ASSC Military Information Assurance and Security Symposium 2009
MIASec09 transcript
A holistic approach to effective Information Assurance Education
Information Security and its Assurance
Presented by:
Christopher Richardson BEng CEng MIET, M.Inst.ISP, QTS. CIS Security Lecturer, Defence College of Communications and Information Systems, Blandford Forum, Dorset.
Associate Lecturer to Bournemouth University and EngD Research Engineer at Southampton University.
A holistic approach to effective Information Assurance Education Slide 2
Goals
• Introduce and scope current UK Government ideas and IA professional development.
• To provide an Educator’s insight into the direction of Information Security and its Assurance.
Training, Education and Awareness
• Goal: IA responsibilities are assigned from the Main Board downwards to ensure that appropriately trained staff are held accountable for their decisions and actions. The result is a culture within the organisation that values information as a business asset.
• Justification: Without effective training, education and awareness staff within the organisation will not implement policies and procedures in a way that values and protects information as a core business asset.
HMG Information Assurance Maturity Model and Assessment Framework (Version 2.0 dated 20 Feb 09)
Presentation Themes
There are 4 themes to this holistic approach to the Assurance Paradigm:
• Complexity
• Professionalism
• Strategic Positioning
• Educational Bridges
A Complex World
• A Complex World: IA in the Defence Community; Assuring the Information Assets
• The UK's IA Profession: IISP Perspective; Cabinet Office/GIPSI; Educational Goals
• KTN the Information Security Officers: Strategic Positioning of Security; Cyber Security for Information Leaders
• Bridging the IA gap: Professional Development Programmes; Qualifications, Certification and Course Accreditation; IA Academies
The Information Concept Map
The Information Asset
• Information is one of the most important assets of our business.
• How much do we and our user community really comprehend this?
A Complex World
Strategic Position
Purpose: Confidentiality
It is the confidence that information systems will protect the information they carry and will function as they need to, when they need to, under the control of legitimate users. Information is a critical asset to any organisation or individual, and as such it should be safeguarded.
Environment: Expansive
The world of Information and its risks is an expansive explosion of Internet activities and the associated e-business applications. Combined with the geometric rate of technological change in IT, this presents organisations with an environment that significantly increases the degrees of uncertainty.
Capability: Tangible Resources
Computer Network Operations, using Computer Network Defence (CND) to negate Computer Network Attack (CNA) and Computer Network Exploitation (CNE), enable operations to employ IA capabilities to respond to unauthorised activities using counterintelligence, law enforcement, policies, monitoring, risk assessment, forensics, accreditation and other security technologies to defend the assets, systems and networks.
Culture: Stories
Information Assurance and security is inherently normative, dealing with complex social and ethical issues such as privacy, access, ownership, liability, reliability and safety. Norms are an integral part of human life, vary greatly amongst peoples and cultures, and are regulated through social structures such as policies and economics.
INFORMATION ASSURANCE
• Information Assurance [IA] provides effective and timely exploitation of information.
• IA is fundamental to all aspects of MoD’s business from the successful conduct of military operations to the management of the MoD as a Department of State.
• IA ensures stakeholder confidence that Information Systems risk is managed pragmatically, appropriately, and in a cost-effective manner.
And it’s multi-functional, multi-disciplined
IA Security Framework
Diagram labels: Information Assurance; Education, Training and Awareness; Information Security; Physical Security; Information Operations; Information Exploitation.
IA in the Defence Community
• The military see IA from the premise that it is the conduct of Defence business, whether on deployed operations or in the administration of MoD as a Department of State, that should predominate.
• IA encompasses all activity needed to assure the critical information on which Defence business relies. From this approach a new definition of IA is established:
Information Assurance (IA) is a management process, designed to ensure that the systems and networks employed to manage the critical information used by an organisation are reliable and secure, and that measures and processes are in place to counter malicious activity, in order to support the business needs of the organisation.
The IA Cycle
Diagram labels: Strategy and Governance; Analysis and Intelligence; People and Change; Architecture and Assurance; Capability and Solutions; Defence and Resilience. Surrounding context: Culture, Purpose, Environment, Capability.
Assuring the Information Assets
Without the timely and effective use of information our decisions become jaded, inappropriate or suspect. As an asset:
• Information about something (e.g. a passenger timetable)
• Information as something (e.g. DNA or fingerprints)
• Information for something (e.g. algorithms or instructions)
• Information in something (e.g. patterns or videos)
Consequently we need our information to be clear, accurate, trusted and not compromised, lost, leaked, disseminated, unauthorised, published or corrupted.
The UK's IA Profession
The UK's IA Profession
• Professional skills and development are vital in the three principal areas – Information Technology, Knowledge and Information Management (KIM) and IA – to ensure that information systems are properly developed and operated.
• There are overlaps, but IA takes a holistic approach to information risk, and includes a variety of roles within government, including accreditation, operation of cryptographic systems and contingency management.
• IA professionals complement the work of IT and KIM professionals and support the operation of effective government, as do other professionals (including IT, KIM, finance, HR etc.).
• IA professionals also bridge the gap between the sensitive security issues and complex technical issues, and the business leaders who make investment decisions.
IISP Perspective
All IA professionals undertake appropriate continuing professional development, in line with the requirements of the IISP or other relevant body. This includes working towards professional certification, maintaining currency of specialist skills, developing new skills, and awareness of other specialisms.
IA Competency Framework
Framework diagram (labels recovered from the slide):
Transferable skills and qualifications: Business and Personal
Disciplines: Leadership; IA Policy and Governance; IA Education, Training and Awareness; IA Contingency Management; IA Operations and Security Management; IA Engineering and Security Network Architecture; IA Risk Management and Accreditation; IA Verification and Audit.
Information Assurance level (progression, levels 0 to 5): Entry level; Practitioner; Senior Practitioner; Lead Practitioner (Subject Matter Expert); Head of Specialism; Head of Profession.
Educational Goals
IA Education is both complex and subjective, and is often driven by agendas and compromises; we have a plethora of training courses, yet so few deal with security education and the beginnings of structured professional development.
A framework is required to provide clear professional objectives and an underlying understanding of the nature of Information Security’s many domains. In particular, with Information Assurance, there is a greater need to focus on educating professional practitioners and developing their profession.
Security Education is a strategic goal that needs objectives and a performance metric to meet the policies established by the Cabinet Office’s “A United Kingdom Strategy for Information Assurance” and the overarching “Manual of Protective Security”.
Knowledge Transfer to Information Security Officers
KTN the Information Security Officers
Strategic Positioning of Security
Diagram labels: Effects Based Operations; Ignorance Management; Policies and Governance; Infrastructure Interoperability; Security Strategy.
Modular CPD Roadmap
Roadmap diagram (labels recovered from the slide): each module carries a Descriptor and a Certification. Progression levels: Foundation Level; Practitioner Level; Master Level; Professional. Example modules: Incident Management; Business Continuity. Certification and credit labels: Advance; BTEC 4; BTEC 5; ISEB; NQF Level 4; Honours Degree Points; CPD Credits.
Cyber Security for Information Leaders
• We need to remind ourselves again and again that information security is not a technology issue, it’s a people issue.
• Information security is reliant on people, their awareness, ethics and behaviour.
• Security professionals must understand what the user needs if they are to accomplish the goals of the business.
• In this demanding world of technological, economic, legal, operational and commercial drivers, we are all becoming dependent on secure, robust and resilient communication and information systems.
Management
“Ignorance is always correctable. But what shall we do if we take ignorance to be knowledge?”
Neil Postman
“It is more important for organizations to manage their ignorance. Knowledge management strives to locate, map, collect, share, and exploit what the organization knows. Ignorance management, on the other hand, recognizes that it is never possible to know everything, or even a lot of things, well. Acting from an assumption that the organization knows enough may represent hubris at best and bad management at worst.”
Michael H. Zack
Bridging the Gap
The Air Gap
• What we want is an assured asset.
• What we have is not what we want!
• There are gaps in our Purpose, Capability, Environment and Culture.
• Strategic Positioning of Security generates the roadmap.
• IA education gets people moving down that road.
Gap Analysis
Qualifications; Certification and Course Accreditation
An IA Academy
This country needs an IA Academy, a specialist school of learning and of teaching. A place that finds ways to bring IA into mainstream IT and to change the way we all deal with Information.
• A place to study security, its vulnerabilities and failures in a dedicated academy; a repository of knowledge and incidents;
• A research facility to pursue innovative solutions. A place that coordinates IA issues, where threats and attacks can be diagnosed and investigated without compromising commercial sensitivities or the confidentiality of military systems.
An Imaginative Solution
• There are challenges and opportunities presented by offering a UK-wide IA Education and CPD programme.
• The Academy needs to be innovative, timely and relevant, offering a clear progression through academically challenging and professionally rewarding education.
• It will have to enable students to pursue further careers in both academia and industry.
• The IA Academy can be positioned to foster security knowledge and curiosity.
Presentation Plenary
Plenary diagram (labels recovered from the slide). The problem: Untrusted; Unsafe; Insecure.
Information Assurance: examine how to manage our assets; train to apply services; know how to mitigate risks; understand technology.
Education, Training and Awareness: exploit our NQF and generate CPD credits.
Any Questions?
Points to Remember
• Security is always related to utility. (You can always do nothing, securely.)
• Security should be relative to the threat.
• Security and its Assurance should be considered from an overall systems point of view.
• Security and its Assurance should be affordable and cost effective.
• Security should be as simple as possible.
• Education is the key to successful IA implementation.
It’s a good day, Safe journey home