What is DACUM? DACUM (Developing A Curriculum) is a job analysis technique. The DACUM process is used to determine the competencies that should be addressed in a training curriculum for a specific occupation.
When: Dec. 1999 – Jan. 2000
Where: KRIVET (Korea Research Institute of Vocational Education and Training) in Korea
Who: DACUM committee consisting of 5 employees (ISMs) and 5 professors
How: DACUM process (modified)
Why: A Curriculum Development for ISM
Facilitator: Computer Science Education
Subject matter experts: 5
- Security R&D Manager: 1
- Security product implementer: 1
- Security Managers: 2
- Consultant (Security Integration): 1
Professors: 5 (MIS: 2; CS: 2; CE: 1)
(Korea Inst of Info Security & Cryptology)
2.2 DACUM Process for ISM
Table 1. Procedure of job analysis

| Steps | Procedure | Methods | Results |
|---|---|---|---|
| Step 1 | Preparation for job analysis | Data collection, interviews | Collection of related information and data. Organizing of DACUM committee. |
| Step 2 | Job/task analysis | DACUM | List of tasks and works including the characteristics of works. |
| Step 3 | Work analysis | DACUM | Work description: need for education; work elements, skills, knowledge, and tools. |
| Step 4 | Education/training program development | DACUM | Key works/education contents matrix, Key works/courses matrix. Course profile and education/training road map. |
| Step 5 | Validation | Interviews | Modification and documentation of results |
3. RESULTS OF JOB ANALYSIS ON INFORMATION SECURITY MANAGER
3.1 Job of ISM
3.2 Job Description and Work List of ISM
3.3 Key works (relating to education)
3.4 Example of Work description: Risk Analysis
(Draft Occupational description – not discussed here)
3.1 Job of Information Security Manager
Fig. 1. Flow chart of task and work for information security manager

A. Security policy
- A-1. Analysis of security requirements
- A-2. Document security policy
B. Risk management
- B-1. Risk analysis
- B-2. Selection of safeguard
- B-3. Test of selected safeguard
- B-4. Development of security guideline
- B-5. Security aggregate planning
C. Safeguard implementation & training
- C-1. Safeguard implementation
- C-2. Education and training
D. Safeguard management
- D-1. Operation & Maintenance
- D-2. Security audit & review
- D-3. Emergency Response to security incidents
- D-4. Monitoring
3.2 Job Description and Work List of ISM
1. Job Description: Manager for information system who establishes security policy, chooses and maintains optimal safeguards through risk management.
2. Work List

| Task | No | Name of work | Difficulty | Importance | Frequency |
|---|---|---|---|---|---|
| A. Security policy | 1 | Analysis of security requirements | | | |
| | 2 | Documentation of security policy | | | |
| B. Risk management | 1 | Risk analysis | | | |
| | 2 | Selection of safeguard | | | |
| | 3 | Test of selected safeguard | | | |
| | 4 | Development of security guideline | | | |
| | 5 | Security aggregate planning | | | |
| C. Safeguard implementation & training | 1 | Safeguard implementation | | | |
| | 2 | Education and training | | | |
| D. Safeguard management | 1 | Operations & maintenance | | | |
| | 2 | Security audit & review | | | |
| | 3 | Emergency response to security incidents | | | |
| | 4 | Monitoring | | | |
3.3 Key works (relating to education)
Education necessity: CRI = critical, IMP = important, SUP = supportive
Education methods: CT = Classroom Training, JA = Job Aids, OJT = On-the-Job Training, RT = Re-Training
3. Key Works

| Task | No | Name of work | CRI | IMP | SUP | CT | JA | OJT | RT |
|---|---|---|---|---|---|---|---|---|---|
| A. Security policy | 1 | Analysis of security requirements | | | | | | | |
| | 2 | Documentation of security policy | | | | | | | |
| B. Risk management | 1 | Risk analysis | | | | | | | |
| | 2 | Selection of safeguard | | | | | | | |
| | 3 | Test of selected safeguard | | | | | | | |
| | 4 | Development of security guideline | | | | | | | |
| | 5 | Security aggregate planning | | | | | | | |
| C. Safeguard implementation & training | 1 | Safeguard implementation | | | | | | | |
| | 2 | Education and training | | | | | | | |
| D. Safeguard management | 1 | Operations & maintenance | | | | | | | |
| | 2 | Security audit & review | | | | | | | |
| | 3 | Emergency response to security incidents | | | | | | | |
| | 4 | Monitoring | | | | | | | |
3.4 Example of Work description: Risk Analysis
1. Name of Work: B-1 Risk analysis
Difficulty average:
2. Achievement Level: Be able to evaluate vulnerability of information assets against threats by risk analysis.
3. Work Elements (Difficulty)
(1) Choice of risk analysis strategy
(2) Asset analysis: Assets classified, identified, evaluated property (from info point of view)
(3) Threat analysis: threats classified, identified, measured (for events / actor behaviors)
(4) Vulnerability evaluation: identified situations / points susceptible for attack (for threats)
(5) Business impact analysis for hazards or disaster
(6) Documentation of checklist for vulnerability evaluation
4. Related Knowledge & Skill
Knowledge: Accounting and finance, statistics, network, operating system, information system, hacking, virus.
Skill: Risk analysis tool, business impact analysis, documentation
5. Requirements Materials: Asset list, threats statistics, vulnerability evaluation checklist
6. Requirements Equipments and Tools: Server, PC, printer, risk analysis s/w
Test of selected safeguard * * * * * * * * * * * * * *
Security aggregate planning * * * * *
Safeguard Implementation * * * * * * * * * * *
Education and training * * * * * *
Operation & maintenance * * *
Security audit & review * * *
Emergency response to incidents * * *
Monitoring * * * * * * * * * * *
4.2 Key Works/Courses Matrix
Courses:
1. System security I
2. System security II
3. Network security I
4. Network security II
5. Application security I
6. Application security II
7. Information technology risk management
Key Works:
A-1 Analysis of security requirements
A-2 Documentation of security policy
B-1 Risk analysis
B-2 Selection of safeguard
B-3 Test of selected safeguard
B-5 Security aggregate planning
C-1 Safeguard implementation
C-2 Education and training
D-1 Maintenance
D-2 Security audit
D-3 Response of security incidents
D-4 Monitoring
4.3 Example of Course Profile: Network Security I
Program: Information Security Manager
Course name: Network security I
Course aim (Education goal):
1. Able to describe network security
2. Able to establish an approach and a technical strategy for network security
3. Able to establish security measures for the PC networks.
Course contents:
1. Distributed computing and network operation
2. Network security issues
3. Rule of network security
4. Network security approach and mechanism
5. Security and issues related to networking PCs
6. Strategy of network security
7. Network security standard
Institute: College, University
Contact Period: 256 hours
Education method: Theory and practice
Prerequisite courses: Computer network, Operating system
The 4 tasks of ISM are security policy (with two works), risk management (with five works), safeguard choice (two works), and safeguard maintenance management (four works).
There are 18 education contents and 7 education courses in the education/training program for ISM.
The primary methodological contribution has been the combination of DACUM and interviews, including the final validation step in which the committee reviewed the feedback from industry and academia.
Because DACUM is a cost-effective approach, this technique can also be applied to other educational programs to fine-tune them using the validation step. However, the worker-oriented instruments for job analysis have several limitations.
Further work: on issues relating to ISM occupation