Kevin Lee Elder

1
Information Assurance Education and the IS
Curriculum

• By
• Kevin Lee Elder
• Dennis Strouble
• Dave Bouvin
• Air Force Institute of Technology
• Wright-Patterson AFB, Ohio

2

• The views expressed in this article are those of
  the authors and do not reflect the official
  policy or position of the United States Air
  Force, Department of Defense, or the US
  Government.

3
Outline for Today

• Introduction
• Background of Information Assurance
• NSA Centers of Excellence in Information
  Assurance Education
• IRM Program Description
• Information Assurance Track
• Conclusion

4
Introduction

• Air Force Institute of Technology
• Graduate School of Engineering and Management
• Information Resource Management Degree
• Information Assurance Track
• NSA Certification

5
Information Assurance

• The National Security Agencys (NSA) Information
  Security Assessment Model (IAM) identifies 18
  baseline categories that should be included as
  components of the Information Assurance (IA)
  posture of any organization

6
Baseline for IA

1. IA Documentation
2. IA Roles and Responsibilities
3. Identification Authentication
4. Account Management
5. Session controls
6. External Connectivity
7. Telecommunications
8. Auditing
9. Virus Protection

Hurd, 2001
7
Baseline for IA cont.

1. Contingency Planning
2. Maintenance
3. Configuration Management
4. Back-Ups
5. Labeling
6. Media Sanitization/Disposal
7. Physical Environment
8. Personnel Security
9. Training and Awareness

Hurd, 2001
8
Information Assurance Model

• McCumber model is used to appropriately organize
  the 18 baseline categories for analysis and to
  address possible threats to automated systems.
• Dimensions
• Information States
• Security Services
• Security Countermeasures
• Maconachy et al. expanded the model to include
• Idea of current information intensive environment
• Time as a fourth dimension

Hurd, 2001
9
Information Assurance Model
Maconachy et al, 2001
10
Model and Mapping
IA Model Dimensions NSA IAM Baseline Categories
Information States  
Transmission External Connectivity
Storage Back-Ups Disposal
Processing Auditing Session Controls
11
Model and Mapping cont.
IA Model Dimensions NSA IAM Baseline Categories
Security Counter Measures  
Technology MaintenanceTelecommunicationsVirus Protection
Policies and Practices Account ManagementConfiguration ManagementContingency PlanningIA DocumentationIA Roles ResponsibilitiesMedia Sanitization
People AwarenessPersonnel SecurityPhysical SecurityTraining
12
Standards

• National Security Telecommunications and
  Information Systems Security Committee (NSTICC)
  has been designated, by the President, as the
  Committee on National Security Systems (CNSS)
• Standing Committee of the Critical Infrastructure
  Protection Board, chaired by the Department of
  Defense

13
Standards

• National Security Telecommunications and
  Information Systems Security Committee (NSTICC)
• 4011 National Training Standard for Information
  Systems Security (INFOSEC) Professionals
• 4012 National Training Standard for Designated
  Approving Authority (DAA)
• 4013 National Training Standard for System
  Administration in Information Systems Security
• 4014 National Training Standard for Information
  Systems Security Officers (ISSO)
• 4015 National Training Standard for Systems
  Certifiers
• 4016 National Training Standard for Risk Analyst
  (In Development)

14
NIETP

• National Information Assurance Education and
  Training Program (NIETP)9800 Savage RoadFort
  Meade, MD 20755-6744ATTN I02E, Suite 6744
• Phone 410-854-6206
• Fax 410-854-7043
• http//niatec.info/nsacoe.htm

15
NSA Centers

• 60 centers nationally
• Primarily Computer Science Faculty
• (45 out of 60)
• Only 15 out of 60 primarily utilize faculty from
  outside of Computer Science in Information
  oriented programs.

16
NSA Centers cont.

• Only 22 of the 60 centers offer the NSA 4012
  certification.
• Furthermore, only 8 of those 22 centers offer the
  4012 certification with a curriculum taught from
  an Information program.
• Additionally, almost all of those eight centers
  build the 4012 off of the 4011 certification.

17
NSA 4012 Certification

• Designated Approving Authority (DAA) as defined
  in NSTISSI no. 4012
• Core areas defined for coverage in the
  certification
• Mapped to Knowledge clusters in IRM IA sequence
  of 3 courses

18
INFOSEC functions of DAA

1. Granting final approval to operate an IS or
   network in a specified security mode
2. Reviewing the accreditation documentation to
   confirm that the residual risk is within
   acceptable limits
3. verifying that each IS complies with the IS
   security requirements, as reported by the
   Information Systems Security Officer (ISSO)
4. ensuring the establishment, administration, and
   coordination of security for systems that agency,
   service, or command personnel or contractors
   operate
5. ensuring that the Program Manager (PM) defines
   the system security requirements for acquisitions
6. assigning INFOSEC responsibilities to the
   individuals reporting directly to the DAA
7. approving the classification level required for
   applications implemented in a network
   environment
8. approving additional security services necessary
   to interconnect to external systems (e.g.
   encryption and non-repudiation)
9. reviewing the accreditation plan and sign the
   accreditation statement for the network and each
   IS

19
INFOSEC Functions of DAA cont.

1. defining the criticality and sensitivity levels
   of each IS
2. reviewing the documentation to ensure each IS
   supports the security requirements as defined in
   the IS and network security programs
3. allocating resources to achieve an acceptable
   level of security and to remedy security
   deficiencies
4. establishing working groups, when necessary, to
   resolve issues regarding those systems requiring
   multiple or joint accreditation. This may
   require documentation of conditions or agreements
   in Memoranda of Agreement (MOA) and
5. ensuring that when classified or sensitive but
   unclassified information is exchanged between
   logically connected components, the content of
   this communication is protected from unauthorized
   observation by acceptable means, such as
   cryptography, and Protected Distribution Systems
   (PDS).

20
AFIT Graduate IRM

• Graduate Eng. Mgt. School
• IRM Program
• Built off of MSIS 2000 Model
• Required Core Classes
• Required Specialty Sequence
• Required Thesis

21
CORE IRM Courses

• ORSC 542 Managerial Behavior in Organizations
• EMGT 530 Contract Management
• IMGT 530 Conceptual Foundations of IRM
• IMGT 580 Enterprise Information Architecture
• IMGT 561 Database Management
• IMGT 651 Systems Analysis and Design
• IMGT 657 Data Communications
• IMGT 690 Capstone Seminar in IRM.

22
IA Track

IMGT 684 Strategic Information Management IMGT
688 Security and Ethics in the Information
Age IMGT 687 Managerial Aspects of Information
Warfare.
23
Electives

• CSCE 525 Intro to Information Warfare
• CSCE 625 Info Sys Security, Assurance and
  Analysis I
• CSCE 725 Info Sys Security, Assurance and
  Analysis II
• IMGT 570 E-Business
• IMGT 680 Knowledge Management
• SENG 530 Introduction to Space Operation
• ORSC 638 Seminar in Contemporary Leadership
• ORSC 647 Organizational Policy and Strategic Mgt.

24
Graduate IA Program(Computer Science)

• Core
• CSCE 544 Data Security
• CSCE 625 Information Systems Security, Assurance
  and Analysis I
• CSCE 654 Computer Networks
• CSCE 689 Distributed Software Systems
• CSCE 725 Information Systems Security, Assurance
  and Analysis II
• Mathematics Requirement (4 quarter hours)
• STAT 583 Probability and Statistics for Computer
  Science
• Encouraged (Discrete Math, Finite Automata,
  Queuing Theory)

25
Graduate IA Program

• IA Depth (12 quarter hours)
• CSCE 526 Secure Software Development (4)
• CSCE 527 Cyber Forensics (4)
• CSCE 528 Cyber Defense and Exploitation I (4)
• CSCE 628 Cyber Defense and Exploitation II (2)
• IMGT 684 Role of the Chief Information Officer
  (3)
• IMGT 688 Security and Ethics in the Information
  Age (3)

26
IRM Knowledge Clusters
1 Legal Issues
2 Liability Issues
3 Crime Issues
4 Computer Security Policy
5 OMB Circular A-130
6 Electronic Records Management
7 Threats and Incidents
8 Threats and Vulnerabilities
9 Access
10 Administrative Responsibilities
11 COMSEC
12 Tempest
13 DAA Authority
14 Life Cycle Management
15 Continuity of Operations (COOP)
16 Risk Management
27
Conclusion

• This paper described the unique Masters
  program(s) at a Midwestern United States school
  that primarily serves a specific student body
  made up of Department of Defense employees.
• With a program in place for many years in
  Information Assurance (IA) we have now created
  this new program with a decidedly IRM focus to
  IA.
• It is the authors hope that other schools can use
  this information to review their own program(s)
  and incorporate the concepts presented here as
  appropriate.
• While these concepts are somewhat unique to the
  DoD, we feel other schools could benefit from
  there inclusion into the curriculum.
• The concept of Information Assurance is now
  popping up in many schools while it has been in
  the DoD for many more years.

28
Questions

• ??????