Explore the importance of IT security training standards and evaluation tools for improved personnel management and career advancement in information assurance. Learn about existing and emerging training standards in the field.
FISSEA Effective IT Security Training Strategies Emerging NSTISSC IA Training Standards and Evaluation Tools 16 March 00
DOCUMENTED NEED
• Redefining Security 1994 report
• “Uniformity in skills and knowledge taught security professionals is needed not only to ensure the quality of work, but also to foster a common understanding and implementation of security policies and procedures.”
Redefining Security: Joint Security Commission Report, Feb. 28, 1994, p. 124
DOCUMENTED NEED
• OTA 1994 Report
• “To be comprehensive, however, the generally accepted practices must be defined at several levels of detail, and different sets of the standards would apply to different users and applications.”
Information Security and Privacy in Network Environments. Office of Technology Assessment, Sept. 1994
DOCUMENTED NEED
• OASD Information Assurance 1997 Report
• The DoD still needs to:
• Have a personnel management infrastructure to identify IA-skilled personnel
• Verify IA-trained personnel are properly assigned and utilized
• Make IA career advancement opportunities available, and
• Provide opportunities for IA specialists to maintain and enhance their technical skills through continuing education and training
Improving Information Assurance: A General Assessment and Comprehensive Approach to an Integrated IA Program for the Dept. of Defense. ASDC3I, March 28, 1997, p2b.
DOCUMENTED NEED
• Secrecy
• “Agencies should be prepared to refocus existing resources on the training needed to create information security specialists. This direction must come from the top for creating a career path as an incentive for improving the quality of the computer security force expertise.”
• “The commission recommends developing an information systems security career path across government.”
Secrecy. Report of the Commission on Protecting and Reducing Government Secrecy. 103rd Congress, 1997, p. 111. (http://www.access.gpo.gov/int)
DOCUMENTED NEED
• President’s Commission on Critical Infrastructure Protection
• “NIST, NSA, and the U.S. Department of Education work in collaboration with the private sector to develop programs for education and training of information assurance specialists and for the continuing education as technologies change. This effort should also support “training the trainers” to provide an adequate cadre of qualified instructors to teach technicians.”
Critical Foundations: Protecting America’s Infrastructures. The report of the President’s Commission on Critical Infrastructure Protection. Oct. 1997, p. 71. (http://www.pccip.gov/)
A Critical Component of The National Plan
Within the Federal Government, the lack of skilled information system security personnel amounts to a crisis. This shortfall of workers reflects a scarcity of university graduate and undergraduate information security programs. In addressing these problems, we will leverage the ongoing efforts made by the Defense Department, the National Security Agency, the CIO Council, and various Federal Agencies.
National Plan for Information Systems Protection: An Invitation to a Dialogue. The White House, January 2000.
Resources
• Some observations about resources and needs in the IA arena
• People: critical shortage of faculty
• Equipment: already competition on campus for use
• Support & outside services: major infusion of funds/adjuncts required
• Market: exists and will grow
“The NSTISSC provides a forum for discussion of policy issues, sets national policy, and promulgates direction, operational procedures, and guidance for the security of national security systems through the NSTISSC issuance system”. Within the national security community, steps are underway to define Information Assurance training requirements. http://www.nstissc.gov/
EXISTING NSTISSI TRAINING STANDARDS
NSTISSI 4011 National Training Standard for INFOSEC Professionals
NSTISSI 4012 National Training Standard for Designated Approving Authorities
NSTISSI 4013 National Training Standard for System Administrators in INFOSEC
NSTISSI 4014 National Training Standard for Information System Security Officers
Topical / Performance-Based
EMERGING NSTISSI TRAINING STANDARDS
NSTISSI 4015 (Draft) National Training Standard for System Certifier - currently being reviewed by Committee
NSTISSI 4016 (in development) National Training Standard for Risk Analyst - Validation Study completed
System Certifier EDACUM Major Competencies
• Certification Evaluation
• Develop Recommendation to the DAA
• Perform Certification Analysis
• Prepare the SSAA
• Compliance Validation
• Change Management
• Perform Negotiation
• System Development Activities
• Maintenance of the SSAA
• Conduct Registration
• System Operation
• Document Mission Need
System Certifier: Sample Training Standard Item
• Competency: Compliance Validation
• KSA: Continuity Planning
• Performance Item: The certifier reviews the continuity plan tests conducted during system development to ensure appropriate recovery procedures can be executed
Note: implied concomitant knowledge and skills.
• Test plan documentation
• Error code correction
• System buffer capacity
BUT! Where do I go? Whom do I trust?
Background: Information Assurance Courseware Evaluation (IACE) Working Group
• Established by the Education, Training and Awareness Issue Group (ETAIG), January 1999
• Tasked to develop a process to evaluate courseware
Benefits
• NSTISSC: identifies sources for specified training
• Community: raises the bar for quality and uniform training; supports PDD 63 Training Initiatives
• Participants: recognition, market, credibility
National Training Standard for:
Information Systems Security Professionals - NSTISSI No. 4011
Designated Approving Authority - NSTISSI No. 4012
System Administrators - NSTISSI No. 4013
Information Systems Security Officers - NSTISSI No. 4014
System Certifiers - NSTISSI No. 4015 (Draft)
Risk Analyst - NSTISSI No. 4016 (Under Development)
[Diagram of the IACE certification flow; only the labels survive: NSTISSI 4011, 4012, 4013, 4014, 4015, 4016; Certification; Notification; Departments & Agencies; Certified Training Provider; Delivery]
Working Group Members:
NSA - Sara Piechowiak, Co-Chair
DOS - Cari Eggspeuhler, Co-Chair
Treasury - Patti Black
DOE - Ray Holmer
NSA - Doug von Lindenberg
Justice - Donald Basham
Pulse Engineering, Inc. - Ken Danckaert
Status:
Nov 1999 - Software development initiated
Dec 1999 - Software development completed
09 Dec 1999 - Process approved by ETAIG
Jan 2000 - Beta testing complete
Feb 2000 - Full Operational Capability
Apr 2000 - Target Certification Awards at Conference
Current Activities:
• NSA Project Office established
• Project Manager named
• Initial submissions against 4011
• IACEWG representatives are initial Reviewers
Future Activities:
• Resolve resource issues
• Explore stand-alone capability
• Revise and update current NSTISSI standards
• Add new NSTISSI standards, once approved
• Market the program
• Disband Working Group
The Future
• James Madison University
• IA Courseware Evaluation
• Centers of Academic Excellence
• National Colloquium
• University Outreach
• National INFOSEC Education & Training Program
Simulated Courseware Demonstration