Information Assurance Education and the IS Curriculum. By Kevin Lee Elder Dennis Strouble Dave Bouvin Air Force Institute of Technology Wright-Patterson AFB, Ohio.
The views expressed in this article are those of the authors and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the US Government.

Outline for Today
• Introduction
• Background of Information Assurance
• NSA Centers of Excellence in Information Assurance Education
• IRM Program Description
• Information Assurance Track
• Conclusion

Introduction
• Air Force Institute of Technology
• Graduate School of Engineering and Management
• Information Resource Management Degree
• Information Assurance Track
• NSA Certification

Information Assurance
The National Security Agency’s (NSA) Information Security Assessment Model (IAM) identifies 18 baseline categories that should be included as components of the Information Assurance (IA) posture of any organization.

Baseline for IA
• IA Documentation
• IA Roles and Responsibilities
• Identification & Authentication
• Account Management
• Session Controls
• External Connectivity
• Telecommunications
• Auditing
• Virus Protection
Hurd, 2001

Baseline for IA cont.
• Contingency Planning
• Maintenance
• Configuration Management
• Back-Ups
• Labeling
• Media Sanitization/Disposal
• Physical Environment
• Personnel Security
• Training and Awareness
Hurd, 2001

Information Assurance Model
• The McCumber model is used to organize the 18 baseline categories for analysis and to address possible threats to automated systems.
• Dimensions
  • Information States
  • Security Services
  • Security Countermeasures
• Maconachy et al. expanded the model to include
  • Idea of current information-intensive environment
  • Time as a fourth dimension
Hurd, 2001

Information Assurance Model (Maconachy et al., 2001)

Model and Mapping

Model and Mapping cont.

Standards
• The National Security Telecommunications and Information Systems Security Committee (NSTISSC) has been designated, by the President, as the Committee on National Security Systems (CNSS)
• Standing Committee of the Critical Infrastructure Protection Board, chaired by the Department of Defense

Standards
• National Security Telecommunications and Information Systems Security Committee (NSTISSC)
  • 4011 National Training Standard for Information Systems Security (INFOSEC) Professionals
  • 4012 National Training Standard for Designated Approving Authority (DAA)
  • 4013 National Training Standard for System Administration in Information Systems Security
  • 4014 National Training Standard for Information Systems Security Officers (ISSO)
  • 4015 National Training Standard for Systems Certifiers
  • 4016 National Training Standard for Risk Analyst (In Development)

NIETP
• National Information Assurance Education and Training Program (NIETP), 9800 Savage Road, Fort Meade, MD 20755-6744, ATTN: I02E, Suite 6744
• Phone: 410-854-6206
• Fax: 410-854-7043
• http://niatec.info/nsacoe.htm

NSA Centers
• 60 centers nationally
• Primarily Computer Science faculty (45 out of 60)
• Only 15 out of 60 primarily utilize faculty from outside of Computer Science in Information-oriented programs.

NSA Centers cont.
Only 22 of the 60 centers offer the NSA 4012 certification. Furthermore, only 8 of those 22 centers offer the 4012 certification with a curriculum taught from an Information program. Additionally, almost all of those eight centers build the 4012 off of the 4011 certification.

NSA 4012 Certification
• Designated Approving Authority (DAA) as defined in NSTISSI No. 4012
• Core areas defined for coverage in the certification
• Mapped to Knowledge clusters in IRM IA sequence of 3 courses

INFOSEC Functions of DAA
• granting final approval to operate an IS or network in a specified security mode;
• reviewing the accreditation documentation to confirm that the residual risk is within acceptable limits;
• verifying that each IS complies with the IS security requirements, as reported by the Information Systems Security Officer (ISSO);
• ensuring the establishment, administration, and coordination of security for systems that agency, service, or command personnel or contractors operate;
• ensuring that the Program Manager (PM) defines the system security requirements for acquisitions;
• assigning INFOSEC responsibilities to the individuals reporting directly to the DAA;
• approving the classification level required for applications implemented in a network environment;
• approving additional security services necessary to interconnect to external systems (e.g. encryption and non-repudiation);
• reviewing the accreditation plan and signing the accreditation statement for the network and each IS;

INFOSEC Functions of DAA cont.
• defining the criticality and sensitivity levels of each IS;
• reviewing the documentation to ensure each IS supports the security requirements as defined in the IS and network security programs;
• allocating resources to achieve an acceptable level of security and to remedy security deficiencies;
• establishing working groups, when necessary, to resolve issues regarding those systems requiring multiple or joint accreditation. This may require documentation of conditions or agreements in Memoranda of Agreement (MOA); and
• ensuring that when classified or sensitive but unclassified information is exchanged between logically connected components, the content of this communication is protected from unauthorized observation by acceptable means, such as cryptography and Protected Distribution Systems (PDS).

AFIT Graduate IRM
• Graduate Eng. & Mgt. School
• IRM Program
• Built off of MSIS 2000 Model
• Required Core Classes
• Required Specialty Sequence
• Required Thesis

Core IRM Courses
• ORSC 542 Managerial Behavior in Organizations
• EMGT 530 Contract Management
• IMGT 530 Conceptual Foundations of IRM
• IMGT 580 Enterprise Information Architecture
• IMGT 561 Database Management
• IMGT 651 Systems Analysis and Design
• IMGT 657 Data Communications
• IMGT 690 Capstone Seminar in IRM

IA Track
• IMGT 684 Strategic Information Management
• IMGT 688 Security and Ethics in the Information Age
• IMGT 687 Managerial Aspects of Information Warfare

Electives
• CSCE 525 Intro to Information Warfare
• CSCE 625 Info Sys Security, Assurance and Analysis I
• CSCE 725 Info Sys Security, Assurance and Analysis II
• IMGT 570 E-Business
• IMGT 680 Knowledge Management
• SENG 530 Introduction to Space Operation
• ORSC 638 Seminar in Contemporary Leadership
• ORSC 647 Organizational Policy and Strategic Mgt.

Graduate IA Program (Computer Science)
• Core
  • CSCE 544 Data Security
  • CSCE 625 Information Systems Security, Assurance and Analysis I
  • CSCE 654 Computer Networks
  • CSCE 689 Distributed Software Systems
  • CSCE 725 Information Systems Security, Assurance and Analysis II
• Mathematics Requirement (4 quarter hours)
  • STAT 583 Probability and Statistics for Computer Science
  • Encouraged (Discrete Math, Finite Automata, Queuing Theory)

Graduate IA Program
• IA Depth (12 quarter hours)
  • CSCE 526 Secure Software Development (4)
  • CSCE 527 Cyber Forensics (4)
  • CSCE 528 Cyber Defense and Exploitation I (4)
  • CSCE 628 Cyber Defense and Exploitation II (2)
  • IMGT 684 Role of the Chief Information Officer (3)
  • IMGT 688 Security and Ethics in the Information Age (3)

IRM Knowledge Clusters

Conclusion
• This paper described the unique Master's program(s) at a Midwestern United States school that primarily serves a specific student body made up of Department of Defense employees.
• With a program in place for many years in Information Assurance (IA), we have now created this new program with a decidedly IRM focus to IA.
• It is the authors' hope that other schools can use this information to review their own program(s) and incorporate the concepts presented here as appropriate.
• While these concepts are somewhat unique to the DoD, we feel other schools could benefit from their inclusion into the curriculum.
• The concept of Information Assurance is now popping up in many schools, while it has been in the DoD for many more years.

Questions?