An Introduction to Teaching

1

• An Introduction to Teaching Developing
  Information Security Curriculum
• Michael E. Whitman, Ph.D., CISSP
• Kennesaw State University

InfoSec Support Programs
2
Information Assurance Curriculum Evaluation
Program

• The goal of the Information Assurance Courseware
  Evaluation (IACE) Program is to ensure compliance
  with national standards for information assurance
  education and training throughout the nation. The
  Committee on National Security Systems (CNSS)
  sets these standards.

3
Information Assurance Curriculum Evaluation
Program

• The IACE Program is a major step in meeting the
  national requirements for IA education and
  training. IACE is a systematic assessment of the
  degree to which the courseware from commercial,
  government, and academic sources maps to the
  national standards.
• When the institution has met all the elements of
  a specific standard, then it receives formal
  certification. The certification process does not
  judge the quality of the presentation of the
  material within the courseware it simply ensures
  that all of the elements of a specific standard
  are covered.

4
Information Assurance Curriculum Evaluation
Program

• Certified institutions meet the minimum national
  training and education standards for the duties
  and responsibilities of several career fields
• Information Assurance Professional
• Designated Approving Authority
• System Administration in Information Systems
  Security
• Information Systems Security Officer
• System Certifier

5
CNSS Standards

• NSTISSI-4011 - National Training Standard for
  Information Systems Security (INFOSEC)
  Professionals, dated 20 June 1994
• CNSSI-4012 - National Information Assurance
  Training Standard for Senior Systems Managers,
  dated June 2004 Supersedes NSTISSI No. 4012,
  dated August 1997
• CNSSI-4013 - National Information Assurance
  Training Standard For System Administrators (SA),
  dated March 2004
• CNSSI-4014 - Information Assurance Training
  Standard for Information Systems Security
  Officers, dated April 2004
• NSTISSI-4015 - National Training Standard for
  Systems Certifiers, dated December 2000

6
Centers of Academic Excellence

• The National Centers of Academic Excellence in
  Information Assurance Education (CAEIAE) Program
  is an outreach program designed and operated by
  the NSA in support of PDD 63, National Policy on
  Critical Infrastructure Protection, May 1998.
• The program is now jointly sponsored by the NSA
  and the Department of Homeland Security (DHS) in
  support of the President's National Strategy to
  Secure Cyberspace, February 2003. The goal of the
  program is to reduce vulnerability in our
  national information infrastructure by promoting
  higher education in information assurance (IA),
  and producing a growing number of professionals
  with IA expertise in various disciplines.

7
CAEIAE Criteria
8
Criteria 1 Partnerships in IA Education

• Provide evidence of partnerships in IA education
  with minority colleges and universities, 2-year
  community colleges and technical schools.
  (Example of evidence memorandum of agreement
  between both parties)
• Shared curriculum (Example IA teaching materials
  provided)
• Shared faculty (Example Faculty on curriculum
  development committee and/or teaching IA at
  minority institutions)
• Reciprocity of credits (Example Accepting
  academic credit in IA courses from minority
  institutions)

9
Criteria 2 IA Treated as a Multidisciplinary
Science

• The academic program demonstrates that IA is not
  treated as a separate discipline, but as a
  multidisciplinary science with the body of IA
  knowledge incorporated into various disciplines.
• Evidence that IA is taught as modules in existing
  courses and that non-technical/non-IA students
  are being introduced to IA, i.e., courses for
  managers/leaders. (Example Law school provides
  instruction on security countermeasures IT
  systems to help assure privacy)
• A concentration programs require non-technical
  courses of study, i.e., ethics, policy, legal,
  human performance, math, business. (Example
  Computer Science/IA majors take business
  law/ethics courses.)

10
Criteria 3 University Encourages the Practice
of IA

• The academic program demonstrates how the
  university encourages the practice of IA, not
  merely that IA is taught.
• Copy of university or departmental IA security
  plan.
• Evidence of IA Awareness Program for faculty and
  students. (Example Computer Based training
  required on-line tutorial, etc.)
• University appointed Information Systems Security
  Officer.

11
Criteria 4 Academic Program Encourages Research
in IA

• The academic program encourages research in IA.
  Provide examples.
• Program with IA concentrations have thesis,
  dissertation, or project requirements.
  Concentrations include declared majors, declared
  minors, established certificates of study within
  a major and produce research. Provide titles of
  thesis, dissertation, or projects in IA.
• Individual IA courses require research paper(s)
  or project(s). Provide titles of thesis,
  dissertation, or projects in IA.
• Non-IA courses encourage papers in IA topics or
  projects. Provide titles of thesis, dissertation,
  or projects in IA. (Example Criminal Justice
  encourages Forensics as a paper topic)

12
Criteria 5 IA Curriculum Reaches Beyond
Geographic Borders

• The IA curriculum reaches beyond the normal
  geographic borders of the university (Website for
  sharing IA resources and/or Internet classes
  outside normal borders.)
• A curriculum web site.
• Use of distance education technology and
  techniques to deliver IA courses.
• Sponsorship of regional or national IA curriculum
  workshops, colloquia, etc.
• Professional studies program leading to
  certificate in IA. (Example Students can engage
  in graduate studies in IA without completing a
  Masters Degree)

13
Criteria 6 Faculty Active in IA Practice
Research Contribute to IA Literature

• It is clearly demonstrated that the faculty is
  active in current IA practice and research, and
  contributes to IA literature. Substantiate depth
  and length of faculty expertise through
  submission of biographies.
• Published papers on IA topics within refereed
  journals or peer reviewed conference proceedings.
  Provide abstracts, dates, and identify where
  published.
• Faculty awarded grants for IA education and/or
  research development. Provide synopsis of IA
  related grants and dates.
• Faculty and/or student presentations on IA topics
  at regional or national conferences. Provide
  abstracts, dates, identify conferences, and
  distinguish faculty vs. student presentations.

14
Criteria 7 State-of-the-Art IA Resources

• The university library and reference
  systems/materials and/or the IA Center maintain
  state-of-the-art IA resources.
• Evidence of access to current INFOSEC educational
  text books, monographs, reports, and journals,
  including those in supporting areas such as Audit
  and Control.
• Evidence of archive or access to historical IA
  documents.

15
Criteria 8 Declared Concentrations

• Academic program, within a nationally or
  regionally accredited 4-year college or
  graduate-level university, has declared
  concentrations in IA. Identify the courses
  required for each concentration, provide
  syllabus, enrollment data for current academic
  year (not projected) and actual graduation data
  (not projected) for the past two academic years.
• Declared Concentrations
• 1. Concentration on IA at the BS level. (Enrolled
  Graduated)
• 2. Concentration on IA at the MS level. (Enrolled
  Graduated)
• 3. Concentration on IA at the PhD level.
  (Enrolled Graduated)

16
Criteria 9 Declared Center for IA Education or
Research

• The university has a declared center for IA
  education or a center for IA research from which
  IA curriculum is emerging. The center may be
  school or university-based.
• Provide documentation of the designation.
• (Example The Computer Science Department has an
  officially designated "Center for IA Studies"
  with a clear link to and sponsorship by the
  College of Engineering Sciences, with a charter
  signed at least at the College of Engineering
  level.

17
Criteria 10 Full-time IA Faculty

• University IA faculty consists of more than one
  individual devoted full time to IA. Includes
  shared and cross-departmental appointments for
  part-time and adjunct faculty.
• This may include institutional agreements for
  cooperative use/exchange of adjunct faculty
  from/between universities.
• Identify by name the full-time faculty member
  working full time in IA with overall
  responsibility for the IA Program.
• Additional full-time faculty member working full
  time in IA
• Shared faculty (e.g. intra or inter departmental,
  or other 4-year graduate university)
• Each adjunct/part-time faculty

18
CAEIAE

• CAEIAEs receive formal recognition from the U.S.
  government, as well as opportunities for prestige
  and publicity, for their role in securing our
  nation's information systems.
• Students attending CAEIAE schools are eligible to
  apply for scholarships and grants through the
  Department of Defense Information Assurance
  Scholarship Program and the Federal Cyber Service
  Scholarship for Service Program (SFS).
  Designation as a Center does not carry a
  commitment for funding from the NSA or the DHS.

19
NSA SEAL and Internship Program

• Each National Center of Academic Excellence in IA
  Education is assigned a Senior Executive Academic
  Liaison (SEAL) from the Information Assurance
  Directorate of the National Security Agency.
• The SEAL Program is intended to promote on-going
  dialog, identify areas of mutual interest, and
  enable the government and universities to work in
  collaboration for the benefit of the Nation.
  Identifying potential employees as well as
  sources for research and development is of great
  interest.
• The SEAL will provide additional information on
  available internship opportunities within the NSA

20
Department of Defense Information Assurance
Scholarship Program

• DoD has issued a grant solicitation inviting the
  non-DoD NSA CAEs to submit proposals for
  establishing an IA Scholarship Program on their
  campuses during Academic Year 2005-2006, or for
  continuing a program initiated in a prior year.
  The grant competition also allows CAEs to request
  support for capacity-building activities and for
  establishing a partnership with the Information
  Resources Management College (IRMC) to permit DoD
  civilian employees and military officers to
  transfer from IRMC to CAEs to complete IA
  master's and doctoral degree programs.
• Capacity building activities may include
  research, faculty development, curriculum
  development and improvements to laboratory
  facilities underpinning the IA Scholarship
  program.

21
Federal Cyber Service Scholarship for Service
Program (SFS).

• This program seeks to increase the number of
  qualified students entering the fields of
  information assurance and computer security and
  to increase the capacity of the United States
  higher education enterprise to continue to
  produce professionals in these fields.
• The Scholarship Track provides funding to
  colleges and universities to award scholarships
  in information assurance and computer security
  fields. Scholarship recipients will become part
  of the Federal Cyber Service of IT specialists
  who ensure the protection of the U.S.
  Government's information infrastructure.  
• The Capacity Building Track provides funds to
  colleges and universities to improve the quality
  and increase the production of information
  assurance and computer security professionals
  through professional development of information
  assurance faculty, the development of academic
  programs, and other activities.

22
Other NSF Security Programs

• Cyber Trust - Directorate for Computer and
  Information Science and Engineering (CISE)
• Networked computers reside at the heart of
  systems on which people now rely, both in
  critical national infrastructures and in their
  homes, cars, and offices. Today, many of these
  systems are far too vulnerable to cyber attacks
  that can inhibit their operation,
  corrupt valuable data, or expose private
  information

23
Technology and Professional Development Grants

• Microsoft Developers Academic Alliance
• IBM Scholars Program
• Shareware Hackerware
• Cisco Grants Program
• Cisco Faculty Development Bootcamp
• Purdues CERIAS Faculty Development
• KSUs Information Security Professional
  Development Program
• KSUs Information Security Curriculum Development
  Conference

24
First Steps

• Develop Curriculum
• Have Curriculum IACE Certified
• Establish Academic Partners
• Get CAEIAE recognition
• Pursue FCSSFS Capacity Building Grant
• Pursue SEAL NSA Internships
• Pursue FCSSFS Scholarship Grants
• Pursue DoD Scholarship Grants