in Information Security and Assurance

Transcription

1 [DRAFT] A Model Curriculum for Programs of Study A Model Curriculum for Programs of Study in Information Security and Assurance in Information Security and Assurance v. 6.0 February 2013 [DRAFT] Michael E. Whitman, Ph.D., CISM, CISSP Herbert J. Mattord, Ph.D., CISM, CISSP KSU Center for Information Security the Coles College of Business Kennesaw State University 1000 Chastain Rd. MS 1101 Kennesaw, GA (770) infosec@kennesaw.edu *A limited use license is granted to adopt parts of this curriculum for use in your institution. Specific permission is required to reproduced or republish this content. Contact the authors for additional details.

2 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance Note: Kennesaw State University was designated a National Center of Academic Excellence in Information Assurance Education by the National Security Agency and the Department of Homeland Security in 2004, 2007 and Contents Introduction... 6 Statement of the Problem... 6 Goals and Objectives... 8 Approaches to Implementing Information Security Curricula... 8 Preliminary Work Completed Information Security Position and Roles CISO Security Managers Security Administrators and Analysts Security Technicians Security Staffer or Watchstander Update: The NICE Definitions of Security Roles and Responsibilities Component 1: National Cybersecurity Awareness Lead: Department of Homeland Security (DHS) Component 2: Formal Cybersecurity Education Co-Lead Department of Education (DoED) and National Science Foundation (NSF) Component 3: Cybersecurity Workforce Structure Lead: DHS Component 4: Cybersecurity Workforce Training and Professional Development Tri-Leads: Department of Defense (DoD), Office of the Director of National Intelligence (ODNI), Department of Homeland Security (DHS) I. Securely Provision II. Operate and Maintain III. Protect and Defend IV. Investigate V. Operate and Collect VI. Analyze VII. Support Update: The Next Generation CAEIAE National Centers of Academic Excellence in Information Assurance/CyberDefense Information Security Professional Certifications Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP) Global Information Assurance Certification (GIAC) Security Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 2

3 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) Certified Forensics Investigator Certifications Established Standards, Models And Practices ISO/IEC 27002/17799/BS Mapping Positions and Roles to Knowledge Areas Mapping the CISSP Common Body of Knowledge NSTISSC Training Standards Mapping the CISSP Common Body of Knowledge to NICE {Additional Material to be added here as the NICE framework continues to evolve and disseminate}defining the Focus of the Program Managerial InfoSec Program Technical InfoSec Program Balanced InfoSec Program Levels of Mastery Determining Numbers of Courses Needed Mapping Mastery Depth to Courses Pilot study Principles of Information Security & Assurance Technical Applications in Information Security & Assurance The Draft Curriculum Model Implementation of the Draft Curriculum Model Number of Course the Institution can Implement in InfoSec Certificate in Information Security and Assurance (ISA) ISA 3100 Principles of Information Security and Assurance ISA 3200 Technical Applications in Information Security and Assurance ISA 3300 Policy and Administration in Information Security and Assurance Project Presentations Bachelor of Science in Information Security and Assurance Program Objectives General Program Learning Objectives Specific Program Learning Objectives Major Electives Business Electives: Criminal Justice Electives: CSIS Electives: Information Security Electives: Information Technology Electives: Sample Programs of Study Development of the Degree Program Textbooks used in the program: ISA 3100: Principles of Information Security and Assurance, (Intro to InfoSec) Introduction to Information Security The Need for Security Legal, Ethical, and Professional Issues in Information Security Risk Management Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 3

4 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance 5. Planning for Security Security Technology: Firewalls, VPNs, and Wireless Security Technology: Intrusion Detection and Prevention Systems and Other Security Tools Cryptography Physical Security Implementing Information Security Security and Personnel Information Security Maintenance and ediscovery ISA 3200: Network Security (Technical InfoSec) ISA 3300: Management of Information Security in a Global Environment ISA 4330: Incident Response and Disaster Recovery 2 nd ed ISA 4350: Computer Forensics Lab Manual used for a variety of ISA courses: If you would like additional information on these books (i.e. how well they worked in the class, or what support materials are included) please contact us. All Course Technology texts include instructor s ancillaries including PowerPoint slide shows, text banks, and instructor s guides.2011 and the Bachelor of Business Administration in Information Security and Assurance Program Description: Program Curriculum: Program Goals and Objectives Note Goals 1-4 are common to all BBA programs: Minor in Information Security and Assurance Minor Curriculum: Revision of Pilot Model Broader Impacts of This Proposal Evaluation Plan Academic Information Security Peer Review External Practitioner Review DISSEMINATION ) Proceedings of the upcoming academic conferences ) Inclusion in PIs texts ) Course University and Working Connections Series ) Publication through Educational Portals: ) Posting on Regional Security Web Sites ) Recognition through NSA ) Publication in regional and national venues How you can help Appendix: Information Security Curriculum Development Procedures and Forms for use at your institution: 126 I. Determine interest, scope and intent of the program II. Determine stakeholder interest and guidance III. Form the curriculum development committee IV. Map desired positions to knowledge areas V. Discuss the following constraints on the program VI. Define program objectives VII. Determine the level of mastery desired in the program Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 4

5 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance VIII. Determine the number of courses to offer IX. Determine the Prerequisite knowledge areas necessary to support the desired classes X. Develop specific course learning objectives XI. Define laboratory components and required resources XII. Pilot test key courses XIII. Refine and revise as needed Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 5

6 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance Introduction Greetings! We would like to take this opportunity to thank you for allowing us to share our lessons learned in the development of Information Security Curriculum. As part of our ongoing commitment to Information Security education, we have decided to formally compile our information into a single packet and provide it to any who seek it, without any requirements, associated costs or restrictions. As a courtesy we would like to ask that if you like what you see, and would like to adopt the contents in whole or in part, that you send us a letter indicating your intent. This is to allow us to maintain a contact within institutions that are adopting our curriculum and to gather feedback on its feasibility and use. This document begins with pieces of the overall curriculum model as defined in an NSF proposal. We then continue through a discussion of the specific courses and programs implemented at Kennesaw State University, along with accompanying course materials. We then conclude with the intended next steps in the development of this curriculum. We invite you to participate in this process by forwarding suggestions, constructive criticisms, and ideas to us at the address above or by to infosec@kenneaw.edu. The following sections overview our experiences and findings in developing security curriculum. At the end of this discussion an abbreviated copy of our methodology is repeated with blank worksheet so that you may duplicate our process yourself. Statement of the Problem One of the continuing challenges facing society is the security and protection of information assets. Advances in information security (InfoSec) have been unable to keep pace with advances in computing in general [1]. Daily, press accounts of dramatic computer theft, fraud and abuse are reported as leading to extensive economic loss. Continuous attacks on the American IT Infrastructure have highlighted the need for information security [2]. The annual CSI/FBI Computer Security survey highlights the high levels of respondents detected computer security breaches (usually in the 80-90% range), with the majority reporting significant financial losses due to these computer breaches. According to Dr. Joseph Bordogna, Deputy Director, National Science Foundation in remarks at a June 2002 NSF Workshop The events of September 11 only accelerated longstanding concerns about the threat of cyberterrorism and the vulnerability of the nation s information systems and communications networks [ ] Questions about the adequacy of the U.S. science, engineering, and technology workforce are also rising to a chorus. Reported shortages of skilled workers in the IT sector are only one example. The need we all recognize, for a cadre of professions in computer security and information assurance, is right at the top of the list [4]. Education in information security prepares IT students to recognize and combat information system threats and vulnerabilities [5]. The article Integrating Security into the Curriculum argues an educational system that cultivates an appropriate knowledge of computer security will increase the likelihood that the next generation of IT workers will have the background needed to design and develop systems that are engineered to be reliable and secure [6]. The need is so great that the President of the US issued Presidential Decision Directive 63, the Policy on Critical Infrastructure Protection in May 1998, which prompted the National Security Agency to established outreach programs like the Centers of Academic Excellence in Information Assurance Education (CAEIAE). This program s goal is to reduce vulnerabilities in our National Information Infrastructure by promoting higher education in 2005 Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 6

7 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance information assurance, and producing a growing number of professionals with IA expertise [7]. According to the US Government document The National Strategy to Secure Cyberspace, Education and outreach play an important role in making users and operators of cyberspace sensitive to security needs. These activities are an important part of the solution for almost all of the issues discussed in the National Strategy to Secure Cyberspace [8]. Even as part of the more recent National strategies: U.S. International Strategy for Cyberspace (May 2011) and the Comprehensive National Cybersecurity Initiative (May 2009), there is a recognized national goal To strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the Federal Government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace [39]. There are two dominant technology curriculum guidelines currently in use. The first is the ABET-CAC accreditation standards. The IS version of the standard specifies the need for an IS Environment: 15 semester hours which must be a cohesive body of knowledge to prepare the student to function effectively as an IS professional in the IS environment as well as 12 semester hours of advanced IS coursework [20]. The CS standard similarly provides for 16 hours of advanced CS course work. These courses could be used for InfoSec courses or programs. The second dominant curriculum guideline is the IS 2002 Model Curriculum Guidelines for Undergraduate Degree Programs in Information Systems, co-sponsored by the three largest professional technology organizations: Association for Computing Machinery (ACM), Association for Information Systems (AIS) and Association for Information Technology Professional (AITP). IS 2002 is a model curriculum for undergraduate degree programs in Information Systems and is [a] collaborative effort by ACM, AIS, and AITP. IS, as an academic field, encompasses two broad areas: (1) acquisition, deployment, and management of information technology resources and services (the IS function); and (2) development and evolution of technology infrastructures and systems for use in organizational processes (systems development). It also includes a detailed set of course descriptions and advice to [those] who have a stake in the achievement of quality IS degree programs [21]. The IS 2002 (and IS guiding principles have been adopted and revised for this curriculum model development: 1) The model curriculum should represent a consensus from the InfoSec community. 2) The model curriculum should be designed to help InfoSec faculty produce competent and confident entry level graduates well suited to work-place responsibilities. 3) The model curriculum should guide but not prescribe. Using the model curriculum guidelines, faculty can design their own courses. 4) The model curriculum should be based on sound educational methodologies and make appropriate recommendations for consideration by InfoSec faculty. 5) The model curriculum should be flexible and adaptable to most IS/CS programs [21]. Existing courses have been predominantly designed for graduate-level coursework [9,10], for computer science and engineering specific programs [5,11,24], or as pure practitioner-level training programs [12,13,14]. Even established curriculum bodies, like the Association for Computing Machinery (ACM) and the Accreditation Board for Engineering and Technology Computing Accreditation Council (ABET-CAC), do not have formal models established for curriculum in Information Security at the fouryear level. The only recommendation that does exist resulted from a workshop sponsored by the NSF and the American Association of Community Colleges, resulting in the draft recommendation 2005 Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 7

8 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance Protecting Information: the Role of Community Colleges in Cybersecurity Education [15]. This report serves as both a starting point for two-year institutions and as a reference for this project. The report provides details for community colleges to design curriculum focused on providing technical skills through training for the security technician, and hinges on the role of certification as an assessment tool. While supportive of the two-year institution s mission, this level of approach is inadequate for the mission of the four-year institution. The proposed model is designed to allow undergraduate Information Systems (IS) and Computer Science (CS) majors to move toward career fields that include and evolve through technical knowledge areas and into the management of information security, an area not usually addressed at the two-year level. Goals and Objectives This project is designed to increase the quality of baccalaureate-level information security education by creating a curriculum model in information security that provides students with technical and managerial skills needed for the IT workforce. The curriculum can be adopted by other institutions with undergraduate technology degree programs as individual courses, minors or concentrations in information security. It is intended to provide adopters of the curriculum with the means to deliver a quality education with breadth and depth of the information security common body of knowledge. The curriculum will adapt current national standards for security training. Standards for training programs do presently exist, but there are no baccalaureate education models. The closest work available to support a standardized baccalaureate curriculum is in The Role of Community Colleges described earlier. There is a clear lack of managerial and administrative education that this project will identify and develop. Approaches to Implementing Information Security Curricula There are five approaches to implementing information security curricula: 1. Elements added to existing courses. In this option, a number of existing courses can have an information security module added to reinforce the need to address information security at all junctures of organizational effort. This is a preferred technique and can be used in conjunction with other approaches. It is important to thread information security through a course, rather than adding it as a single module at the end. The following table provides examples of how information security could be integrated in existing courses Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 8

9 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance Existing Course Programming Principles Networking/ Data Communications Systems Analysis & Design Database Principles Operating Systems Information Security Topics Software Assurance (see Applied cryptography Network security principles Use of security tools (firewalls, IDS systems) Security in the SDLC Developing secure database structures Security tools for data management Privacy topics OS Hardening Configuration management 2. Elements added to a capstone course or courses. In this second approach to adding security content, specific modules are added to specific capstone experiences or courses. In our program for example students have two classes that represent their capstone experience. In the first, they are exposed to strategic policy and planning in IT, and presented with a number of guest speakers on various topics. In the second they are required to develop a system to solve a business problem, incorporating all aspects of learning to that point including database, data communications, programming, project management etc. By addressing strategic Information Security planning in the first course and having at least one speaker on an InfoSec topic, we integrate security into this course. By requiring the student teams to demonstrate how they used secure development techniques in the second we reinforce the concepts there. 3. Independent information security courses. The third approach to implementing information security is to create single security courses. This is the approach most commonly used today. Many programs develop one or two classes in security. Unfortunately many of the classes labeled as security classes fail to address the overall comprehensive breadth and scope of what is information security. A class in theoretical cryptography, while interesting does not provide much value to an information security professional-to-be. This requires faculty to develop courses in the manner described in detail the subsequent sections, rather than implementing classes that would be fun to teach. Also indicated in subsequent sections are suggestions for topics and components of individual security classes. 4. Information security certificates / minors. Continually increasing in frequency, the fourth option is to implement a cohesive set of classes, under the title of minor, concentration, specialization, or certificate. This requires detailed planning based on the desired focus and outcome of the program. In our case, we made a conscious decision to focus more on managerial information security, and less on technical information security. While we have courses in the technical arena, the bulk of the foundational courses are on the roles and responsibilities of an information security professional manager, rather than technical. This is purely a choice based on our strengths. There are many institutions out there that could, and should, consider implementing technical programs, if they have 2005 Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 9

10 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance the resources and support to do so. 5. Information security degree programs. In our mind, the ultimate goal for enhanced information security curriculum is the baccalaureate-level information security program. As indicated in the statement of the problem, there are several programs in the field that list bachelors in information security degree. When you take a close look, however it is more of a concentration or minor. Nothing wrong with that, but it tends to be misleading to the students. It takes a great deal of effort and support to create enough courses to populate a program of this magnitude, and even more resources to offer it. It does represent the pinnacle of InfoSec education at the baccalaureate level. Which of these approaches should you consider? First one must examine the available resources, time, faculty, money, technology and student demand. It may help to begin with the first two approaches and then slowly roll out additional approaches as demand presents itself. Or just jump in. No pain, no gain. Preliminary Work Completed Education is recognized as a critical component to improve information security throughout the nation [5]. The development of a curriculum model would provide direct benefit to the various academic, business, and governmental agencies, to support formal education efforts. During the initial analysis phase, we, the authors, examined existing literature, reviewed other programs of interest and their implementations. We also examined current and emerging national and international standards and guidelines for the training of InfoSec professionals [15,17,18], instructional methods and materials from programs recognized as NSA centers of excellence across the country [7,19], and general recommendations and constraints from curriculum supporting organizations such as ACM and ABET. In developing the curriculum for our pilot project, we used the Backward Curriculum Design Process [22] a well-known approach to curriculum design that begins with the desired outcomes and goals and works backward to learning objectives grouped into courses. The curriculum model seeks to answer the following question: What should an information security person who graduates from a particular program be qualified to do, and what positions should they expect to be able to hold? Information Security Position and Roles As position descriptions are not sufficiently descriptive of the roles the individuals play in the information security function, the next step was to identify the roles information security professionals assume and then map them to the positions an individual should hold. The following sections are from the text Management of Information Security, 3 rd ed 2010 Course Technology. A study of information security positions by Schwartz, Erwin, Weafer, and Briney found that positions can be classified into one of three types: those that define, those that build and those that administer. Definers provide the policies, guidelines and standards They're the people who do the consulting and the risk assessment, who develop the product and technical architectures. These are senior people with a lot of broad knowledge, but often not a lot of depth. Then you have the builders. They're the real techies, who create and install security solutions Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 10

11 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance... Finally, you have the people who operate and administrate the security tools, the security monitoring function, and the people who continuously improve the processes. [...] What I find is we often try to use the same people for all of these roles. We use builders all the time... If you break your InfoSec professionals into these three groups, you can recruit them more efficiently, with the policy people being the more senior people, the builders being more technical and the operating people being those you can train to do a specific task [30]. A typical organization has a number of individuals with information security responsibilities. While the titles used within any specific organization may be different from one organization to the next, most of the job functions fit one of the following categories: Chief information security officer (CISO) Security managers Security administrators and analysts Security technicians Security staffer CISO The CISO is primarily responsible for the assessment, management, and implementation of the program that secures the organization s information. The CISO may also be called the Manager for Security, the Security Administrator, or a similar title. The CISO usually reports directly to the CIO, although in larger organizations one or more layers of management may exist between the two officers. Security Managers Security managers are accountable for the day-to-day operation of the information security program. They accomplish objectives identified by the CISO, to whom they report as shown in Figure 5-11, and resolve issues identified by technicians, administrators, analysts, or staffers whom they supervise. Managing technology requires an understanding of it, but not necessarily a technical mastery in its configuration, operation, and fault resolution. Within the information security community, there may be team leaders or project managers responsible for management-like functions, such as scheduling, setting priorities, or administering any number of procedural tasks, but who are not necessarily held accountable for making a particular technology function. The accountability for the actions of others is the hallmark of a true manager. The accountability found in true management roles can be used to differentiate between actual managers and other roles that may include the word manager in their job titles but in fact to not have such accountability. Security Administrators and Analysts The security administrator is a hybrid between a security technician (see below) and the security manager, described in the previous section. These individuals have both technical knowledge and managerial skill. They are frequently called upon to manage the day-to-day operations of security technology, as well as assist in the development and conduct of training programs, policy and the like. The security analyst is a specialized security administrator. In traditional IT, the security administrator corresponds to a systems administrator or database administrator, and the security analyst to a systems analyst. The systems analyst, in addition to security administration duties, also must analyze and design security solutions within a specific domain (firewall, IDS, antivirus). Systems analysts must be able to 2005 Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 11

12 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance identify the users needs, as well as understand the technological complexities and capabilities of the security systems they design. Security Technicians Security technicians are the technically qualified individuals who configure firewalls and IDSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technology is properly implemented. A security technician is usually an entry-level position; however, some technical skills are required, which can make it difficult for those new to the field. It is difficult to get a job without experience, and experience comes with a job. Just as in networking, security technicians tend to be specialized, focusing on one major security technology group (firewalls, IDS, servers, routers, or software), and further specializing in one particular software or hardware package within the group, like Checkpoint firewalls, Nokia firewalls, or Tripwire IDS. These technologies are sufficiently complex to warrant a high level of specialization. Security technicians who want to move up in the corporate hierarchy must expand their technical knowledge horizontally, gaining an understanding of the general, organizational issues of information security, as well as all technical areas. Security Staffer or Watchstander This is a catchall title that applies to the individuals who perform routine watch standing activities. It encompasses the people that watch intrusion consoles, monitor accounts, and perform other routine-yet-critical roles that support the mission of the information Security Department. Why is it important to understand these roles? In order to design curriculum one must understand what it is you want the student to be able to accomplish upon graduation. In our curriculum development we use these roles were used as surrogates for positions and mapped to knowledge areas. Knowledge areas represent the specific knowledge needed for each role, and when paired with a multi-level mastery model like Bloom s taxonomy [21], can be used to identify the level of depth of knowledge for each role. For example, a CISO may need great breadth of knowledge, but not as much depth of knowledge in an area as a technician would. The challenge is to completely map and verify the roles, knowledge areas, and levels of mastery needed. Knowledge areas can be obtained from key indices like certifications [27], and from training standards and models [28]. Knowledge areas in InfoSec are many and can be very technical but, there is an agreed upon way to discuss them. Many programs take the short cut and jump straight to the certifications an information security professional could earn like: CISSP, SSCP, GIAC, SCP, TruSecure CSA/CSE, Security+, CISA/CISM. However, programs are hesitant to implement coursework that is focused on a specific applied output. Universities in general prefer to focus more on the true knowledge areas that these certificates test, rather than the specifics of these exams. However if we examine the content of some of the key certifications we can begin to glimpse some of the knowledge areas we would need to integrate with our coursework. The following excerpt from Management of Information Security provides additional detail on the leading certifications in Information Security Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 12

13 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance 2011 Update: The NICE Definitions of Security Roles and Responsibilities In 2011, a new major initiative has been promoted by a joint group of Federal agencies: NIST, NSA & DHS to name a few. The National Initiative for Cybersecurity Education will have far-reaching implications for information security education in the very near future. What was once referred to as Information Assurance in the federal sector is now referred to as Cybersecurity. According the NIST web site ( [The following section is directly copied from the referred Web site]: The National Initiative for Cybersecurity Education (NICE) has evolved from the Comprehensive National Cybersecurity Initiative, and extends its scope beyond the federal workplace to include civilians and students in kindergarten through post-graduate school. The goal of NICE is to establish an operational, sustainable and continually improving cybersecurity education program for the nation to use sound cyber practices that will enhance the nation s security. The National Institute of Standards and Technology (NIST) is leading the NICE initiative, comprised of over 20 federal departments and agencies, to ensure coordination, cooperation, focus, public engagement, technology transfer and sustainability. Many NICE activities are already underway and NIST will highlight these activities, engage various stakeholder groups and create forums for sharing information and leveraging best practices. NIST will also be looking for gaps in the initiative -- areas of the overarching mission that are not addressed by ongoing activities. The National Initiative for Cybersecurity Education (NICE) will be represented by four Components: Component 1: National Cybersecurity Awareness Lead: Department of Homeland Security (DHS) The National Cybersecurity Awareness Component is being led by the Department of Homeland Security. To boost national cybersecurity awareness, DHS will use public service campaigns to promote cybersecurity and responsible use of the Internet, and make cybersecurity a popular educational and career pursuit for older students. Component 2: Formal Cybersecurity Education Co-Lead Department of Education (DoED) and National Science Foundation (NSF) The Department of Education and the National Science Foundation (NSF) are leading the Formal Cybersecurity Education Component Their mission is to bolster formal cybersecurity education programs encompassing kindergarten through 12th grade, higher education and vocational programs, with a focus on the science, technology, engineering and math disciplines to provide a pipeline of skilled workers for the private sector and government. Component 3: Cybersecurity Workforce Structure Lead: DHS Cybersecurity Workforce Structure goal to define cybersecurity jobs, attraction, recruitment, retention, career path strategies. This component is being lead by DHS and supported by the Office of Personnel Management (OPM). This component contains the following Sub- Component Areas (SCAs): SCA1 Federal Workforce: lead by OPM SCA2 Government Workforce (non-federal): lead by DHS 2005 Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 13

14 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance SCA3 Private Sector Workforce: lead by Small Business Administration, Department of Labor, and NIST. Component 4: Cybersecurity Workforce Training and Professional Development Tri- Leads: Department of Defense (DoD), Office of the Director of National Intelligence (ODNI), Department of Homeland Security (DHS). The Cybersecurity Workforce Training and Professional Development Component is led by the Department of Defense, the Office of the Director of National Intelligence and the Department of Homeland Security. Its mission is to intensify training and professional development programs for existing federal cybersecurity workforce. This Component is divided into four functional areas that cover: Functional Area 1: General IT Use (Co-Leads: DHS, Federal CIO Council) Functional Area 2: IT Infrastructure, Operations, Maintenance, and Information Assurance (Co-Leads: DoD, DHS) Functional Area 3: Domestic Law Enforcement and Counterintelligence (Lead: NCIX, DOD/DC3, DOJ, DHS/USSS) Functional Area 4: Specialized Cybersecurity Operations (Lead: NSA) [End Direct Quote] According to the NICE framework, seven distinct functional areas are defined, with corresponding jobs identified within each functional area (or domain) [40]: From this same document the following provides information on these functional areas and workforce specifications: I. Securely Provision Securely Provision consists of those specialty areas concerned with conceptualizing, designing, and building secure IT systems. In other words, each of the roles within the Securely Provision category is responsible for some aspect of the systems development process. Information Assurance Compliance Oversees, evaluates, and supports the documentation, validation, and accreditation processes necessary to assure that new IT systems meet the organization s IA requirements. Ensures compliance from internal and external perspectives. Sample Job Titles: Accreditor; Auditor; Authorizing Official Designated Representative; Certification Agent; Certifying Official; Compliance Manager;Designated Accrediting Authority; IA Compliance Analyst/Manager; IA Manager; IA Officer; Portfolio Manager; Risk/Vulnerability Analyst; Security Control Assessor; Validator Software Engineering Develops, creates, and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs. Sample Job Titles: Analyst Programmer, Computer Programmer,Configuration Manager, IA Engineer, IA Software Developer, IA Software Engineer, R&D Engineer, Secure Software Engineer, Security Engineer, Software Developer, Systems Analyst, Web Application Developer 2005 Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 14

15 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance Enterprise Architecture Develops the systems concepts and works on the capabilities phases of the systems development lifecycle; translates technology and environmental conditions (e.g., law and regulation) into system and security designs and processes. Sample Job Titles: IA Architect; Information Security Architect; Information Systems Security Engineer; Network Security Analyst; R&D Engineer; Security Architect; Security Engineer; Security Solutions Architect; Systems Engineer; Systems Security Analyst. Technology Demonstration Conducts technology assessment and integration processes; provides and supports a prototype capability and evaluates its utility. Sample Job Titles: - Capabilities and Development Specialist, R&D Engineer Systems Requirements Planning Consults with customers to gather and evaluate functional requirements and translates these requirements into technical solutions. Provides guidance to customers about applicability of information systems to meet business needs. Sample Job Titles: Business Analyst, Business Process Analyst, Computer Systems Analyst, Contracting Officer, Contracting Officer s Technical Representative (COTR), Human Factors Engineer, Requirements Analyst, Solutions Architect, Systems Consultant, Systems Engineer Test and Evaluation Develops and conducts tests of systems to evaluate compliance with specifications and requirements by applying principles and methods for cost-effective planning, evaluating, verifying, and validating of technical, functional, and performance characteristics (including interoperability) of systems or elements of systems incorporating IT. (Example job titles: Application Security Tester; Information Systems Security Engineer; Quality Assurance Tester; R&D Engineer; Systems Engineer; Testing and Evaluation Specialist). Systems Development Works on the development phases of the systems development lifecycle. (Example job titles: IA Developer; IA Engineer; Information Systems Security Engineer; Program Developer; Security Engineer; Systems Engineer II. Operate and Maintain Operate and Maintain includes those specialty areas responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security. Data Administration Develops and administers databases and/or data management systems that allow for the storage, query, and utilization of data. Sample Job Titles: Content Staging Specialist, Data Architect, Data Manager, Data Warehouse Specialist, Database Administrator, Database Developer, Information Dissemination Manager, Systems Operations Personnel 2005 Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 15

16 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance Information Systems Security Management Oversees the information assurance program of an information system in or outside the network environment; may include procurement duties (e.g., ISSO). Sample Job Titles: Information Assurance Manager, Information Assurance Program Manager, Information Assurance Security Officer, Information Security Program Manager, Information Systems Security Manager, Information Systems Security Officer (ISSO) Knowledge Management Manages and administers processes and tools that enable the organization to identify, document, and access intellectual capital and information content. Sample Job Titles: Business Analyst, Business Intelligence Manager, Content Administrator, Document Steward, Freedom of Information Act Official, Information Manager, Information Owner, Information Resources Manager Customer Service and Technical Support Addresses problems, installs, configures, troubleshoots, and provides maintenance and training in response to customer requirements or inquiries (e.g., tiered-level customer support). Sample Job Titles: Computer Support Specialist, Customer Support, Help Desk Representative, Service Desk Operator, Systems Administrator, Technical Support Specialist Network Services Installs, configures, tests, operates, maintains, and manages networks and their firewalls, including hardware (hubs, bridges, switches, multiplexers, routers, cables, proxy servers, and protective distributor systems) and software that permit the sharing and transmission of all spectrum transmissions of information to support the security of information and information systems. Sample Job Titles: Cabling Technician, Converged Network Engineer, Network Administrator, Network Analyst, Network Designer, Network Engineer, Network Systems and Data Communications Analyst, Telecommunications Engineer/Personnel/Specialist System Administration Installs, configures, troubleshoots, and maintains server configurations (hardware and software) to ensure their confidentiality, integrity, and availability. Also manages accounts, firewalls, and patches. Responsible for access control, passwords, and account creation and administration. Sample Job Titles: LAN Administrator, Platform Specialist, Security Administrator, Server Administrator, System Operations Personnel, Systems Administrator, Website Administrator Systems Security Analysis Conducts the integration/testing, operations, and maintenance of systems security. Sample Job Titles: IA Operational Engineer, Information Assurance Security Officer, Information Security Analyst/Administrator, Information Systems Security Engineer, Information Systems Security Manager, Platform Specialist, Security Administrator, Security Analyst, Security Control Assessor, Security Engineer 2005 Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 16

17 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance III. Protect and Defend Protect and Defend includes specialty areas primarily responsible for the identification, analysis, and mitigation of threats to IT systems and networks. Specialty areas in the Protect and Defend category are closely aligned to computer network defense service provider organizations and responsibilities. Computer Network Defense Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network in order to protect information, information systems, and networks from threats. Sample Job Titles: CND Analyst (Cryptologic), Cyber Security Intelligence Analyst, Focused Operations Analyst, Incident Analyst, Network Defense Technician, Security Analyst, Security Operator, Sensor Analyst Incident Response Responds to crisis or urgent situations within the pertinent domain to mitigate immediate and potential threats. Uses mitigation, preparedness, and response and recovery approaches, as needed, to maximize survival of life, preservation of property, and information security. Investigates and analyzes all relevant response activities. Sample Job Titles: Computer Crime Investigator, Incident Handler, Incident Responder, Intrusion Analyst Computer Network Defense Infrastructure Support Tests, implements, deploys, maintains, and administers the infrastructure hardware and software that are required to effectively manage the computer network defense service provider network and resources. Monitors network to actively remediate unauthorized activities. Sample Job Titles: IDS Administrator, IDS Engineer, IDS Technician, Information Systems Security Engineer, Network Administrator, Network Analyst, Network Security Engineer, Network Security Specialist, Security Analyst, Security Engineer, Security Specialist, Systems Security Security Program Management Manages relevant security (e.g., information security) implications within the organization, specific program, or other area of responsibility, to include strategic, personnel, infrastructure, policy enforcement, emergency planning, security awareness, and other resources (e.g., CISO). Sample Job Titles: Chief Information Security Officer (CISO), Common Control Provider, Cyber Security Officer, Enterprise Security Officer, Facility Security Officer, IT Director, Principal Security Architect, Risk Executive, Security Domain Specialist, Senior Agency Information Security Officer (SAIS) Vulnerability Assessment and Management Conducts assessments of threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk, and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations. Sample Job Titles: Blue Team Technician, Close Access Technician, CND Auditor, Compliance Manager, Ethical Hacker, Governance Manager, Internal Enterprise Auditor, Penetration Tester, Red Team Technician, Reverse Engineer, Risk/Vulnerability Analyst, Vulnerability Manager 2005 Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 17

18 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance IV. Investigate Investigate specialty areas are responsible for the investigation of cyber events or crimes which occur within IT systems or networks, as well as the processing and use of digital evidence. Digital Forensics Collects, processes, preserves, analyzes, and presents computer-related evidence in support of network vulnerability mitigation, and/or criminal, fraud, counterintelligence or law enforcement investigations. Sample Job Titles: Computer Network Defense Forensic Analyst; Digital Forensic Examiner; Digital Media Collector; Forensic Analyst; Forensic Analyst (Cryptologic); Forensic Technician; Network Forensic Examiner) Investigation Applies tactics, techniques, and procedures for a full range of investigative tools and processes to include, but not limited to, interview and interrogation techniques, surveillance, countersurveillance, and surveillance detection, and appropriately balances the benefits of prosecution versus intelligence gathering. Sample Job Titles: Computer Crime Investigator, Special Agent V. Operate and Collect Operate and Collect includes specialty areas that have responsibility for the highly specialized collection of cybersecurity information that may be used to develop intelligence. Collection Operations Executes collection using appropriate collection strategies and within the priorities established through the collection management process. Cyber Operations Planning Gathers information and develops detailed Operational Plans and Orders supporting requirements. Conducts strategic and operationallevel planning across the full range of operations for integrated information and cyberspace operations. Cyber Operations Uses automated tools to manage, monitor, and/or execute large-scale cyber operations in response to national and tactical requirements. VI. Analyze Analyze consists of specialty areas responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence. Although not part of the core set of specialty areas, there is also a category of specialty areas that have been determined critical to the support of the primary cybersecurity categories. Cyber Threat Analysis Identifies and assesses the capabilities and activities of cyber criminals or foreign intelligence entities; produces findings to help initialize or support law enforcement and counterintelligence investigations or activities Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 18

19 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance Exploitation Analysis Analyzes collected information to identify vulnerabilities and potential for exploitation. Targets Applies current knowledge of one or more regions, countries, non-state entities, and/or technologies. All Source Intelligence Analyzes threat information from multiple sources, disciplines, and agencies across the Intelligence Community. Synthesizes and places intelligence information in context; draws insights about the possible implications. VII. Support Support category includes specialty areas that provide critical support so that others may effectively conduct their cybersecurity work. Legal Advice and Advocacy Provides legally sound advice and recommendations to leadership and staff on a variety of relevant topics within the pertinent subject domain. Advocates legal and policy changes, and makes a case on behalf of client via a wide range of written and oral work products, including legal briefs and proceedings. Sample Job Titles: Legal Advisor/SJA Strategic Planning and Policy Development Applies knowledge of priorities to define an entity s direction, determine how to allocate resources, and identify programs or infrastructure that are required to achieve desired goals within domain of interest. Develops policy or advocates for changes in policy that will support new initiatives or required changes/enhancements. Sample Job Titles: Chief Information Officer (CIO), Command IO, Information Security Policy Analyst, Information Security Policy Manager, Policy Writer and Strategist Education and Training Conducts training of personnel within pertinent subject domain. Develops, plans, coordinates, and evaluates training courses, methods, and techniques as appropriate. Sample Job Titles: Cyber Trainer, Information Security Trainer, Security Training Coordinator (The preceding material was taken directly from [40]). Each of these areas has already had a draft Committee on National Security Systems draft Training standard under development. As such the bulk of our curriculum design from 2011 forward will focus on this material. Throughout this document we will first refer to our historical experiences in development curriculum, then transition to our perspective moving forward Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 19

20 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance 2013 Update: The Next Generation CAEIAE National Centers of Academic Excellence in Information Assurance/CyberDefense In 2013, the CAEIAE office at NSA announced that the program was being completely overhauled, most likely in response to the release of the new NICE standards. The overhaul will require all CAE s to re-designate to new criteria in order to earn the new NSA/DHS National Center of Academic Excellence in information Assurance and Cyber Defense. Little is known about the details of the new program, most likely because it s still under development. The NSA is hosting workshops where participants discuss what the new program will entail. According to the NSA web site: Coming soon information on NSA/DHS National Center of Academic Excellence in information Assurance and Cyber Defense. The Published CAEIAE/CD FAQ for CAEs to transition to the new designation reads as follows: Transition to the NSA/DHS Center of Academic Excellence in Information Assurance/Cyber Defense (IA/CD) Designations Frequently Asked Questions 1. My current CAE in IA designation expires in June 2013, will this designation be extended? Yes, your current CAE in IA designation will be extended to October The expected launch date for the new program is May 1, (2013 re-designation submissions will be accepted between 1 June 2013 and 31 July 2013.) 2. My current CAE in IA designation expires after June 2013; will it still be honored until its expiration date? All current CAE in IA designations will need to transition to the new CAE in IA/CD designation by December Current designations will be honored until then. We are developing a schedule based on current expiration dates, and school locations to reduce travel costs, as a site visit is now part of the designation process. 3. How long will we have to achieve the new CAE in IA/CD designation? The transition of current CAE in IA designees to the new CAE in IA/CD designation will be completed by December We will work on a schedule based on current expiration dates, and dates of nearby schools to reduce travel costs. 4. Why should we apply for the new designation? After December 2014 the current NSA/DHS CAE in IA designation will no longer be recognized. In order to continue to be designated as a NSA/DHS CAE in IA/CD you must meet the requirements for the new program. 5. We are not a current CAE in IA, when can we apply for the CAE in IA/CD designation? New applications will be accepted beginning June 1, 2013 and will be evaluated based on NIETP resources. 6. How long will we have to complete the CAE in IA/CD application? For CAEs scheduled to re-designate in 2013, the submission window will be June 1 - July 31, For 2005 Kennesaw State University Center for Information Security Education ( / infosec@kenneaw.edu) 20