1 / 25

FISSEA Effective IT Security Training Strategies

Explore the importance of IT security training standards and evaluation tools for improved personnel management and career advancement in information assurance. Learn about existing and emerging training standards in the field.

katkins
Download Presentation

FISSEA Effective IT Security Training Strategies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. FISSEA Effective IT Security Training Strategies Emerging NSTISSC IA Training Standards and Evaluation Tools 16 March 00

  2. Why training standards?

  3. DOCUMENTED NEED • Redefining Security 1994 report • “Uniformity in skills and knowledge taught security professionals is needed not only to ensure the quality of work, but also to foster a common understanding and implementation of security policies and procedures.” Redefining Security: Joint Security Commission Report, Feb. 28, 1994, p124

  4. DOCUMENTED NEED • OTA 1994 Report • To be comprehensive, however, the generally accepted practices must be defined at several levels of detail, and different sets of the standards would apply to different users and applications.” Information Security and Privacy in Network Environments. Office of Technology Assessment, Sept., 1994

  5. DOCUMENTED NEED • OASD Information Assurance 1997 Report • The DoD still needs to; • Have a personnel management infrastructure to identify IA-skilled personnel • Verify IA-trained personnel are properly assigned and utilized. • Make IA career advancement opportunities available, and • Provide opportunities for IA specialists to maintain and enhance their technical skills through continuing education and training Improving Information Assurance: A general assessment and Comprehensive Approach to an Integrated IA Program for the Dept. of Defense. ASDC3I, March 28, 1997, p2b.

  6. DOCUMENTED NEED • Secrecy • “Agencies should be prepared to refocus existing resources on the training needed to create information security specialists. This direction must come from the top for creating a career path as an incentive for improving the quality of the computer security force expertise.” • “The commission recommends developing an information systems security career path across government.” Secrecy. Report of the Commission on Protecting and Reducing government Secrecy. 103 congress, 1997.p. 111. (http://www.access.gpo.gov/int)

  7. DOCUMENTED NEED • President’s Commission on Critical Infrastructure Protection • “NIST, NSA, and the U.S. Department of Education work in collaboration with the private sector to develop programs for education and training of information assurance specialists and for the continuing education as technologies change. This effort should also support “training the trainers” to provide an adequate cadre of qualified instructors to teach technicians.” Critical Foundations: Protecting America’s Infrastructures. The report of thePresident’s commission on Critical Infrastructure Protection. Oct., 1997. P71. (http://www.pccip.gov/)

  8. A Critical Component of The National Plan Within the Federal Government, the lack of skilled information system security personnel amounts to a crisis. This shortfall of workers reflects a scarcity of university graduate and undergraduate information security programs. In addressing these problems, we will leverage the ongoing efforts made by the Defense Department, The National Security Agency, CIO council,and various Federal Agencies. National Plan for Information Systems Protection: An Invitation to a Dialogue The White House. January, 2000.

  9. Resources • Some observations about resources and needs in the I A arena • people: • Critical shortage of faculty • equipment: • Already competition on campus for use • support & outside services: • Major infusion of funds/adjuncts required • market: • Exists and will grow

  10. “The NSTISSC provides a forum for discussion of policy issues, sets national policy, and promulgates direction, operational procedures, and guidance for the security of national security systems through the NSTISSC issuance system”. Within the national security community, steps are underway to define Information Assurance training requirements. http://www.nstissc.gov/

  11. EXISTING NSTISSI TRAINING STANDARDS NSTISSI 4011 National Training Standard for INFOSEC Professionals NSTISSI 4012 National Training Standard for Designated Approving Authorities NSTISSI 4013 National Training Standard for System Administrators in INFOSEC NSTISSI 4014 National Training Standard for Information System Security Officers Topical Performance-Based

  12. EMERGING NSTISSI TRAINING STANDARDS NSTISSI 4015 (Draft) National Training Standard for System Certifier - currently being reviewed by Committee NSTISSI 4016 (in development) National Training Standard for Risk Analyst - Validation Study completed

  13. System Certifier EDACUM Major Competencies • Certification Evaluation • Develop Recommendation to the DAA • Perform Certification Analysis • Prepare the SSAA • Compliance Validation • Change Management • Perform Negotiation • System Development Activities • Maintenance of the SSAA • Conduct Registration • System Operation • Document Mission Need

  14. System Certifier:Sample Training Standard Item • Competency: Compliance Validation • KSA: Continuity Planning • Performance Item: The certifier reviews the continuity plan tests conducted during system development to ensure appropriate recovery procedures can be executed Note: implied concomitant knowledge and skills. • Test plan documentation • Error code correction • System buffer capacity

  15. BUT! Where do I go? Whom do I trust?

  16. Background: Information Assurance Courseware Evaluation (IACE) Working Group • established by the Education, Training and • Awareness Issue Group, January 1999 • tasked to develop a process to evaluate courseware

  17. Benefits • NSTISSC • Identifies sources for specified training • Community • Raises the bar for quality and uniform training • Supports PDD 63 Training Initiatives • Participants • Recognition, market, creditability

  18. National Training Standard for: Information Systems Security Professionals - NSTISSI No. 4011 Designated Training Authority - NSTISSI No. 4012 System Administrators - NSTISSI No. 4013 Information Systems Security Officers - NSTISSI No. 4014 System Certifiers - NSTISSI No. 4015 Risk Analyst - NSTISSI No. 4016 Draft Under Development

  19. NSTISSI - 4011 NSTISSI - 4012 NSTISSI - 4013 NSTISSI - 4014 NSTISSI - 4015 NSTISSI - 4016 Certification Notification Departments & Agencies Certified Training Provider Delivery

  20. Working Group Members: NSA - Sara Piechowiak, Co-Chair DOS - Cari Eggspeuhler, Co-Chair Treasury - Patti Black DOE - Ray Holmer NSA - Doug von Lindenberg Justice - Donald Basham Pulse Engineering, Inc. - Ken Danckaert

  21. Status: Nov 1999 - Software development initiated Dec 1999 - Software development completed 09 Dec 1999 - Process approved by ETAIG • Jan 2000 - Beta testing complete Feb 2000 - Full Operational Capability Apr 2000 - Target Certification Awards at Conference

  22. Current Activities: • NSA Project Office Established • Project Manager named • Initial submissions against 4011 • IACEWG representatives are initial Reviewers

  23. Future Activities: • Resolve resource issues • Explore stand-alone capability • Revise and update current NSTISSI • standards • Add new NSTISSI standards, • once /approved • Market the program • Disband Working Group

  24. James Madison University IA Courseware IA Courseware Centers of Academic Centers of Academic National National University University Evaluation Evaluation Excellence Excellence Colloquium Colloquium Outreach Outreach National INFOSEC Education & Training Program National INFOSEC Education & Training Program The Future

  25. Simulated Courseware Demonstration

More Related