U.S. DEPARTMENT OF ENERGY

Essential Body of Knowledge (EBK)

A Competency and Functional Framework for Cyber Security Workforce Development

Office of the Chief Information Officer
Office of the Associate CIO for Cyber Security

June 2010

Table of Contents

Executive Summary
DOE Essential Body of Knowledge (EBK)
1.1 Data Security: 1.1.1 Manage; 1.1.2 Design; 1.1.3 Implement; 1.1.4 Evaluate
1.2 Enterprise Continuity: 1.2.1 Manage; 1.2.2 Design; 1.2.3 Implement; 1.2.4 Evaluate
1.3 Incident Management: 1.3.1 Manage; 1.3.2 Design; 1.3.3 Implement; 1.3.4 Evaluate
1.4 Cyber Security Training and Awareness: 1.4.1 Manage; 1.4.2 Design; 1.4.3 Implement; 1.4.4 Evaluate
1.5 IT Systems Operations and Maintenance: 1.5.1 Manage; 1.5.2 Design; 1.5.3 Implement; 1.5.4 Evaluate
1.6 Network and Telecommunications Security and Remote Access: 1.6.1 Manage; 1.6.2 Design; 1.6.3 Implement; 1.6.4 Evaluate
1.7 Personnel Security: 1.7.1 Manage; 1.7.2 Design; 1.7.3 Implement; 1.7.4 Evaluate
1.8 Physical and Environmental Security: 1.8.1 Manage; 1.8.2 Design; 1.8.3 Implement; 1.8.4 Evaluate
1.9 Procurement: 1.9.1 Manage; 1.9.2 Design; 1.9.3 Implement; 1.9.4 Evaluate
1.10 Regulatory and Standards Compliance: 1.10.1 Manage; 1.10.2 Design; 1.10.3 Implement; 1.10.4 Evaluate
1.11 Security Risk Management: 1.11.1 Manage; 1.11.2 Design; 1.11.3 Implement; 1.11.4 Evaluate
1.12 Strategic Security Management: 1.12.1 Manage; 1.12.2 Design; 1.12.3 Implement; 1.12.4 Evaluate
1.13 System and Application Security: 1.13.1 Manage; 1.13.2 Design; 1.13.3 Implement; 1.13.4 Evaluate
Appendix 1: Cyber Security Role-Based EBK: Key Terms and Concepts
Appendix 2: The Cyber Security Role-Based EBK: Competency and Functional Matrix
Appendix 3: List of Acronyms

Executive Summary

The Office of the Chief Information Officer (OCIO) utilized DOE cyber security policy, best practices and lessons learned, and comprehensive internal needs assessments to identify fundamental cyber security functional roles and associated responsibilities, and to define the essential body of knowledge (EBK) needed to support cyber security responsibilities and activities within the Department. Components of the EBK are assigned to each functional role, and a customized curriculum is determined for each key role via core competency worksheets. The OCIO has determined the following roles to be key functional cyber roles within the Department: Cyber Security Program Manager (CSPM), Designated Approving Authority (DAA), Designated Approving Authority Representative (DAAR), Information Systems Security Manager (ISSM), Certification Agent (CA), System Owner, and the Information System Security Officer (ISSO).

The DHS National Cyber Security Division (NCSD) Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development was used as the foundational document for the DOE-specific EBK. Additionally, the DOE EBK incorporates other established bodies of knowledge and the managerial, technical, assurance, and operational concepts and requirements of DOE Directives and OCIO reference baselines.

The EBK accomplishes two important Departmental training goals: 1) defining the baseline knowledge, skills, and abilities required for cyber security functional roles, and 2) providing the foundational objectives for the development, selection, and presentation of training. The competencies outlined in the EBK become the basis for training "modules" that can be fit into the specific curriculum for each of the Department-defined roles and can be presented independently to other staff with significant impact on the security of information systems (e.g., Help Desk personnel, hardware technicians, and software developers). Training can be delivered through a variety of methods, including classroom instruction, workshop/seminar, and online options, and can be tailored to Basic, Intermediate, and Advanced levels.

The DOE EBK and curriculum comply with required content identified by the Office of Management and Budget (OMB) Information Systems Security Line of Business (ISSLoB), align with the National Institute of Standards and Technology (NIST) Special Publications 800-16 and 800-50 guidance, and address the functional roles and responsibilities discussed in Departmental cyber security Directives. The modules and courses may be used by Senior DOE Management or Operating Unit Managers as a base for supplemental Senior DOE Management [1] Program Cyber Security Plans (PCSPs) or organization-specific training.

[1] Senior DOE Management includes the DOE Under Secretaries, the NNSA Administrator, the Energy Information Administration, the Power Marketing Administrations, and the DOE Chief Information Officer.

DOE Essential Body of Knowledge (EBK)

Information and system security is by its nature multidisciplinary, and it relies on a spectrum of knowledge and performance items/skill sets associated with systems security, operational security (OPSEC), TEMPEST, physical security, personnel security, and other security-related areas. Cyber security professionals must have a command of their craft, both in the core competencies and in the performance items/skill sets associated with their respective functional roles.

This section contains the 13 competency areas with defining functional statements, and all work functions categorized as Manage, Design, Implement, or Evaluate. Unless otherwise noted, the following competencies apply to both unclassified and classified computing environments. Classified information technology systems are typically referred to as National Security Systems, or NSS, throughout this appendix. The 13 competencies are:

- Data Security
- Continuity of Operations
- Incident Management
- Cyber Security Training and Awareness
- IT Systems Operations and Maintenance
- Network and Telecommunications Security
- Personnel Security
- Physical and Environmental Security
- Procurement
- Regulatory and Standards Compliance
- Risk Management
- Strategic Security Management
- System and Application Security

1.1 Data Security

Refers to application of the principles, policies, and procedures necessary to ensure the confidentiality, integrity, availability, and privacy of data in all forms of media (electronic and hardcopy) throughout the data life cycle.

1.1.1 Manage

- Ensure that data classification and data management policies and guidance are issued and updated
- Specify policy and coordinate review and approval
- Ensure compliance with data security policies and relevant legal and regulatory requirements in accordance with Departmental directives and applicable Program Cyber Security Plans (PCSP)
- Ensure appropriate changes and improvement actions are implemented as required

- Maintain current knowledge of authenticator management for unclassified and classified systems
- Ensure compliance with protection requirements, control procedures, incident management reporting, remote access requirements, and system management for all systems, as well as use of encryption for protecting Sensitive Unclassified Information (SUI), including Personally Identifiable Information (PII), and classified information.

1.1.2 Design

- Develop data security policies using data security standards, guidelines, and requirements that include privacy, authentication, access control, retention, disposal, incident management, disaster recovery, and configuration
- Identify and document the appropriate level of protection for data, including use of encryption
- Specify data and information classification, sensitivity, and need-to-know requirements by information type on a system in terms of its confidentiality, integrity, and availability. Utilize DOE M 205.1-5 to determine the information impacts for unclassified information and DOE M 205.1-4 to determine the Consequence of Loss for classified information
- Create an authentication and authorization system for users to gain access to data based on assigned privileges and permissions
- Develop acceptable use (e.g., personal use of IT policy; waste, fraud, and abuse policy, etc.) procedures in support of the data security policies
- Develop sensitive data collection and management procedures in accordance with Departmental/PCSP standards, procedures, directives, policies, regulations, and laws (statutes)
- Identify the minimum security controls based on the system categorization. Develop or identify additional security controls based on the Consequence of Loss or Impact and the perceived risk of compromise to the data introduced by the data's logical, operational, or physical environment
- Develop security testing procedures
- Develop media sanitization (clearing, purging, or destroying) and reuse procedures
- Develop and document processes, procedures, and guidelines for complying with protection requirements (e.g., e-mail labels, media labels, etc.), control procedures (e.g., discretionary access control, need-to-know sharing, etc.), incident management reporting, remote access requirements, system management, and use of encryption
- Develop procedures for the release of non-system-high information to systems accredited for lower information sensitivities (classified or unclassified)
- Develop procedures for securing approval to release unclassified information to the public (DOE M 470.4-4, OPSEC).

1.1.3 Implement

- Perform the data access management process according to established guidelines
- Apply and verify data security access controls, privileges, and associated profiles

- Implement media control procedures, and continuously monitor for compliance
- Implement and verify data security access controls, and assign privileges
- Address all suspected incidents in accordance with Departmental directives and applicable PCSPs
- Apply and maintain confidentiality controls and processes in accordance with standards, procedures, directives, policies, regulations, and laws (statutes)
- Implement authenticator generation and verification requirements and processes in accordance with standards, procedures, directives, policies, regulations, and laws (statutes)
- Execute media sanitization (clearing, purging, or destroying) and reuse procedures
- Execute processes and procedures for protecting SUI, including PII.

1.1.4 Evaluate

- Assess the effectiveness of Departmental/PCSP data security policies, processes, and procedures against established standards, guidelines, and requirements, and suggest changes where appropriate
- Evaluate the effectiveness of the sensitivity determination processes by assessing unclassified non-SUI data at rest for OPSEC issues
- Evaluate the effectiveness of solutions implemented to provide the required protection of data, including appropriate authenticator management and encryption controls
- Assess data transmissions (e.g., email, file transfers, etc.) to evaluate the protection mechanisms being utilized (e.g., sensitivity determinations, sensitivity labels, encryption, etc.)
- Review alleged violations of data security and privacy breaches
- Identify improvement actions required to maintain the appropriate level of data protection
- Evaluate the effectiveness of the media sanitization (clearing, purging, or destroying) and reuse processes
- Evaluate the effectiveness of the processes and procedures for protecting SUI, including PII.

1.2 Enterprise Continuity

Refers to application of the principles, policies, and procedures used to ensure that an organization continues to perform essential business functions within a defined accreditation boundary after the occurrence of a wide range of potential catastrophic events.

1.2.1 Manage

- Coordinate with stakeholders to establish the organizational continuity of operations program
- Acquire necessary resources, including financial resources, to conduct an effective continuity of operations program
- Define the continuity of operations organizational structure and staffing model
- Define emergency delegations of authority and orders of succession for key positions

- Direct contingency planning, operations, and programs to manage risk
- Define the scope of the continuity of operations program to address business continuity, business recovery, contingency planning, and disaster recovery/related activities
- Ensure that each system is covered by a contingency plan
- Integrate organizational concept of operations activities with related contingency planning activities
- Define overall contingency objectives and criteria required for activating contingency plans
- Establish a continuity of operations performance measurement program
- Identify and prioritize critical business functions to include Critical Infrastructure and Key Resources
- Ensure that appropriate changes and improvement actions are implemented as required
- Apply lessons learned from test, training and exercise, and crisis events.

1.2.2 Design

- Develop a continuity of operations plan and related procedures in accordance with Departmental directives and applicable PCSPs
- Develop and maintain information system continuity of operations documentation such as contingency, business continuity, disaster recovery, and incident management plans and disaster recovery strategies
- Develop a process for conducting Business Impact Analyses (BIAs) to identify systems providing critical services and facilitate the creation of disaster recovery strategies
- Develop a comprehensive test, training, and exercise program to evaluate and validate the readiness of continuity of operations plans and contingency plans for information systems
- Prepare internal and external continuity of operations communications procedures and guidelines.

1.2.3 Implement

- Execute organization and information system continuity of operations and related contingency plans and procedures
- Conduct testing of contingency plans for all organizational information systems
- Provide contingency plan test reports on Critical Infrastructure and Key Resources to Senior DOE Management
- Control access to information assets during an incident in accordance with organizational policy.

1.2.4 Evaluate

- Review test, training, and exercise results to determine if information systems are available within organization or Senior DOE Management mission-requirement time frames, and recommend changes as appropriate
- Assess the effectiveness of the continuity program, processes, and procedures, and make recommendations for improvement

- Continuously validate the organization against additional mandates, as developed, to ensure full compliance
- Collect and report performance measures and identify improvement actions.

1.3 Incident Management

Refers to knowledge and understanding of the process to prepare cyber security incident reports and to prevent, detect, investigate, contain, eradicate, and recover from incidents that impact the organizational mission as directed by the DOE Cyber Incident Response Capability (CIRC). This competency includes the knowledge of digital investigation and analysis techniques.

1.3.1 Manage

- Coordinate with stakeholders to establish the incident management program
- Establish and coordinate activities of a Cyber Security Incident Response Team (CIRT) to perform digital and network incident management activities
- Establish relationships between the CIRT and internal individuals/groups (e.g., DAA, classification/technical officer, Facility Security Officer, legal department, etc.) and external individuals/groups (e.g., CIRC, law enforcement agencies, vendors, and public relations professionals)
- Acquire and manage resources, including financial resources, for incident management functions
- Ensure users and incident management personnel are trained in incident reporting and handling procedures
- Ensure coordination between the CIRT and the security administration and technical support teams
- Provide adequate work space for the CIRT that at a minimum takes into account the electrical, thermal, acoustic, and privacy concerns (i.e., intellectual property, classification, contraband) and security requirements (including access control and accountability) of equipment and personnel, and provide adequate report writing/administrative areas
- Apply lessons learned from information security incidents to improve incident management processes and procedures
- Ensure that appropriate changes and improvement actions are implemented as required
- Maintain current knowledge of network forensic tools and processes
- Establish an incident management measurement program.

1.3.2 Design

- Develop the incident management policy, based on standards and procedures for the organization, to include impact assessments and incident categorization requirements
- Develop procedures for reporting INFOCON changes and security incidents, including incidents and potential incidents involving Personally Identifiable Information (PII), to CIRC
- Identify services that the incident response team should provide

- Create an Incident Response Management Plan in accordance with DOE policies and the applicable PCSP
- Develop procedures for performing incident and INFOCON responses and maintaining records
- Develop procedures for handling information and cyber alerts disseminated by the DOE CIRC
- Create incident response exercises and penetration testing activities
- Specify incident response staffing and training requirements to include general users, system administrators, and other affected personnel
- Establish an incident management measurement program
- Develop policies for preservation of electronic evidence, data recovery and analysis, and the reporting and archival requirements of examined material in accordance with procedures set forth by the DOE CIRC
- Adopt or create chain of custody procedures that include disposal procedures and, when required, the return of media to its original owner in accordance with procedures set forth by the DOE CIRC.

1.3.3 Implement

- Apply response actions in reaction to security incidents, in accordance with established policies, plans, and procedures, to include appropriate incident characterization (i.e., Type 1 or Type 2) and categorization (i.e., low, medium, high, or very high)
- Respond to and report incidents within mandated timeframes as required by the DOE CIRC and other federal agencies (e.g., Office of Health, Safety, and Security) as appropriate
- Perform assessments to determine the impact of the loss of confidentiality, integrity, and/or availability
- Respond proactively to information and alerts disseminated by the DOE CIRC, to include performing consequence analyses and corrective actions
- Respond proactively to changes in INFOCON levels as disseminated by Senior DOE Management/DOE CIO
- Assist in collecting, processing, and preserving evidence according to Departmental/PCSP standards, procedures, directives, policies, regulations, and laws (statutes)
- Perform forensic analysis on networks and computer systems, and make recommendations for remediation
- Apply and maintain intrusion detection systems, intrusion prevention systems, network mapping software, and monitoring and logging systems, and analyze results to protect, detect, and correct information security-related vulnerabilities and events
- Follow proper chain-of-custody best practices in accordance with procedures set forth by the DOE CIRC
- Collect and retain audit data to support technical analysis relating to misuse, penetration, reconstruction, or other investigations
- Provide audit data to appropriate law enforcement or other investigating agencies, to include Departmental security elements

- Report complete and accurate findings, and results of the analysis of digital evidence, to appropriate resources
- Execute incident response plans
- Execute penetration testing activities and incident response exercises
- Ensure lessons learned from incidents are collected in a timely manner and are incorporated into plan reviews
- Collect, analyze, and report incident management measures
- Coordinate, integrate, and lead team responses with internal and external groups according to applicable policies and procedures
- Coordinate, interface, and work under the direction of appropriate legal authority (e.g., Inspector General, FBI) regarding investigations or other legal requirements, including investigations that involve external governmental entities (e.g., international, national, state, local).

1.3.4 Evaluate

- Assess the efficiency and effectiveness of incident response program activities, to include digital forensic investigations, and make improvement recommendations
- Examine the effectiveness of penetration testing, incident response tests, INFOCON processes, training, and exercises
- Examine penetration testing and vulnerability analysis results to identify risks and implement patch management
- Assess the effectiveness of communications between the CIRT and related internal and external organizations, and implement changes where appropriate
- Identify incident management and INFOCON improvement actions based on assessments of the effectiveness of incident management and INFOCON procedures.

1.4 Cyber Security Training and Awareness

Refers to the principles, practices, and methods required to raise employee awareness about basic information security and to train individuals with information security roles to increase their knowledge, skills, and abilities. Training activities are designed to instruct workers about their security responsibilities and teach them about information security processes and procedures to enable duties to be performed optimally and securely within related environments. Awareness activities present essential information security concepts to the workforce to influence user behavior.

1.4.1 Manage

- Identify business requirements and establish PCSP and organizational policy for the cyber security awareness and training program
- Acquire and manage necessary resources, including financial resources, to support the cyber security awareness and training program
- Set operational performance measures for training and delivery, and ensure that they are met
- Ensure the organization complies with cyber security awareness and training standards and requirements

- Ensure that appropriate changes and improvement actions are implemented as required.

1.4.2 Design

- Develop the policy for the cyber security training and awareness program
- Incorporate requirements from the Department cyber security training and awareness program
- Define the goals and objectives of the cyber security awareness and training program
- Work with appropriate security SMEs to ensure completeness and accuracy of the security training and awareness program
- Establish a tracking and reporting strategy for the cyber security training and awareness program
- Ensure currency
