Title: Kevin Lee Elder
Information Assurance Education and the IS Curriculum
- By
- Kevin Lee Elder
- Dennis Strouble
- Dave Bouvin
- Air Force Institute of Technology
- Wright-Patterson AFB, Ohio
- The views expressed in this article are those of the authors and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the US Government.
Outline for Today
- Introduction
- Background of Information Assurance
- NSA Centers of Excellence in Information Assurance Education
- IRM Program Description
- Information Assurance Track
- Conclusion
Introduction
- Air Force Institute of Technology
- Graduate School of Engineering and Management
- Information Resource Management Degree
- Information Assurance Track
- NSA Certification
Information Assurance
- The National Security Agency's (NSA) Information Security Assessment Model (IAM) identifies 18 baseline categories that should be included as components of the Information Assurance (IA) posture of any organization.
Baseline for IA
- IA Documentation
- IA Roles and Responsibilities
- Identification and Authentication
- Account Management
- Session controls
- External Connectivity
- Telecommunications
- Auditing
- Virus Protection
Hurd, 2001
Baseline for IA cont.
- Contingency Planning
- Maintenance
- Configuration Management
- Back-Ups
- Labeling
- Media Sanitization/Disposal
- Physical Environment
- Personnel Security
- Training and Awareness
Hurd, 2001
Information Assurance Model
- The McCumber model is used to appropriately organize the 18 baseline categories for analysis and to address possible threats to automated systems.
- Dimensions
- Information States
- Security Services
- Security Countermeasures
- Maconachy et al. expanded the model to include
- Idea of current information intensive environment
- Time as a fourth dimension
Hurd, 2001
Information Assurance Model
[Figure: the expanded Information Assurance Model, Maconachy et al., 2001]
Model and Mapping
IA Model Dimension -> NSA IAM Baseline Categories
Information States:
- Transmission: External Connectivity
- Storage: Back-Ups, Disposal
- Processing: Auditing, Session Controls
Model and Mapping cont.
IA Model Dimension -> NSA IAM Baseline Categories
Security Countermeasures:
- Technology: Maintenance, Telecommunications, Virus Protection
- Policies and Practices: Account Management, Configuration Management, Contingency Planning, IA Documentation, IA Roles and Responsibilities, Media Sanitization
- People: Awareness, Personnel Security, Physical Security, Training
Standards
- The National Security Telecommunications and Information Systems Security Committee (NSTICC) has been designated, by the President, as the Committee on National Security Systems (CNSS)
- Standing Committee of the Critical Infrastructure Protection Board, chaired by the Department of Defense
Standards
- National Security Telecommunications and Information Systems Security Committee (NSTICC)
- 4011 National Training Standard for Information Systems Security (INFOSEC) Professionals
- 4012 National Training Standard for Designated Approving Authority (DAA)
- 4013 National Training Standard for System Administration in Information Systems Security
- 4014 National Training Standard for Information Systems Security Officers (ISSO)
- 4015 National Training Standard for Systems Certifiers
- 4016 National Training Standard for Risk Analyst (In Development)
NIETP
- National Information Assurance Education and Training Program (NIETP)
- 9800 Savage Road, Fort Meade, MD 20755-6744, ATTN I02E, Suite 6744
- Phone 410-854-6206
- Fax 410-854-7043
- http://niatec.info/nsacoe.htm
NSA Centers
- 60 centers nationally
- Primarily Computer Science Faculty
- (45 out of 60)
- Only 15 out of 60 primarily utilize faculty from
outside of Computer Science in Information
oriented programs.
NSA Centers cont.
- Only 22 of the 60 centers offer the NSA 4012 certification.
- Furthermore, only 8 of those 22 centers offer the 4012 certification with a curriculum taught from an Information program.
- Additionally, almost all of those eight centers build the 4012 off of the 4011 certification.
NSA 4012 Certification
- Designated Approving Authority (DAA) as defined in NSTISSI no. 4012
- Core areas defined for coverage in the certification
- Mapped to Knowledge clusters in the IRM IA sequence of 3 courses
INFOSEC Functions of DAA
- Granting final approval to operate an IS or network in a specified security mode
- Reviewing the accreditation documentation to confirm that the residual risk is within acceptable limits
- Verifying that each IS complies with the IS security requirements, as reported by the Information Systems Security Officer (ISSO)
- Ensuring the establishment, administration, and coordination of security for systems that agency, service, or command personnel or contractors operate
- Ensuring that the Program Manager (PM) defines the system security requirements for acquisitions
- Assigning INFOSEC responsibilities to the individuals reporting directly to the DAA
- Approving the classification level required for applications implemented in a network environment
- Approving additional security services necessary to interconnect to external systems (e.g., encryption and non-repudiation)
- Reviewing the accreditation plan and signing the accreditation statement for the network and each IS
INFOSEC Functions of DAA cont.
- Defining the criticality and sensitivity levels of each IS
- Reviewing the documentation to ensure each IS supports the security requirements as defined in the IS and network security programs
- Allocating resources to achieve an acceptable level of security and to remedy security deficiencies
- Establishing working groups, when necessary, to resolve issues regarding those systems requiring multiple or joint accreditation. This may require documentation of conditions or agreements in Memoranda of Agreement (MOA)
- Ensuring that when classified or sensitive but unclassified information is exchanged between logically connected components, the content of this communication is protected from unauthorized observation by acceptable means, such as cryptography and Protected Distribution Systems (PDS).
AFIT Graduate IRM
- Graduate Eng. Mgt. School
- IRM Program
- Built off of MSIS 2000 Model
- Required Core Classes
- Required Specialty Sequence
- Required Thesis
CORE IRM Courses
- ORSC 542 Managerial Behavior in Organizations
- EMGT 530 Contract Management
- IMGT 530 Conceptual Foundations of IRM
- IMGT 580 Enterprise Information Architecture
- IMGT 561 Database Management
- IMGT 651 Systems Analysis and Design
- IMGT 657 Data Communications
- IMGT 690 Capstone Seminar in IRM.
IA Track
- IMGT 684 Strategic Information Management
- IMGT 688 Security and Ethics in the Information Age
- IMGT 687 Managerial Aspects of Information Warfare
Electives
- CSCE 525 Intro to Information Warfare
- CSCE 625 Info Sys Security, Assurance and Analysis I
- CSCE 725 Info Sys Security, Assurance and Analysis II
- IMGT 570 E-Business
- IMGT 680 Knowledge Management
- SENG 530 Introduction to Space Operation
- ORSC 638 Seminar in Contemporary Leadership
- ORSC 647 Organizational Policy and Strategic Mgt.
Graduate IA Program (Computer Science)
- Core
- CSCE 544 Data Security
- CSCE 625 Information Systems Security, Assurance and Analysis I
- CSCE 654 Computer Networks
- CSCE 689 Distributed Software Systems
- CSCE 725 Information Systems Security, Assurance and Analysis II
- Mathematics Requirement (4 quarter hours)
- STAT 583 Probability and Statistics for Computer Science
- Encouraged (Discrete Math, Finite Automata, Queuing Theory)
Graduate IA Program
- IA Depth (12 quarter hours)
- CSCE 526 Secure Software Development (4)
- CSCE 527 Cyber Forensics (4)
- CSCE 528 Cyber Defense and Exploitation I (4)
- CSCE 628 Cyber Defense and Exploitation II (2)
- IMGT 684 Role of the Chief Information Officer (3)
- IMGT 688 Security and Ethics in the Information Age (3)
IRM Knowledge Clusters
1 Legal Issues
2 Liability Issues
3 Crime Issues
4 Computer Security Policy
5 OMB Circular A-130
6 Electronic Records Management
7 Threats and Incidents
8 Threats and Vulnerabilities
9 Access
10 Administrative Responsibilities
11 COMSEC
12 Tempest
13 DAA Authority
14 Life Cycle Management
15 Continuity of Operations (COOP)
16 Risk Management
Conclusion
- This paper described the unique Masters program(s) at a Midwestern United States school that primarily serves a specific student body made up of Department of Defense employees.
- With a program in place for many years in Information Assurance (IA), we have now created this new program with a decidedly IRM focus to IA.
- It is the authors' hope that other schools can use this information to review their own program(s) and incorporate the concepts presented here as appropriate.
- While these concepts are somewhat unique to the DoD, we feel other schools could benefit from their inclusion in the curriculum.
- The concept of Information Assurance is now popping up in many schools, while it has been in the DoD for many more years.
Questions