Download It Presentation Transcript

  • 1. A Curriculum Development for Information Security Manager Using DACUM Ki-Yoon Kim Kwangwoon University, Korea [email_address] Ken Surendran Southeast Missouri State University [email_address]
  • 2. CONTENTS
    • INTRODUCTION (ISM)
    • JOB ANALYSIS METHODOLOGY
    • RESULTS OF JOB ANALYSIS ON ISM (INFORMATION SECURITY MANAGER)
    • CURRICULUM DEVELOPMENT FOR ISM
    • CONCLUSION
  • 3. 1. INTRODUCTION
    • In information and technology security, a risk is any hazard or danger to which a system or its components (e.g., hardware, software, information, or data) is subjected.
    • The job of an ISM (Information Security Manager) is to ensure confidentiality, integrity, and availability, which could be compromised when those risks actually surface.
    • DACUM (Developing A CUrriculuM) is a job analysis method used to create descriptions for new education /training programs.
  • 4. 2. JOB ANALYSIS METHODOLOGY
    • 2.1 DACUM - a Job Analysis Method
    • 2.2 DACUM Process for ISM
  • 5. 2.1 DACUM - a Job Analysis Method
    • What is DACUM? DACUM (Developing A CUrriculuM) is a job analysis technique. The DACUM process is used to determine the competencies that should be addressed in a training curriculum for a specific occupation.
    • When: Dec. 1999 – Jan. 2000
    • Where: KRIVET (Korea Research Institute of Vocational Education and Training) in Korea
    • Who: DACUM committee consisting of 5 employees (ISMs) and 5 professors
    • How: DACUM process (modified)
    • Why: A curriculum development for ISM
  • 6. DACUM committee
    • Facilitator – Computer Science Education
    • Subject matter experts – 5:
      • Security R&D manager – 1
      • Security product implementer – 1
      • Security managers – 2
      • Consultant (security integration) – 1
    • Professors – 5: MIS – 2; CS – 2; CE – 1 (Korea Institute of Information Security & Cryptology)
  • 7. 2.2 DACUM Process for ISM
    Table 1. Procedure of job analysis (Step / Procedure / Methods / Results)
    • Step 1: Preparation for job analysis. Methods: data collection, interviews. Results: collection of related information and data; organizing of the DACUM committee.
    • Step 2: Job/task analysis. Methods: DACUM. Results: list of tasks and works, including the characteristics of works.
    • Step 3: Work analysis. Methods: DACUM. Results: work description: need for education; work elements, skills, knowledge, and tools.
    • Step 4: Education/training program development. Methods: DACUM. Results: key works/education contents matrix, key works/courses matrix; course profile and education/training road map.
    • Step 5: Validation. Methods: interviews. Results: modification and documentation of results.
  • 8. 3. RESULTS OF JOB ANALYSIS ON INFORMATION SECURITY MANAGER
    • 3.1 Job of ISM
    • 3.2 Job Description and Work List of ISM
    • 3.3 Key works (relating to education)
    • 3.4 Example of Work description: Risk Analysis
    • (Draft Occupational description – not discussed here)
  • 9. 3.1 Job of Information Security Manager
    Fig. 1. Flow chart of task and work for information security manager (Task / Work)
    • A. Security policy
      • A-1. Analysis of security requirements
      • A-2. Document security policy
    • B. Risk management
      • B-1. Risk analysis
      • B-2. Selection of safeguard
      • B-3. Test of selected safeguard
      • B-4. Development of security guideline
      • B-5. Security aggregate planning
    • C. Safeguard implementation & training
      • C-1. Safeguard implementation
      • C-2. Education and training
    • D. Safeguard management
      • D-1. Operation & maintenance
      • D-2. Security audit & review
      • D-3. Emergency response to security incidents
      • D-4. Monitoring
  • 10. 3.2 Job Description and Work List of ISM
    • 1. Job Description: Manager for information systems who establishes security policy and chooses and maintains optimal safeguards through risk management.
    • 2. Work List (Task / No / Name of work; rating columns: Difficulty, Importance, Frequency)
      • A. Security policy: 1. Analysis of security requirements; 2. Documentation of security policy
      • B. Risk management: 1. Risk analysis; 2. Selection of safeguard; 3. Test of selected safeguard; 4. Development of security guideline; 5. Security aggregate planning
      • C. Safeguard implementation & training: 1. Safeguard implementation; 2. Education and training
      • D. Safeguard management: 1. Operations & maintenance; 2. Security audit & review; 3. Emergency response to security incidents; 4. Monitoring
  • 11. 3.3 Key works (relating to education)
    Legend: CRI – critical, IMP – important, SUP – supportive; CT – classroom training, JA – job aids, OJT – on-the-job training, RT – re-training
    • 3. Key Works (Task / No / Name of work; columns: Education necessity – CRI, IMP, SUP; Education methods – CT, JA, OJT, RT)
      • A. Security policy: 1. Analysis of security requirements; 2. Documentation of security policy
      • B. Risk management: 1. Risk analysis; 2. Selection of safeguard; 3. Test of selected safeguard; 4. Development of security guideline; 5. Security aggregate planning
      • C. Safeguard implementation & training: 1. Safeguard implementation; 2. Education and training
      • D. Safeguard management: 1. Operations & maintenance; 2. Security audit & review; 3. Emergency response to security incidents; 4. Monitoring
  • 12. 3.4 Example of Work description: Risk Analysis
    • 1. Name of Work: B-1 Risk analysis
    • 2. Achievement Level: Be able to evaluate the vulnerability of information assets against threats by risk analysis. Difficulty: average
    • 3. Work Elements (each rated for difficulty)
      • (1) Choice of risk analysis strategy
      • (2) Asset analysis: assets classified, identified, and evaluated properly (from an information point of view)
      • (3) Threat analysis: threats classified, identified, and measured (for events / actor behaviours)
      • (4) Vulnerability evaluation: identified situations / points susceptible to attack (for threats)
      • (5) Business impact analysis for hazards or disasters
      • (6) Documentation of checklist for vulnerability evaluation
    • 4. Related Knowledge & Skill
      • Knowledge: accounting and finance, statistics, network, operating system, information system, hacking, virus
      • Skill: risk analysis tool, business impact analysis, documentation
    • 5. Required Materials: asset list, threat statistics, vulnerability evaluation checklist
    • 6. Required Equipment and Tools: server, PC, printer, risk analysis s/w
  • 13. 4. CURRICULUM DEVELOPMENT FOR ISM
    • 4.1 Key Works/Education Contents Matrix
    • 4.2 Key Works/Courses Matrix
    • 4.3 Example of Course Profile: Network Security I
    • 4.4 Education Training Road Map
  • 14. 4.1 Education Contents
    • Information security law and standards
    • Information system analysis and design
    • System security technology
    • Database
    • Operating system
    • Network security
    • Intrusion detection and interception
    • Network
    • Network security technology
    • Virus
    • Hacking case
    • Web security
    • E-commerce security
    • Accounting and finance
    • Statistics
    • Risk analysis
    • Decision theory
    • Cryptology
  • 15. Key work / education contents mapping
    • Key Works / Education Contents (numbered 1 to 18 in the order listed under 4.1); each * marks one education content mapped to the key work
    • Analysis of security requirements * * *
    • Documentations of security policy * *
    • Risk analysis * * * * * * * * *
    • Selection of safeguards * * * * * * * * * * * * * * * *
    • Test of selected safeguard * * * * * * * * * * * * * *
    • Security aggregate planning * * * * *
    • Safeguard Implementation * * * * * * * * * * *
    • Education and training * * * * * *
    • Operation & maintenance * * *
    • Security audit & review * * *
    • Emergency response to incidents * * *
    • Monitoring * * * * * * * * * * *
  • 16. 4.2 Key Works/Courses Matrix
    • Courses: 1. System security I; 2. System security II; 3. Network security I; 4. Network security II; 5. Application security I; 6. Application security II; 7. Information technology risk management
    • Key Works mapped to the courses above:
      • A-1 Analysis of security requirements
      • A-2 Documentation of security policy
      • B-1 Risk analysis
      • B-2 Selection of safeguard
      • B-3 Test of selected safeguard
      • B-5 Security aggregate planning
      • C-1 Safeguard implementation
      • C-2 Education and training
      • D-1 Maintenance
      • D-2 Security audit
      • D-3 Response to security incidents
      • D-4 Monitoring
  • 17. 4.3 Example of Course Profile: Network Security I
    • Program: Information Security Manager
    • Course name: Network security I
    • Course aim (education goal): 1. Able to describe network security; 2. Able to establish an approach and a technical strategy for network security; 3. Able to establish security measures for PC networks.
    • Course contents: 1. Distributed computing and network operation; 2. Network security issues; 3. Rules of network security; 4. Network security approach and mechanism; 5. Security and issues related to networking PCs; 6. Strategy of network security; 7. Network security standards
    • Institute: College, University
    • Contact period: 256 hours
    • Education method: Theory and practice
    • Prerequisite courses: Computer network, Operating system
  • 18. 4.4 Education/training road map
    • Steps: the 3rd occupation competence (levels 1 and 2) and the 4th occupation competence (levels 1 to 4)
    • Courses: system security basic course; network security basic course; application security course; network security expert course; application security expert course; information technology risk management course; system security expert course
  • 19. 5. CONCLUSION
    • There are 4 tasks and 13 works in the job of ISM.
    • The 4 tasks of ISM are security policy (with two works), risk management (with five works), safeguard choice (two works), and safeguard maintenance management (four works).
    • There are 18 education contents and 7 education courses in the education/training program for ISM.
    • The primary methodological contribution has been the combination of DACUM and interviews including the final validation step in which the committee reviewed the feedback from industry and the academia.
    • Since DACUM is a cost-effective approach, the technique can be applied to other educational programs as well, fine-tuning them through the validation step. However, worker-oriented instruments for job analysis have several limitations.
  • 20. Questions?
    • Further work: issues relating to the ISM occupation
    • Question Time