Information Security Workforce Development Matrix Initiative. FISSEA 23 rd Annual Conference March 23, 2010

Similar documents
GAO CYBERSECURITY HUMAN CAPITAL. Initiatives Need Better Planning and Coordination

CHIEF INFORMATION OFFICERS COUNCIL

How to use the National Cybersecurity Workforce Framework. Your Implementation Guide

National Initiative for Cyber Security Education

FITSP-Auditor Candidate Exam Guide

THE NATIONAL CYBERSECURITY WORKFORCE FRAMEWORK. USER GUIDE Employers

TOPSECRETPROTECTION.COM (TSP)

NICE and Framework Overview

STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration

Compliance Risk Management IT Governance Assurance

2012 Information Technology Workforce Assessment for Cybersecurity (ITWAC) Summary Report

Introduction to NICE Cybersecurity Workforce Framework

Publication Number: Third Draft Special Publication Revision 1. A Role Based Model for Federal Information Technology / Cyber Security Training

STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration

Information Security Guide For Government Executives. Pauline Bowen Elizabeth Chew Joan Hash

How to Use the Federal Risk and Authorization Management Program (FedRAMP) for Cloud Computing

Security and Emergency Services Community of Interest 0080-Information/Personnel Security Administration Career Road Map

CYBERBOK Cyber Crime Security Essential Body of Knowledge: A Competency and Functional Framework for Cyber Crime Management

5 FAM 620 INFORMATION TECHNOLOGY (IT) PROJECT MANAGEMENT

Section 37.1 Purpose Section 37.2 Background Section 37.3 Scope and Applicability Section 37.4 Policy... 5

Federal Risk and Authorization Management Program (FedRAMP)

Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

VA Office of Inspector General

I. U.S. Government Privacy Laws

Understanding the Federal IT Security Professional (FITSP) Certification

Certification and Training

APPENDIX J INFORMATION TECHNOLOGY MANAGEMENT GOALS

A Role-Based Model for Federal Information Technology/ Cybersecurity Training

Security and Emergency Services Community of Interest 0089 Emergency Management Career Road Map

Director, IT Security District Office Kern Community College District JOB DESCRIPTION

PREFACE TO SELECTED INFORMATION DIRECTIVES CHIEF INFORMATION OFFICER MEMORANDUM

SECURE POWER SYSTEMS PROFESSIONALS (SPSP) PROJECT PHASE 3, FINAL REPORT: RECRUITING, SELECTING, AND DEVELOPING SECURE POWER SYSTEMS PROFESSIONALS

Policy on Information Assurance Risk Management for National Security Systems

The HIPAA Security Rule: Theory and Practice

NARA s Information Security Program. OIG Audit Report No October 27, 2014

Cybercrime & Cybersecurity: the Ongoing Battle International Hellenic University

Executive Management of Information Security

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

ISACA S CYBERSECURITY NEXUS (CSX) October 2015

Department of Homeland Security

IT-CNP, Inc. Capability Statement

2.0 ROLES AND RESPONSIBILITIES

FedVTE Training Catalog SPRING advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

An Introduction to the DHS EBK: Competency and Functional Framework for IT Security Workforce Development

Guideline for Mapping Types of Information and Information Systems to Security Categorization Levels SP AP-2/03-1

NOTICE: This publication is available at:

NASA OFFICE OF INSPECTOR GENERAL

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

EPA Classification No.: CIO P-02.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

NICE Cybersecurity Workforce Framework Tutorial

in Information Security and Assurance

GAO Information Security Issues

Seeing Though the Clouds

Identity and Access Management Initiatives in the United States Government

Small Business. Leveraging SBA IT resources to support America s small businesses

The National Cybersecurity Workforce Framework Delaware Cyber Security Workshop September 29, 2015

Report on CAP Cybersecurity November 5, 2015

Security Transcends Technology

Overview. FedRAMP CONOPS

The Government-wide Implementation of Biometrics for HSPD-12

Information Assurance Branch (IAB) Cybersecurity Best Practice for Executive Level Managers

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM

NISTIR 7359 Information Security Guide For Government Executives

Operationally Focused CYBER Training Framework

December 8, Security Authorization of Information Systems in Cloud Computing Environments

NIST Cyber Security Activities

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Briefing Outline. Overview of the CUI Program. CUI and IT Implementation

State of South Carolina InfoSec and Privacy Career Path Model

INFORMATION SECURITY

United States Department of Health & Human Services Enterprise Architecture Program Management Office. HHS Enterprise Architecture Governance Plan

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

The Intersection of Internal Controls and Cyber Security

2012 Clinger-Cohen Core Competencies & Learning Objectives

Information Security Principles and Practices

How To Improve Federal Network Security

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

OCCUPATIONAL GROUP: Information Technology. CLASS FAMILY: Security CLASS FAMILY DESCRIPTION:

Why Cybersecurity Matters in Government Contracting. Robert Nichols, Covington & Burling LLP

CMS Policy for Information Security and Privacy

Preventing and Defending Against Cyber Attacks June 2011

CYBER SECURITY WORKFORCE

Transcription:

Information Security Workforce Development Matrix Initiative FISSEA 23 rd Annual Conference March 23, 2010

Professionalization of the Workforce The CIO Council s IT Workforce Committee partnered with Booz Allen Hamilton to conduct research on the information security environment and to develop role-based information security workforce development matrices The matrices are intended to establish a baseline across the Federal Government for staff engaged in information security work Provides a government-wide perspective on the types of roles common in information security work and identifies a common framework describing competencies/skills, education, experience, credentials and training needed by performance level

Information Security Roles Identified (Mar 2010) 1. Chief Information Security Officer 2. Systems Operations & Maintenance Professional 3. Network Security Specialist 4. Digital Forensics & Incident Response Analyst 5. Information Security Assessor 6. Information Systems Security Officer 7. Security Architect 8. Vulnerability Analyst 9. Information Security Systems & Software Development Specialist 10. Chief Information Officer 11. Information Security Risk Analyst

Components of the IS Matrix (Matrix below is notional) INFORMATION SECURITY COMPLIANCE PROFESSIONAL: The Information Security Compliance Professional is responsible for overseeing, participating in evaluating, and supporting compliance issues pertinent to the organization. Individuals in this role perform a variety of activities that encompass compliance from internal and external perspectives. These include leading and conducting internal investigations, helping employees to comply with internal policies and procedures, and serving as a resource for external compliance officers during independent assessments. The Information Security Compliance Professional provides guidance and autonomous evaluation of the organization to management. Performance Suggested Learning & Development Description/Complexity Competencies/Skills Suggested Education & Experience Level Sources I: Entry Has a basic understanding of information security compliance with regard to the FISMA Act and its requirements, applicable laws and regulations (e.g., OMB directives, HSPD, HIPAA, Clinger-Cohen), organizational policies, and the information security compliance evaluation process (i.e., initial risk assessment, mitigation recommendations, controls, and applicable security compliance) Applies compliance knowledge, skills, and abilities with supervision on projects, programs, and initiatives with low threat and scope (i.e., inter-office) Performance levels are associated with recommended proficiency descriptors applicable to each of the relevant competency/skill models listed below. Competency/Skill Proficiency Descriptors I-Entry: Basic understanding of concepts addressed in relevant competency/skill models II-Intermediate: Working knowledge and application of relevant competency/skill models in work activities III-Advanced: Advanced application and mastery of relevant competency/skill 1-3 years experience involving work directly related to security control evaluation and implementation on information technology, systems, and programs Participation in Scholarship for Service program through a designated Center of Academic Excellence in Information Assurance Education (CAEIAE) 1.Development Resources: IT Workforce Roadmap (IT Roadmap) Graduate Programs, USDA IT Programs GoLearn Courses (www.golearn.gov) CIO Council (www.cio.gov) DoD DISA Training GSA s CIO university Program 1.University Information Security Programs: National Defense University- IRM College IS/IA Degree Programs- CAEIAE Private University Programs (e.g., GMU, MIT) II: Intermediate Applies an understanding of information security models Bachelors Degree (preferred areas of 1.OPM Development Center: The Federal compliance when reviewing systems and security documentation, explaining risks to Relevant Competency/Skill Models: OPM GS-2200 Job Family Standard study include Computer Science, Information Executive Institute and the Management Technology, Information Assurance/Security, Development Centers system owners, implementing risk mitigation Competencies Engineering, Business/Management, or 2.NIST SP 800-16: Key role-based controls, and enforcing information security Clinger-Cohen Core Competencies degrees from a designated CAEIAE); OR 3-5 information security body of knowledge policies Reviews security document artifacts and determines organizational compliance with information security laws and organizational policies Is responsible for contributing, with limited supervision, to projects, programs, and with an emphasis on Technical, Desktop Technology Tools, and IT Security/Information Assurance competency areas DHS EBK Competencies: Data Security Enterprise Continuity years experience involving work directly related to security control evaluation and implementation on information technology, systems, and programs Possession and demonstrated application of CISA or CISSP certifications topics and concepts including awareness, training, and education 3.DHS IT Security Essential Body of Knowledge: Information security key terms/concepts, functional perspectives, and role-based competencies 4.Participation in coaching/mentoring/job initiatives with medium-threat and moderate Incident Management shadowing programs scope (i.e., sub-organization wide) IT Systems Operations & Maintenance 5.Agency Requirements: organization and Network & Telecommunications business area training identified as III: Advanced Designs the organization s working compliance Graduate Degree (preferred areas of study Security required program and creates associated information include Computer Science, Information Personnel Security 6.Clinger-Cohen Core Competency-based security policies and programs Technology, Information Assurance/Security, Regulatory & Standards Compliance training sources and Capital Planning and Set expectations, determines appropriate Engineering, Business/Management, or Security Risk Management Investment Control (CPIC) mandate compliance measures to be used across the degrees from a designated CAEIAE); OR 5+ Strategic Security Management 7.Certifications: agency credentialing may department/agency, and maintains governance years of experience involving work directly System & Application include other criteria (e.g., DoD 8570-01- over the standards and methodologies for related to security control evaluation and NIST SP 800-37 C&A Process M), continuing education, or professional compliance reviews implementation on information technology, NIST SP 800-53 Control Set and SP society, industry, or vendor certifications Independently manages, plans, evaluates, and systems, and programs 800-53A Control Assessment Core: ISC² CAP (I); CISA, CISSP (II/III) advocates for information security compliance Demonstrated experience in Related: ISACA CISM, ISC² ISSMP, systems, plans, and functions, and is managing/supervising an Information CompTIA, SANS GIAC responsible for the management of complex Security/IA compliance group 1.Current and Emerging Legislation (e.g., projects, programs, and initiatives with high Possession and demonstrated application FISMA, NIST SP-800 series, National threat and large scope (i.e., agency-wide or CISA and CISSP certifications Cybersecurity Initiative, FIPS, OMB inter-governmental) directives, CNSSI No. 4012 ) Level: Categorizes the compliance professional role by proficiency levels required for the position Description/ Complexity: defines each proficiency level; provides descriptions of the scope of responsibility and experience required for the role at that level Competencies: Identifies set of measurable knowledge, skills, abilities, and behaviors needed to successfully perform work roles or occupational functions Suggested Experience: Identifies minimum years of experience required for role Suggested Education, Training and Development Sources: Provides resources to enhance or develop a job-related knowledge, skill, or ability; provides professional and career development opportunities for an individual in the role

Matrices May Be Used for: Recruitment Staffing Career Planning Learning and development Performance management Succession planning

Draft Matrices Developed to Date Information Security Assessor (changed title from Information Security Compliance Professional) ready to pilot Chief Information Security Officer ready to pilot Systems Operations & Maintenance Professional ready to pilot Digital Forensics & Incident Response Analyst still in development

Next Steps Working across the federal government with groups involved in competency efforts Spring 2010 - pilot matrices developed so far in several agencies to road test prior to implementation Post Pilot 2010 - development of additional matrices

Contact: Dagne Fulcher Consultant, IT Workforce Issues 703.999.7329 DagneFulcher@verizon.net

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information