VA ISO Infrastructure Development Office of Cyber and Information Security
Cyber Security Professionalization (CSP) Program:
It’s ALL About People! FISSEA ‘04
Terri Cinnamon, Team Leader TEAP
Michael Arant, Cyber Security Liaison
Agenda
Background
Objectives
Program Elements
Background: VA
“. . .for them who shall have borne the battle. . .”
VA: Largest Civilian Department
230,000 Employees, plus Contractors, Volunteers, Students. . .
Health Services, Benefits, Memorial Services, and supporting Staff Offices for 26 Million Veterans, Plus Beneficiaries.
Spend $60 Billion Annually
COG, National Infrastructure, Emergency Preparedness
Background: VA Cyber Security
Responsible for Cyber Security for entire Department.
Bruce A. Brody, ADAS for Cyber and Information Security (Within OI&T, direct report to CIO)
Recently Consolidated.
TEAP (Training, Education, Awareness, and Professionalization)
VA InfoSec Conferences, Universal Awareness, CISSP, National LMS
Background: Official Story
June 2002: Promise to Congress (Congressman Buyer, Chairman, Subcommittee on Oversight and Investigations)
– Implement a “rigorous qualifications and certification program for ISOs…”
September 2002: Information Security Officer (ISO) Infrastructure Development Support contract awarded.
Background: The Back Story
Unflattering Congressional “Report Cards”.
Persistent OIG Material Weakness
Rampant Internet Worms
Et Cetera. [Fill in your own Cyber Nightmares.]
Incomplete transition to unified IT organizational structure.
No direct line authority to the VA field security community.
Agenda
Background
Objectives
Program Elements
Objectives of CSP Program
The training and certification is based on current standards and best practices established by:
– VA cyber security program
– VA cyber security policies and procedures
– National Institute of Standards and Technology (NIST)
The program targets the core body of knowledge (CBK) required to perform the requisite duties of a CSP [Available on demand. . .just ask!]
Agenda
Background
Objectives
Program Elements
Program Elements
Directive and Handbook
Position Descriptions (PDs)
Career Paths
Certification Program
– Training
Incentive Program
Credential Program
Program Elements
Directive and Handbook
Describes the sub-elements of the program
– Types of Cyber Security Practitioners
– Certification
– Credential
– Incentive
Program Elements
Types of Cyber Security Practitioners (CSP)
Information Security Manager (ISM): manage the departmental cyber security program
Information Security Officer (ISO): manage/implement security program elements that are not hardware or software related
Technical Security Officer (TSO): manage/implement security program elements that are system (e.g., hardware/software) related
Program Elements
Position Descriptions–Purpose
Generic position descriptions (PDs)
– Related performance standards
– Performance metrics
– Rating factors
Flexibility to assign resources more effectively
Ability to establish a career path with both vertical and horizontal progression
Ability to accommodate IT personnel who wish to transition to the security field
PDs to Human Resources Classifiers
Available on demand. . .just ask!
Program Elements
7 Categories of PDs
POSITION: ROLE (GRADE)
Info. Sec. Manager (ISM): Manage Departmental Cyber Security Program (SES, GS-15, and GS-14)
Regional ISO: Supervise (GS-13/14), Team Lead (GS-13/14), Staff (GS-12/13/14)
Regional TSO: Supervise (GS-13/14), Team Lead (GS-13/14), Staff (GS-12/13/14)
ISO: Supervise (GS-13/14), Team Lead (GS-13/14), Staff (GS-12/13/14)
TSO: Supervise (GS-13/14), Team Lead (GS-13/14), Staff (GS-12/13/14)
Sr. Staff ISO, Staff ISO: Sr. Staff (GS-12/13), Team Lead (GS-11), Staff (GS-7/9)
Role definitions:
– Supervise: Performs annual review, hire/fire
– Team Lead: Allows a GS-n to provide work direction to another GS-n
– Staff: Implements policy/procedure
Program Elements
Career Paths–Purpose
Identify movement for CSPs
– Within and between local VA facilities
– From local VA facilities to OCS regional support centers
– Between and within OCS regional support centers
– From OCS regional support centers to VACO
– Within VACO OCS
Identify sources of CSPs to fill openings
Program Elements
Career Paths–Approach
• Will be developed after the PDs are written and the level structure of the ISO positions has been completed
• Will clearly identify options for vertical and horizontal movement
[Diagram: levels E I, E II, and E III, each with movement within the level]
• Critical for retention of certified staff
• Essential for recruiting highly qualified cyber security practitioners
Program Elements
Certification Program–Purpose
The certification program for VA information security professionals will establish a realistic standard for information security practitioners
The certification program is composed of successful completion of specific training including completion of certification quizzes throughout the training
Once CSPs have successfully completed training and testing, certifications will be awarded.
The objective was to have 320 Full-time CSPs certified by 10/01/03; Achieved / Moving On.
Program Elements
Certification Program–Approach
Develop a framework to allow for flexibility and growth
Provide training to initiate the certification program
Provide quizzes throughout the training that ensure CSPs have the minimum level of knowledge required on each subject to perform the duties of their position
Provide guidance on additional training and certifications that can provide growth within the framework
Program Elements
Certification Program–Training
Training tailored to VA, limited Federal policy and basic security concepts
Objectives directly linked to source documents for tracking purposes
Pre-test and training target the same objectives and can be used for self-assessment and training evaluation (non-attributable score)
Delivery by Web as well as some stand-up at InfoSec Conference
Program Elements
Core Body of Knowledge (CBK)
1. InfoSec Concepts
2. VA’s IT security programs
3. VA’s IT security policies and procedures
4. Risk management
5. System development life cycle
6. System environment
7. System Interconnections (physical)
8. Information sharing (logical)
9. Defense in depth at VA
10. Risk assessment
11. Security plans
12. Certification and accreditation
13. Technical controls
14. Operational controls
15. Incident Management
16. Security Awareness and Training
17. Internal audit
18. External audit
InfoSec Concepts
Networking Concepts
Major ISO Tasks
Program Elements
Incentive Program
Work with representatives from VA HR, OCS, OI&T and with OPM to develop appropriate reward/retention options in draft form
Options may include:
– Compensation
  • Advance payment for new hires
  • Recruitment and relocation bonuses
  • Retention allowances
  • Superior qualification appointments
– Training
– Career development
  • Vertical movement
  • Horizontal movement
– Flexible work arrangements
Program Elements
Credential Program
One credential for all Cyber Security Practitioners (e.g., ISM, ISO, and TSO)
Credentialing criteria
– Successful completion of ISO training course = certification
– Experience
– Subscribe to code of ethics
– Satisfactory background investigation
– Having no extant cyber security related adverse actions
Credential identifies CSPs and gives them authority to act for the CIO in reporting security incidents and assisting in investigations as required
What Do We Want You to Leave With?
VA is on its way.
– The whole Department is watching!
Battles Fought / Victories Gained.
Battles Fought / Lessons Learned / Scars Earned.
Find Partners / Leverage Benefits.
Introduce Ourselves.
Contact Us
Terri Cinnamon, Team Leader [email protected]
Michael Arant, Cyber Security [email protected]
VA Office of Cyber and Information Security