Information Security Training and Education
BARBARA LASWELL

The complexity of today's software, hardware, and networking products presents challenges to technical staff attempting to configure systems and networks to use the strongest security measures appropriate; these challenges are significant even for trained, skilled technical staff. In this environment, small mistakes can leave organizations and stores of information assets at risk and vulnerable to attack.

The Software Engineering Institute's Networked Systems Survivability (NSS) Program in conjunction with its CERT Coordination Center is working to mitigate these risks by providing leading-edge training and education programs in the area of information security for both technical and non-technical staff and managers.

A National Call for Action

The need for information security training programs is underscored by the White House's National Plan for Information Systems Protection which calls the shortage of adequately trained information systems security personnel "acute." Moreover, Program Seven of the national plan states plainly its objective as being to "train and employ adequate numbers of information security specialists." Looking at the number of people and the skills required for information security specialists both within the federal government and elsewhere, Program Seven points to a clear need to take decisive action to train current federal information technology workers and recruit and educate additional personnel to meet anticipated shortfalls.

In addition, a report published last year by the Office of the Secretary of Defense¹ outlined five "critical" information assurance functions to incorporate into training programs. Of these five functions, four are being met already:

• system/network administration and operations
• threat and vulnerability assessment
• computer emergency response team
• Web security

These functions are incorporated into existing training media in the form of security improvement modules (a series of documents that each address a single, narrowly defined problem in network security) and the existing SEI curriculum. The only critical information assurance function not being directly addressed by the SEI is computer and network crime-though the SEI is working collaboratively with several national law enforcement agencies to help them understand the relevant technical issues.

Current Course Offerings

The SEI currently offers six courses (please see the sidebar accompanying this article). Three of the course offerings derive from out of the work of the CERT Coordination Center. As such, these courses are aimed at providing introductory and advanced training for technical staff and the management of computer security incident response teams.

The NSS Program also offers three courses centered around broader Internet security issues. Its Information Security for System and Network Administrators is an intensive five-day course for technical staff. Other offerings in the program are geared toward educating policymakers, managers, and senior executives who in some capacity are charged with or are responsible for the security of information assets.
The program also is developing courses in support of its Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method. OCTAVE is a comprehensive, repeatable, self-directed technique for identifying and analyzing information security risks. These courses will allow an organization to independently direct and manage its own OCTAVE evaluation.

These training and education activities are aimed at improving the information security practices of technical staff and management. Public courses are offered periodically and can be attended by anyone, with a reduced charge for U.S. military and other U.S. government personnel. In addition, customer-site courses are offered to individual organizations with-again-a reduced fee for U.S. government organizations.

Extending Impact and Reach

In addition, the NSS Program is in the process of licensing its course materials to outside organizations. Licensing courses will extend the reach and impact of both the NSS Program and the CERT Coordination Center.

In another effort to extend the impact of its work, the program collaborated with the Carnegie Mellon University H. J. Heinz III School of Public Policy and Management and developed a curriculum in information security management. NSS Program and CERT Coordination Center staff members are teaching courses in the Information Security Management specialization of the Master of Information Systems Management program.

Use of the Internet is replacing other forms of electronic communication. As the technology is being distributed, so is the management of that technology. As such, system administration and management often falls upon people who do not have the training, skill, resources, or interest needed to operate their systems securely: the number of directly connected homes, schools, libraries, and other organizations without trained system administration and security staff is rapidly increasing.

Information security training will enhance the ability of administrators and managers to use available technology to safeguard systems from attack and further maintain the integrity of information assets.

For more information, contact—

Customer Relations

Phone
412 / 268-5800

Email
customer-relations@sei.cmu.edu

Joe McLeod

Email
jmcleod@cert.org

World Wide Web
http://www.cert.org