CHAPTER 15:
INFORMATION SYSTEMS SECURITY TRAINING AND CERTIFICATION

We need both education and training to reach maximum potential in the shortest amount of time.112

Dave Ladd, Blog on The Security Development Life Cycle (2007)

In this chapter:

Leverage your most important asset
The drivers
Security education, training, and awareness (SETA) – and certification

Leverage your most important asset

Organizations frequently focus on mitigating risk by investing in and implementing new technologies. But they often fail to leverage their most critical asset – people. Your personnel are both your greatest security resource and your greatest potential source of security vulnerability.

They have access to your agency’s most vital information. They may either have the knowledge to circumvent the systems that have been put in place to protect the organization’s information, or a lack of knowledge about what is needed to protect this information.

People can be the last line of defense in a network. But if they don’t have the tools or the knowledge to protect the information and the information systems, they are about as effective as a firewall still in its original packaging.

Information system-related incidents attract an ever increasing share of the headlines. One can read about the loss of unencrypted personal information on stolen laptops, stolen credit card numbers, business disruptions due to computer outages, and failing information technology infrastructures.

The drivers

Proper training and education can turn employees from risks themselves into key players in mitigating system risks. According to a report issued by Gartner, implementing an effective security awareness, education and training program can eliminate time spent reacting to security incidents and lead to productivity savings of 25 percent.113

But, in addition to the good commonsense reason to train and educate your staff, there are also legal and policy-based mandates.

113 Gartner: Information Security Awareness Training Is Essential to Protect IT Assets. Witty, Roberta J. et al. 11 January 2005.

Policy foundation

OMB Circular A-130, Appendix III, looks at training and education as a required element in a system security plan. The Circular states:

Ensure that all individuals are appropriately trained in how to fulfill their security responsibilities before allowing them access to the system. Such training shall ensure that employees are versed in the rules of the system … and apprise them about available technical assistance and technical security products and techniques. Behavior consistent with the rules of the system and periodic refresher training shall be required for continued access to the system.

The Federal Information Security Management Act (FISMA) tasks the head of each federal agency with ensuring that there are “trained personnel sufficient to assist the agency in complying with (these requirements) and related policies, procedures, standards, and guidelines.” FISMA also requires that the head of each agency “delegate to the agency Chief Information Officer (CIO) (or a comparable official), the authority to ensure compliance with the requirements imposed on the agency, including…training and oversee personnel with significant responsibilities for information security…(.)” FISMA also requires that an “agency wide information security program” must include “security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of:

information security risks associated with their activities; and

their responsibilities in complying with agency policies and procedures designed to reduce these risks(.)”

Security education, training, and awareness (SETA) – and certification

Security education, training, and awareness (SETA) are tools to modify any employee behaviors that might endanger the security of the agency’s information and information systems. This is the cornerstone of an effective information systems security program.

So, why does an effective security education program require all of these elements? An effective program cannot consist only of an annual refresher briefing or of training that takes place only in a classroom.

Each of these elements has a specific role to play in the security learning process. The table below illustrates the unique characteristics of education, training, and awareness as proposed by Dorothea de Zafra, Director of Curriculum Development, National Institutes of Health, in her “Comparative Instructional Levels.” By looking at this table, you can easily see that any effective security program must integrate all three approaches to security learning.

Table 42: Approaches to security learning

Security education and training go a long way towards providing a foundation for security learning, but they may not provide everything required to be effective – particularly for those individuals in positions that can have a more direct security impact. These include members of the security staff, as well as the system administrators who are responsible for the security configuration of the agency’s information systems.

Specific, targeted certification is one means of ensuring that users and security staff alike have a level of security knowledge sufficient for the performance of their functions. FISMA stipulates that any individual who performs an IA function be certified in order to retain his or her job. So, security certifications are about the hottest thing out right now.

In addition, government agencies are required to report annually to the Office of Management and Budget (OMB) and Congress about their compliance with the law, and they could lose funding if they don’t meet compliance thresholds. The US Department of Defense has implemented the most comprehensive program for defining security training and certification requirements for military, government employees, and contractors working in security and security-related positions.

DOD Directive 8570.1, Information Assurance Training, Certification and Workforce Management, was issued in August 2004. In December 2005, the accompanying implementation guidance, DOD 8570.01-M, was published. This manual details the requirements for training, certification, and implementation of the directive. DOD Directive 8570.1 requires all DOD components to identify personnel with direct or indirect responsibility for any aspect of information assurance (IA). DOD agencies must ensure that each worker obtains the appropriate certifications required for that position as established by DOD policy.

Why certification?

The real value of certifications is that they can provide an external validation of a baseline standard of knowledge. Like a degree in a specific subject, a security certification can set a level for exchange based on a common set of experiences with others in the security field.

DOD has specified certain certifications that meet the standards of ISO/IEC 17024, General Requirements for Bodies Operating Certification of Persons. ISO/IEC 17024 is the internationally recognized standard which identifies the requirements that certification bodies must meet for the development and maintenance of certification schemes for individuals.

Certifications can be vendor-neutral or vendor-specific. Examples of vendor-neutral certifications accepted by both DOD and federal agencies include:

CISA (Certified Information Systems Auditor)

CFE (Certified Fraud Examiner)

CPP (Certified Protection Professional)

CISSP (Certified Information Systems Security Professional)

SANS GIAC (Global Information Assurance Certification).

Of these, the CISSP is probably the most well-known.114

Some of the more well-known vendor-specific certifications are:

Cisco Security Specialist

Checkpoint Certified Security Program

RSA Certified Professional Program

Symantec Certified Security Professional

IBM SecureWay Specialist.

Managers and technical staff

DOD identifies a specific set of training requirements for security managers and for technical staff. The following figure shows authorized certifications for staff involved in either managing security or in the technical implementation and maintenance of safeguards.

114 More information is available at http://www.isc2.org/.

Figure 41: IA workforce certifications

Source: DOD 8570.01-M

Understanding the requirements, whether a position is technical or management, and at what level it sits can be confusing, so here are some guidelines:

There are two basic questions to help identify IA technical positions:

(1) Does the position require privileged access to a DOD information system environment?

(2) Does the position include any of the functional requirements listed in Chapter 3 of the DOD 8570 Manual for that level of the information system architecture?

If the answer to both questions is yes, the position is an IA technical position. If the answer to either question is no, it is not an IA technical position: yes to 1 and no to 2 is not an IA technical position, and no to 1 but yes to 2 is not an IA technical position either, although it may be an IA manager or other IA position.

Two basic questions can also help identify IA management positions:

(1) Does the position have responsibility for managing information system security for a DOD information system environment?

(2) Does the position include any of the functions listed in Chapter 4 of the DOD 8570 Manual for that level of the information system architecture?

If the answer to both questions is yes, the position is an IAM position. If the answer to either question is no, it is not an IAM position: yes to 1 and no to 2 is not an IAM position, and no to 1 but yes to 2 may be an IA position, but not an IAM position as currently defined in the Manual.

Further reading

Blokdijk, Gerard. CISSP: 100 Success Secrets, Emereo Pty Ltd Publishing, December 2007.

Howard, Patrick D. Building and Implementing a Security Certification and Accreditation Program, Auerbach Publications, December 2005.

Roper, Carl; Grau, Joseph; and Fischer, Lynn F. Security Awareness, Education, and Training: SEAT from Theory to Practice. Butterworth-Heinemann Publishing, September 2005.

References

Department of Defense Directive 8570.1, Information Assurance Training, Certification, and Workforce Management, 15 August 2004.

International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 17024, General Requirements for Bodies Operating Certification of Persons, April 2003.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, April 1998.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-50, Building an Information Technology Security Awareness and Training Program, October 2003.

National Institute of Standards and Technology (NIST) Security Awareness & Training website, available at http://csrc.nist.gov/groups/SMA/ate/index.html.
