Curriculum & Workforce Development in Cyber-Security
Hal Zenisek, Blackhawk Technical College, Janesville, Wisconsin USA
“If it works, try not to be surprised.”
by Ron Fischer, WCTC
Introduction – The Power of 2
Three purposes of this session
Share lessons learned developing a 2-year degree for information security
Share ideas for workforce development
Learn from others attending this session
Introductions
Hal Zenisek
Dean, Business & Information Technology
Blackhawk Technical College
Janesville, Wisconsin
Our Agenda
What I plan to talk about!
Our Thesis – Information is the asset
Industry-driven program design
Share resources & skill standards
Course & Curriculum development
Faculty development
Delivery methodologies & ideas for workforce development
Sharing ideas & questions
Blackhawk Technical College – www.blackhawk.edu
Mission - Career & Technical Education including workforce & economic development
Business & Information Technology
2-year programs, diplomas, & certificates
Accounting, Marketing, Management
Office Careers
IT Cluster
  Networking Specialist
  Micro Programmer Specialist
  Help Desk Assistant
  Information Systems Security Specialist
The WTCS Associate in Applied Science Degree
Applied Associate degree programs as defined by Wisconsin Statute are two-year, post-high school programs in an area designated and approved by the State Board for which the course requirements are established by the State Board. Applied associate degree programs adhere to the following principles:
provide the education and training in occupational areas required by the state's economy;
shall prepare students to be productive employees and to succeed in occupations requiring advanced education and training;
specific degree requirements shall have a demonstrated relevance to the needs of employers and students as employees;
all courses shall be of the highest quality as demonstrated by national and regional accreditation and perceptions of graduates and employers;
shall be designed to impart identified competencies and program graduates shall achieve those competencies.
ADDIE
The ADDIE Instructional Design Model
Analysis --> Design --> Development --> Implementation --> Evaluation
Analysis & needs identification
It’s about Information Security…
Our thesis – it’s all about Information Security!
Computers (& even networks) can be replaced, information is the asset which has value & therefore the critical resource.
Information security includes assurance, confidentiality, availability, integrity, threats & vulnerabilities.
What KSAs go with protecting/securing information & information systems?
Which competencies fit within our mission & purpose as a 2-year technical college?
Which are the highest priority? Prepare for future “program outcomes” and documenting the need.
KSAs – technical skills go beyond networking and include security management, policy development, ethical behavior, and more. Breadth of field versus depth of field. Issues inside the firewall as well as outside of it.
More on Information Security
Information needs to be available and Information needs to be private.
Information needs to be trusted.
Information systems need to be reliable.
Networks make information available.
Secure networks help ensure privacy & protection.
However, we felt there is more.
Types of information systems
Accounting information systems
Financial systems (banking & others)
Business systems (e-Commerce)
Health information systems (medical)
Community information systems (Emergency Response)
Governmental, education, telecommunications & others
Blackhawk Technical College’s Multi-Disciplinary Approach
Network Security (4 courses)
Programming & e-Commerce for information systems security (3 courses)
Security Management (5)
Business Continuity Planning
Cyber Law & Ethics
Security Measures/Countermeasures (intrusion detection & defending an internetworked system against attacks) would be our capstone lab experience.
AAS limited to 68 credits - 12 core courses.
Advanced technical certificates = 36 credits.
Target trained incumbent IT professionals and technical staff.
Elective courses for IT students in other majors such as networking & programming.
Big picture approach & cross section of the continuum of information systems.
From operating systems, buffer overruns, policies & procedures, to intrusion detection & appropriate countermeasures.
Program Design – A Multi-Disciplinary Approach
Blackhawk Technical College found:
One Wisconsin employer (without a significant Web presence) shared their recent experience with a spam firewall.
Based on 900 users
Over 5000 e-mail per hour
2974 were spam (60%)
33 had viruses
SOP for their IT personnel & business was transacted without incident with a firewall & spam filter (plus trained personnel).
Recent Job Advertisement– Madison, Wisconsin
Enterprise Security Specialist
Sets overall security strategy, conducts security technology research, consults on best practices, and coordinates in-house security operations.
Bachelor's degree, Computer Science
5 years recent experience – networks
Cisco experience
CISSP and/or Cisco certification.
Blackhawk Technical College’s Needs Assessment Process
Institutional Advancement survey
51% response rate from 74 employers
53% have problems finding qualified cyber security workers
56% indicated the demand would increase over the next four years
16 new full-time and 7 new part-time openings over next 4 yrs. projected
Blackhawk Technical College’s Needs Assessment Data
82% would encourage current employees to participate in an educational program
89% would hire a graduate from a cyber security program
average hourly wage = $20.20 ($42,000)
sent to the WTCS office & approved as a new & emerging occupation
approval to proceed with program development
Program & Curriculum Design
Program Design
Course & curriculum development
Industry-Driven Design
NSA Information Assurance Directorate & Skill Standard (www.nsa.gov)
Relevant industry-based competencies such as the Systems Security Certified Practitioner (www.isaca.org)
Global Information Assurance Certification (www.giac.org)
Local Chapter of the ISSA (Information Systems Security Association - see www.issa.org).
Alignment with 10 domains of the CISSP or not?
Blackhawk Technical College IT Employer Advisory Committee (Rock & Green County Wisconsin) – “everyone is impacted by this.”
www.aacc.nche.edu
Blackhawk Technical College Program Design Process
Articulate our thesis & correlate it to an identified need. It’s about Information Security!
Draft exit skills statements & design program outcomes from those. Align & refine as we go.
Select tentative courses as building blocks to program outcomes.
Aligned with industry skill standards.
Prioritize program & course outcomes.
Prepare for course level curriculum development.
Focused on the learner?
Proposed Exit Skills
From the learner's point of view
From an employer's point of view
These will evolve into future program outcomes
Proposed Exit Skills
1. A very good understanding of what information security is, as currently defined by both industry and government.
2. A detailed understanding of the man-made and natural threats to information systems, and how to effectively deal with them.
3. An extensive knowledge of the information assets that need protection.
4. A detailed knowledge of the various methods for countering/preventing internal and external threats.
5. A detailed knowledge of how to deal with threats.
6. An understanding that InfoSec is not a single thing, nor is it an absolute science or a purely technical subject.
7. A detailed methodology for creating and maintaining a consistently proven means for countering threats in an organizational InfoSec Program.
8. An understanding that a successful approach to security planning, policies, and procedures is as much about business process improvement as it is about technology.
9. An understanding of the need to maintain the interoperability of the organizational InfoSec Program with external systems.
10. What makes Information Assurance (IA) different than InfoSec and the need for IA across the enterprise.
11. The knowledge base necessary to obtain common InfoSec/IA industry certifications.
Kay Fratianne, Blackhawk Technical College
What are Program Outcomes in Career & Technical Education?
Occupational specific knowledge, skills and attitudes that learners demonstrate upon completion.
Pertain to the holistic ‘program’ and go beyond courses.
Derived from overall tasks performed on the job or in life roles.
Are not program evaluation; the learner is the focus not the program.
Program Outcomes Purpose
Provides the reader with an overview of what the learner will be able to do as a result of the learning process.
Highest level of achievement that is part of the learning process.
Are supported by student outcomes assessment plans.
Program Outcomes Guidelines
Use lead-in phrase – upon completion of the Infosec program, the learner will be able to do.
Use only one action verb per outcome and preferably the application level or above.
Consider the nature of the skills and the environment in which the learner will perform on the job.
Write concise & clear phrases.
Limit of 8 to 10 outcomes validated by advisory committee members – both for content and for understanding.
BTC Infosec Program Outcomes
Identify resources, assess threats, analyze losses, and understand vulnerabilities of information systems.
Establish safeguards for automated information systems.
Install, configure, and use specialized security software, hardware, and firmware components.
Troubleshoot potential IT security issues.
Implement preventative measures.
Respond to threats from viruses, worms, and other unauthorized access.
Program Design Model Adds Flexibility
No specific hardware or software specifics through the use of more generic titles (Operating Systems Security).
A variety of hardware, firmware, and software vendors are covered in courses and found in the lab.
Statewide model for other WTCS colleges.
Current Issues & Trends seminar changes based on employer input, technology, and trends.
Program Outcomes – Resources
DACUM facilitated process
Advisory Committee
Job Postings
Employee Input
Industry standards
Graduate follow-up studies
Internships
Other colleges
Program Design Resources
NSA www.nsa.gov
Centers for Academic Excellence
Skill Standards such as 4011, 12, etc.
Protecting Information: The Role of Community Colleges in Cybersecurity Education www.aacc.nche.edu.
Program Design Resources
Cybersecurity Education in Community Colleges.pdf
4011.pdf
www.nsa.gov/ia/index.cfm
CISSP – www.isc2.org
“Infosec” Core Courses – Blackhawk Technical College
I’Net/WWW+
Information Security Principles
Network Security
Internetwork Security I
Internetwork Security II
Designing Secure Websites
Operating Systems Security
Security Policies & Procedures
Information Security Documentation
Client/Server Systems Security
Security Measures & Countermeasures
Business Continuity Planning
Curriculum Development
Our plan for getting students to those exit skills and program outcomes.
www.samsa.com
Curriculum Development
“It’s About Information Security”
Course-level outcomes (blueprint)
Competencies
  Major skills, attitude, or ability needed to perform a task effectively
Learning Objectives
Performance Standards
Learning Plans with learning activities
Performance Assessment Plans
Student Outcomes Assessment Plans
Curriculum Development
Competency-based software - WIDS
Each course has several competencies that support program outcomes.
Each competency has learning objectives, performance standards, learning plans, and assessment.
WIDS generated reports include syllabi, Course Outcome Summary, and addresses…
Worldwide Instructional Design System (WIDS)
www.wids.org
4011 Alignment
ISSC4011Matrix.xls
Alignment efforts
ISSCPCrsAreas 2005.xls
Alignment Efforts & Curriculum
ISSCPWIDS.xls
WIDS Course Examples
Information Security Principles ITSEC-114.doc
Network Security ITSEC-124.doc
Perimeter Security ITSEC-145.doc
Implementation (Delivery)
Instructional delivery vision
Face-to-face traditional learning
On-line (distance learning)
On-site employee development
Technical assistance
Seminars, awareness workshops & lifelong learning for IT and non-IT employees
Real Life – Student 1
Age, 40+ & Female
Main Frame Programmer & Web Site Administrator for a number of years
Laid off & job hunting; ready to leave IT for a more viable occupation
Last time in ‘school’ was mid 1980’s
“I love this program and am so glad you talked me into it. It’s the first time I’ve ever taken time to look at the big picture. I can’t wait to get a job in this field.”
Real Life – Student 2
Age, 30+, Male & learned everything he knows about IT ‘on-the-job.’
Local ISP Administrator for a number of years.
Last time in school was high school & didn’t like it that much.
Strong technical skills – “a quick study” but often sees the answer as adding more technology.
Doesn’t see the need for policies and procedures.
A classic practitioner in approach to problem solving.
Serving distance education learners with limited resources
Blackboard? WebCT? Others?
IT infrastructure support?
College firewalls & security?
www.etechcollege.com
Distance Learning via the Web
Powered by BlackBoard, Inc.
Hosted by Milwaukee Area Technical College. www.matc.edu
Information Security Principles 154-151
Disaster Recovery Planning 154-155
Workforce Development
Short-course seminars (modules from credit courses)
Week-long “boot camps”
Awareness seminars for all employees – password protocols, basics on viruses, ethics, inside the firewall…
New hire training for your IT staff? – Specific Courses? 12-course, 36-credit certificate? 2-year AAS degree?
Evaluation
Program evaluation – 3 years
Crucial Conversations
Lessons Learned
The Reflective Practitioner
Next Steps?
Plan Do Check Act
Crucial BTC Conversations
Is the time right for expanding IT educational programs?
So tell me again why do you want to bring viruses on the College’s computers?
Aren’t you teaching hackers to be better hackers?
Will there be jobs at the end?
It’s a great idea for the 4-year college
Key Points & the Power of 2
We are one dean and one faculty member at a small school in central Wisconsin – do not underestimate the power of 2.
It is more than simply computer security. It’s more than network security. It’s all about information security.
Technical competencies and security management oriented competencies are both part of our approach. Both in the computer lab make for terrific conversations! Integrating this is powerful.
Future Vision & The Power of 2
AAS degree approved for next fall.
2+2 partnerships for Baccalaureate degrees will better serve students & the workforce.
Distance learning courses support an employed IT workforce.
Supporting the college’s IT infrastructure with advising and technical assistance. Our campus is more secure!
Better aligning our occupational outcomes with related certification programs & getting students into testing such as the CISSP.
“Center for Information Assurance?”
Transitioning to an AAS
21 credits of General Education
6 credits of Elective courses
42 credits of Program Requirements
18 credits – support
34 credits of core
Work-based learning component
68 total credits
Academic Partnerships
Milwaukee Area Technical College’s AAS degree (www.matc.edu)
University of Illinois, Center for Academic Excellence, Champaign
National Colloquium for Information Systems Security Education or CISSE (http://www.ncisse.org).
Wisconsin Technical College System office, Madison, Wisconsin (www.wtcsystem.org).
Worldwide Instructional Design Software (www.wids.org).
Franklin University (www.franklin.edu) pending a 2+2 agreement for an online Bachelors degree.
Faculty Development
CISSE, June 2005 in Atlanta GA
NSA Centers of Academic Excellence
NSA Skill Standards 4011 – 4014 etc.
CISSP’s 10 domains & certification
Designing & delivering distance learning
WIDS Curriculum Development software training
The Other Half of the Power of 2
Douglas A. Tabbutt
IT Instructor
Center for Information Assurance Education
Blackhawk Technical College
6004 Prairie Road
Janesville, WI USA
Wrap-up & Next Steps
Expanding The Power of 2
Summarize any actions from the audience as a result of this presentation?
Summarize any follow up action items required from Blackhawk Technical College?
See me during the conference if you want to talk further.
At Blackhawk Technical College, Janesville Wisconsin
It’s about ?
Questions and Discussion