ASSC Military Information Assurance and Security Symposium 2009

A holistic approach to effective Information Assurance Education: MIASec09

Information is a key asset within Government, but it can also become a key liability. Departmental Accounting Officers (AOs), through their Senior Information Risk Owners (SIROs) and their Information Asset Owners (IAOs), are accountable for the adequate protection of information which is collected, processed and stored within their Departments. To do so they must put in place effective Information Risk Management (IRM) processes and procedures. They will also need to be assured that these arrangements are sufficient to reveal what impact the range of programmes in Transformational Government will have on their Department's information risk.

The growing need for Departments to share information in response to the Transformational Government and Shared Services initiatives means that common standards need to be applied across Government. This is to ensure that those accountable and responsible for IRM can have confidence that the information will be handled appropriately when it is passed to others. The HMG Security Policy Framework (HMG SPF) [1] lays down mandatory standards to be applied by Departments. However, in addition to these standards there is a body of best practice measures which, if applied, will assist Departments in discharging their obligations to enact effective IRM.

To assist SIROs in putting in place an effective change programme to improve IRM, an Information Assurance (IA) Maturity Model has been created. This Model incorporates the mandatory information-related requirements of the HMG SPF, which include the requirement to apply the 2008 Data Handling Review [2] (also available as IS6 [3]), and it is aligned with the ISO 27001 Standard [4] and the broader outcomes sought by the National IA Strategy [5]. The Model is underpinned by an IA Assessment Framework (IAAF) which gives considerably more detail of the measures required to deliver the levels of maturity contained within the Model.

In addition, the IAAF has been designed for use by independent IA Review Teams as part of an independent IA Benchmarking Service delivered by CESG. However, the IAAF can also be used by Departments that wish to conduct IA self-assessments, either by themselves or with some limited support from CESG staff.
    1. Information Security and its Assurance
       A holistic approach to effective Information Assurance Education
    2. A holistic approach to effective Information Assurance Education
       Presented by: Christopher Richardson, BEng CEng MIET, M.Inst.ISP, QTS.
       CIS Security Lecturer, Defence College of Communications and Information Systems, Blandford Forum, Dorset.
       Associate Lecturer to Bournemouth University and EngD Research Engineer at Southampton University.
       A holistic approach to effective Information Assurance Education Slide 2
    3. Goals
       Introduce and scope current UK Government ideas and IA professional development.
       Provide an Educator's insight into the direction of Information Security and its Assurance.
    4. Training, Education and Awareness
       Goal: IA responsibilities are assigned from the Main Board downwards to ensure that appropriately trained staff are held accountable for their decisions and actions. The result is a culture within the organisation that values information as a business asset.
       Justification: Without effective training, education and awareness, staff within the organisation will not implement policies and procedures in a way that values and protects information as a core business asset.
       HMG Information Assurance Maturity Model and Assessment Framework (Version 2.0 dated 20 Feb 09)
    5. Presentation Themes
       There are four themes to this holistic approach to the Assurance Paradigm:
       Complexity; Professionalism; Strategic Positioning; Educational Bridges.
    6. A Complex World (agenda)
       A Complex World: IA in the Defence Community; Assuring the Information Assets.
       The UK's IA Profession: IISP Perspective; Cabinet Office/GIPSI; Educational Goals.
       KTN the Information Security Officers: Strategic Positioning of Security; Cyber Security for Information Leaders.
       Bridging the IA gap: Professional Development Programmes; Qualifications, Certification and Course Accreditation; IA Academies.
    7. The Information Concept Map (figure only)
    8. The Information Asset
       Information is one of the most important assets of our business.
       How much do we and our user community really comprehend this?
    9. A Complex World (figure only)
    10. (figure only)
    11. (figure only)
    12. (figure only)
    13. (figure only)
    14. Information Assurance
       Information Assurance (IA) provides effective and timely exploitation of information.
       IA is fundamental to all aspects of MoD's business, from the successful conduct of military operations to the management of the MoD as a Department of State.
       IA ensures stakeholder confidence that Information Systems risk is managed pragmatically, appropriately and in a cost-effective manner.
    15. And it's multi-functional, multi-disciplined (figure only)
    16. IA Security Framework (figure only)
    17. IA in the Defence Community
       The military see IA from the premise that it is the conduct of Defence business, whether on deployed operations or in the administration of MoD as a Department of State, that should predominate.
       IA encompasses all activity needed to assure the critical information on which Defence business relies. From this approach a new definition of IA is established:
       Information Assurance (IA) is a management process, designed to ensure that the systems and networks employed to manage the critical information used by an organisation are reliable and secure, and that measures and processes are in place to counter malicious activity, in order to support the business needs of the organisation.
    18. The IA Cycle
       Purpose; Environment; Culture; Capability.
    19. Assuring the Information Assets
       Without the timely and effective use of information our decisions become jaded, inappropriate or suspect. As an asset:
       Information about something (e.g. a passenger timetable)
       Information as something (e.g. DNA or fingerprints)
       Information for something (e.g. algorithms or instructions)
       Information in something (e.g. patterns or videos)
       Consequently we need our information to be clear, accurate, trusted and not compromised, lost, leaked, disseminated, unauthorised, published or corrupted.
    20. The UK's IA Profession (agenda recap, as on slide 6)
       BSc (Hons) H-Level Unit 13 Slide 20
    21. The UK's IA Profession
       Professional skills and development are vital in the three principal areas (Information Technology; Knowledge and Information Management (KIM); and IA) to ensure that information systems are properly developed and operated.
       There are overlaps, but IA takes a holistic approach to information risk, and includes a variety of roles within government, including accreditation, operation of cryptographic systems and contingency management.
       IA professionals complement the work of IT and KIM professionals and support the operation of effective government, as do other professionals (including IT, KIM, finance, HR etc.).
       IA professionals, too, bridge the gap between the sensitive security issues and complex technical issues, and the business leaders who make investment decisions.
    22. IISP Perspective
       All IA professionals undertake appropriate continuing professional development, in line with the requirements of the IISP or other relevant body. This includes working towards professional certification, maintaining currency of specialist skills, developing new skills and awareness of other specialisms.
    23. IA Competency Framework (figure only)
    24. Educational Goals
       IA Education is both complex and subjective, and is often driven by agendas and compromises: we have a plethora of training courses and so few dealing with security education and the beginnings of structured professional development.
       A framework is required to provide clear professional objectives and an underlying understanding of the nature of Information Security's many domains. In particular, with Information Assurance, there is a greater need to focus on educating professional practitioners and developing their profession.
       Security Education is a strategic goal that needs objectives and a performance metric to meet the policies established by the Cabinet Office's "A United Kingdom Strategy for Information Assurance" and the overarching "Manual of Protective Security".
    25. Knowledge Transfer to Information Security Officers (agenda recap, as on slide 6)
    26. KTN the Information Security Officers (figure only)
    27. Strategic Positioning of Security
       Ignorance Management; Policies and Governance; Effects Based Operations; Infrastructure Interoperability.
    28. Modular CPD Roadmap
       Foundation Level; Practitioner Level; Master Level.
    29. Cyber Security for Information Leaders
       We need to remind ourselves again and again that information security is not a technology issue, it's a people issue.
       Information security is reliant on people, their awareness, ethics and behaviour.
       Security professionals must understand what the user needs if they are to accomplish the goals of the business.
       In this demanding world of technological, economic, legal, operational and commercial drivers, we are all becoming dependent on secure, robust and resilient communication and information systems.
    30. Management
       "Ignorance is always correctable. But what shall we do if we take ignorance to be knowledge?" (Neil Postman)
       "It is more important for organizations to manage their ignorance. Knowledge management strives to locate, map, collect, share, and exploit what the organization knows. Ignorance management, on the other hand, recognizes that it is never possible to know everything, or even a lot of things, well. Acting from an assumption that the organization knows enough may represent hubris at best and bad management at worst." (Michael H. Zack)
    31. Bridging the Gap (agenda recap, as on slide 6; 15 minutes)
    32. The Air Gap
       What we want is an assured asset.
       What we have is not what we want!
       There are gaps in our Purpose, Capability, Environment and Culture.
       Strategic Positioning of Security generates the roadmap.
       IA education gets people moving down that road.
    33. Gap Analysis (figure only)
    34. Qualifications, Certification and Course Accreditation (figure only)
    35. An IA Academy
       This country needs an IA Academy, a specialist school of learning and of teaching: a place that finds ways to bring IA into mainstream IT and change the way we all deal with Information.
       A place to study security, its vulnerabilities and failures in a dedicated academy; a repository of knowledge and incidents; a research facility to pursue innovative solutions.
       A place that coordinates IA issues, where threats and attacks can be diagnosed and investigated without compromising commercial sensitivities or the confidentiality of military systems.
    36. An Imaginative Solution
       There are challenges and opportunities presented by offering a UK-wide IA Education and CPD programme.
       The Academy needs to be innovative, timely and relevant, offering a clear progression through academically challenging and professionally rewarding education.
       It will have to enable students to pursue further careers in both academia and industry.
       The IA Academy can be positioned to facilitate security knowledge and curiosity.
    37. Presentation Plenary (diagram)
       Problems: Untrusted; Unsafe; Insecure.
       Response: Education, Training and Awareness; Information Assurance.
       Actions: Examine how to manage our Assets; Understand Technology; Know how to mitigate Risks; Train to apply Services; Exploit our NQF and generate CPD credits.
    38. Any Questions?
    39. Points to Remember
       Security is always related to utility. (You can always do nothing, securely.)
       Security should be relative to the threat.
       Security and its Assurance should be considered from an overall systems point of view.
       Security and its Assurance should be affordable and cost effective.
       Security should be as simple as possible.
       Education is the key to successful IA implementation.
       It's a good day, safe journey home.
    40. (closing slide, no content)