Implementing Effective Information Security Curriculum
Michael E. Whitman, Ph.D., CISM, CISSP
Herbert J. Mattord, CISM, CISSP
Kennesaw State University, GA
The Need for Curricula
- National Strategy to Secure Cyberspace (FEB 2003)
- Presidential Decision Directive PDD-63 (MAY 98)
- National Security Telecommunications Information Systems Security Directive 500 (FEB 93)
- National Security Telecommunications Information Systems Security Directive 501 (NOV 92)
- National Security Directive (NSD)-42 (JUL 90)
- Bureau of Labor Statistics (2010-11)
Course University: Teaching Information Security
National Strategy To Secure Cyberspace
Cyber Space Policy Review - Assuring a Trusted and Resilient Information and Communications Infrastructure
While we continue to boast the most positive environment for information technology
firms in the world, the Nation should develop a workforce of U.S. citizens necessary to
compete on a global level and sustain that position of leadership.
http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
Presidential Decision Directive PDD-63
Plan of action on the findings of the President’s Commission
on Critical Infrastructure Protection (PCCIP) of Oct 97.
Requires Vulnerability Awareness and Education Programs
within both the Government and private sector to sensitize
people regarding the importance of security and train them
to security standards, particularly regarding cyber systems.
U.S. Department of Labor-BLS
Computer, Network, Systems & DB Admins
Employment is projected to grow much faster than the
average for all occupations and add 286,600 new jobs
over the 2008-18 decade.
…Computer security specialists plan, coordinate, and
maintain an organization’s information security. These
workers educate users about computer security, install
security software, monitor networks for security
breaches, respond to cyber attacks, and, in some cases,
gather data and evidence to be used in prosecuting
cyber crime. The responsibilities of computer security
specialists have increased in recent years as cyber
attacks have become more sophisticated.
U.S. Department of Labor-BLS
Computer & IS Managers
Employment is expected to grow faster than the average for all
occupations. (2008-2018)
A bachelor's degree in a computer-related field usually is required for
management positions, although employers often prefer a graduate
degree, especially an MBA with technology as a core component.
Job prospects should be excellent.
Management information systems (MIS) directors or information
technology (IT) directors manage computing resources for their
organizations. They often work under the chief information officer and
plan and direct the work of subordinate information technology
employees. These managers ensure the availability, continuity, and
security of data and information technology services in their
organizations. In this capacity, they oversee a variety of technical
departments, develop and monitor performance standards, and
implement new projects.
Curriculum Design – Begin with the End in Mind
Definers provide the policies, guidelines and standards.
They’re the people who do the consulting and the risk
assessment, who develop the product and technical
architectures. These are senior people with a lot of
broad knowledge, but often not a lot of depth.
Builders are the real techies, who create and install
security solutions.
Administrators operate and administrate the security
tools, and the security monitoring function
and…continuously improve the processes, performing
all the day-to-day work.
Approaches to Curricula
1. Elements added to existing courses
2. Elements added to a capstone course or courses
3. Independent information security courses
4. Information security certificates / minors
5. Information security degree programs
Adding Elements to Courses
Existing Course: Information Security Topics
Programming Principles:
o Secure programming techniques
o Applied cryptography
Networking / Data Communications:
o Network security principles
o Use of security tools (firewalls, IDS systems)
Systems Analysis & Design:
o Creating secure systems by design
Database Principles:
o Developing secure database structures
o Security tools for data management
o Privacy topics
Operating Systems:
o Configuration management
Roles
Information Security Roles:
o CIO
o CISO
o Information Security Manager
o Information Security Analyst
o Information Security Technician
o Information Security Watch standers
Positions
Network Engineer / Administrator / Analyst
Firewall Engineer / Administrator / Analyst
IDS Engineer / Administrator / Analyst
System Engineer /Administrator / Analyst
Information Security Officer
Forensic Analyst
Information Security Manager
Privacy Manager
Incident Response Manager
Disaster Recovery/BCP Manager
Director of Security
Information Security Consultant
Knowledge Areas
Knowledge areas in InfoSec are many and can be very
technical, but there is an agreed-upon way to discuss
them…
o CISSP
o SSCP
o GIAC
o SCP
o Security+
o CISA/CISM
o ISO 27000 series
o NSTISSI Publication 4011
o NIST SP 800-14
o NIST SP 800-16
CISSP
Access control systems and methodology
Applications and systems development
Business continuity planning
Cryptography
Law, investigation, and ethics
Operations security
Physical security
Security architecture and models
Security management practices
Telecommunications, network and internet security
CISM
Information Security Governance
Risk Management
Information Security Program Management
Information Security Management
Response Management
ISO 27000 series (www.27000.org)
ISO 27001 - This is the specification for an information security management
system (an ISMS), which replaced the old BS7799-2 standard.
ISO 27002 - This is the 27000 series standard number of what was originally
the ISO 17799 standard (which itself was formerly known as BS7799-1).
ISO 27003 - This will be the official number of a new standard intended to
offer guidance for the implementation of an ISMS (IS Management System).
ISO 27004 - This standard covers information security system management
measurement and metrics, including suggested ISO 27002-aligned controls.
ISO 27005 - This is the methodology-independent ISO standard for
information security risk management.
ISO 27006 - This standard provides guidelines for the accreditation of
organizations offering ISMS certification.
ISO 27002 Structure
Risk Assessment and Treatment
Security Policy
Organization of Information Security
Asset Management
Human Resources Security
Physical Security
Communications and Ops Management
Access Control
Information Systems Acquisition, Development, Maintenance
Information Security Incident management
Business Continuity
Compliance
NSTISSI Publication 4011
Automated Information Systems Basics
Security Basics
NSTISS Basics
System Operating Environment
NSTISS Planning and Management
NSTISS Policies and Procedures
NIST SPs
Policy
Program Management
Risk Management
Life Cycle Planning
Personnel/User Issues
Preparing for Contingencies and Disasters
Computer Security Incident Handling
Awareness and Training
Security Considerations in Computer Support and Operations
Physical and Environmental Security
Identification and Authentication
Logical Access Control
Audit Trails
Cryptography
Roles/Positions/Knowledge Areas
(Diagram mapping positions to knowledge areas, with varying levels of mastery)
Positions / roles shown: Net Admin, Firewall Analyst, IDS Eng, SysAdmin, CISO, InfoSec Mgr, InfoSec Analyst, InfoSec Tech, InfoSec Cons., IRP Handler, DR/BCP Mgr, ISO, Forensics, InfoSec W.S.
Knowledge areas shown: ACS, SA & D, OpSec, PhySec, Architecture, Crypto, Law & Ethics, BCP, Sec Mgt, NetSec
Learning Objectives
Next step toward curriculum
Identify the extent to which the student is expected to learn
the components of each knowledge area
o Understanding
o Accomplishment
o Proficiency
o Mastery
Learning Objectives Example
Upon completion of identified material, the student
should be able to:
o Understanding
Know and discuss importance of policy in the organization
o Accomplishment
Demonstrate procedures needed to design and implement policy
o Proficiency
Able to develop and implement a variety of security policies
o Mastery
Able to review and critique all types of security policy at all levels
of the organization
Course Needs Worksheets
Example Learning Objectives Map
Course: Introduction to InfoSec
Prerequisites: Intro to Computing; Data Communications
Learning Objectives - Understanding of:
o Access control systems and methodology
o Applications and systems development
o Business continuity planning
o Cryptography
o Law, investigation, and ethics
o Operations security
o Physical security
o Security architecture and models
o Security management practices
o Telecommunications, network and internet security
Example Learning Objectives Map
Course: Technical InfoSec
Prerequisites: Intro to Computing; Data Communications; Operating Systems; Organization & Architecture; Programming; Intro Infosec
Learning Objectives - Accomplishment and Proficiency of:
o Firewalls
o IDS
o Access Controls
o Vulnerability Assessment
o OS Security
o Cryptography
Example Learning Objectives Map
Course: Firewall Technology
Prerequisites: Intro to Computing; Data Communications; Operating Systems; Organization & Architecture; Programming; Advanced Networking; Technical InfoSec
Learning Objectives - Mastery of:
o Firewall ACLs
o Firewall Architecture
o Firewall Generations
o Proxy Services
o DMZ Configuration
o VPN Configuration
o Remote Firewall Management
Creating InfoSec Courses and Programs
Courses and programs should be created in ways that:
o Involve all critical stakeholders
o Create employable students or students who can advance
academically
o Capitalize on available resources (faculty, classrooms, labs)
o Support local / state / national program objectives like the National
Strategy to Secure Cyberspace
Resources Needed to Support ISA Curricula
Classrooms
Texts
Labs
Internships / Coops
Business Partners / Clients
Resources To Help Build Curricula
Local
o Department / College / University
o Advisory Boards
o Business Partners
National
o NIST documentation resources
o NSA Centers of Excellence program
o NSF Grants
Supplemental Materials
NIST Special Publications
http://csrc.nist.gov
CNSS Documentation
http://www.cnss.gov/instructions.html
Textbook publishers
o Cengage/Course Technology
http://www.course.com
Textbooks
Also: Readings & Cases in Mgt of InfoSec - Vol I
Coming Soon: Principles of Network Security
Three Sample Courses
Introduction to InfoSec
Network Security
Management of InfoSec
Introduction to Information Security
Purpose - An introduction to technical and
administrative aspects of Information Security, provides
the foundation for understanding key issues in
protecting information assets, determining the levels of
protection and response to security incidents, and
designing a consistent, reasonable information security
system, with appropriate intrusion detection and
reporting features. Provides the student with an
overview of the field of Information Security.
Prerequisites – Introduction to data communication
Introduction to Information Security
Homework Assignments – Development of SETA
materials as well as the expected learning support
exercises
Lab Assignments – Hands on activities in fingerprinting
tools, firewall configuration, and systems configuration
management
Case Assignments – Creation of incident response plans,
disaster recovery plans as well as information security
blueprints and project management work plans
Network Security
Purpose – An introduction to applications used in
Information Security, provides practical experience in
understanding and using key technologies used to protect
information technology programs and assets.
Prerequisites – Introduction to data communication
Network Security
Homework Assignments – Traditional learning support
assignments as well as web-based research tasks and lab
preparation activities.
Lab Assignments – Includes configuration and use of an
assortment of software tools including activities in
cryptography, configuration of systems, implementation of
firewalls and intrusion detection systems, and gaining skills
in log analysis.
Management of Information Security
Purpose - A detailed examination of the management
perspective of information security, including a strategic
planning process for security. Includes an examination
of the policies, procedures and staffing functions
necessary to organize and administer ongoing security
functions in the organization. Subjects include security
practices, security architecture and models, information
security threats and attacks, risk management,
continuity planning and disaster recovery planning.
Prerequisites – Introduction to data communication
Management of Information Security
Homework Assignments - Traditional learning
support assignments as well as web-based research
tasks and lab preparation activities.
Lab Assignments – Hands-on labs in policy
management support tools, computer forensics,
and tools for configuration policy validation.
Case Assignments – Team project to develop
information security policy and planning documents
for a fictitious company from a case study.
Other Course Topics
Advanced Network Security
Auditing for Security
Criminal Law
Computer Ethics
Computer Law
Cryptography / Cryptology
Secure Programming
Internships / Coops
Sample Curriculum From Kennesaw State University
KSU BBA - Information Security and Assurance
After College of Business Lower & Upper Division Requirements
ISA 3100 – Principles of Information Security
ISA 3010 – Security Script Programming
ISA 3200 – Network Security
ISA 3210 – Client Systems Security
ISA 3300 – Management of Information Security
ISA 4200 – Perimeter Defense (FW/VPN)
ISA 4220 – Server Systems Security
ISA 4330 – Incident Response and Contingency Planning (E)
ISA 4805 – Penetration Testing (E)
ISA 4810 – Cyber Defense
Security Events at KSU
Sep 30 - Oct 1 – Information Security Curriculum
Development Conference
o Faculty Curriculum Development Workshop Friday PM
o Full Academic Conference Saturday
o CFP forthcoming – email [email protected] to get on the list
SECCDC – Southeast Collegiate Cyber Defense Competition
o March 2012
o Winner to UTSA for National CCDC
o 3 day student competition
Helen Keller
I am only one; but still I am one.
I cannot do everything, but still I can do something;
I will not refuse to do the something I can do.
Contact Info
Michael E. Whitman, Ph.D., CISM, CISSP
o [email protected]
Herbert J. Mattord, (Ph.D. - ABD), CISM, CISSP
o [email protected]
KSU Center for Information Security Education
o [email protected]
Thank You For Your Time