Teaching Information Security to Engineering Managers



Similar documents
Establishing and Maintaining a Cybersecurity Program: The GWU EMSE Experience

Introduction to Cyber Security / Information Security

Certifications and Standards in Academia. Dr. Jane LeClair, Chief Operating Officer National Cybersecurity Institute


Critical Controls for Cyber Security.

8/27/2015. Brad Schuette IT Manager City of Punta Gorda (941) Don t Wait Another Day

Altius IT Policy Collection Compliance and Standards Matrix

Triangle InfoSeCon. Alternative Approaches for Secure Operations in Cyberspace

NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense

Cyber Education triangle clarifying the fog of cyber security through targeted training

Interdisciplinary Program in Information Security and Assurance. By Kossi Edoh NC A&T State University Greensboro

Bellevue University Cybersecurity Programs & Courses

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Computer Security and Investigations

Linux Technologies QUARTER 1 DESKTOP APPLICATIONS - ESSENTIALS QUARTER 2 NETWORKING AND OPERATING SYSTEMS ESSENTIALS. Module 1 - Office Applications

Minnesota State Community and Technical College Detroit Lakes Campus

UNM Information Assurance Scholarship for Service (SFS) Program

How To Protect Your Data From Being Stolen

Computer Security: Principles and Practice

Protecting Energy s Infrastructure and Beyond: Cybersecurity for the Smart Grid

FedVTE Training Catalog SUMMER advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

Department of Information Systems and Cyber Security

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Information Security Policy

Networking and Information Security

Principle of Information Security. Asst. Prof. Kemathat Vibhatavanij Ph.D.

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

Cisco Network Specialist CCNA

Middle Class Economics: Cybersecurity Updated August 7, 2015

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

The Protection Mission a constant endeavor

NERC CIP Substation Cyber Security Update. John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com

MS Information Security (MSIS)

Certified Cyber Security Analyst VS-1160

John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Trends

The Information Security Problem

Legal Issues / Estonia Cyber Incident

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

FedVTE Training Catalog SPRING advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

ICT Barriers, High Tech Crime, and Police

CYBERBOK Cyber Crime Security Essential Body of Knowledge: A Competency and Functional Framework for Cyber Crime Management

Actions and Recommendations (A/R) Summary

<Insert Picture Here> How to protect sensitive data, challenges & risks

Security Controls What Works. Southside Virginia Community College: Security Awareness

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15.

University of Central Florida Class Specification Administrative and Professional. Information Security Officer

InfoSec Academy Application & Secure Code Track

U. S. Attorney Office Northern District of Texas March 2013

Chairman Johnson, Ranking Member Carper, and Members of the committee:

(Instructor-led; 3 Days)

VeilMail Penetration Test Executive Summary PRESENTED TO: GREG ROAKE, CEO.TURNER TECHNOLOGIES LTD - VEILMAIL STEVE BYRNE, DIRECTOR.

Compliance Risk Management IT Governance Assurance

Encyclopedia of Information Assurance Suggested Titles: March 25, 2013 The following titles have not been contracted.

ABB Automation Days, Madrid, May 25 th and 26 th, Patrik Boo What do you need to know about cyber security?

Principles of Information Assurance Syllabus

Cybersecurity Definitions and Academic Landscape

Microsoft Technologies

Centers of Academic Excellence in Cyber Security (CAE-C) Knowledge Units Review

Bachelor of Applied Information Science (Information Systems Security)

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

10 Best Practices to Protect Your Network presented by Saalex Information Technology and Citadel Group

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Global Cyber Range (GCR) Empowering the Cybersecurity Professional (CyPro)

Department of Computer Science and Information Systems

INFORMATION SECURITY FOR YOUR AGENCY

Internet threats: steps to security for your small business

Information Systems Security Certificate Program

External Supplier Control Requirements

Contrasting CS and SE. The CS/SE Continuum

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

Enterprise Security Architecture Concepts and Practice

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Information Security Services

Basics of Internet Security

TUSKEGEE CYBER SECURITY PATH FORWARD

Certification and Training

BSA-ISSA Information Security Study Online Survey of ISSA Members

Cloud Security & Standardization. Markku Siltanen Tietoturvakonsultti CISA, CGEIT, CRISC

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

Ohio Supercomputer Center

Transcription:

Teaching Information Security to Engineering Managers Julie Ryan Assistant Professor The George Washington University Washington, DC http://www.seas.gwu.edu/~infosec/ 1

Why Bother? Lots of CS and EE programs in security Excellent technical approach to the problem A needed but not sufficient contribution to the problem space 1970 Defense Science Board Report: Providing satisfactory security controls in a computer system is in itself a system design problem [requiring a] combination of hardware, software, communication, physical, personnel, and administrative-procedural safeguards. [1] Condoleeza Rice, 2001: Today, the cyber economy is the economy. Corrupt those networks and you disrupt this nation. [2] [1] Ware, Willis H. Security Controls for Computer Systems: Report of the Defense Science Board Task Force on Computer Security. The RAND Corp: 1970. [2] Joint Economic Committee, US Congress. Security in the Information Age: New Challenges, New Strategies. http://www.house.gov/jec/security.pdf, May 2002 http://www.seas.gwu.edu/~infosec/ 2

The First Question What s an IA Professional? The IA field is very complex Analogous to medical professional Whole range of doctors Pathologists to pediatricians to brain surgeons Whole range of nurses LPNs, RNs, Nurse-anesthetists, etc Whole range of other specialities Pharmacists, lab technicians, etc Medical administrators From insurance claims processors to hospital managers Bottom line: An IA Professional can be a lot of different people http://www.seas.gwu.edu/~infosec/ 3

Given That. To build an IA Workforce, must address each area Opportunities for education Technical education From electrons to data structures Practical training From configuring firewalls to patch management Legal education From law enforcement to intellectual property law Engineering education From systems engineering to security architectures Management education From policy development to resource allocation http://www.seas.gwu.edu/~infosec/ 4

A complete IA workforce needs all those elements And they all need to work together And they need to be managed appropriately http://www.seas.gwu.edu/~infosec/ 5

Challenges Not all employers recognize the needs Students are biased By previous education By effects of the go-go 90s By perceptions about what an IA professional is Educational institutions are biased By lack of understanding/knowledge By perception that anyone can teach security http://www.seas.gwu.edu/~infosec/ 6

Our Approach Nine Schools/Colleges GWU BPA Law etc SEAS CCAS Medical Intellectual Property Criminal Justice Forensics (CyberCrime) ME ECE CS EMSE CE Grad Cert in CompSec (4 courses) M.S. in Computer Science D.Sc. in Computer Science Grad Cert in InfoSec Mgmt (6 courses) M.S. in EMSE (Concentration Infosec) D.Sc. in EMSE (Concentration Infosec) http://www.seas.gwu.edu/~infosec/ 7

The EMSE Approach The Graduate Education Certificate (also the MS Core) EMSE 218: Intro & Overview Everything at a micron deep EMSE 315: Law Contracts, Case law, torts, ethics, etc EMSE 312: Protect (minus Crypto) Personnel, Physical, Ops, Computer, Network, etc EMSE 313: Crypto All crypto, all the time EMSE 314: Detect Audit, monitor, IDS, etc EMSE 316: React/Correct Biz continuity, crisis mgmt, recovery The MS Electives (2 of ) EMSE 317: Cybercrime Criminal law, forensics processes EMSE 318: Info Ops Effect of global economy on security EMSE 319: Emerging Issues Wireless security EMSE 320: E-Commerce How to, how to secure The EMSE Core requirements for all MS tracks EMSE 212: Mgt of Tech Orgs EMSE 260: F&A for Engr Mgrs EMSE 269: Decision Theory EMSE 283: Systems Engineering http://www.seas.gwu.edu/~infosec/ 8

Topics Covered The short list: Threats Vulnerability assessments Risk management Secure computing Operational security Admin security Policy Law Ethics Network security Life cycle management Personnel security History of computer security History of comms security Crypto, crypto, crypto And more. Common Criteria Rainbow series Auditing Monitoring Intrusion detection systems Crisis management Business continuity planning Resource allocation Security engineering Malicious software Trust Passwords Authentication Access control And still more http://www.seas.gwu.edu/~infosec/ 9

What We Don t Teach Computer Science Not a single line of code generated Not a single algorithm developed Electrical Engineering Not a single circuit analyzed Hands on skills Not a single firewall configured Not a single system administrated Hacking Cover the theory in advanced classes but forbid them to do it BUT! Computer Science Dept does this Electrical & Computer Engineering Dept does this We do teach them why each and every element of those specialties is a critical component of security engineering and management http://www.seas.gwu.edu/~infosec/ 10

Why? The demand is there Huge requirement for education of non-computer science types Weapons acquisition managers Program managers of all other sorts The other engineers increasingly required to work with IT Senior executives forced to deal with security issues Business types in the IT workforce with no computer science background Strongly believe in the systems engineering approach to security in operational environments Solution in real world is not a computer science problem http://www.seas.gwu.edu/~infosec/ 11

Student Outcomes Who Hires Our Graduates? The government Defense contractors Large corporations Demand is driven by: Demographics of the DC metro area Requirement for knowledge to apply to large systems http://www.seas.gwu.edu/~infosec/ 12

Contact Information Julie J.C.H. Ryan, D.Sc. 1776 G. Street NW #110 Washington DC, 20052 jjchryan@gwu.edu http://www.seas.gwu.edu/~infosec/ The George Washington University is an NSA Certified Center of Academic Excellence in Information Assurance Education. We offer Graduate Certificate, Master s, and Doctoral level education in Information Security Management for professionals from all educational backgrounds. GWU is located in the heart of Washington DC very near the White House and other government offices. http://www.seas.gwu.edu/~infosec/ 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information