1
Information Assurance Education and the IS Curriculum
  • By
  • Kevin Lee Elder
  • Dennis Strouble
  • Dave Bouvin
  • Air Force Institute of Technology
  • Wright-Patterson AFB, Ohio

2
  • The views expressed in this article are those of
    the authors and do not reflect the official
    policy or position of the United States Air
    Force, Department of Defense, or the US
    Government.

3
Outline for Today
  • Introduction
  • Background of Information Assurance
  • NSA Centers of Excellence in Information
    Assurance Education
  • IRM Program Description
  • Information Assurance Track
  • Conclusion

4
Introduction
  • Air Force Institute of Technology
  • Graduate School of Engineering and Management
  • Information Resource Management Degree
  • Information Assurance Track
  • NSA Certification

5
Information Assurance
  • The National Security Agency's (NSA) INFOSEC
    Assessment Methodology (IAM) identifies 18
    baseline categories that should be included as
    components of the Information Assurance (IA)
    posture of any organization.

6
Baseline for IA
  1. IA Documentation
  2. IA Roles and Responsibilities
  3. Identification & Authentication
  4. Account Management
  5. Session Controls
  6. External Connectivity
  7. Telecommunications
  8. Auditing
  9. Virus Protection

Hurd, 2001
7
Baseline for IA cont.
  10. Contingency Planning
  11. Maintenance
  12. Configuration Management
  13. Back-Ups
  14. Labeling
  15. Media Sanitization/Disposal
  16. Physical Environment
  17. Personnel Security
  18. Training and Awareness

Hurd, 2001
8
Information Assurance Model
  • The McCumber model is used to organize the 18
    baseline categories for analysis and to address
    possible threats to automated systems.
  • Dimensions
      • Information States
      • Security Services
      • Security Countermeasures
  • Maconachy et al. expanded the model to include
      • the idea of the current information-intensive
        environment
      • time as a fourth dimension

Hurd, 2001
9
Information Assurance Model
Maconachy et al, 2001
10
Model and Mapping

  IA Model Dimensions          NSA IAM Baseline Categories
  -------------------          ---------------------------
  Information States
    Transmission               External Connectivity
    Storage                    Back-Ups; Disposal
    Processing                 Auditing; Session Controls
11
Model and Mapping cont.

  IA Model Dimensions          NSA IAM Baseline Categories
  -------------------          ---------------------------
  Security Countermeasures
    Technology                 Maintenance; Telecommunications;
                               Virus Protection
    Policies and Practices     Account Management; Configuration
                               Management; Contingency Planning;
                               IA Documentation; IA Roles &
                               Responsibilities; Media Sanitization
    People                     Awareness; Personnel Security;
                               Physical Security; Training
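The two mapping slides place each baseline category on one axis of the McCumber model at a time (information state, or countermeasure class), and give nothing for the Security Services axis. The model's analytic value, though, comes from asking the question per cell: for each state crossed with each service and countermeasure class, which category covers it? The script below is an added example written for this page, not code from the slides, the NSA or the cited papers. It encodes the tags exactly as the two tables give them, leaving blank what the tables leave unplaced, and reports which categories sit on no axis value, which axis values no category reaches, and which cells of the cube no single category covers. Category and axis names are the deck's; the dictionary layout and function names are mine, and the three service values are McCumber's original ones rather than anything the slides list.

```python
"""Coverage check of the NSA IAM baseline categories against the McCumber model.

Added example for this page, not code from the slides, the NSA or the cited
papers.  Tags are copied from the two "Model and Mapping" tables: where a
table leaves a category unplaced, its tag is left empty rather than guessed,
so the report shows exactly what that partial mapping does and does not cover.
"""
from itertools import product

# Axes of the model as the slides name them.  The three service values are
# McCumber's original ones (an assumption here; the slides list the axis but
# assign no categories to it, so no category below carries a "service" tag).
DIMENSIONS = {
    "state": ("transmission", "storage", "processing"),
    "service": ("confidentiality", "integrity", "availability"),
    "countermeasure": ("technology", "policy", "people"),
}

# The 18 IAM baseline categories (Hurd, 2001) with the axis values the slide
# tables assign them.  A missing key means the tables never place the
# category on that axis.
CATALOG = {
    "IA Documentation": {"countermeasure": ("policy",)},
    "IA Roles & Responsibilities": {"countermeasure": ("policy",)},
    "Identification & Authentication": {},
    "Account Management": {"countermeasure": ("policy",)},
    "Session Controls": {"state": ("processing",)},
    "External Connectivity": {"state": ("transmission",)},
    "Telecommunications": {"countermeasure": ("technology",)},
    "Auditing": {"state": ("processing",)},
    "Virus Protection": {"countermeasure": ("technology",)},
    "Contingency Planning": {"countermeasure": ("policy",)},
    "Maintenance": {"countermeasure": ("technology",)},
    "Configuration Management": {"countermeasure": ("policy",)},
    "Back-Ups": {"state": ("storage",)},
    "Labeling": {},
    "Media Sanitization/Disposal": {"state": ("storage",),
                                    "countermeasure": ("policy",)},
    "Physical Environment": {"countermeasure": ("people",)},
    "Personnel Security": {"countermeasure": ("people",)},
    "Training and Awareness": {"countermeasure": ("people",)},
}


def untagged(catalog, dim):
    """Categories the mapping never places on axis `dim`, sorted by name."""
    return sorted(name for name, tags in catalog.items() if not tags.get(dim))


def unused_values(catalog, dim):
    """Values on axis `dim` that no category is mapped to, in axis order."""
    used = {v for tags in catalog.values() for v in tags.get(dim, ())}
    return [v for v in DIMENSIONS[dim] if v not in used]


def empty_cells(catalog, dims):
    """Cells of the sub-cube spanned by `dims` that no single category covers.

    A category covers a cell only if it carries every coordinate of that
    cell; this is the per-cell question the McCumber model is meant to ask.
    """
    axes = [DIMENSIONS[d] for d in dims]
    gaps = []
    for cell in product(*axes):
        covered = any(
            all(coord in tags.get(dim, ()) for dim, coord in zip(dims, cell))
            for tags in catalog.values()
        )
        if not covered:
            gaps.append(cell)
    return gaps


def report(catalog=CATALOG, dims=("state", "countermeasure")):
    """Human-readable summary of the gaps in a mapping."""
    lines = []
    for dim in dims:
        lines.append(f"{dim}: unplaced categories = {untagged(catalog, dim)}")
        lines.append(f"{dim}: unused values = {unused_values(catalog, dim)}")
    lines.append(f"empty cells over {dims}: {empty_cells(catalog, dims)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run as-is, the report shows that the deck's two tables compose into only one fully covered cell, storage crossed with policy (Media Sanitization/Disposal is the sole category placed on both axes), and that six categories, Identification & Authentication and Labeling among them, are placed on neither axis. Adding the missing tags to `CATALOG` and passing all three dimension names to `empty_cells` turns the same script into the full cube check.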
12
Standards
  • The National Security Telecommunications and
    Information Systems Security Committee (NSTISSC)
    has been designated, by the President, as the
    Committee on National Security Systems (CNSS)
  • Standing Committee of the Critical Infrastructure
    Protection Board, chaired by the Department of
    Defense

13
Standards
  • National Security Telecommunications and
    Information Systems Security Committee (NSTISSC)
    training standards:
  • 4011 National Training Standard for Information
    Systems Security (INFOSEC) Professionals
  • 4012 National Training Standard for Designated
    Approving Authority (DAA)
  • 4013 National Training Standard for System
    Administration in Information Systems Security
  • 4014 National Training Standard for Information
    Systems Security Officers (ISSO)
  • 4015 National Training Standard for Systems
    Certifiers
  • 4016 National Training Standard for Risk Analyst
    (In Development)

14
NIETP
  • National Information Assurance Education and
    Training Program (NIETP)
    9800 Savage Road
    Fort Meade, MD 20755-6744
    ATTN: I02E, Suite 6744
  • Phone 410-854-6206
  • Fax 410-854-7043
  • http://niatec.info/nsacoe.htm

15
NSA Centers
  • 60 centers nationally
  • 45 of the 60 are staffed primarily by Computer
    Science faculty
  • Only 15 of the 60 primarily use faculty from
    outside Computer Science, in Information-oriented
    programs.

16
NSA Centers cont.
  • Only 22 of the 60 centers offer the NSA 4012
    certification.
  • Furthermore, only 8 of those 22 centers offer the
    4012 certification with a curriculum taught from
    an Information program.
  • Additionally, almost all of those eight centers
    build the 4012 on the 4011 certification.

17
NSA 4012 Certification
  • Designated Approving Authority (DAA) as defined
    in NSTISSI no. 4012
  • Core areas defined for coverage in the
    certification
  • Mapped to Knowledge clusters in IRM IA sequence
    of 3 courses

18
INFOSEC functions of DAA
  1. granting final approval to operate an IS or
    network in a specified security mode
  2. reviewing the accreditation documentation to
    confirm that the residual risk is within
    acceptable limits
  3. verifying that each IS complies with the IS
    security requirements, as reported by the
    Information Systems Security Officer (ISSO)
  4. ensuring the establishment, administration, and
    coordination of security for systems that agency,
    service, or command personnel or contractors
    operate
  5. ensuring that the Program Manager (PM) defines
    the system security requirements for acquisitions
  6. assigning INFOSEC responsibilities to the
    individuals reporting directly to the DAA
  7. approving the classification level required for
    applications implemented in a network
    environment
  8. approving additional security services necessary
    to interconnect to external systems (e.g.,
    encryption and non-repudiation)
  9. reviewing the accreditation plan and signing the
    accreditation statement for the network and each
    IS

19
INFOSEC Functions of DAA cont.
  10. defining the criticality and sensitivity levels
    of each IS
  11. reviewing the documentation to ensure each IS
    supports the security requirements as defined in
    the IS and network security programs
  12. allocating resources to achieve an acceptable
    level of security and to remedy security
    deficiencies
  13. establishing working groups, when necessary, to
    resolve issues regarding those systems requiring
    multiple or joint accreditation. This may
    require documentation of conditions or agreements
    in Memoranda of Agreement (MOA).
  14. ensuring that when classified or sensitive but
    unclassified information is exchanged between
    logically connected components, the content of
    this communication is protected from unauthorized
    observation by acceptable means, such as
    cryptography and Protected Distribution Systems
    (PDS).

20
AFIT Graduate IRM
  • Graduate School of Engineering and Management
  • IRM Program
  • Built on the MSIS 2000 model
  • Required Core Classes
  • Required Specialty Sequence
  • Required Thesis

21
CORE IRM Courses
  • ORSC 542 Managerial Behavior in Organizations
  • EMGT 530 Contract Management
  • IMGT 530 Conceptual Foundations of IRM
  • IMGT 580 Enterprise Information Architecture
  • IMGT 561 Database Management
  • IMGT 651 Systems Analysis and Design
  • IMGT 657 Data Communications
  • IMGT 690 Capstone Seminar in IRM.

22
IA Track
  • IMGT 684 Strategic Information Management
  • IMGT 688 Security and Ethics in the Information
    Age
  • IMGT 687 Managerial Aspects of Information
    Warfare
23
Electives
  • CSCE 525 Intro to Information Warfare
  • CSCE 625 Info Sys Security, Assurance and
    Analysis I
  • CSCE 725 Info Sys Security, Assurance and
    Analysis II
  • IMGT 570 E-Business
  • IMGT 680 Knowledge Management
  • SENG 530 Introduction to Space Operation
  • ORSC 638 Seminar in Contemporary Leadership
  • ORSC 647 Organizational Policy and Strategic Mgt.

24
Graduate IA Program (Computer Science)
  • Core
      • CSCE 544 Data Security
      • CSCE 625 Information Systems Security, Assurance
        and Analysis I
      • CSCE 654 Computer Networks
      • CSCE 689 Distributed Software Systems
      • CSCE 725 Information Systems Security, Assurance
        and Analysis II
  • Mathematics Requirement (4 quarter hours)
      • STAT 583 Probability and Statistics for Computer
        Science
      • Encouraged: Discrete Math, Finite Automata,
        Queuing Theory

25
Graduate IA Program
  • IA Depth (12 quarter hours)
      • CSCE 526 Secure Software Development (4)
      • CSCE 527 Cyber Forensics (4)
      • CSCE 528 Cyber Defense and Exploitation I (4)
      • CSCE 628 Cyber Defense and Exploitation II (2)
      • IMGT 684 Role of the Chief Information Officer
        (3)
      • IMGT 688 Security and Ethics in the Information
        Age (3)

26
IRM Knowledge Clusters
1 Legal Issues
2 Liability Issues
3 Crime Issues
4 Computer Security Policy
5 OMB Circular A-130
6 Electronic Records Management
7 Threats and Incidents
8 Threats and Vulnerabilities
9 Access
10 Administrative Responsibilities
11 COMSEC
12 Tempest
13 DAA Authority
14 Life Cycle Management
15 Continuity of Operations (COOP)
16 Risk Management
27
Conclusion
  • This paper described the unique Master's
    program(s) at a Midwestern United States school
    that primarily serves a specific student body
    made up of Department of Defense employees.
  • With a program in Information Assurance (IA) in
    place for many years, we have now created this
    new program with a decidedly IRM focus on IA.
  • It is the authors' hope that other schools can use
    this information to review their own program(s)
    and incorporate the concepts presented here as
    appropriate.
  • While these concepts are somewhat unique to the
    DoD, we feel other schools could benefit from
    their inclusion in the curriculum.
  • The concept of Information Assurance is now
    appearing in many schools, while it has been
    established in the DoD for many more years.

28
Questions
  • ??????