Information Systems Security Engineering Professional

Transcription

Information Systems Security

Presentation Outline
What is ISSE
Why ISSEP
Development of the ISSEP
Concentration Content
Certification Specifics
UNCLASSIFIED

Systems Security Engineering Definition
The art and science of discovering users' security needs and designing and making, with economy and elegance, (information) systems so that they can safely resist the forces to which they may be subjected.
23-Dec-03 UNCLASSIFIED

Systems Security Engineering Process
(Process diagram; only the labels Discover Needs, Assess Effectiveness and Plan are recoverable from the slide.)

Why was the ISSEP created?
Enhance the field of information systems security engineering
Promote a common process
NSA/IAD has committed itself to promoting this certification to its employees and vendors

Why was the ISSEP created? (continued)
Fill a need that NSA has identified to recommend and use approved contractors to support our customers
While a specific policy statement has not been issued at this time, it is not known if the NSA/IAD will require, or simply prefer, individuals with the ISSEP in connection with certain information assurance projects

Development of the ISSEP
Joint effort with NSA/IAD and International Information Systems Security Certification Consortium, Inc. (ISC)2
Initiated in April 2002
Test development started in October 2002
First exam available in June 2003

NSA's Role
NSA/IAD provides the Subject Matter Experts
– Motivation and justification for this project is found in NSD 42 and the Federal Technology Transfer Act of 1986 (15 U.S.C. Section 3710A)

(ISC)2's Role
(ISC)2 will own and manage the certification
– The development of concentration examinations is a direct response to (ISC)2 research indicating that these needs of information security professionals were not being met.

Candidates for the ISSEP
Candidates for the ISSEP will have to successfully complete the Certified Information Systems Security Professional (CISSP) exam and be in good standing
The Common Body of Knowledge (CBK) covered by the 10 domains is considered foundational to the role of the ISSE

CISSP Domains
Security Management Practices
Security Architecture and Models
Access Control Systems & Methodology
Application Development Security
Operations Security
Physical Security
Cryptography
Telecommunications, Network, & Internet Security
Business Continuity Planning
Law, Investigations, & Ethics

What the ISSEP Covers
The ISSEP exam will include the additional domains of:
– Systems Security Engineering
– Certification and Accreditation
– Technical Management
– U.S. Government Information Assurance Regulations

Systems Security Engineering Process
1. Describe the Information Systems Security Engineering (ISSE) process as documented in the Information Assurance Technical Framework (IATF). (Knowledge)
2. Describe systems engineering processes in general and infer how security engineering integrates with these processes. (Comprehension)
3. Construct network architectures according to the principle of Defense-in-Depth. (Application)
4. Construct proper documentation for each phase of the ISSE process. (Application)

Certification and Accreditation
Sub-Domains
1. Definitions
2. Applicability to U.S. Government agencies
3. NIACAP, DITSCAP, Risk Management/Assessment
Objectives
1. Describe the National Information Assurance C&A Process (NIACAP) and the Department of Defense Information Technology Security C&A Process (DITSCAP). (Knowledge)
2. Explain key roles in the C&A process. (Comprehension)
3. Differentiate the applicability of U.S. Government regulations with respect to C&A. (Analysis)

Technical Management
Sub-Domains
1. Plan technical effort
2. Manage technical effort
Objectives
1. Identify the responsibilities of a program manager. (Knowledge)
2. Describe processes and tools used to manage technical efforts. (Knowledge)
3. Predict personnel, funding, and other needs based on the level of effort and technical complexity of the project. (Comprehension)

U.S. Government IA Regulations
Sub-Domains
1. National policies – Committee on National Security Systems (CNSS)
2. Civil agency policies
3. Defense agency policies
Objectives
1. Define common IA terminology used by the U.S. Government. (Knowledge)
2. Interpret all regulations dictating IA requirements for civil and defense agencies. (Application)

Training Availability
Training is available
The course is two days and covers the four new domain areas

When and Where the ISSEP Exam is Available
As of 1 June 2003, candidates can request to take the ISSEP exam on a space available basis wherever the CISSP exam is being administered

Cost of the Exam and Credential
The introductory cost of the exam is 295.00
The annual maintenance fee for the credential is 35.00
There are no additional Continuing Professional Education (CPE) requirements, but 20 of your 120 required CPEs must be in the new domain areas

For More Information
(ISC)2 website for the study guide and test dates and locations
– www.isc2.org
NSA website for more information on efforts of the Information Assurance Directorate
– www.nsa.gov