ASSC Military Information Assurance and Security Symposium 2009

Information Security and its Assurance: A holistic approach to effective Information Assurance Education

Uploaded by christopherrichardson on 15-Dec-2014


Page 1

Information Security and its Assurance: A holistic approach to effective Information Assurance Education

Page 2

A holistic approach to effective Information Assurance Education

Presented by:

Christopher Richardson BEng CEng MIET, M.Inst.ISP, QTS. CIS Security Lecturer, Defence College of Communications and Information Systems, Blandford Forum, Dorset.

Associate Lecturer to Bournemouth University and EngD Research Engineer at Southampton University.

A holistic approach to effective Information Assurance Education Slide 2

Page 3

Goals

• Introduce and scope current UK Government ideas and IA professional development.

• Provide an educator's insight into the direction of Information Security and its Assurance.

Page 4

Training, Education and Awareness

• Goal: IA responsibilities are assigned from the Main Board downwards to ensure that appropriately trained staff are held accountable for their decisions and actions. The result is a culture within the organisation that values information as a business asset.

• Justification: Without effective training, education and awareness, staff within the organisation will not implement policies and procedures in a way that values and protects information as a core business asset.

HMG Information Assurance Maturity Model and Assessment Framework (Version 2.0, dated 20 Feb 09)

Page 5

Presentation Themes

There are four themes to this holistic approach to the Assurance Paradigm:

• Complexity

• Professionalism

• Strategic Positioning

• Educational Bridges

Page 6

A Complex World

• A Complex World: IA in the Defence Community; Assuring the Information Assets

• The UK's IA Profession: IISP Perspective; Cabinet Office/GIPSI; Educational Goals

• KTN the Information Security Officers: Strategic Positioning of Security; Cyber Security for Information Leaders

• Bridging the IA Gap: Professional Development Programmes; Qualifications, Certification and Course Accreditation; IA Academies

Page 7

The Information Concept Map

Page 8

The Information Asset

• Information is one of the most important assets of our business.

• How much do we and our user community really comprehend this?

Page 9

A Complex World

Page 10

Strategic Position

[Figure labels: Purpose; Confidentiality]

It is the confidence that information systems will protect the information they carry and will function as they need to, when they need to, under the control of legitimate users. Information is a critical asset to any organisation or individual; as such it should be safeguarded.

Page 11

Strategic Position

[Figure labels: Purpose; Environment; Expansive]

The world of information and its risks is an expansive explosion of Internet activity and the associated e-business applications. Combined with the geometric rate of technological change in IT, this presents organisations with an environment that significantly increases the degree of uncertainty.

Page 12

Strategic Position

[Figure labels: Purpose; Capability; Tangible Resources]

Computer Network Operations, using CND (Computer Network Defence) to negate CNA (Computer Network Attack) and CNE (Computer Network Exploitation), enable operations to employ IA capabilities to respond to unauthorised activities, using counterintelligence, law enforcement, policies, monitoring, risk assessment, forensics, accreditation and other security technologies to defend the assets, systems and networks.

Page 13

Strategic Position

[Figure labels: Purpose; Culture; Stories]

Information assurance and security is inherently normative, dealing with complex social and ethical issues such as privacy, access, ownership, liability, reliability and safety. Norms are an integral part of human life, vary greatly amongst peoples and cultures, and are regulated through social structures such as policies and economics.

Page 14

INFORMATION ASSURANCE

• Information Assurance [IA] provides effective and timely exploitation of information.

• IA is fundamental to all aspects of MoD's business, from the successful conduct of military operations to the management of the MoD as a Department of State.

• IA ensures stakeholder confidence that Information Systems risk is managed pragmatically, appropriately, and in a cost-effective manner.

Page 15

And it's multi-functional, multi-disciplined

Page 16

IA Security Framework

[Figure labels: Information Assurance; Education, Training and Awareness; Information Security; Physical Security; Information Operations; Information Exploitation]

Page 17

IA in the Defence Community

• The military see IA from the premise that it is the conduct of Defence business, whether on deployed operations or in the administration of MoD as a Department of State, that should predominate.

• IA encompasses all activity needed to assure the critical information on which Defence business relies. From this approach a new definition of IA is established:

Information Assurance (IA) is a management process, designed to ensure that the systems and networks employed to manage the critical information used by an organisation are reliable and secure, and that measures and processes are in place to counter malicious activity, in order to support the business needs of the organisation.

Page 18

The IA Cycle

[Figure labels: Strategy and Governance; Analysis and Intelligence; People and Change; Architecture and Assurance; Capability and Solutions; Defence and Resilience; Culture; Purpose; Environment; Capability]

Page 19

Assuring the Information Assets

Without the timely and effective use of information our decisions become jaded, inappropriate or suspect. As an asset:

• Information about something (e.g. a passenger timetable)

• Information as something (e.g. DNA or fingerprints)

• Information for something (e.g. algorithms or instructions)

• Information in something (e.g. patterns or videos)

Consequently we need our information to be clear, accurate, trusted and not compromised, lost, leaked, disseminated, unauthorised, published or corrupted.

Page 20

The UK's IA Profession

Page 21

The UK's IA Profession

• Professional skills and development are vital in the three principal areas (Information Technology, Knowledge and Information Management (KIM) and IA) to ensure that information systems are properly developed and operated.

• There are overlaps, but IA takes a holistic approach to information risk, and includes a variety of roles within government, including accreditation, operation of cryptographic systems and contingency management.

• IA professionals complement the work of IT and KIM professionals and support the operation of effective government, as do other professionals (including IT, KIM, finance, HR etc.).

• IA professionals also bridge the gap between the sensitive security issues and complex technical issues, and the business leaders who make investment decisions.

Page 22

IISP Perspective

All IA professionals undertake appropriate continuing professional development, in line with the requirements of the IISP or other relevant body. This includes working towards professional certification, maintaining currency of specialist skills, developing new skills and awareness of other specialisms.

Page 23

IA Competency Framework

[Figure: competency grid. Disciplines (columns): Leadership; IA Policy and Governance; IA Education, Training and Awareness; IA Contingency Management; IA Operations and Security Management; IA Engineering and Security Network Architecture; IA Risk Management and Accreditation; IA Verification and Audit. Information Assurance levels (rows): Head of Specialism; Lead Practitioner (Subject Matter Expert); Senior Practitioner; Practitioner; Entry level; Head of Profession. Progression scale: 0 to 5. Base layer: Transferable Skills and Qualifications: Business and Personal.]

Page 24

Educational Goals

IA education is both complex and subjective and is often driven by agendas and compromises: we have a plethora of training courses, but few that deal with security education or the beginnings of structured professional development.

A framework is required to provide clear professional objectives and an underlying understanding of the nature of Information Security's many domains. In particular, with Information Assurance, there is a greater need to focus on educating professional practitioners and developing their profession.

Security education is a strategic goal that needs objectives and a performance metric to meet the policies established by the Cabinet Office's "A United Kingdom Strategy for Information Assurance" and the overarching "Manual of Protective Security".

Page 25

Knowledge Transfer to Information Security Officers

Page 26

KTN the Information Security Officers

Page 27

Strategic Positioning of Security

[Figure labels: Effects Based Operations; Ignorance Management; Policies and Governance; Infrastructure Interoperability; Security Strategy]

Page 28

Modular CPD Roadmap

[Figure: roadmap table with Module / Descriptor / Certification columns for each module. Recoverable labels: Incident Management; Business Continuity; Advance; BTEC 4; BTEC 5; ISEB; NQF Level 4; Honours Degree Points; CPD Credits; Foundation Level; Practitioner Level; Master Level; Professional]

Page 29

Cyber Security for Information Leaders

• We need to remind ourselves again and again that information security is not a technology issue, it's a people issue.

• Information security is reliant on people, their awareness, ethics and behaviour.

• Security professionals must understand what the user needs if they are to accomplish the goals of the business.

• In this demanding world of technological, economic, legal, operational and commercial drivers, we are all becoming dependent on secure, robust and resilient communication and information systems.

Page 30

Management

"Ignorance is always correctable. But what shall we do if we take ignorance to be knowledge?"

Neil Postman

"It is more important for organizations to manage their ignorance. Knowledge management strives to locate, map, collect, share, and exploit what the organization knows. Ignorance management, on the other hand, recognizes that it is never possible to know everything, or even a lot of things, well. Acting from an assumption that the organization knows enough may represent hubris at best and bad management at worst."

Michael H. Zack

Page 31

Bridging the Gap

(15 minutes)

Page 32

The Air Gap

• What we want is an assured asset.

• What we have is not what we want!

• There are gaps in our Purpose, Capability, Environment and Culture.

• Strategic Positioning of Security generates the roadmap.

• IA education gets people moving down that road.

Page 33

Gap Analysis

Page 34

Qualifications, Certification and Course Accreditation

Page 35

An IA Academy

This country needs an IA Academy, a specialist school of learning and of teaching. A place that finds ways to bring IA into mainstream IT and change the way we all deal with information.

• A place to study security, its vulnerabilities and failures in a dedicated academy; a repository of knowledge and incidents;

• Having a research facility to pursue innovative solutions. A place that coordinates IA issues, where threats and attacks can be diagnosed and investigated without compromising commercial sensitivities or the confidentiality of military systems.

Page 36

An Imaginative Solution

• There are challenges and opportunities presented by offering a UK-wide IA Education and CPD programme.

• The Academy needs to be innovative, timely and relevant, offering a clear progression through academically challenging and professionally rewarding education.

• It will have to enable students to pursue further careers in both academia and industry.

• The IA Academy can be positioned to facilitate security knowledge and curiosity.

Page 37

Presentation Plenary

[Figure labels: Untrusted; Unsafe; Insecure; Information Assurance: Examine how to manage our assets; Train to apply services; Know how to mitigate risks; Understand technology; Education, Training and Awareness; Exploit our NQF and generate CPD credits]

Page 38

Any Questions?

Page 39

Points to Remember

• Security is always related to utility. (You can always do nothing, securely.)

• Security should be relative to the threat.

• Security and its Assurance should be considered from an overall systems point of view.

• Security and its Assurance should be affordable and cost effective.

• Security should be as simple as possible.

• Education is the key to successful IA implementation.

It's a good day. Safe journey home.

Page 40