
A Curriculum Development for Information Security Manager Using DACUM



  1. A Curriculum Development for Information Security Manager Using DACUM Ki-Yoon Kim Kwangwoon University, Korea min1203@daisy.kwangwoon.ac.kr Ken Surendran Southeast Missouri State University ksurendran@semovm.semo.edu

  2. CONTENTS • INTRODUCTION (ISM) • JOB ANALYSIS METHODOLOGY • RESULTS OF JOB ANALYSIS ON ISM (INFORMATION SECURITY MANAGER) • CURRICULUM DEVELOPMENT FOR ISM • CONCLUSION

  3. 1. INTRODUCTION • In information and technology security, a risk is any hazard or danger to which a system or its components (e.g., hardware, software, information, or data) is subjected. • The job of an ISM (Information Security Manager) is to ensure confidentiality, integrity, and availability, which could be compromised when those risks actually surface. • DACUM (Developing A CUrriculuM) is a job analysis method used to create descriptions for new education/training programs.

  4. 2. JOB ANALYSIS METHODOLOGY 2.1 DACUM - a Job Analysis Method 2.2 DACUM Process for ISM

  5. 2.1 DACUM - a Job Analysis Method • What is DACUM? : DACUM (Developing A Curriculum) is a job analysis technique. The DACUM process is used to determine the competencies that should be addressed in a training curriculum for a specific occupation. • When: Dec. 1999 – Jan. 2000 • Where: KRIVET (Korea Research Institute of Vocational Education and Training) in Korea • Who: DACUM committee consisting of 5 employees (ISMs) and 5 professors • How: DACUM process (modified) • Why: A Curriculum Development for ISM

  6. Facilitator: Computer Science Education • Subject matter experts: five • Security R&D manager: 1 • Security product implementer: 1 • Security managers: 2 • Consultant (security integration): 1 • Professors: 5 (MIS: 2; CS: 2; CE: 1). (Korea Institute of Information Security & Cryptology)

  7. 2.2 DACUM Process for ISM. Table 1. Procedure of job analysis
     Step 1. Preparation for job analysis. Methods: data collection, interviews. Results: collection of related information and data; organizing of DACUM committee.
     Step 2. Job/task analysis. Method: DACUM. Results: list of tasks and works including the characteristics of works.
     Step 3. Work analysis. Method: DACUM. Results: work description: need for education; work elements, skills, knowledge, and tools.
     Step 4. Education/training program development. Method: DACUM. Results: key works/education contents matrix, key works/courses matrix; course profile and education/training road map.
     Step 5. Validation. Method: interviews. Results: modification and documentation of results.

  8. 3. RESULTS OF JOB ANALYSIS ON INFORMATION SECURITY MANAGER 3.1 Job of ISM 3.2 Job Description and Work List of ISM 3.3 Key works (relating to education) 3.4 Example of Work description: Risk Analysis (Draft occupational description: not discussed here)

  9. 3.1 Job of Information Security Manager. Fig. 1. Flow chart of task and work for information security manager
     Task A. Security policy: A-1. Analysis of security requirements; A-2. Document security policy
     Task B. Risk management: B-1. Risk analysis; B-2. Selection of safeguard; B-3. Test of selected safeguard; B-4. Development of security guideline; B-5. Security aggregate planning
     Task C. Safeguard implementation & training: C-1. Safeguard implementation; C-2. Education and training
     Task D. Safeguard management: D-1. Operation & maintenance; D-2. Security audit & review; D-3. Emergency response to security incidents; D-4. Monitoring

  10. 3.2 Job Description and Work List of ISM
     1. Job Description: Manager for information system who establishes security policy, chooses and maintains optimal safeguards through risk management.
     2. Work List (columns: Task, No, Name of work, Difficulty, Importance, Frequency)
     A. Security policy: 1. Analysis of security requirements; 2. Documentation of security policy
     B. Risk management: 1. Risk analysis; 2. Selection of safeguard; 3. Test of selected safeguard; 4. Development of security guideline; 5. Security aggregate planning
     C. Safeguard implementation & training: 1. Safeguard implementation; 2. Education and training
     D. Safeguard management: 1. Operations & maintenance; 2. Security audit & review; 3. Emergency response to security incidents; 4. Monitoring

  11. 3.3 Key works (relating to education)
     3. Key Works (columns: Task, No, Name of work, Education necessity [CRI, IMP, SUP], Education methods [CT, JA, OJT, RT])
     A. Security policy: 1. Analysis of security requirements; 2. Documentation of security policy
     B. Risk management: 1. Risk analysis; 2. Selection of safeguard; 3. Test of selected safeguard; 4. Development of security guideline; 5. Security aggregate planning
     C. Safeguard implementation & training: 1. Safeguard implementation; 2. Education and training
     D. Safeguard management: 1. Operations & maintenance; 2. Security audit & review; 3. Emergency response to security incidents; 4. Monitoring
     Legend: CRI, critical; IMP, important; SUP, supportive. CT, Classroom Training; JA, Job Aids; OJT, On-the-Job Training; RT, Re-Training.

  12. 3.4 Example of Work description: Risk Analysis
     1. Name of Work: B-1 Risk analysis
     2. Achievement Level: Be able to evaluate the vulnerability of information assets against threats by risk analysis.
     3. Work Elements (difficulty: average): (1) Choice of risk analysis strategy; (2) Asset analysis: assets classified, identified and evaluated properly (from an information point of view); (3) Threat analysis: threats classified, identified and measured (for events / actor behaviors); (4) Vulnerability evaluation: identified situations / points susceptible to attack (for threats); (5) Business impact analysis for hazards or disaster; (6) Documentation of checklist for vulnerability evaluation
     4. Related Knowledge & Skill. Knowledge: accounting and finance, statistics, network, operating system, information system, hacking, virus. Skill: risk analysis tool, business impact analysis, documentation
     5. Required Materials: asset list, threat statistics, vulnerability evaluation checklist
     6. Required Equipment and Tools: server, PC, printer, risk analysis s/w

  13. 4. CURRICULUM DEVELOPMENT FOR ISM 4.1 Key Works/Education Contents Matrix 4.2 Key Works/Courses Matrix 4.3 Example of Course Profile: Network Security I 4.4 Education/Training Road Map

  14. 4.1. Education Contents • Information security law and standards • Information system analysis and design • System security technology • Database • Operating system • Network security • Intrusion detection and interception • Network • Network security technology • Virus • Hacking case • Web security • E-commerce security • Accounting and finance • Statistics • Risk analysis • Decision theory • Cryptology

  15. Key work / education contents mapping (rows: key works; columns: education contents 1 to 18 as listed under 4.1; an asterisk marks an education content relevant to the key work)
     Analysis of security requirements: * * *
     Documentation of security policy: * *
     Risk analysis: * * * * * * * * *
     Selection of safeguards: * * * * * * * * * * * * * * * *
     Test of selected safeguard: * * * * * * * * * * * * * *
     Security aggregate planning: * * * * *
     Safeguard implementation: * * * * * * * * * * *
     Education and training: * * * * * *
     Operation & maintenance: * * *
     Security audit & review: * * *
     Emergency response to incidents: * * *
     Monitoring: * * * * * * * * * * *

  16. 4.2 Key Works/Courses Matrix
     Courses (columns): 1. System security I; 2. System security II; 3. Network security I; 4. Network security II; 5. Application security I; 6. Application security II; 7. Information technology risk management
     Key works (rows): A-1 Analysis of security requirements; A-2 Documentation of security policy; B-1 Risk analysis; B-2 Selection of safeguard; B-3 Test of selected safeguard; B-5 Security aggregate planning; C-1 Safeguard implementation; C-2 Education and training; D-1 Maintenance; D-2 Security audit; D-3 Response to security incidents; D-4 Monitoring

  17. 4.3 Example of Course Profile: Network Security I
     Program: Information Security Manager
     Course name: Network security I
     Course aim (education goal): 1. Able to describe network security; 2. Able to establish an approach and a technical strategy for network security; 3. Able to establish security measures for PC networks.
     Course contents: 1. Distributed computing and network operation; 2. Network security issues; 3. Rule of network security; 4. Network security approach and mechanism; 5. Security and issues related to networking PCs; 6. Strategy of network security; 7. Network security standard
     Institute: College, University
     Contact period: 256 hours
     Education method: Theory and practice
     Prerequisite courses: Computer network, Operating system

  18. 4.4 Education/training road map
     Steps: the 3rd occupation competence (Level 1, 2) and the 4th occupation competence (Level 1, 2, 3, 4).
     Courses placed on the road map: system security basic course, network security basic course, application security course, system security expert course, network security expert course, application security expert course, information technology risk management course.

  19. 5. CONCLUSION • There are 4 tasks and 13 works in the job of ISM. • The 4 tasks of ISM are security policy (with two works), risk management (with five works), safeguard choice (two works), and safeguard maintenance management (four works). • There are 18 education contents and 7 education courses in the education/training program for ISM. • The primary methodological contribution has been the combination of DACUM and interviews, including the final validation step in which the committee reviewed the feedback from industry and academia. • DACUM being a cost-effective approach, this technique can be applied to other educational programs as well, to fine-tune them using the validation step. However, worker-oriented instruments for job analysis have several limitations.

  20. Questions? • Further work: on issues relating to ISM occupation • Question Time
