National Information Assurance Education And Training


National Information Assurance Education and Training
x.htm
Sherry Borror, s.borror@radium.ncsc.mil

Agenda
- INFOSEC Training and Education: Documented Need
- Partnerships address a long-time problem
- NSA's Response: NIETP
- NIST-CNSS-NSA Linkage/Partnerships
- Future Initiatives

Let's Take Advantage of Work Already Done, and Work In Progress.

Many full/part-time personnel are not trained for the job they hold.
- Self Taught . . . . . "You Figure it out"
- On the Job Training . . . . . "Learn by mistake"
- Peer-to-peer exchange . . . . . "Security Guides and INFOSEC Lore"
- Conferences, Vendor, and Govt. Courses . . . . . "If funds Available"

To Demonstrate Existence of a Career Field
1. Distinct Body of Knowledge: EDACUMs have documented
2. Body of Literature: Nat'l Conference & UC-Davis Project
3. Career Progression: Already exists in several agencies; Proposed in NCSC Pub #27
4. Sufficient Numbers of Personnel (Dedicated to that Profession): OPM study nearly completed

INFOSEC/IA Personnel Shortfalls
- Many security tasks not being adequately performed due to lack of personnel, training, and tools
- Critical security responsibilities assigned as additional duties
- Lack of comprehensive, consistent training for ISSOs, security engineers, certifiers, accreditors

NSTISSC 1993 report
- INFOSEC Education and Training listed in top three priorities

"Education, training, and awareness are countermeasures that effectively reduce exposure to a variety of known risks. In order to achieve this end, it is essential to have a federal work force that is aware of, and educated about, the problems of information systems security (INFOSEC)."
Charles A. Hawkins, Jr., Acting Chairman, NSTISSC, 25 Feb. 1993

Redefining Security 1994 report
- "Uniformity in skills and knowledge taught security professionals is needed not only to ensure the quality of work, but also to foster a common understanding and implementation of security policies and procedures."

OTA 1994 Report
- "To be comprehensive, however, the generally accepted practices must be defined at several levels of detail, and different sets of the standards would apply to different users and applications."

CONTINUED
- "Some experts estimate that over one-half of the total financial and productivity losses in information systems is the result of human errors."
Information Security and Privacy in Network Environments, Office of Technology Assessment, Sept. 1994

President's Commission on Critical Infrastructure Protection
- "NIST, NSA, and the U.S. Department of Education work in collaboration with the private sector to develop programs for education and training of information assurance specialists and for the continuing education as technologies change. This effort should also support 'training the trainers' to provide an adequate cadre of qualified instructors to teach technicians."
Critical Foundations: Protecting America's Infrastructures. The report of the President's Commission on Critical Infrastructure Protection. Oct., 1997. P71. (http://www.pccip.gov/)

Mission
Be a leading advocate for improving information system security (INFOSEC) education and training nationwide.

NIETP Activities Related to PDD63: Highlights at a glance
National INFOSEC Education & Training Program (NIETP) .htm
- National Training Standards
- National Colloquium for Information Systems Security Education
- Centers of Academic Excellence in Information Assurance Education
- Courseware Evaluation Program for Certification
- Support to Military Services
- Academic Outreach
- Products
- Support to President's Critical Infrastructure Protection Board

PARTNERSHIPS (diagram): INFOSEC Education

NSA Designated Executive Agent
Assistant Secretary of Defense, Command, Control, Communications and Intelligence, MEMO Dated July 2, 2001:
"I hereby delegate to the Director, National Security Agency, the authorities and responsibilities of the Secretary of Defense under the following statute: Public Law 106-398, Department of Defense Scholarships for Service Program"

NSTISSC redesignated CNSS (Committee on National Security Systems)
"The CNSS provides a forum for discussion of policy issues, sets national policy, and promulgates direction, operational procedures, and guidance for the security of national security systems through the CNSS issuance system."

E DACUM: Electronic Develop A Curriculum
A method of involvement and consensus building to determine training needs as identified by skilled workers and professionals.
A joint NSA and ISU venture for producing CNSS Training Standards.

EDACUM
A consortium of over 1000 INFOSEC participants from: Education, Commerce, HHS, Treasury, House of Reps, Academia, Industry, ISI, ISSA, ISC, ARCA, MIS, Rockwell, Idaho State University, Navy PGS, NCS

Strength Through Diversity
Managers/Supervisors, Educators, SMEs, Policy Specialists: Stakeholders and Partners in Change

KNOWLEDGE: Broad comprehension of a subject that cannot necessarily be applied
SKILL: Comprehension of a subject that is/can be specifically applied to a job
ATTRIBUTE (ABILITY): Personality characteristics which are/can be developed to enhance job performance

KSA
- "Password Protection"
PERFORMANCE ITEM
- "Construct password protection schema"
BEHAVIORAL OBJECTIVE
- CONDITION: "Given password protection algorithm"
- BEHAVIORAL: "Construct password instruction set for a Windows NT network"
- STANDARD: "Which provides minimum 6 letter character and 30 day expiration date per new password"

Audit Function (Entry Level)
Work closely with ISSO to ensure the AIS or network is used securely
Policy and Procedures
- Explain the purpose of a system audit
- State logging policies
- Reproduce documentation required in event of a detected intrusion to the system
- Explain Electronic Records Management policy by monitoring notification
- Describe the need for separation of duties
- Explain Audit
- State audit trails and logging policies
- Reproduce documentation

Example INFOSEC Standard: System Administrator
Competency # 2: Access Control
- KSA # 2.a Policies/Administration (*9)
- Performance Item # 2.a.1: "Use network access change controls as designed"
Competency # 4: Audit
- KSA # 4.c Tools (*7)
- Performance Item # 4.c.6: "Identify two intrusion detection systems"
* Number of associated Behavioral KSAs
Total # KSAs for Systems Admin: 292

INFOSEC Electronic DACUMs to date
- DACUM I: Establishing the basics - Aug '92: Define A, T, & E levels/produce awareness materials.
- DACUM II: Creation of new AT&E Matrix - Aug '93: Build Nat'l. AT&E Model
- DACUM III: Unified Taxonomy for ISS Professors - Nov '93: Define and categorize KSAs.
- DACUM IV: From Theory to Instruction - Apr '94: Defined 3 operational level training Reqs.
- DACUM V: National Training Standards - Sept '94: Producing 3 draft NSTISSI 40XX.
- DACUM VI: System Certifier Standard - June '95: Define Trng. Std. for Certifier.

INFOSEC Electronic DACUMs to date (Cont.)
- DACUM VII: Completing A Picture - June '98: Integrating DITSCAP
- DACUM VIII: Defining Risk Analyst - March '99: An emerging career
- DACUM IX: Updating the Previous Work - June 2000: Transforming standards from INFOSEC to IA
- DACUM X: Putting IA into all of the standards - March 2002: Using Govt., Industry and Academia to transform the standards.

National Training Standards
- Information Systems Security Professionals - No. 4011
- Designated Approving Authority - No. 4012
- System Administrators (INFOSEC) - No. 4013
- Information Systems Security Officers - No. 4014
- System Certifiers - No. 4015
- Risk Analyst - No. 4016

Quality of Training

(Diagram) NSTISSI 4011, 4012, 4014, 4015, 4016 -> Agencies & Institutions -> Information Assurance Courseware Evaluation Project -> Certified Training Provider

Electronically Submit to Web: Academia, Government, Commercial

100% Mapping: National Standards, Curriculum, Certification

Certified Organizations
- AIR FORCE INSTITUTE OF TECHNOLOGY - 4011
- ARC INFORMATION ASSURANCE INSTITUTE - 4011, 4012, 4015
- GEORGE MASON UNIVERSITY - 4011
- GEORGE WASHINGTON UNIVERSITY - 4011
- FLORIDA STATE UNIVERSITY - 4011
- IDAHO STATE UNIVERSITY - 4011, 4013, 4014, 4015
- INDIANA UNIVERSITY OF PENNSYLVANIA - 4011
- INFORMATION RESOURCES MANAGEMENT COLLEGE - 4011
- IOWA STATE UNIVERSITY - 4011
- JOHNS HOPKINS UNIVERSITY - 4011
- NAVAL POSTGRADUATE SCHOOL - 4011
- NORWICH UNIVERSITY - 4011, 4014

Certified Organizations (continued)
- NEW MEXICO TECH - 4011
- NORTHEASTERN UNIVERSITY - 4011
- PURDUE UNIVERSITY - 4011
- STATE UNIVERSITY OF NEW YORK AT BUFFALO - 4011
- STATE UNIVERSITY OF NEW YORK AT STONY BROOK - 4011
- TOWSON UNIVERSITY - 4011
- UNIVERSITY OF CALIFORNIA, DAVIS - 4011
- UNIVERSITY OF IDAHO - 4011
- UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE - 4011
- UNIVERSITY OF NEBRASKA AT OMAHA - 4011
- UNIVERSITY OF TEXAS AT SAN ANTONIO - 4011
- UNIVERSITY OF TULSA - 4011, 4012, 4013, 4014, 4015

Certified Organizations (continued)
- SANS INSTITUTE - 4013
- UNIVERSITY OF WISCONSIN, MILWAUKEE - 4011
- UNIVERSITY OF FINDLAY - 4011

ACADEMIA

Emerging Role of Academia
- The number of colleges teaching INFOSEC is increasing.
- Integrated & stand-alone courses.
- Whole degree programs.
- Good geo-locations.

The Not So Good News
- Today there are only four declared, dedicated computer security research centers in degree-granting departments at universities in the United States.
- Over the past five years, approximately 5,500 PhDs in computer science and engineering were awarded by universities in the US. Only 16 of those were awarded for security-related research at these major centers (only 8 of the 16 were U.S. Nationals).
Dr. Eugene Spafford, Testimony to House Science Comm., Feb. 11, 1997

Defending America's Cyberspace
"In developing the Federal Cyber Service initiative, we can leverage existing Federal education, training and awareness programs. In education, the NSA has a program to designate universities as Centers of Academic Excellence in Information Assurance Education based on established criteria rooted in the National Security Telecommunications and Information Systems Security Committee (NSTISSC) training standards."

Partnerships with Academia: Centers of Academic Excellence in Information Assurance Education
Reducing the vulnerability of our NII by promoting higher education in information assurance, and producing a growing number of professionals with IA expertise in various
e/index.htm

Centers of Academic Excellence in Information Assurance Education (Graduate and Undergraduate Levels)
Criteria for oeiae/measure.htm
1. Use of NSTISSC Training Standards
2. IA treated as multidisciplinary
3. Demonstration of use of IA within the university
4. Encourages research in IA
5. IA curriculum reaches beyond normal geographic borders
6. Faculty active in IA research and practice
7. State of the art IA reference system/materials
8. Declared concentrations in IA
9. Declared center for IA education
10. More than one faculty member

NSA-Designated Centers of Academic Excellence in Information Assurance Education (map)
Partnership for Critical Infrastructure Security
Geo location is very good.

Centers of Academic Excellence in Information Assurance Education
Academic Years 1999-2002
- James Madison University
- George Mason University
- Idaho State University
- Iowa State University
- Purdue University
- University of California at Davis
- University of Idaho
Academic Years 2000-2003
- Carnegie Mellon University
- Florida State University
- Information Resources Management College, National Defense University
- Naval Postgraduate School
- Stanford University
- University of Illinois at Urbana Champaign
- University of Tulsa
Academic Years 2001-2004
- Drexel University
- United States Military Academy, West Point
- Georgia Institute of Technology
- University of Maryland, Baltimore County
- Mississippi State University
- University of North Carolina, Charlotte
- Norwich University
- West Virginia University
- Syracuse University

Centers of Academic Excellence in Information Assurance Education (continued)
Academic Years 2002-2005
New Designations:
- Air Force Institute of Technology
- George Washington University
- Indiana University of Pennsylvania
- New Mexico Tech
- North Carolina State University
- Northeastern University
- Polytechnic University
- State University of New York, Buffalo
- State University of New York, Stony Brook
- Towson University
- University of Maryland, University College
- University of Nebraska, Omaha
- University of Texas, San Antonio
Re-Designations:
- James Madison University
- George Mason University
- Idaho State University
- Iowa State University
- Purdue University
- University of California, Davis
- University of Idaho

Major DoD Military Installations (map legend): Army, Navy, Air Force, Joint/Dual, USMC, Gov't

Gov’t/DoD Bases/Agencies w/INFOSEC Training

(Map) NSA Centers of Academic Excellence in IA Education, Service Academies, Institutions with NSTISSC IA Certified Courseware
MAP TO CUSTOMER SITES!
Legend: Service Academy, Center of Excellence, Courseware Certified
Geolocation is very good.

University Based Web Sites
- George Mason: Center For Secure Information Systems, http://www.isse.gmu.edu/ csis
- Purdue University: Center for Education and Research in Information Assurance and Security, http://www.cerias.purdue.edu
- University of California, Davis: Security Lab, http://seclab.cs.ucdavis.edu/Security.html
- James Madison .edu/mba/MBAPgms.htm#TheInformationSecurity MBA
- Colloquium for Information Systems Security Education, http://www.infosec.jmu.edu/ncisse

Partnerships with Business, Academia, & Government: National Colloquium for Information Systems Security Education
Purpose: The Colloquium provides a forum for leading figures in government, industry and academia to work in partnership to define current and emerging requirements for information security education and to influence and encourage the development and expansion of information security education, especially at the graduate and undergraduate levels.
http://www.infosec.jmu.edu/ncisse

In Summary

National INFOSEC Education & Training Program (NIETP) (diagram)
Blue Box, NSA, University Outreach Program, Centers of Academic Excellence, National Colloquium, EDACUM, IA Courseware Evaluation

onal Solutions for a Safer World"
National Security Agency
ATTN: I2
9800 Savage Road
Fort Meade, Maryland 20755-6000
Dr. Vic Maconachy, Program Manager: w.macona@radium.ncsc.mil
Phone: (410) 854-6206
FAX: (410) 854-7043
