VA ISO Infrastructure Development, Office of Cyber and Information Security
Cyber Security Professionalization (CSP) Program: It’s ALL About People!
FISSEA ‘04
Terri Cinnamon, Team Leader, TEAP
Michael Arant, Cyber Security Liaison
Agenda
• Background
• Objectives
• Program Elements
Background: VA
“. . .for them who shall have borne the battle. . .”
VA: Largest Civilian Department
230,000 Employees, plus Contractors, Volunteers, Students. . .
Health Services, Benefits, Memorial Services, and supporting Staff Offices for 26 Million Veterans, Plus Beneficiaries.
Spend $60 Billion Annually
COG, National Infrastructure, Emergency Preparedness
Background: VA Cyber Security
Responsible for Cyber Security for entire Department.
Bruce A. Brody, ADAS for Cyber and Information Security (Within OI&T, direct report to CIO)
Recently Consolidated.
TEAP (Training, Education, Awareness, and Professionalization)
VA InfoSec Conferences, Universal Awareness, CISSP, National LMS
Background: Official Story
June 2002: Promise to Congress (Congressman Buyer, Chairman, Subcommittee on Oversight and Investigations) to implement a “rigorous qualifications and certification program for ISOs…”
September 2002: Information Security Officer (ISO) Infrastructure Development Support contract awarded.
Background: The Back Story
Unflattering Congressional “Report Cards”.
Persistent OIG Material Weakness
Rampant Internet Worms
Et Cetera. [Fill in your own Cyber Nightmares.]
Incomplete transition to unified IT organizational structure.
No direct line authority to the VA field security community.
Objectives of CSP Program
The training and certification is based on current standards and best practices established by:
– VA cyber security program
– VA cyber security policies and procedures
– National Institute of Standards and Technology (NIST)
The program targets the core body of knowledge (CBK) required to perform the requisite duties of a CSP. [Available on demand. . .just ask!]
Program Elements
• Directive and Handbook
• Position Descriptions (PDs)
• Career Paths
• Certification Program
– Training
• Incentive Program
• Credential Program
Program Elements
Directive and Handbook
Describes the sub-elements of the program:
– Types of Cyber Security Practitioners
– Certification
– Credential
– Incentive
Program Elements
Types of Cyber Security Practitioners (CSP)
• Information Security Manager (ISM): manages the departmental cyber security program
• Information Security Officer (ISO): manages/implements security program elements that are not hardware or software related
• Technical Security Officer (TSO): manages/implements security program elements that are system (e.g., hardware/software) related
Program Elements
Position Descriptions–Purpose
• Generic position descriptions (PDs)
– Related performance standards
– Performance metrics
– Rating factors
• Flexibility to assign resources more effectively
• Ability to establish a career path with both vertical and horizontal progression
• Ability to accommodate IT personnel who wish to transition to the security field
• PDs to Human Resources Classifiers
• Available on demand. . .just ask!
Program Elements
7 Categories of PDs

POSITION                   ROLE                                         GRADE
Info. Sec. Manager (ISM)   Manage Departmental Cyber Security Program   SES, GS-15, and GS-14
Regional ISO               Supervise / Team Lead / Staff                GS-13/14 / GS-13/14 / GS-12/13/14
Regional TSO               Supervise / Team Lead / Staff                GS-13/14 / GS-13/14 / GS-12/13/14
ISO                        Supervise / Team Lead / Staff                GS-13/14 / GS-13/14 / GS-12/13/14
TSO                        Supervise / Team Lead / Staff                GS-13/14 / GS-13/14 / GS-12/13/14
Sr. Staff ISO / Staff ISO  Sr. Staff / Team Lead / Staff                GS-12/13 / GS-11 / GS-7/9

Supervise: performs annual review, hire/fire
Team Lead: allows a GS-n to provide work direction to another GS-n
Staff: implements policy/procedure
Program Elements
Career Paths–Purpose
• Identify movement for CSPs
– Within and between local VA facilities
– From local VA facilities to OCS regional support centers
– Between and within OCS regional support centers
– From OCS regional support centers to VACO
– Within VACO OCS
• Identify sources of CSPs to fill openings
Program Elements
Career Paths–Approach
• Will be developed after the PDs are written and the level structure of the ISO positions has been completed
• Will clearly identify options for vertical and horizontal movement
[Diagram: levels E I, E II and E III, each with movement within the level (Within E I, Within E II, Within E III)]
• Critical for retention of certified staff
• Essential for recruiting highly qualified cyber security practitioners
Program Elements
Certification Program–Purpose
• The certification program for VA information security professionals will establish a realistic standard for information security practitioners.
• The certification program is composed of successful completion of specific training, including completion of certification quizzes throughout the training.
• Once CSPs have successfully completed training and testing, certifications will be awarded.
• The objective was to have 320 full-time CSPs certified by 10/01/03: Achieved / Moving On.
Program Elements
Certification Program–Approach
• Develop a framework to allow for flexibility and growth
• Provide training to initiate the certification program
• Provide quizzes throughout the training that ensure CSPs have the minimum level of knowledge required on each subject to perform the duties of their position
• Provide guidance on additional training and certifications that can provide growth within the framework
Program Elements
Certification Program–Training
• Training tailored to VA, limited Federal policy and basic security concepts
• Objectives directly linked to source documents for tracking purposes
• Pre-test and training target the same objectives and can be used for self-assessment and training evaluation (non-attributable score)
• Delivery by Web as well as some stand-up at InfoSec Conference
Program Elements
Core Body of Knowledge (CBK)
1. InfoSec Concepts
2. VA’s IT security programs
3. VA’s IT security policies and procedures
4. Risk management
5. System development life cycle
6. System environment
7. System Interconnections (physical)
8. Information sharing (logical)
9. Defense in depth at VA
10. Risk assessment
11. Security plans
12. Certification and accreditation
13. Technical controls
14. Operational controls
15. Incident Management
16. Security Awareness and Training
17. Internal audit
18. External audit
[Diagram: CBK topics grouped into InfoSec Concepts, Networking Concepts, and Major ISO Tasks]
Program Elements
Incentive Program
Work with representatives from VA HR, OCS, OI&T and with OPM to develop appropriate reward/retention options in draft form. Options may include:
– Compensation
• Advance payment for new hires
• Recruitment and relocation bonuses
• Retention allowances
• Superior qualification appointments
– Training
– Career development
• Vertical movement
• Horizontal movement
– Flexible work arrangements
Program Elements
Credential Program
• One credential for all Cyber Security Practitioners (e.g., ISM, ISO, and TSO)
• Credentialing criteria
– Successful completion of ISO training course (= certification)
– Experience
– Subscribe to code of ethics
– Satisfactory background investigation
– Having no extant cyber security related adverse actions
• Credential identifies CSPs and gives them authority to act for the CIO in reporting security incidents and assisting in investigations as required
What Do We Want You to Leave With?
• VA is on its way.
– The whole Department is watching!
• Battles Fought / Victories Gained.
• Battles Fought / Lessons Learned / Scars Earned.
• Find Partners / Leverage Benefits.
• Introduce Ourselves.
Contact Us
Terri Cinnamon, Team Leader [email protected]
Michael Arant, Cyber Security [email protected]
VA Office of Cyber and Information Security