Presentation on theme: "Curriculum & Workforce Development in Cyber-Security"— Presentation transcript:
1Curriculum & Workforce Development in Cyber-Security Hal ZenisekBlackhawk Technical CollegeJanesville, Wisconsin USAHandouts include Curriculum Sheets; Accronym Hunt; & slides as handouts. CD available if interested. Website?
2“If it works, try not to be surprised.” by Ron Fischer, WCTC
3Introduction – The Power of 2 Three purposes of this sessionShare lessons learned developing a 2-year degree for information securityShare ideas for workforce developmentLearn from others attending this sessionIntroductionsHal ZenisekDeanBusiness & Information TechnologyBlackhawk Technical CollegeJanesville, Wisconsin USAIntroductions from audience, who is here? Names, where is home? Organization & roles?Power of 2 includes who is NOT here – Doug Tabbutt.
4Our Agenda What I plan to talk about! Our Thesis – Information is the assetIndustry-driven program designShare resources & skill standardsCourse & Curriculum developmentFaculty developmentDelivery methodologies & ideas for workforce developmentSharing ideas & questions60+ slides today – will go through them quickly. Touch on a lot of things briefly. Nothing technical in this presentation.This process started in 2001
5Blackhawk Technical College is one of 16 technical colleges in Wisconsin. Smaller than most.
6I am from Janesville Wisconsin Our area has a long history of being a heavy industrial area along with agriculture & agribusiness. We are the west end of a triangle from Madison, Milwaukee, and Chicago.Biggest employers include General Motors (and the automotive supply chain). History includes diesel engine manufacturing and paper machines. Cheese and dairy from the ag sector. Due to this history, easier to get a $200K CNC machine for the machine shop than it is to get a $4,000 firewall.Size is 80,000 residents.
7Blackhawk Technical College – www.blackhawk.edu Mission - Career & Technical Education including workforce & economic developmentBusiness & Information Technology2-year programs, diplomas, & certificatesAccounting, Marketing, ManagementOffice CareersIT ClusterNetworking SpecialistMicro Programmer SpecialistHelp Desk AssistantInformation Systems Security SpecialistBIT division as well call it at home.
8The WTCS Associate in Applied Science Degree Applied Associate degree programs as defined by Wisconsin Statute are two-year, post-high school programs in an area designated and approved by the State Board for which the course requirements are established by the State Board. Applied associate degree programs adhere to the following principles:provide the education and training in occupational areas required by the state's economy;shall prepare students to be productive employees and to succeed in occupations requiring advanced education and training;specific degree requirements shall have a demonstrated relevance to the needs of employers and students as employees;all courses shall be of the highest quality as demonstrated by national and regional accreditation and perceptions of graduates and employers;shall be designed to impart identified competencies and program graduates shall achieve those competencies.We’ve covered WHO we are. Here is a brief summary of WHAT our mission provides.This is known as the fine print page. My statutory purpose and limitations. The page for the lawyers and also the page that defines our state aid funding sources, etc.
9ADDIE The ADDIE Instructional Design Model Analysis --> Design --> Development --> Implementation --> EvaluationFor the purposes of this presentation… This model of instructional design will be used to organize this presentation.
10Analysis & needs identification It’s about Information Security…A is for Analysis phase of looking at cyber-security.
11Our thesis – it’s all about Information Security! Computers (& even networks) can be replaced, information is the asset which has value & therefore the critical resource.Information security includes assurance, confidentiality, availability, integrity, threats & vulnerabilities.What KSA’s go with protecting/security information & information systems?Which competencies fit within our mission & purpose as a 2-year technical college?Which are the highest priority? Prepare for future “program outcomes” and documenting the need.KSA – technical skills beyond networking, and include security management, policy development, ethical behavior, and more. Breadth of field versus depth of field. Issues inside the firewall as well as outside of it.My thesis statement –CIA triangle plus system vulnerabilities.KSA accronym for Knowledge Skills & AbilitiesDue to mission appropriateness, NOT about Security EngineersNOT about research. Technician level & operational personnel.
12More on Information Security Information needs to be available andInformation needs to be private.Information needs to be trusted.Information systems need to be reliable.Networks make information available.Secure networks help insure privacy & protection.However, we felt there is more.Assumptions we made defining the need.Not about locking down systems & restricting access.
13Types of information systems Accounting information systemsFinancial systems (banking & others)Business systems (e-Commerce)Health information systems (medical)Community information systems (Emergency Response)Governmental, education, telecommunications & othersAnalyzing the need.
14Blackhawk Technical College’s Multi-Disciplinary Approach Network Security (4 courses)Programming & e-Commerce for information systems security (3 courses)Security Management (5)Business Continuity PlanningCyber Law & EthicsSecurity Measures/Countermeasures (intrusion detection & defending an internetworked system against attacks) would be our capstone lab experience.Decided on a multi-disciplinary approach & ending up with this mix.
15Program Design – A Multi-Disciplinary Approach AAS limited to 68 credits- 12 core courses.Advanced technical certificates=36 credits.Target trained incumbent IT professionals and technical staff.Elective courses for IT students in other majors such as networking & programming.Big picture approach & cross section of the continuum of information systems.From operating systems, buffer overruns, policies & procedures, to intrusion detection & appropriate countermeasures.We wanted toAdd security to networking, help desks & end user support, programmers writing better code, e-commerce, etc.
16Blackhawk Technical College found: One Wisconsin employer (without a significant Web presence) shared their recent experience with a spam firewall.Based on 900 usersOver per hour2974 were spam (60%)33 had virusesSOP for their IT personnel & business was transacted without incident with a firewall & spam filter (plus trained personnel).Part of our analysis was talking to others.One employer shared this data from their experience.
17Recent Job Advertisement– Madison, Wisconsin Enterprise Security SpecialistSet overall security strategy, conducts security technology research, consults on best practices, and coordinates in-house security operations.Bachelors degree, Computer Science5 years recent experience – networksCisco experienceCSSIP and/or Cisco certification.Security is not an entry-level position but this job ad conveys our vision. A Cisco networker with infosec added.IT personnel & incumbent workers with work experience adding an advanced degree which emphasizes information security.
18Blackhawk Technical College’s Needs Assessment Process Institutional Advancement survey51% response rate from 74 employers53% have problems finding qualified cyber security workers56% indicated the demand would increase over the next four years16 new full-time and 7 new part-time openings over next 4 yrs. projectedOur formal research findings.
19Blackhawk Technical College’s Needs Assessment Data 82% would encourage current employees to participate in an educational program89% would hire a graduate for a cyber security programaverage hourly wage = $20.20 ($42,000)sent to the WTCS office & approved as a new & emerging occupationapproval to proceed with program developmentPoint #4 – STATE office requires programs in occupational areas as required by the State’s economy. Need to prove this need for program approval.
20Program & Curriculum Design Program DesignCourse & curriculum developmentBack to the ADDIE model, transition slide to DESIGN aspects
21Industry-Driven Design NSA Information Assurance Directorate & Skill Standard (www.nsa.gov)Relevant industry-based competencies such as the Systems Security Certified Practitioner (www.isaca.org)Global Information Assurance Certification (www.giac.org)Local Chapter of the ISSA (Information Systems Security Association - seeAlignment with 10 domains of the CISSP or not?Blackhawk Technical College IT Employer Advisory Committee (Rock & Green County Wisconsin) – “everyone is impacted by this.”
22This document from the AACC helped us answer the concern about mission fit & articulated the argument for workforce development.
23Blackhawk Technical College Program Design Process Articulate our thesis & correlate it to an identified need. It’s about Information Security!Draft exit skills statements & design program outcomes from those. Align & refine as we go.Select tentative courses as building blocks to program outcomes.Aligned with industry skill standards.Prioritize program & course outcomes.Prepare for course level curriculum development.Focused on the learner?As one might expect, we ended up with 10 lbs of sugar for a 5 pound bag.Overviews our process for design. Points 2 and 3 in detail next few slides.
24Proposed Exit Skills From the learners point of view From an employers point of viewThese will evolve into future program outcomesFrom Steven Covey, begin with the end in mind!
25Proposed Exit SkillsA very good understanding of what information security is, as currently defined by both industry and government.A detailed understanding of the man-made and natural threats to information systems, and how to effectively deal with them.An extensive knowledge of the information assets that need protection.A detailed knowledge of the various methods for countering/preventing internal and external threats.A detailed knowledge of how to deal with threats.An understanding that InfoSec is not a single thing, nor is it an absolute science or a purely technical subject.Ended up with 11 on the list. These will get replaced later with something we call program outcomes.Give audience a few moments to read these
26Proposed Exit SkillsA detailed methodology for creating and maintaining a consistently proven means for countering threats in an organizational InfoSec Program.An understanding that a successful approach to security planning, policies, and procedures are as much about business process improvement as it is about technology.An understanding of the need to maintain the interoperability of the organizational InfoSec Program with external systems.What makes Information Assurance (IA) different than InfoSec and the need for IA across the enterprise.The knowledge base necessary to obtain common InfoSec/IA industry certifications.Page 2 exit skills.
27What are Program Outcomes in Career & Technical Education? Occupational specific knowledge, skills and attitudes that learners demonstrate upon completion.Pertain to the holistic ‘program’ and go beyond courses.Derived from overall tasks performed on the job or in life roles.Are not program evaluation; the learner is the focus not the program.Want to move from exit skills that talk about general knowledg or understandings to –SPECIFIC OCCUPATIONAL SKILLS – “CONFIGURE SECURITY SOFTWARE PROPERLY.”CREDIT DUE TO KATHLEEN FRATIANNE FROM OUR STAFF.Kay Fratianne, Blackhawk Technical College
28Program Outcomes Purpose Provides the reader with an overview of what the learner will be able to do as a result of the learning process.Highest level of achievement that is part of the learning process.Are supported by student outcomes assessment plans.
29Program Outcomes Guidelines Use lead-in phrase – upon completion of the Infosec program, the learner will be able to do.Use only one action verb per outcome and preferably the application level or above.Consider the nature of the skills and the environment in which the learner will perform on the job.Write concise & clear phrases.Limit of 8 to 10 outcomes validated by advisory committee members – both for content and for understanding.Application Level or above applies to Bloom’s Taxonomy?IMPORTANT TO VALIDATE THE UNDERSTANDING OF THESE – USED OUR EMPLOYER ADVISORY COMMITTEE. CLEARN & UNDERSTOOD?
30BTC Infosec Program Outcomes Identify resources, assess threats, analyze losses, and understand vulnerabilities of information systems.Establish safeguards for automated information systems.Install, configure, and use specialized security software, hardware, and firmware components.Troubleshoot potential IT security issues.Implement preventative measures.Respond to threats from viruses, worms, and other unauthorized access.THIS IS WHAT WE ENDED UP WITH…AND YOU’LL NOTE WE DIDN’T FOLLOW OUR OWN GUIDELINES WITH 4 VERBS IN STATEMENT ONE.
31Program Design Model Adds Flexibility No specific hardware or software specifics through the use of more generic titles (Operating Systems Security).A variety of hardware, firmware, and software vendors are covered in courses and found in the lab.Statewide model for other WTCS colleges.Current Issues & Trends seminar changes based on employer input, technology, and trends.EXAMPLE – HARDWARE COURSE, YES CISCO FOR SURE,…BUT ALSO LOOKING AT HP, BARRACUDA, OTHERS.
32Program Outcomes – Resources DACUM facilitated processAdvisory CommitteeJob PostingsEmployee InputIndustry standardsGraduate follow-up studiesInternshipsOther collegesDACUM acronym for Developing a Curriculum.
33Program Design Resources NSACenters for Academic ExcellenceSkill Standards such as 4011, 12, etc.Protecting Information: The Role of Community Colleges in Cybersecurity Education
34Program Design Resources Cybersecurity Education in Community Colleges.pdf4011.pdfCISSP –www.isc2.org
35“Infosec” Core Courses – Blackhawk Technical College I’Net/WWW+Information Security PrinciplesNetwork SecurityInternetwork Security IInternetwork Security IIDesigning Secure WebsitesOperating Systems SecuritySecurity Policies & ProceduresInformation Security DocumentationClient/Server Systems SecuritySecurity Meaures & CountermesauresBusiness Continuity PlanningOUTCOME OF OUR PROGRAM DESIGN PROCESS WAS 12 CORE COURSES CRITICAL TO INFORMATION SECURITY.
36Curriculum Development Our plan for getting students to those exit skills and program outcomes.Back to ADDIE model – Development PhaseVIEW CURRICULUM AS A PROCESS – OR OUR PLAN TO GETTING TO THE DESIRED OBJECTIVES.
38Curriculum Development “It’s About Information Security”Course-level outcomes (blueprint)CompetenciesMajor skills, attitude, or ability needed to perform a task effectivelyLearning ObjectivesPerformance StandardsLearning Plans with learning activitiesPerformance Assessment PlansStudent Outcomes Assessment PlansA Learning Objective = Minor or supporting skills, concepts, procedures, processes, and/or principles a learner needs to perform the competency.Performance standards includes conditions and criteria that describe the situation in which the performance will be assessed (incl. format, eqpmt, &/or supplies provided or denied.Student outcomes assessment plans include rubrics and data collection that tell how we know the learners are learning what we think they they are learning.
39Curriculum Development Competency-based software - WIDSEach course has several competencies that support program outcomes.Each competency has learning objectives, performance standards, learning plans, and assessment.WIDS generated reports include syllabi, Course Outcome Summary, and addresses…WORLDWIDE INSTRUCTIONAL DESIGN SOFTWARE
40Worldwide Instructional Design System (WIDS) WHO IS THE LEARNING FOR?WHAT WILL THEY LEARN?WHEN WILL THEY LEARN IT?HOW WILL THEY LEARN IT?
414011 Alignment ISSC4011Matrix.xls HOW WELL DOES OUR PLAN ALIGN WITH SKILL STANDARDS?LOOK AT GOVERNMENT LED PROGRAMS.
42Alignment efforts ISSCPCrsAreas 2005.xls LOOK AT CORPORATE WORLD VIA ISSA
43Alignment Efforts & Curriculum ISSCPWIDS.xlsADD THE WIDS CHECKLISTS TO THE MATRIX.
44WIDS Course Examples Information Security Principles Network Security ITSEC-114.docNetwork SecurityITSEC-124.docPerimeter SecurityITSEC-145.docCOURSE EXAMPLES USING WIDS
45Implementation (Delivery) IMPLEMENTATION PHASE OF ADDIE.
46Instructional delivery vision Face-to-face traditional learningOn-line (distance learning)On-site employee developmentTechnical assistanceSeminars, awareness workshops & lifelong learning for IT and non-IT employeesPOINT 2 – LEARNERS WON’T COME FROM JANESVILLE WI. INCUMBENT WORKERS DON’T HAVE TIME TO LEAVE WORK.LEARNERS DON’T HAVE COMMON SCHEDULES.PONT 3POINT 4 – HELP BUILD & PROTECT TECHNOLOGY INFRASTRUCTURE.POINT 5 – END USERS & OTHERS. BRING IN A DISKETTE FROM HOME.
47Real Life – Student 1 Age, 40+ & Female Main Frame Programmer & Web Site Administrator for a number of yearsLaid off & job hunting; ready to leave IT for a more viable occupationLast time in ‘school’ was mid 1980’s“I love this program and am so glad you talked me into it. It’s the first time I’ve ever taken time to look at the big picture. I can’t wait to get a job in this field.”
48Real Life – Student 2Age, 30+, Male & learned everything he knows about IT ‘on-the-job.’Local ISP Administrator for a number of years.Last time in school was high school & didn’t like it that much.Strong technical skills – “a quick study” but often sees the answer as adding more technology.Doesn’t see the need for policies and procedures.A classic practitioner in approach to problem solving.
49Serving distance education learners with limited resources Blackboard?WebCT?Others?IT infrastructure support?College firewalls & security?OUR CULTURE –WE ARE A SMALL SCHOOL WITH LIMITED RESOURCESWE SERVE A LOCAL POPULATIONA FEW FACULTY ARE ON-LINE & 80% OF OUR STUDENTS ARE WITHIN 45 MINUTES FROM CAMPUS BUT HAVE SCHEDULING CONFLICTS.
50www.etechcollege.com A PORTAL TO ONLINE COURSES FOR ALL 16 COLLEGES. FUNDED A PROJECT TO ADAPT INFOSEC FOR DISTANCE LEARNERS.
51Distance Learning via the Web Powered by BlackBoard, Inc.Hosted by Milwaukee Area Technical College.Information Security PrinciplesDisaster Recovery PlanningWHERE WE ENDED UP.OUR SISTER SCHOOL IN MILWAUKEE ENROLLED OVER 10,000 STUDENTS IN ONLINE LAST FISCAL YEAR.HUGE INVESTMENT AND COMMITMENT COMPARED TO WHAT WE COULD EVER DO. IT STAFF SUPPORTING AND FACULTY TO MENTOR. CULTURE IS RIGHT FOR COLLABORATION.
52Workforce Development Short-course seminars (modules from credit courses)Week-long “boot camps”Awareness seminars for all employees – password protocols, basics on viruses, ethics, inside the firewall…New hire training for your IT staff? –Specific Courses?12-course, 36-credit certificate?2-year AAS degree?SHORT COURSES COULD BE 1/3 OF A 3-CREDIT COURSE FOR EXAMPLE.BOOT CAMPS?
53Evaluation Program evaluation – 3 years Crucial Conversations Lessons LearnedThe Reflective PractitionerWe’ve reached the E in ADDIEENROLLMENT = 42 DUPLICATED HEADCOUNT. 50% ONLINE AND 50% OF COURSES ONLINE.
54Next Steps? Plan Do Check Act I’M A FAN OF THE PDCA MODEL. WE PLANNED, WE DID. WE ARE AT THE CHECKING AND ACTING NEXT STEP.
55Crucial BTC Conversations Is the time right for expanding IT educational programs?So tell me again why do you want to bring viruses on the College’s computers?Aren’t you teaching hackers to be better hackers?Will there be jobs at the end?It’s a great idea for the 4-year collegeSOME CRUCIAL CONVERSATIONS I HAD DURING THE PROCESS ARE SUMMARIZED ON THIS SLIDE.
56Key Points & the Power of 2 We are one dean and one faculty member at a small school in central Wisconsin – do not underestimate the power of 2.It is more than simply computer security. It’s more than network security. It’s all about information security.Technical competencies and security management oriented competencies are both part of our approach. Both in the computer lab make for terrific conversations! Integrating this is powerful.Some key points!ON 3 – EVERYBODY – OUR THESIS IS?SUBTHEME – POWER OF 2 INTRODUCED ONE A SLIDE AT THE BEGINNING.
57Future Vision & The Power of 2 AAS degree approved for next fall.2+2 partnerships for Baccalaureate degrees will better serve students & the workforce.Distance learning courses support an employed IT workforce.Supporting the college’s IT infrastructure with advising and technical assistance. Our campus is more secure!Better aligning our occupational outcomes with related certification programs & getting students into testing such as the CISSP.“Center for Information Assurance?”
58Transitioning to an AAS 21 credits of General Education6 credits of Elective courses42 credits of Program Requirements18 credits – support34 credits of coreWork-based learning component68 total credits
59Academic Partnerships Milwaukee Area Technical College’s AAS degree (www.matc.edu)University of Illinois, Center for Academic Excellence, ChampaignNational Colloquium for Information Systems Security Education or CISSE (http://www.ncisse.org). Wisconsin Technical College System office, Madison, Wisconsin (www.wtcsystem.org).Worldwide Instructional Design Software (www.wids.org).Franklin University (www.franklin.edu) pending a 2+2 agreement for an online Bachelors degree.THANKS TO ALL THOSE WHO SUPPPORTED US.
60Faculty Development CISSE, June 2005 in Atlanta GA NSA Centers of Academic ExcellenceNSA Skill Standards 4011 – 4014 etc.CISSP’s 10 domains & certificationDesigning & delivering distance learningWIDS Curriculum Development software trainingNSA’S CENTER OF ACADEMIC EXCELLENCE – GOOD MODEL REGARDLESS OF APPLYING FOR IT.ISSA – OUR STUDENTS WANT CERTIFICATIONS. EDUCATION ISN’T ONLY ABOUT CERTIFICATION. NEED TO MONITOR THIS.
61The Other Half of the Power of 2 Douglas A. TabbuttIT InstructorCenter for Information Assurance EducationBlackhawk Technical College6004 Prairie RoadJanesville, WI USA 53547HERE’S THE GUY YOU NEED TO TALK TO. HIM.
62Wrap-up & Next Steps Expanding The Power of 2 Summarize any actions from the audience as a result of this presentation?Summarize any follow up action items required from Blackhawk Technical College?See me during the conference if you want to talk further.ANYONE HAVE ANY ACTION PLANS FOR HOME?ANYONE HAVE ANY ACTION ITEMS FOR BTC?
63At Blackhawk Technical College, Janesville Wisconsin It’s about ?YOUR FINAL EXAM – IT’S ABOUT ?
64Questions and Discussion ???????AS WARNED, AUDIENCE PARTICIPATION TIME.