IT Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development EDUCAUSE Live! November 14, 2007


IT Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development EDUCAUSE Live! November 14, 2007

2 Agenda
- DHS/CS&C/NCSD Organizational Overview
- Training & Education Objectives/Key Programs
- Introduction to the IT Security EBK
  - Objectives
  - Contributing Resources and Methodology
  - Model Framework
  - Role and Functional Matrix
  - Potential for Strengthening the Workforce
  - Public Review and Comment

3 The National Protection and Programs Directorate and the Office of Cybersecurity and Communications (organization chart)
- Under Secretary for National Protection and Programs
  - Deputy Under Secretary
- Office of Infrastructure Protection (Assistant Secretary)
- Inter-governmental Programs (Assistant Secretary)
- Risk Management and Analysis (Director)
- US-VISIT (Director)
- Office of Cybersecurity and Communications (Assistant Secretary)
  - National Cyber Security Division
  - National Communications System
  - Office of Emergency Communications

4 NCSD Organization Chart
- Director
- Deputy Director
- US-CERT
  - Operations
  - Future Operations
  - Mission Support
  - Situational Awareness
  - Law Enforcement/Intel
- Outreach & Awareness
  - Stakeholder Communications
  - Public Affairs
  - GFIRST
  - CISO Forum
  - US-CERT Portal
- Strategic Initiatives
  - CIP Cyber Security
  - Control Systems Security Program
  - Software Assurance
  - Training & Education
  - Exercise Planning & Coordination
  - ISS-LOB Program Office
  - Standards & Best Practices
  - R&D Coordination

5 Training & Education: Program Goals and Objectives
National Strategy to Secure Cyberspace, Priority III: National Cyberspace Security Awareness and Training Program
NCSD Education and Training Program Goal: Foster adequate training and education programs to support the Nation's cyber security needs
- Improve cyber security education for IT professionals
- Increase efficiency of existing cyber security training programs
- Promote widely recognized, vendor-neutral cyber security certifications

6 Training & Education: Key Programs
- IT Security EBK: A Competency and Functional Framework for IT Security Workforce Development
- National Centers of Academic Excellence in Information Assurance Education (CAEIAE Program)
- Federal Cyber Service: Scholarship for Service (SFS Program)

7 Training & Education: National CAEIAE Program
- Founded in 1998 by NSA; co-sponsored with DHS since 2004
- Eligibility: four-year universities demonstrating significant depth and maturity in IA programs, as well as overall university cyber security posture
- Currently designated: 86 universities in 34 states and DC

8 Training & Education: Federal Cyber Service: SFS Program
- Founded in 2001 by NSF; co-sponsored by DHS since 2004
- Provides scholarship money for a maximum of 2 years, in exchange for an equal period of Federal employment
- ~350 students from 30 universities

9 IT Security EBK: Objectives
- Ensure that we have the most qualified and appropriately trained IT security workforce possible
- Establish a national baseline representing the essential knowledge and skills that IT security practitioners should possess to perform their roles
- Advance the IT security landscape by promoting uniform competency guidelines

10 IT Security EBK: Model (diagram)

11 IT Security EBK: Contributing Resources
- DoD's Workforce Improvement Program (WIP) Directive: IA Training and Certification Framework
- Committee on National Security Systems (CNSS) Training Standards
- DoD Physical and Personnel Security program policy
- Federal Acquisition Regulation
- Various Federal agency program plans
- Position descriptions
- NIST SP 800 series
- FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems
- ISO/IEC standards
- Models (COBIT, SSE-CMM, CMMI)
- Microsoft Operations Framework

12 IT Security EBK: Methodology
1. Develop notional competencies using DoD IA Skill Standards
2. Identify functions from resources and critical work functions (CWFs) and map them to competencies
3. Identify key terms and concepts for each competency area
4. Identify notional IT security roles
5. Categorize functions as Manage, Design, Implement, Evaluate
6. Map roles to competencies to functional perspectives

13 IT Security EBK: Functional Perspectives
Work functions that concern:
- Manage: overseeing a program or technical aspect of a security program at a high level and ensuring its currency with changing risk and threat
- Design: scoping a program or developing procedures and processes that guide work execution
- Implement: putting programs, processes, or policy into action within an organization
- Evaluate: assessing the effectiveness of a program, policy, or process in achieving its objectives

14 IT Security EBK: The Framework
14 Competency Areas
- Definitions for each to specify the parameters of what's included and avoid overlap
- Work functions categorized by functional perspective (M, D, I, E)
Key Terms and Concepts, aligned to competencies
10 Function-Based IT Security Roles
- Clusters of organizational positions/jobs
- Example job titles for clarification
- Role charts to "bring together" the model from an individual's perspective

15 IT Security EBK: Framework Components
- 14 Competency Areas
- Key Terms and Concepts
- 10 Function-Based IT Security Roles
- Competency, Role and Function Matrix

16 IT Security EBK: 14 Competency Areas
- Data Security
- Digital Forensics
- Enterprise Continuity
- Incident Management
- IT Security Training and Awareness
- IT Systems Operations and Maintenance
- Network Security and Telecommunications
- Personnel Security
- Physical and Environmental Security
- Procurement
- Regulatory and Standards Compliance
- Risk Management
- Strategic Management
- System and Application Security

17 EXAMPLE IT Security EBK: Regulatory and Standards Compliance
Definition: Refers to the application of the principles, policies, and procedures that enable an enterprise to meet applicable information security laws, regulations, standards, and policies to satisfy statutory requirements, perform industry-wide best practices, and achieve its information security program goals.
Key Terms and Concepts: Assessment; Auditing; Certification; Compliance; Ethics; Evaluation; Governance; Laws; Policy; Privacy Principles/Fair Information Practices; Procedure; Regulations; Security Program; Standards; Validation; Verification
Functions:
- Manage: Establish and administer a risk-based enterprise information security program that addresses applicable standards, procedures, directives, policies, regulations and laws
- Design: Specify enterprise information security compliance program control requirements
- Implement: Monitor and assess the information security compliance practices of all personnel in accordance with enterprise policies and procedures
- Evaluate: Assess the effectiveness of enterprise compliance program controls against the applicable laws, regulations, standards, policies, and procedures

18 IT Security EBK: 10 Roles
- Chief Information Officer
- Digital Forensics Professional
- Information Security Officer/Chief Security Officer
- IT Security Compliance Professional
- IT Security Engineer
- IT Security Professional
- IT Systems Operations and Maintenance Professional
- Physical Security Professional
- Privacy Professional
- Procurement Professional

19 EXAMPLE IT Security EBK: Role Chart
Role: IT Security Compliance Professional
Role Description: The IT Security Compliance Professional is responsible for overseeing, evaluating, and supporting compliance issues pertinent to the organization. Individuals in this role perform a variety of activities, encompassing compliance from an internal and external perspective. Such activities include leading and conducting internal investigations, assisting employees to comply with internal policies and procedures, and serving as a resource to external compliance officers during independent assessments. The IT Security Compliance Professional provides guidance and autonomous evaluation of the organization to management.
Job Titles: Auditor; Compliance Officer; Inspector General; Inspector/Investigator; Regulatory Affairs Analyst
Competencies/Functional Perspectives:
- Data Security: Evaluate
- Digital Forensics: Evaluate
- Enterprise Continuity: Evaluate
- Incident Management: Evaluate
- IT Security Training and Awareness: Evaluate
- IT Systems Operations & Maintenance: Evaluate
- Network Security & Telecommunications: Evaluate
- Personnel Security: Evaluate
- Physical and Environmental Security: Evaluate
- Procurement: Evaluate
- Regulatory & Standards Compliance: Design, Implement, Evaluate
- Risk Management: Implement, Evaluate
- Strategic Management: Evaluate
- System and Application Security: Evaluate

21 IT Security EBK: Strengthening the IT Security Workforce (diagram: IT Security EBK linked to Education and Training)

22 IT Security EBK: Strengthening the IT Security Workforce (diagram: IT Security EBK linked to Professional Development and Workforce Management)

IT Security EBK: Federal Register Publication, October - December 2007
Download EBK:
Request Comment Form:
Submit comments by December 7

Contact Information:
Brenda Oldfield, Program Director, Training and Education
CS&T, National Cyber Security Division
(703)