Implementing Effective Information Security Curriculum
Michael E. Whitman, Ph.D., CISM, CISSP
Herbert J. Mattord, CISM, CISSP
Kennesaw State University, GA

The Need for Curricula
- National Strategy to Secure Cyberspace (FEB 2003)
- Presidential Decision Directive PDD-63 (MAY 98)
- National Security Telecommunications Information Systems Security Directive 500 (FEB 93)
- National Security Telecommunications Information Systems Security Directive 501 (NOV 92)
- National Security Directive (NSD)-42 (JUL 90)
- Bureau of Labor Statistics (2010-11)
Course University: Teaching Information Security 2

National Strategy To Secure Cyberspace
Cyber Space Policy Review - Assuring a Trusted and Resilient Information and Communications Infrastructure
"While we continue to boast the most positive environment for information technology firms in the world, the Nation should develop a workforce of U.S. citizens necessary to compete on a global level and sustain that position of leadership."
http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf

Presidential Decision Directive PDD-63
Plan of action on the findings of the President's Commission on Critical Infrastructure Protection (PCCIP) of Oct 97. Requires Vulnerability Awareness and Education Programs within both the Government and private sector to sensitize people regarding the importance of security and train them to security standards, particularly regarding cyber systems.

U.S. Department of Labor-BLS: Computer, Network, Systems & DB Admins
Employment is projected to grow much faster than the average for all occupations and add 286,600 new jobs over the 2008-18 decade. … Computer security specialists plan, coordinate, and maintain an organization's information security. These workers educate users about computer security, install security software, monitor networks for security breaches, respond to cyber attacks, and, in some cases, gather data and evidence to be used in prosecuting cyber crime. The responsibilities of computer security specialists have increased in recent years as cyber attacks have become more sophisticated.

U.S. Department of Labor-BLS: Computer & IS Managers
Employment is expected to grow faster than the average for all occupations (2008-2018). A bachelor's degree in a computer-related field usually is required for management positions, although employers often prefer a graduate degree, especially an MBA with technology as a core component. Job prospects should be excellent. Management information systems (MIS) directors or information technology (IT) directors manage computing resources for their organizations. They often work under the chief information officer and plan and direct the work of subordinate information technology employees. These managers ensure the availability, continuity, and security of data and information technology services in their organizations. In this capacity, they oversee a variety of technical departments, develop and monitor performance standards, and implement new projects.

Curriculum Design – Begin with the End in Mind
Definers provide the policies, guidelines and standards. They're the people who do the consulting and the risk assessment, who develop the product and technical architectures. These are senior people with a lot of broad knowledge, but often not a lot of depth.
Builders are the real techies, who create and install security solutions.
Administrators operate and administrate the security tools and the security monitoring function and … continuously improve the processes, performing all the day-to-day work.

Approaches to Curricula
1. Elements added to existing courses
2. Elements added to a capstone course or courses
3. Independent information security courses
4. Information security certificates / minors
5. Information security degree programs

Adding Elements to Courses (Existing Course: Information Security Topics)
- Programming Principles: Secure programming techniques; Applied cryptography
- Networking / Data Communications: Network security principles; Use of security tools (firewalls, IDS systems)
- Systems Analysis & Design: Creating secure systems by design
- Database Principles: Developing secure database structures; Security tools for data management; Privacy topics
- Operating Systems: Configuration management

Roles
Information Security Roles:
o CIO
o CISO
o Information Security Manager
o Information Security Analyst
o Information Security Technician
o Information Security Watch Standers

Positions
- Network Engineer / Administrator / Analyst
- Firewall Engineer / Administrator / Analyst
- IDS Engineer / Administrator / Analyst
- System Engineer / Administrator / Analyst
- Information Security Officer
- Forensic Analyst
- Information Security Manager
- Privacy Manager
- Incident Response Manager
- Disaster Recovery/BCP Manager
- Director of Security
- Information Security Consultant

Knowledge Areas
Knowledge areas in InfoSec are many and can be very technical, but there is an agreed-upon way to discuss them:
o CISSP
o SSCP
o GIAC
o SCP
o Security+
o CISA/CISM
o ISO 27000 series
o NSTISSI Publication 4011
o NIST SP 800-14
o NIST SP 800-16

CISSP
- Access control systems and methodology
- Applications and systems development
- Business continuity planning
- Cryptography
- Law, investigation, and ethics
- Operations security
- Physical security
- Security architecture and models
- Security management practices
- Telecommunications, network and internet security

CISM
- Information Security Governance
- Risk Management
- Information Security Program Management
- Information Security Management
- Response Management

ISO 27000 series (www.27000.org)
- ISO 27001 - This is the specification for an information security management system (an ISMS), which replaced the old BS7799-2 standard.
- ISO 27002 - This is the 27000 series standard number of what was originally the ISO 17799 standard (which itself was formerly known as BS7799-1).
- ISO 27003 - This will be the official number of a new standard intended to offer guidance for the implementation of an ISMS (IS Management System).
- ISO 27004 - This standard covers information security system management measurement and metrics, including suggested ISO 27002 aligned controls.
- ISO 27005 - This is the methodology independent ISO standard for information security risk management.
- ISO 27006 - This standard provides guidelines for the accreditation of organizations offering ISMS certification.

ISO 27002 Structure
- Risk Assessment and Treatment
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical Security
- Communications and Ops Management
- Access Control
- Information Systems Acquisition, Development, Maintenance
- Information Security Incident Management
- Business Continuity
- Compliance

NSTISSI Publication 4011
- Automated Information Systems Basics
- Security Basics
- NSTISS Basics
- System Operating Environment
- NSTISS Planning and Management
- NSTISS Policies and Procedures

NIST SPs
- Policy
- Program Management
- Risk Management
- Life Cycle Planning
- Personnel/User Issues
- Preparing for Contingencies and Disasters
- Computer Security Incident Handling
- Awareness and Training
- Security Considerations in Computer Support and Operations
- Physical and Environmental Security
- Identification and Authentication
- Logical Access Control
- Audit Trails
- Cryptography

Roles/Positions/Knowledge Areas
(Matrix slide mapping positions against knowledge areas; only the row and column labels survive in the transcript, not the cell markings.)
Positions: Net Admin, Firewall Analyst, IDS Eng, SysAdmin, CISO, InfoSec Mgr, InfoSec Analyst, InfoSec Tech, InfoSec Cons., IRP Handler, DR/BCP Mgr, ISO, Forensics, InfoSec W.S.
Knowledge areas: ACS, SA & D, OpSec, PhySec, Architecture, Crypto, Law & Ethics, BCP, Sec Mgt, NetSec
(Varying levels of mastery)

Learning Objectives
Next step toward curriculum: identify the extent to which the student is expected to learn the components of each knowledge area.
o Understanding
o Accomplishment
o Proficiency
o Mastery

Learning Objectives Example
Upon completion of identified material, the student should be able to:
o Understanding - Know and discuss the importance of policy in the organization
o Accomplishment - Demonstrate procedures needed to design and implement policy
o Proficiency - Able to develop and implement a variety of security policies
o Mastery - Able to review and critique all types of security policy at all levels of the organization

Course Needs Worksheets

Example Learning Objectives Map: Introduction to InfoSec
Prerequisites: Intro to Computing; Data Communications
Learning Objectives - Understanding of:
- Access control systems and methodology
- Applications and systems development
- Business continuity planning
- Cryptography
- Law, investigation, and ethics
- Operations security
- Physical security
- Security architecture and models
- Security management practices
- Telecommunications, network and internet security

Example Learning Objectives Map: Technical InfoSec
Prerequisites: Intro to Computing; Data Communications; Operating Systems; Organization & Architecture; Programming; Intro Infosec
Learning Objectives - Accomplishment and Proficiency of:
- Firewalls
- IDS
- Access Controls
- Vulnerability Assessment
- OS Security
- Cryptography

Example Learning Objectives Map: Firewall Technology
Prerequisites: Intro to Computing; Data Communications; Operating Systems; Organization & Architecture; Programming; Advanced Networking; Technical InfoSec
Learning Objectives - Mastery of:
- Firewall ACLs
- Firewall Architecture
- Firewall Generations
- Proxy Services
- DMZ Configuration
- VPN Configuration
- Remote Firewall Management

Creating InfoSec Courses and Programs
Courses and programs should be created in ways that:
o Involve all critical stakeholders
o Create employable students or students who can advance academically
o Capitalize on available resources (faculty, classrooms, labs)
o Support local / state / national program objectives like the National Strategy to Secure Cyberspace

Resources Needed to Support ISA Curricula
- Classrooms
- Texts
- Labs
- Internships / Coops
- Business Partners / Clients

Resources To Help Build Curricula
Local
o Department / College / University
o Advisory Boards
o Business Partners
National
o NIST documentation resources
o NSA Centers of Excellence program
o NSF Grants

Supplemental Materials
- NIST Special Publications: http://csrc.nist.gov
- CNSS Documentation: http://www.cnss.gov/instructions.html
- Textbook publishers
  o Cengage/Course Technology: http://www.course.com

Textbooks
Also: Readings & Cases in Mgt of InfoSec - Vol I
Coming Soon: Principles of Network Security

Three Sample Courses
- Introduction to InfoSec
- Network Security
- Management of InfoSec

Introduction to Information Security
Purpose - An introduction to the technical and administrative aspects of Information Security; provides the foundation for understanding key issues in protecting information assets, determining the levels of protection and response to security incidents, and designing a consistent, reasonable information security system with appropriate intrusion detection and reporting features. Provides the student with an overview of the field of Information Security.
Prerequisites – Introduction to data communication
Homework Assignments – Development of SETA materials as well as the expected learning support exercises
Lab Assignments – Hands-on activities in fingerprinting tools, firewall configuration, and systems configuration management
Case Assignments – Creation of incident response plans and disaster recovery plans, as well as information security blueprints and project management work plans

Network Security
Purpose – An introduction to applications used in Information Security; provides practical experience in understanding and using key technologies used to protect information technology programs and assets.
Prerequisites – Introduction to data communication
Homework Assignments – Traditional learning support assignments as well as web-based research tasks and lab preparation activities.
Lab Assignments – Includes configuration and use of an assortment of software tools, including activities in cryptography, configuration of systems, implementation of firewalls and intrusion detection systems, and gaining skills in log analysis.

Management of Information Security
Purpose - A detailed examination of the management perspective of information security, including a strategic planning process for security. Includes an examination of the policies, procedures and staffing functions necessary to organize and administer ongoing security functions in the organization. Subjects include security practices, security architecture and models, information security threats and attacks, risk management, continuity planning and disaster recovery planning.
Prerequisites – Introduction to data communication
Homework Assignments - Traditional learning support assignments as well as web-based research tasks and lab preparation activities.
Lab Assignments – Hands-on labs in policy management support tools, computer forensics, and tools for configuration policy validation.
Case Assignments – Team project to develop information security policy and planning documents for a fictitious company from a case study.

Other Course Topics
- Advanced Network Security
- Auditing for Security
- Criminal Law
- Computer Ethics
- Computer Law
- Cryptography / Cryptology
- Secure Programming
- Internships / Coops

Sample Curriculum From Kennesaw State University
KSU BBA - Information Security and Assurance
After College of Business Lower & Upper Division Requirements:
- ISA 3100 – Principles of Information Security
- ISA 3010 – Security Script Programming
- ISA 3200 – Network Security
- ISA 3210 – Client Systems Security
- ISA 3300 – Management of Information Security
- ISA 4200 – Perimeter Defense (FW/VPN)
- ISA 4220 – Server Systems Security
- ISA 4330 – Incident Response and Contingency Planning (E)
- ISA 4805 – Penetration Testing (E)
- ISA 4810 – Cyber Defense

Security Events at KSU
Sep 30 - Oct 1 – Information Security Curriculum Development Conference
o Faculty Curriculum Development Workshop Friday PM
o Full Academic Conference Saturday
o CFP forthcoming – email [email protected] to get on the list
SECCDC – Southeast Collegiate Cyber Defense Competition
o March 2012
o Winner to UTSA for National CCDC
o 3 day student competition

Helen Keller: "I am only one; but still I am one. I cannot do everything, but still I can do something; I will not refuse to do the something I can do."

Contact Info
Michael E. Whitman, Ph.D., CISM, CISSP
o [email protected]
Herbert J. Mattord, (Ph.D. - ABD), CISM, CISSP
o [email protected]
KSU Center for Information Security Education
o [email protected]

Thank You For Your Time