43 Defining the Role

The mission of the Information Security department is to protect the information assets, the information systems, and the networks that deliver the information from damage resulting from failures of confidentiality, integrity, and availability. Security’s objective is to enhance the productivity of the business by reducing the probability of loss through the design and implementation of policy, standards, procedures, and guidelines that enhance the protection of business assets.

(Diagram labels: “Departmentally” Specific …… Business Objective ……)

44 Strategy Determines Requirements and Requirements Drive Resources

(Diagram: Strategy -> Requirements -> Resources, with external and internal drivers)
Diagram labels: National Cyber Security Strategy, FAA Cyber Security Strategy, Federal Information Security Management Act, Mission Needs, The Business Plan, The Flight Plan, Goals, Objectives, Sub-Objectives, Prioritized Tasks, Operational Requirements, LOB Participation and Influence, TOA, External Drivers, Internal Drivers
46 A Case Study: The FAA Information Systems Security Program

47 System of Systems
- Internet Access Points
- Messaging Systems
- Finance and Budget
- Personnel and Payroll
- Asset Management
- Flight Procedures
- Security Inspection
- Safety Analysis
- Accident / Incident Investigation

48 FAA’s Job: National Airspace System (NAS)
- Manage more than 30,000 commercial flights to move 2,000,000 passengers safely each day
- Support more than 35,000 general aviation flights on a daily basis
- Regulate and certify the people and aircraft that use our airspace
52 The Evolving Landscape of Cyber Security: Standardized Certification

53 A New Look at Cyber Defense: The “Android” Approach

54 The “Android” Cyber Defense – Emulates the most resilient system in the world

55 Enterprise Architecture: As Is / To Be (Finance Services)
- Reduction in applications and interfaces
- Improved connectivity
- Simplified architecture
- Reduced potential vulnerabilities
57 Element Hardening and Boundary Protection

Element Hardening
- 96% of IT systems certified and authorized
- Vulnerability scanning of public-facing and internal servers on a regular basis
- Patch management to facilitate timely remediation of discovered vulnerabilities

Boundary Protection
- Security is a major component of the Federal Telecommunications Infrastructure; IAPs limited to 8 and hardened; e-mail post offices reduced from 850 to 12 and hardened
- Defense-in-depth approach: firewalls, encryption, virtual private networks, and anti-viral software
59 Computer Security Incident Response Center (CSIRC)
61 The Keystone to Making this all Work is a Trained and Ready Workforce
62 Purpose of Awareness and Training

The two goals of the ISS Awareness and Training Program are:
- To make all users aware of FAA ISS responsibilities
- To provide each line of business (LOB) and staff office (SO) with the training necessary to obtain the knowledge, skills, and abilities required to maintain information systems, implement ISS policies, and offer training opportunities to named key personnel

63 Awareness and Training Program

The Federal Information Security Management Act of 2002 (FISMA):
- Requires each federal agency to “provide for the mandatory periodic training in computer security awareness and accepted computer practices of all employees who are involved in the management, use or operation of each federal computer system within or under the supervision of that agency.”
- Requires training under OMB Circular A-130, Appendix III, and in accordance with guidelines co-developed by NIST

64 Awareness and Training Program

In support of FISMA, the Office of Information Systems Security (AIS) Training Program shall:
- Establish an ISS awareness and training program
- Provide awareness refresher briefings
- Provide training to those who design, implement, or maintain information systems
- Provide specialized training to key personnel who have been designated by their LOB/SO

65 Awareness

The purpose of the FAA Awareness Program is:
- To focus attention on security
- To create sensitivity to the threats and vulnerabilities of information systems
- To recognize the need to protect data, information, and systems
67 Training

Develop relevant and needed skills that map to defined responsibilities for each role.

Methods of Training
- Instructor-led training or face-to-face communication is the most personal method of training. This type of training is the most effective in the FAA.
- Computer Based Training (CBT) is offered at the FAA. CBT is utilized by a small percentage of FAA employees.
- System Administrator Simulation Training

68 Training

As part of the Training Program, the FAA’s 2005 IT/ISS Conference was held February 28 through March 4 in San Diego, California.

Technical Training Sessions Held:
- Patch Management
- Public Key Infrastructure
- FAA Telecommunications Infrastructure
- Enterprise License Agreement
- Web Security
- Vulnerability

The training classes were videotaped to be provided as a learning tool for those key personnel who were unable to attend. The tapes will be taken to each Region and used in conjunction with other training.
69 Outreach Program

Technology is accelerating and changing in complexity daily. To keep up with technology, FAA must:
- Seek new talent through colleges and universities
- Use the Scholarship for Students Program sponsored by OPM
- FAA (AIS) will utilize internship programs
- FAA will leverage research and development efforts at colleges and universities that can be adapted to FAA’s ISS program goals and objectives

70 Academia Outreach Program

Roles and Responsibilities
- Ensure success of overall ISS efforts and promote the exchange of information with colleges and universities
- FAA will use academia in the area of research and development

Program Goals for 2005
- Work with institutions of higher learning that have been designated as Academic Centers of Excellence by the National Science Foundation and that are participants in the Scholarship for Service Program
- Leverage the knowledge students have gained and place them in the information security field
71 Federal Efforts

The National Strategy to Secure Cyberspace
- Need to build foundations for the development of security certification programs that will be broadly accepted by the public and private sectors. DHS and other federal agencies can aid these efforts by effectively articulating the needs of the federal IT security community.

72 Current IT Security Professional Certification Environment

Challenge:
- Need to identify highly qualified people to develop, maintain, and secure our information systems and networks
- No nationally recognized certification for IT security professionals

73 IT Security Professional Certification
- Goal: Set up nationally recognized, privately administered certifications at appropriate levels
- Scope: Vendor-neutral certifications
- Product: Industry-led IT Security Professional Certification structure/process in place
- Outcome: National IT security professional certifications

74 Notional IT Security Professional Certification Process

(Process diagram)
75 Expected Outcomes
- Standard position categories
- Standard position levels
  - How many
  - Nomenclature (e.g., I, II, III; entry, intermediate, advanced)
- Standard functions within categories and levels
  - Nomenclature (what are the functions; what are they called)
- Skill Standards
  - By category and level: performance standards that delineate what a person must know and be able to do in order to successfully perform roles related to a specific job, an occupational cluster, or across an industry sector

76 Certification Related Issues
- Governance structure
  - Stakeholder participation
- Common body of knowledge & standards
  - Job task analysis, competencies
- Training, testing & accreditation
  - Adjudication: evaluation and feedback
- Continuing education
- Mapping current IT security certifications and transitioning current certificate holders
- Business models

77 Status and Next Steps
- Working with Government and private sectors to leverage ongoing efforts
- Working with the Federal CIO Council, Workforce and Human Capital Committee to leverage existing structure
- Exploring options for setting up nationally recognized, privately administered IT security professional certifications at appropriate levels
- Others?

78 AN OPPORTUNITY TO DO “ISS” RIGHT

Who says trains can’t fly?