CESG Certification of Cyber Security Training Courses

Similar documents
Certification of Master s Degrees Providing a General, Broad Foundation in Cyber Security

Certification of Masters Degrees Providing a General, Broad Foundation in Cyber Security

Certification of Integrated Master s Degrees in Computer Science and Cyber Security

External Supplier Control Requirements

Practitioner Certificate in Information Assurance Architecture (PCiIAA)

(Instructor-led; 3 Days)

External Supplier Control Requirements

Application Guidance CCP Penetration Tester Role, Practitioner Level

NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13

Bellevue University Cybersecurity Programs & Courses

Cyber Essentials Scheme

MASTER OF SCIENCE IN INFORMATION ASSURANCE PROGRAM DEPARTMENT OF COMPUTER SCIENCE HAMPTON UNIVERSITY

Designing and Coding Secure Systems

GFSU Certified Cyber Crime Investigator GFSU-CCCI. Training Partner. Important dates for all batches

BM482E Introduction to Computer Security

Big Data, Big Risk, Big Rewards. Hussein Syed

Certification of Master s Degrees in Digital Forensics

Security Controls What Works. Southside Virginia Community College: Security Awareness

Certification of Master s Degrees Providing a General Broad Foundation in Cyber Security

Unit 3 Cyber security

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

PRINCIPLES AND PRACTICE OF INFORMATION SECURITY

Information Security Basic Concepts

Certification of Master s Degrees in Computer Science for Cyber Security

Lot 1 Service Specification MANAGED SECURITY SERVICES

Information security controls. Briefing for clients on Experian information security controls

developing your potential Cyber Security Training

Committees Date: Subject: Public Report of: For Information Summary

CYBER SECURITY TRAINING SAFE AND SECURE

The Education Fellowship Finance Centralisation IT Security Strategy

Specialist Cloud Services. Acumin Cloud Security Resourcing

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

INCIDENT RESPONSE CHECKLIST

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review

Projectplace: A Secure Project Collaboration Solution

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Certifications and Standards in Academia. Dr. Jane LeClair, Chief Operating Officer National Cybersecurity Institute

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

Cyber security standard

Growth Through Excellence

The Next Generation of Security Leaders

Qualification Specification. Level 4 Certificate in Cyber Security and Intrusion For Business

Protecting Your Organisation from Targeted Cyber Intrusion

Reducing the Cyber Risk in 10 Critical Areas

CompTIA Security+ (Exam SY0-410)

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

COPYRIGHTED MATERIAL. Contents. Acknowledgments Introduction

MS Information Security (MSIS)

InfoSec Academy Application & Secure Code Track

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

CREST EXAMINATIONS. CREST (GB) Ltd 2016 All Rights Reserved

Building Reference Security Architecture

Computer Security Literacy

InfoSec Academy Forensics Track

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

INFORMATION SECURITY TRAINING CATALOG (2015)

Cyber Essentials Scheme

FBLA Cyber Security aligned with Common Core FBLA: Cyber Security RST RST RST RST WHST WHST

How small and medium-sized enterprises can formulate an information security management system

IBX Business Network Platform Information Security Controls Document Classification [Public]

Bachelor of Information Technology (Network Security)

Security + Certification (ITSY 1076) Syllabus

Logging In: Auditing Cybersecurity in an Unsecure World

Cybersecurity and internal audit. August 15, 2014

Joseph Migga Kizza. A Guide to Computer Network Security. 4) Springer

Computer Security. Principles and Practice. Second Edition. Amp Kumar Bhattacharjee. Lawrie Brown. Mick Bauer. William Stailings

BCS Certificate in Information Security Management Principles Syllabus

Cybersecurity The role of Internal Audit

Master of Science in Information Systems & Security Management. Courses Descriptions

The Protection Mission a constant endeavor

February 2015 Issue No: 5.2. CESG Certification for IA Professionals

SCOTTISH CENSUS INDEPENDENT SECURITY REVIEW REPORT

ABB s approach concerning IS Security for Automation Systems

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

^H 3RD EDITION ITGOVERNANCE A MANAGER'S GUIOE TO OATA SECURITY ANO DS 7799/IS ALAN CALDER STEVE WATKINS. KOGAN PAGE London and Sterling, VA

Western Australian Auditor General s Report. Information Systems Audit Report

Introduction to Cyber Security / Information Security

IT Networking and Security

October 2014 Issue No: 2.0. Good Practice Guide No. 44 Authentication and Credentials for use with HMG Online Services

How To Manage Security On A Networked Computer System

Certified Information Systems Auditor (CISA)

CloudDesk - Security in the Cloud INFORMATION

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

A Systems Engineering Approach to Developing Cyber Security Professionals

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

Cyber security Building confidence in your digital future

ESKISP Conduct security testing, under supervision

School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy

CGI Cyber Risk Advisory and Management Services for Insurers

Thales Service Definition for PSN Secure Gateway Service for Cloud Services

Transcription:

CESG Certification of Cyber Security Training Courses Supporting Assessment Criteria for the CESG Certified Training (CCT) Scheme Portions of this work are copyright The Institute of Information Security Professionals. All rights reserved. Document History Issue Date Comment 1.0 30 September 2014 First Issue The copyright of this document is reserved and vested in the Crown. Page: 1 of 13 This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemptions under other UK information legislation. Refer disclosure requests to GCHQ on 01242

Introduction Reflecting the aims of the National Cyber Security Programme, UK Government and its delivery partners are working to increase the UK's educational capability in all fields of Cyber Security. Together BIS, EPSRC, GCHQ, CPNI and OCSIA have developed a joint approach and strategy for reaching this goal. As part of that strategy, through the CESG Certified Training (CCT) scheme, GCHQ intends to certify cyber security training courses, which are available to anyone and not just the Public Sector. The CCT scheme is designed to provide confidence in cyber security training providers and the courses that they offer. Overview As part of the CCT scheme, each training course will be assessed against the nominated area(s) of the Institute of Information Security Professionals (IISP) Information Security Skills Framework. As part of the application process, applicants will be asked to identify which skill(s) group(s) the training course covers. This self-assessment will then be used as the basis for assessment. In support of this, CESG has provided indicative topic coverage for each of the IISP skills groups. The topic coverage provided is the same as that used by the assessment process for the GCHQ certification of masters degrees, which provide a general, broad foundation in cyber security. This is intentional as it provides a common baseline for cyber security capability from awareness and training, to that used at the highest levels of academic pursuit. Course Structure Training providers will be able to submit two types of courses for assessment: courses which provide a fundamental coverage of nominated area(s) of the IISP Skills Framework, or courses which provide in depth coverage. Training providers will be asked to indicate this as part their submission for assessment under the CCT scheme. Courses can provide either a fundamental or in depth coverage in one or more of the IISP skill(s) group(s). Eighty per cent of the learning time of the training course must cover the IISP skill(s) group(s) as nominated by the training provider in their self-assessment. It is expected that a training course at the Awareness Level will: Provide an introduction, awareness and overview of one or more of the nominated IISP skill(s) group(s) Be applicable for those who are taking up a new cyber security role or wishing to enter the profession Not require any training, professional or academic prerequisites Not have to include any self-study Not have to provide any practical/ hands-on learning Not have to include formal examination or assessment although this can be offered if required Page: 2 of 13 This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemptions under other UK information legislation. Refer disclosure requests to GCHQ on 01242

It is expected that a training course at the Application Level will: Provide a detailed insight and understanding of one or more of the nominated IISP skill(s) group(s) Be applicable for those who are already performing a cyber-security role and wish to further their professional capability Require training, professional or academic prerequisites Typically run for two or more days Include self-study Provide practical/ hands-on learning Include formal examination or assessment, which could form part of a professional certification The Assessment Process APM Group (APMG) will assess three distinct areas of course delivery. The quality management systems of the training provider will be checked to ensure the management of applicants, their personal details and the delivery of training is consistent, efficient and effective. The trainers will be assessed for their teaching ability and their technical knowledge in the IISP skill(s) group(s) covered by the course being assessed. The course materials will be assessed to ensure they deliver the expected level of learning to delegates, in a way that is effective such that it provides the best opportunity for the delegates to feel they have received a high quality training course. The course certificate will detail the IISP skill(s) group(s) covered and the type of training offered (awareness or practical), such that prospective applicants will have a full understanding of what to expect from the course. The marketing for the course will also be assessed to ensure it does not mislead potential applicants. Certifications of training courses by APMG will be subject to a set of terms and conditions (T&Cs) that all applicants will have to agree to as part of the application process. Page: 3 of 13 This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemptions under other UK information legislation. Refer disclosure requests to GCHQ on 01242

Page: 4 of 13 This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemptions under other UK information legislation. Refer disclosure requests to GCHQ on 01242

Topics that can be covered by Cyber Security Training Courses in Support of the CCT Scheme The Security Discipline Principles and Skills Groups that form part of the tables in this document are derived from the IISP Information Security Skills Framework and are copyright The Institute of Information Security Professionals. All rights reserved. The information within the tables is intended to provide an indicative mapping of potential topic coverage to the IISP Skills Framework 1. The tables are structured on the basis of Security Disciplines that lead to a series of Indicative Topics: a. The set of Security Disciplines and Principles has been taken from the IISP Skills Framework, along with summary versions of the associated Knowledge Requirements expressed in CESG s March 2014 document on Certification for IA Professionals. 23 b. The Skills Groups are based upon those expressed in the IISP framework, but with some of the groups having been merged together where appropriate (e.g. where Training Courses would be unlikely to be focusing their coverage or where the treatment of the Skills Groups would essentially encompass the same topics). A new Skills Group on Control Systems has been added to reflect the growing importance of this subject area. c. To help with later referral, the Skills Groups have been numbered i to xiv. The IISP Skills Groups to which they refer are also shown (e.g. A2, A5, etc.). d. The Indicative Topic Coverage highlights examples of the specific topics that one would expect to see represented within the syllabi of Training Courses in order for broad coverage of the related Skills Group to be achieved. Given that they are indicative topics, courses would not be required to cover all of them explicitly (and indeed other topics may additionally be relevant), but there would be expected to be sufficient weight of coverage within each area if the Skills Group was to be satisfactorily addressed. 1 IISP(Skills(Framework: https://www.iisp.org/imis15/iisp/accreditation/our_skills_framework/iisp/about_us/our_skills_framework.aspx?hkey=e 77a6f03f9498f423efaa7bf585381290ec4 2 CESG is the Information Security arm of GCHQ: http://www.cesg.gov.uk 3 CESG Certification for IA Professionals: http://www.cesg.gov.uk/awarenesstraining/certifiedprofessionals/pages/index.aspx Page: 5 of 13 This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemptions under other UK information legislation. Refer disclosure requests to GCHQ on 01242

A. Information Security Management Principle: Capable of determining, establishing and maintaining appropriate governance of (including processes, roles, awareness strategies, legal environment and responsibilities), delivery of (including polices, standards and guidelines), and cost-effective solutions (including impact of third parties) for information security within a given organisation). Management frameworks such as ISO 27000 series Legislation such as Data Protection Act Common management Frameworks such as ISO 9000 i. Governance, Policy, Strategy, Innovation, Awareness and Audit (A1, A2, A3, A4, A5, G1) ii. Legal & Regulatory Environment, Third Party Management (A6, A7) The role and function of security policy Types of security policy Security standards (e.g. ISO/IEC 27000) Security concepts and fundamentals Security roles and responsibilities Security professionalism Governance and compliance requirements in law Security culture Awareness raising methods Acceptable use policies Security standards and certifications Understanding auditability The internal audit process Methods for realising business benefit Risk managed business and operational processes Computer Misuse legislation Data Protection law Intellectual property and copyright Employment issues Regulation of security technologies Third party management Methods for establishing confidence in third parties Page: 6 of 13

B. Information Risk Management Principle: Capable of articulating the different forms of threat to, and vulnerabilities of, information systems and assets. Comprehending and managing the risks relating to information systems and assets. Threat, vulnerability and risk concepts Threat landscape, adversarial thinking Asset valuation and management Business impact of risk Risk analysis methodologies Handling risk and selecting countermeasures/controls to mitigate risk Understanding impacts and consequences Security economics iii. Risk Assessment and Management (B1, B2) Information risk management methodologies such as ISO 27005 - Information Security Risk Management Generic risk management methodologies such as ISO 31000 Risk Management; Principles & Guidelines Key concepts such as threats, vulnerabilities, business impacts, and risk tolerance Page: 7 of 13

C. Implementing Secure Systems Principle: Comprehends the common technical security controls available to prevent, detect and recover from security incidents and to mitigate risk. Capable of articulating security architectures relating to business needs and commercial product development that can be realised using available tools, products, standards and protocols, delivering systems assured to have met their security profile using accepted methods Security Architectures and Patterns Secure Development processes Business requirements Skills frameworks (e.g. SFIA) Architectural frameworks (e.g. The Open Group Architecture Framework TOGAF) Range of core security technologies (e.g. Access control models, encryption, Authentication techniques) and how to apply them iv. Security Architecture (C1) v. Secure Development (C2) vi. Control Systems Design and development considerations: trusted computing base, security architecture and patterns, security models and design principles (e.g., principle of least privilege, fail-safe defaults), software (program) security, emission security Selecting and applying core technologies: authentication, access control, privacy controls, security protocols Recognising security needs across platforms: operating system security, Web security, embedded security, cloud and virtualisation security, security as a service Cryptography: cipher and algorithm types, applications to confidentiality, integrity and authentication, PKI Network security: Internet security protocols, tunnelling, VPNs, network attack and defence, TLS Human factors: usable security, psychology of security, insider threat Security systems development: managing secure systems development, principles of secure programming, formal approaches, understanding implementation errors and exploits. SCADA and SMART Systems, cyber system of systems (from abstract to physical effect), non-ip protocols and standards (e.g., WiFi, Bluetooth, GSM, CAN, MODBUS), cyber-physical systems analysis, embedded systems, assurance of control systems hardware and software, design/implementation methodologies to minimise the risk of vulnerabilities, risk modelling and riskbased decision making Page: 8 of 13

D. Information Assurance Methodologies and Testing Principle: Develops and applies standards and strategies for verifying that measures taken mitigate identified risks. Assessment Methodologies (e.g. Common Criteria) Information Risk Management Frameworks, Assessment services or standards (e.g. CHECK) Governance aspects and Management responsibilities Testing strategies and methodologies (e.g., TEMPEST testing) vii. Information Assurance Methodologies (D1) viii. Security Testing (D2) Assessment methodologies (e.g. 27000 series and Common Criteria) Understanding security vulnerabilities and related mitigation measures System and software testing Penetration testing Security metrics Static and dynamic analysis of products and systems Page: 9 of 13

E. Operational Security Management Principle: Capable of managing all aspects of a security programme, including reacting to new threats and vulnerabilities, secure operational and service delivery consistent with security polices, standards and procedures, and handling security incidents of all types according to common principles and practices, consistent with legal constraints and obligations. Governance and Management responsibilities IT Service Management processes (e.g. ITIL) Existing and Emerging Vulnerabilities Use of penetration testing and vulnerability testing Risk Assessment and Monitoring Operating Procedures and accountability Continuous improvement ix. Secure Operations Management and Service Delivery (E1, E2) x. Vulnerability Assessment (E3) Internet threats: common attacks (human and technical), malicious code, situational awareness, threat trends, threat landscape, CERTs, adversarial thinking Cryptography: AES and RSA, key management, digital signatures Network security: networking fundamentals, firewalls and traffic filtering, intrusion detection and prevention systems, intrusion analysis, network monitoring, mobile and wireless network security System security: authentication (secrets, tokens, biometrics), access control (MAC, DAC, RBAC) and privilege management, mobile device security and BYOD, anti-virus technologies Application security: email, Web, social networks, DRM, database security, big data security, identity management Physical security: physical and environmental controls, physical protection of IT assets Malware analysis: static and dynamic analysis, detection techniques, host-based intrusion detection, kernel rootkits System and network-level vulnerabilities and their exploitation Vulnerability analysis and management Penetration testing Social Engineering Dependable/resilient/survivable systems Page: 10 of 13

F. Incident Management Principle: Capable of managing or investigating an information security incident at all levels. xi. Incident Management (F1) Intrusion detection methods Intrusion response Intrusion management Incident handling Intrusion analysis, monitoring and logging Secure Information Management (stakeholder management within organisational context) Incident detection techniques Incident response management (internal and external) Audit log management Forensics (e.g. Evidential standards, Tools, Impact assessment) xii. Investigation (F2) xiii. Forensics (F3) Understanding of legislation and legal constraints Evidence gathering rules and techniques Collecting, processing and preserving digital evidence Device forensics Memory forensics Network forensics Anti-forensic techniques Forensic report writing and expert testimony Page: 11 of 13

G. Audit, Assurance & Review Principle: Capable of defining and implementing the processes and techniques used in verifying compliance against security policies, standards, legal and regulatory requirements. Audit methodologies (e.g., Certified Information Systems Auditor - CISA) Vertical/horizontal auditing techniques Audit processes and techniques (e.g. HMG IA Maturity Model) The Audit and Review Skills Group (G1) has been incorporated into Skills Group i above The indicative topic coverage has been included in Skills Group i above Page: 12 of 13

H. Business Continuity Management Principle: Capable of defining the need for, and of implementing processes for, establishing business continuity. xiv. Business Continuity Planning and Management (H1, H2) Business continuity management lifecycle Business Impact Analysis process Related standards (e.g. ISO 22301, ISO 27001, BS 25999, BS 27031) I. Information Systems Research N/A Principle: Original investigation in order to gain knowledge and understanding relating to information security, including the invention and generation of ideas, performances and artefacts where these lead to new or substantially improved xv. Research (I2) N/A N/A insights; and the use of existing knowledge in experimental development to produce new or substantially improved devices, products and processes. J. Professional Skills N/A No IISP reference N/A N/A Continuity Planning Backup Disaster recovery Page: 13 of 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information