE in IA/CD application?
For CAEs scheduled to re-designate in 2013, the submission window will be June 1 - July 31. For


More information

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement

More information

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model--- ---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of

More information

Cyber Defense Operations Graduate Certificate

Cyber Defense Operations Graduate Certificate The SANS Technology Institute makes shorter groups of courses available to students who are unable to commit to a full master s degree program. These certificate programs will augment your skills, provide

More information

Cybersecurity Definitions and Academic Landscape

Cybersecurity Definitions and Academic Landscape Cybersecurity Definitions and Academic Landscape Balkrishnan Dasarathy, PhD Program Director, Information Assurance Graduate School University of Maryland University College (UMUC) Email: Balakrishnan.Dasarathy@umuc.edu

More information

Sabbatical Leave Application

Sabbatical Leave Application LOS RIOS COMMUNITY COLLEGE DISTRICT Sabbatical Leave Application Name Lance Parks College: CRC Present Assignment: CIS Type of Leave Requested: A. Type A One Semester: Fall Spring X Entire Year Will you

More information

APPENDIX J INFORMATION TECHNOLOGY MANAGEMENT GOALS

APPENDIX J INFORMATION TECHNOLOGY MANAGEMENT GOALS APPENDIX J INFORMATION TECHNOLOGY MANAGEMENT GOALS Section 5123 of the Clinger-Cohen Act requires that the Department establish goals for improving the efficiency and effectiveness of agency operations

More information

MARYLAND. Cyber Security White Paper. Defining the Role of State Government to Secure Maryland s Cyber Infrastructure.

MARYLAND. Cyber Security White Paper. Defining the Role of State Government to Secure Maryland s Cyber Infrastructure. MARYLAND Cyber Security White Paper Defining the Role of State Government to Secure Maryland s Cyber Infrastructure November 1, 2006 Robert L. Ehrlich, Jr., Governor Michael S. Steele, Lt. Governor Message

More information

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO-6009-09 TABLE OF CONTENTS

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO-6009-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS V. POLICY VI. RESPONSIBILITIES

More information

Preventing and Defending Against Cyber Attacks October 2011

Preventing and Defending Against Cyber Attacks October 2011 Preventing and Defending Against Cyber Attacks October 2011 The Department of Homeland Security (DHS) is responsible for helping Federal Executive Branch civilian departments and agencies secure their

More information

Certifications and Standards in Academia. Dr. Jane LeClair, Chief Operating Officer National Cybersecurity Institute

Certifications and Standards in Academia. Dr. Jane LeClair, Chief Operating Officer National Cybersecurity Institute Certifications and Standards in Academia Dr. Jane LeClair, Chief Operating Officer National Cybersecurity Institute Accreditation What is it? Why is it important? How is it attained? The National Centers

More information

Information Systems Security Certificate Program

Information Systems Security Certificate Program Information Technologies Programs Information Systems Security Certificate Program Accelerate Your Career extension.uci.edu/infosec University of California, Irvine Extension s professional certificate

More information

Course Title: ITAP 3471: Web Server Management

Course Title: ITAP 3471: Web Server Management Course Title: ITAP 3471: Web Server Management Semester Credit Hours: 4 (3,1) I. Course Overview The primary objective of this course is to give students a comprehensive overview of the tools and techniques

More information

Protecting Energy s Infrastructure and Beyond: Cybersecurity for the Smart Grid

Protecting Energy s Infrastructure and Beyond: Cybersecurity for the Smart Grid Protecting Energy s Infrastructure and Beyond: Cybersecurity for the Smart Grid Which is it? Cyber Security ~or~ Cybersecurity? Dr. Ernie Lara President Presenters Estrella Mountain Community College Dr.

More information

CYBER SECURITY WORKFORCE

CYBER SECURITY WORKFORCE Department of the Navy CYBER SECURITY WORKFORCE SCHEDULE A HIRING AUTHORITY FINAL IMPLEMENTING GUIDANCE Prepared by: DONCIO USMC SPAWAR NAVY CYBER FORCES FFC OCHR HRO HRSC 1 Table of Contents I. Introduction

More information

DoD Strategy for Defending Networks, Systems, and Data

DoD Strategy for Defending Networks, Systems, and Data DoD Strategy for Defending Networks, Systems, and Data November 13, 2013 Department DoDD of Defense Chief Information Officer DoD Strategy for Defending Networks, Systems, and Data Introduction In July

More information

2 Gabi Siboni, 1 Senior Research Fellow and Director,

2 Gabi Siboni, 1 Senior Research Fellow and Director, Cyber Security Build-up of India s National Force 2 Gabi Siboni, 1 Senior Research Fellow and Director, Military and Strategic Affairs and Cyber Security Programs, Institute for National Security Studies,

More information

The Next Generation of Security Leaders

The Next Generation of Security Leaders The Next Generation of Security Leaders In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish

More information

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and

More information

CyberSecurity Solutions. Delivering

CyberSecurity Solutions. Delivering CyberSecurity Solutions Delivering Confidence Staying One Step Ahead Cyber attacks pose a real and growing threat to nations, corporations and individuals globally. As a trusted leader in cyber solutions

More information

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES Final Report Prepared by Dr Janet Tweedie & Dr Julie West June 2010 Produced for AGIMO by

More information

CESG Certification of Cyber Security Training Courses

CESG Certification of Cyber Security Training Courses CESG Certification of Cyber Security Training Courses Supporting Assessment Criteria for the CESG Certified Training (CCT) Scheme Portions of this work are copyright The Institute of Information Security

More information

(U) Appendix D: Evaluation of the Comprehensive National Cybersecurity Initiative

(U) Appendix D: Evaluation of the Comprehensive National Cybersecurity Initiative (U) Appendix D: Evaluation of the Comprehensive National Cybersecurity Initiative (U) Presidential Directive NSPD 54/HSPD 23, Cybersecurity Policy, established United States policy, strategy, guidelines,

More information

Preventing and Defending Against Cyber Attacks June 2011

Preventing and Defending Against Cyber Attacks June 2011 Preventing and Defending Against Cyber Attacks June 2011 The Department of Homeland Security (DHS) is responsible for helping Federal Executive Branch civilian departments and agencies secure their unclassified

More information

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Roberta Stempfley Acting Assistant Secretary for Cybersecurity and Communications

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 8140.01 August 11, 2015 DoD CIO SUBJECT: Cyberspace Workforce Management References: See Enclosure 1 1. PURPOSE. This directive: a. Reissues and renumbers DoD Directive

More information

Department of Defense INSTRUCTION. SUBJECT: Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing

Department of Defense INSTRUCTION. SUBJECT: Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing Department of Defense INSTRUCTION NUMBER 8560.01 October 9, 2007 ASD(NII)/DoD CIO SUBJECT: Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing References: (a) DoD

More information

Security Transcends Technology

Security Transcends Technology INTERNATIONAL INFORMATION SYSTEMS SECURITY CERTIFICATION CONSORTIUM, INC. Career Enhancement and Support Strategies for Information Security Professionals Paul Wang, MSc, CISA, CISSP Paul.Wang@ch.pwc.com

More information

OCCUPATIONAL GROUP: Information Technology. CLASS FAMILY: Security CLASS FAMILY DESCRIPTION:

OCCUPATIONAL GROUP: Information Technology. CLASS FAMILY: Security CLASS FAMILY DESCRIPTION: OCCUPATIONAL GROUP: Information Technology CLASS FAMILY: Security CLASS FAMILY DESCRIPTION: This family of positions provides security and monitoring for the transmission of information in voice, data,

More information

[STAFF WORKING DRAFT]

[STAFF WORKING DRAFT] S:\LEGCNSL\LEXA\DOR\OI\PARTIAL\CyberWD..xml [STAFF WORKING DRAFT] JULY, 0 SECTION. TABLE OF CONTENTS. The table of contents of this Act is as follows: Sec.. Table of contents. Sec.. Definitions. TITLE

More information

An Information Assurance and Security Curriculum Implementation

An Information Assurance and Security Curriculum Implementation Issues in Informing Science and Information Technology Volume 3, 2006 An Information Assurance and Security Curriculum Implementation Samuel P. Liles and Reza Kamali Purdue University Calumet, Hammond,

More information

INSIGHTS AND RESOURCES FOR THE CYBERSECURITY PROFESSIONAL

INSIGHTS AND RESOURCES FOR THE CYBERSECURITY PROFESSIONAL INSIGHTS AND RESOURCES FOR THE CYBERSECURITY PROFESSIONAL BY 2 In enterprise IT, there is a single point where everything that matters in information, technology and business converges: Cybersecurity Nexus

More information

(Instructor-led; 3 Days)

(Instructor-led; 3 Days) Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of

More information

RARITAN VALLEY COMMUNITY COLLEGE COURSE OUTLINE. CISY-274 Privacy, Ethics & Computer Forensics

RARITAN VALLEY COMMUNITY COLLEGE COURSE OUTLINE. CISY-274 Privacy, Ethics & Computer Forensics RARITAN VALLEY COMMUNITY COLLEGE COURSE OUTLINE CISY-274 Privacy, Ethics & Computer Forensics I. Basic Course Information A. Course Number & Title: CISY-274 - Privacy, Ethics, & Computer Forensics B. New

More information

Social Media Security Training and Certifications. Stay Ahead. Get Certified. Ultimate Knowledge Institute. ultimateknowledge.com

Social Media Security Training and Certifications. Stay Ahead. Get Certified. Ultimate Knowledge Institute. ultimateknowledge.com Ultimate Knowledge Institute ultimateknowledge.com Social Media Security Training and Certifications Social Media Security Professional (SMSP) Social Media Engineering & Forensics Professional (SMEFP)

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

Cybersecurity AAS Program

Cybersecurity AAS Program Cybersecurity AAS Program New Program Proposal State Submission Steve Buchholz, Dean of Accreditation and Advancement July 2015 TABLE OF CONTENTS Executive Summary... 2 Identification and Description of

More information

SECURITY CONSIDERATIONS FOR LAW FIRMS

SECURITY CONSIDERATIONS FOR LAW FIRMS SECURITY CONSIDERATIONS FOR LAW FIRMS Enterprise Risk Management Professional consulting firm that specializes in cyber security Founded in 1998 in Miami, Florida Serves more than 150 clients, locally,

More information

Cyber R &D Research Roundtable

Cyber R &D Research Roundtable Cyber R &D Research Roundtable 2 May 2013 N A T I O N A L S E C U R I T Y E N E R G Y & E N V I R O N M E N T H E A L T H C Y B E R S E C U R I T Y Changing Environment Rapidly Evolving Threat Changes

More information

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved. Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008 U.S. D EPARTMENT OF H OMELAND S ECURITY 7 Homeland Fiscal Year 2008 HOMELAND SECURITY GRANT PROGRAM ty Grant Program SUPPLEMENTAL RESOURCE: CYBER SECURITY GUIDANCE uidelines and Application Kit (October

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

Appendix A: Gap Analysis Spreadsheet. Competency and Skill List. Critical Thinking

Appendix A: Gap Analysis Spreadsheet. Competency and Skill List. Critical Thinking Appendix A: Gap Analysis Spreadsheet Competency and Skill List Competency Critical Thinking Data Collection & Examination Communication & Collaboration Technical Exploitation Information Security Computing

More information

KEY TRENDS AND DRIVERS OF SECURITY

KEY TRENDS AND DRIVERS OF SECURITY CYBERSECURITY: ISSUES AND ISACA S RESPONSE Speaker: Renato Burazer, CISA,CISM,CRISC,CGEIT,CISSP KEY TRENDS AND DRIVERS OF SECURITY Consumerization Emerging Trends Continual Regulatory and Compliance Pressures

More information

Cyber Incident Annex. Cooperating Agencies: Coordinating Agencies:

Cyber Incident Annex. Cooperating Agencies: Coordinating Agencies: Cyber Incident Annex Coordinating Agencies: Department of Defense Department of Homeland Security/Information Analysis and Infrastructure Protection/National Cyber Security Division Department of Justice

More information

Better secure IT equipment and systems

Better secure IT equipment and systems Chapter 5 Central Services Data Centre Security 1.0 MAIN POINTS The Ministry of Central Services, through its Information Technology Division (ITD), provides information technology (IT) services to government

More information

Computer Security and Investigations

Computer Security and Investigations Computer Security and Investigations Program Locations: Program Code: Coordinator: Credential: Peterborough CSI Blair Brown Ontario College Advanced Diploma Start Dates: September 06, 2016 January 09,

More information

Five-Year Strategic Plan

Five-Year Strategic Plan U.S. Department of Education Office of Inspector General Five-Year Strategic Plan Fiscal Years 2014 2018 Promoting the efficiency, effectiveness, and integrity of the Department s programs and operations

More information

National Initiative for Cybersecurity Education

National Initiative for Cybersecurity Education ISACA National Capital Area Chapter March 25, 2014 National Initiative for Cybersecurity Education Montana Williams, Branch Chief Benjamin Scribner, Program Director Department of Homeland Security (DHS)

More information

ISACA S CYBERSECURITY NEXUS (CSX) October 2015

ISACA S CYBERSECURITY NEXUS (CSX) October 2015 ISACA S CYBERSECURITY NEXUS (CSX) October 2015 DO2 EXECUTIVE OVERVIEW Will you be a Cyber defender? ISACA launched the Cybersecurity Nexus (CSX) program earlier this year. CSX, developed in collaboration

More information

RARITAN VALLEY COMMUNITY COLLEGE COURSE OUTLINE. CISY 275 UNIX and Linux Security Management

RARITAN VALLEY COMMUNITY COLLEGE COURSE OUTLINE. CISY 275 UNIX and Linux Security Management RARITAN VALLEY COMMUNITY COLLEGE COURSE OUTLINE CISY 275 UNIX and Linux Security Management I. Basic Course Information A. Course Number & Title: CISY-275 - UNIX and Linux Security Management B. Date of

More information

IT Security Management 100 Success Secrets

IT Security Management 100 Success Secrets IT Security Management 100 Success Secrets 100 Most Asked Questions: The Missing IT Security Management Control, Plan, Implementation, Evaluation and Maintenance Guide Lance Batten IT Security Management

More information

Department of Homeland Security Federal Government Offerings, Products, and Services

Department of Homeland Security Federal Government Offerings, Products, and Services Department of Homeland Security Federal Government Offerings, Products, and Services The Department of Homeland Security (DHS) partners with the public and private sectors to improve the cybersecurity

More information

National Initiative for Cybersecurity Education

National Initiative for Cybersecurity Education THE NICE VISION National Initiative for Cybersecurity Education a national campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms, and to build a digital

More information

Bellevue University Cybersecurity Programs & Courses

Bellevue University Cybersecurity Programs & Courses Undergraduate Course List Core Courses: CYBR 250 Introduction to Cyber Threats, Technologies and Security CIS 311 Network Security CIS 312 Securing Access Control CIS 411 Assessments and Audits CYBR 320

More information

INCIDENT RESPONSE CHECKLIST

INCIDENT RESPONSE CHECKLIST INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged

More information

PRINCIPLES AND PRACTICE OF INFORMATION SECURITY

PRINCIPLES AND PRACTICE OF INFORMATION SECURITY PRINCIPLES AND PRACTICE OF INFORMATION SECURITY Protecting Computers from Hackers and Lawyers Linda Volonino, Ph.D. Canisius College Stephen R. Robinson Verity Partners, LLC with contributions by Charles

More information

NORTH DAKOTA CLASS DESCRIPTION ND Human Resource Management Services Phone: (701) 328-3290

NORTH DAKOTA CLASS DESCRIPTION ND Human Resource Management Services Phone: (701) 328-3290 NORTH DAKOTA CLASS DESCRIPTION ND Human Resource Management Services Phone: (701) 328-3290 Class Code(s): 0117 0118 SCOPE OF WORK: INFORMATION SYSTEMS SECURITY ANALYST Work involves the completion of technical

More information

SECTION-BY-SECTION. Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012.

SECTION-BY-SECTION. Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012. SECTION-BY-SECTION Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012. Section 2. Definitions. Section 2 defines terms including commercial information technology product,

More information

Cyber threats are growing.

Cyber threats are growing. Cyber threats are growing. So are your career opportunities. Put the future of your cybersecurity career in the hands of a respected online education leader. Everything you need to succeed. Excelsior College

More information

Certification and Training

Certification and Training Certification and Training CSE 4471: Information Security Instructor: Adam C. Champion Autumn Semester 2013 Based on slides by a former student (CSE 551) Outline Organizational information security personnel

More information

TERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) 1. Reporting Function. The Applications Consultant reports directly to the CIO

TERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) 1. Reporting Function. The Applications Consultant reports directly to the CIO TERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) Consultant - Enterprise Systems & Applications 1. Reporting Function. The Applications Consultant reports directly to the CIO 2. Qualification and Experience

More information