VA ISO Infrastructure Development, Office of Cyber and Information Security
Cyber Security Professionalization (CSP) Program: It’s ALL About People!
FISSEA ‘04
Terri Cinnamon, Team Leader TEAP
Michael Arant, Cyber Security Liaison
Agenda
• Background
• Objectives
• Program Elements
Background: VA
“. . .for them who shall have borne the battle. . .”
• VA: Largest Civilian Department
• 230,000 Employees, plus Contractors, Volunteers, Students. . .
• Health Services, Benefits, Memorial Services, and supporting Staff Offices for 26 Million Veterans, Plus Beneficiaries.
• Spend $60 Billion Annually
• COG, National Infrastructure, Emergency Preparedness
Background: VA Cyber Security
• Responsible for Cyber Security for entire Department.
• Bruce A. Brody, ADAS for Cyber and Information Security (Within OI&T, direct report to CIO)
• Recently Consolidated.
• TEAP (Training, Education, Awareness, and Professionalization): VA InfoSec Conferences, Universal Awareness, CISSP, National LMS
Background: Official Story
• June 2002: Promise to Congress (Congressman Buyer, Chairman, Subcommittee on Oversight and Investigations): Implement a “rigorous qualifications and certification program for ISOs…”
• September 2002: Information Security Officer (ISO) Infrastructure Development Support contract awarded.
Background: The Back Story
• Unflattering Congressional “Report Cards”.
• Persistent OIG Material Weakness
• Rampant Internet Worms
• Et Cetera. [Fill in your own Cyber Nightmares.]
• Incomplete transition to unified IT organizational structure.
• No direct line authority to the VA field security community.
Objectives of CSP Program
• The training and certification are based on current standards and best practices established by:
  • VA cyber security program
  • VA cyber security policies and procedures
  • National Institute of Standards and Technology (NIST)
• The program targets the core body of knowledge (CBK) required to perform the requisite duties of a CSP [Available on demand. . .just ask!]
Program Elements
• Directive and Handbook
• Position Descriptions (PDs)
• Career Paths
• Certification Program
• Training
• Incentive Program
• Credential Program
Program Elements: Directive and Handbook
• Describes the sub-elements of the program
  • Types of Cyber Security Practitioners
  • Certification
  • Credential
  • Incentive
Program Elements: Types of Cyber Security Practitioners (CSP)
• Information Security Manager (ISM): manages the departmental cyber security program
• Information Security Officer (ISO): manages/implements security program elements that are not hardware or software related
• Technical Security Officer (TSO): manages/implements security program elements that are system (e.g., hardware/software) related
Program Elements: Position Descriptions–Purpose
• Generic position descriptions (PDs)
  • Related performance standards
  • Performance metrics
  • Rating factors
• Flexibility to assign resources more effectively
• Ability to establish a career path with both vertical and horizontal progression
• Ability to accommodate IT personnel who wish to transition to the security field
• PDs to Human Resources Classifiers
• Available on demand. . .just ask!
Program Elements: 7 Categories of PDs

POSITION                    GRADE                 ROLE
Info. Sec. Manager (ISM)    SES, GS-15, GS-14     Manage Departmental Cyber Security Program
Regional ISO                GS-13/14              Supervise
                            GS-13/14              Team Lead
                            GS-12/13/14           Staff
Regional TSO                GS-13/14              Supervise
                            GS-13/14              Team Lead
                            GS-12/13/14           Staff
ISO                         GS-13/14              Supervise
                            GS-13/14              Team Lead
                            GS-12/13/14           Staff
TSO                         GS-13/14              Supervise
                            GS-13/14              Team Lead
                            GS-12/13/14           Staff
Sr. Staff ISO               GS-12/13              Sr. Staff
Staff ISO                   GS-11                 Team Lead
                            GS-7/9                Staff

Role definitions:
• Supervise: Performs annual review, hire/fire
• Team Lead: Allows a GS-n to provide work direction to another GS-n
• Staff: Implements policy/procedure
Program Elements: Career Paths–Purpose
• Identify movement for CSPs
  • Within and between local VA facilities
  • From local VA facilities to OCS regional support centers
  • Between and within OCS regional support centers
  • From OCS regional support centers to VACO
  • Within VACO OCS
• Identify sources of CSPs to fill openings
Program Elements: Career Paths–Approach
• Will be developed after the PDs are written and the level structure of the ISO positions has been completed
• Will clearly identify options for vertical and horizontal movement
  • E III / Within E III
  • E II / Within E II
  • E I / Within E I
• Critical for retention of certified staff
• Essential for recruiting highly qualified cyber security practitioners
Program Elements: Certification Program–Purpose
• The certification program for VA information security professionals will establish a realistic standard for information security practitioners
• The certification program is composed of successful completion of specific training, including completion of certification quizzes throughout the training
• Once CSPs have successfully completed training and testing, certifications will be awarded.
• The objective was to have 320 Full-time CSPs certified by 10/01/03; Achieved / Moving On.
Program Elements: Certification Program–Approach
• Develop a framework to allow for flexibility and growth
• Provide training to initiate the certification program
• Provide quizzes throughout the training that ensure CSPs have the minimum level of knowledge required on each subject to perform the duties of their position
• Provide guidance on additional training and certifications that can provide growth within the framework
Program Elements: Certification Program–Training
• Training tailored to VA, limited Federal policy and basic security concepts
• Objectives directly linked to source documents for tracking purposes
• Pre-test and training target the same objectives and can be used for self-assessment and training evaluation (non-attributable score)
• Delivery by Web as well as some stand-up at InfoSec Conference
Program Elements: Core Body of Knowledge (CBK)
Groupings: InfoSec Concepts, Networking Concepts, Major ISO Tasks
1. InfoSec Concepts
2. VA’s IT security programs
3. VA’s IT security policies and procedures
4. Risk management
5. System development life cycle
6. System environment
7. System Interconnections (physical)
8. Information sharing (logical)
9. Defense in depth at VA
10. Risk assessment
11. Security plans
12. Certification and accreditation
13. Technical controls
14. Operational controls
15. Incident Management
16. Security Awareness and Training
17. Internal audit
18. External audit
Program Elements: Incentive Program
• Work with representatives from VA HR, OCS, OI&T and with OPM to develop appropriate reward/retention options in draft form. Options may include:
  • Compensation
    • Advance payment for new hires
    • Recruitment and relocation bonuses
    • Retention allowances
    • Superior qualification appointments
  • Training
  • Career development
    • Vertical movement
    • Horizontal movement
  • Flexible work arrangements
Program Elements: Credential Program
• One credential for all Cyber Security Practitioners (e.g., ISM, ISO, and TSO)
• Credentialing criteria
  • Successful completion of ISO training course = certification
  • Experience
  • Subscribe to code of ethics
  • Satisfactory background investigation
  • Having no extant cyber security related adverse actions
• Credential identifies CSPs and gives them authority to act for the CIO in reporting security incidents and assisting in investigations as required
What Do We Want You to Leave With?
• VA is on its way.
• The whole Department is watching!
• Battles Fought / Victories Gained.
• Battles Fought / Lessons Learned / Scars Earned.
• Find Partners / Leverage Benefits.
• Introduce Ourselves.
Contact Us
Terri Cinnamon, Team Leader TEAP, 304-262-7314, terri.cinnamon@med.va.gov
Michael Arant, Cyber Security Liaison, 304-262-7326, michael.arant@mail.va.gov
VA Office of Cyber and Information Security