
TRUST 2nd Year Site Visit, March 19th, 2007

Developing an Industry Supported Computer Security Curriculum

Kristen Gates, UC Berkeley

Maryanne McCormick, UC Berkeley

Sigurd Meldal, SJSU

John Mitchell, Stanford

Robert Rodriguez


"Security Curriculum", J. Mitchell, slide 2, TRUST 2nd Year Site Visit, March 19th, 2007

Starting point for initiative

March 13, 2006 ITTC Panel
– Mary Ann Davidson, CSO, Oracle
– Mark Connelly, CISO, Sun Microsystems
– Abe Smith, CSO, Xilinx
– Pat Faith, Visa

A challenging comment (as I heard it)
– The big problem in computer security is that universities don't teach students anything about computer security. There's no reason we should have to hire programmers who don't know what a buffer overflow is.

What should we do about this?


Background

National Security Agency (NSA)
– National Centers of Academic Excellence in Information Assurance Education (CAEIAE)

Association for Computing Machinery
– Security as part of existing courses (CS)
  Network security – 3 hours in networking course
  Operating system security – 2 hours in OS course
  Cryptography – algorithms course elective

Many fine efforts to develop valuable courses


Our Goals

Provide students with
– Specific and realistic IT security information
– Success in their careers, service to industry

Curriculum backed by industry leaders
– Set of topics
– Specific objectives and examples for each topic

Materials to support and accelerate adoption
– Sample teaching material
– Case studies
– Webinars

Impact beyond top 10 research universities


TRUST team includes …

Maryanne McCormick, Nick Bambos, Anupam Datta, Ann Miura-Ko, Deirdre Mulligan

Robert Rodriguez

Sigurd Meldal, San Jose State

John Mitchell, Stanford

Kristen Gates, UC Berkeley TRUST


Process

Convene industry/academia group
– Draw on USSS, ITTC, CSO community
– Meet: Sept 26, Nov 13, Dec 13, Feb 12, Mar 15
– Consensus

Identify 8 topic areas
– Divide and conquer: each area module assembled by two leaders

Public presentation: IEEE FIE Panel, Oct 29

Outcome
– Curriculum modules
– Internship/summer school
– Speaker series and video archive


Industrial contributors include …

– Sanjay Bahl, Tata Consultancy Services
– Ken Baylor, McAfee -> Symantec
– James Beeson, General Electric Commercial Finance
– Jeffrey Camiel, Jefferson Wells
– Mark Connelly, Sun Microsystems
– Dave Cullinane, Washington Mutual Bank -> eBay CISO
– Mary Ann Davidson, Oracle
– Liz Glasser, CSIA
– Jason Hoffman, Greater Bay Bank
– Paul Kurtz, CSIA
– Dennis Kushner, Deloitte & Touche
– Kemi Macaulay, Xilinx
– Andrew Neilson, Silicon Valley Bank
– Sherry Ryan, HP
– Abe Smith, Xilinx
– George Sullivan, VP Global IT Security, Visa International
– Johan (Hans) van Tilburg, Visa
– Robert Weaver, ING
– Robert Rodriguez, former USSS


Sample module

Security Management (Jason Hoffman, James Beeson)

Minimum core coverage time: .. hours

Topics:
– Security governance
– Privacy
– Roles & responsibilities
– Security education & awareness
– Policies & standards
– Security strategy
– Risk management
– Security monitoring & reporting
– Incident response & forensics
– Security safeguards & controls

Core learning outcomes:
– …

Elective learning outcomes:
– …


Sample module

Core learning outcomes:
– Explain and give examples of security governance in a typical organization and list the components of an information security program.
– Explain the importance of privacy and how protection of data is critical to the success of the organization, and describe business and user obligations and expectations.
– List and describe the various security roles and responsibilities at different levels within the organization and explain options for the reporting structure.
– Describe the relationship between the security organization and other business functions.
– Describe the different types of security awareness, education, and training approaches and tactics essential for every organization, and explain how to establish awareness of individual behaviors and how they affect security.
– Describe the differences among security policies, standards, and guidelines and how they are related to relevant regulatory requirements and privacy legislation.
– …


Sample module

Core learning outcomes:
– …
– Describe the components of a security strategy, including layered security, and how it should be integrated into IT strategy and the organization's business strategy.
– Identify the components of a security risk management framework and explain how it helps organizations identify and manage security risk.
– Explain why monitoring and reporting is important in measuring the effectiveness of an information security program, and describe various types of reporting, such as operational metrics versus senior management dashboards.
– Describe the process for managing a security incident and explain how forensics assists organizations during investigations.
– List examples of security safeguards and controls that provide confidentiality, integrity, and availability of information and are based on defense in depth.
– Identify the due diligence needed to assess the security of an organization's outsourced service providers and describe the different types of third parties (e.g. vendors, customers, ASPs, etc.).
– Identify common approaches to selling security to senior management and understand the basics of ROSI (Return on Security Investment) and other payback strategies.


Sample module

Elective learning outcomes:
– Complete a security risk assessment on a local organization, if possible.
– Design a security awareness program for an organization.
– Conduct a presentation to senior leadership on the importance of information protection.
– Design a forensics program.
– Create an incident response process (with storyboard examples).


Course Modules

– Security Architecture
– Security Management
– Host and OS Security
– Application Security
– Network Security
– Secure Software Engineering
– Risk Management
– Policy and Legal Compliance
– Convergence of Physical and Information Security
