Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
Recent MSIA graduate Jacqueline R. Tregre is a senior information assurance engineer with the U.S. Army in Arizona. She has very kindly contributed the following article to the column. The remainder of today’s posting is entirely her work (with minor edits).
* * *
How much training is enough? The U.S. Department of Defense put its considerable resources into that very question and produced a manual, "Information Assurance Workforce Improvement Program." The publicly available manual calls for industry-standard certifications (and implicitly for the training to attain them) both for the technical personnel who actually put hands on systems and for the management personnel responsible for running an organization's information assurance (IA) program.
This development is important to private industry because if these levels of certification are required for the operation of the government, then it is reasonable to believe these levels will eventually become a de facto standard for industry.
The Defense Department manual defines categories and specialties within the IA workforce, and certifications in both the computing and/or network environments and in the IA arena. For example, an enterprise administrator (Domain / Forest Administrator) should be certified in the operating system that he or she administers, plus any applications administered in that computing environment.
Furthermore, due to the extensive responsibilities of the individual, the manual demands that administrators (technically IAT-III, standing for IA Technical Level III) obtain suitable certifications. Options include CISSP, CISA, and SCNA.
The IA Manager category, or IAM, is responsible for IA policy, procedures, and the IT workforce structure and training. The IAM-III requires the GSLC, the CISM, or the CISSP. Certifications such as these demonstrate that your IAM has the broadly scoped knowledge necessary to make prudent and reasonable decisions in information and network security policies and procedures.
The manual's certification requirements for Level III are the highest-level requirements; it also recognizes Levels II and I. These roughly correlate to Enterprise Level (III), Network Level (II), and System Level (I). The manual elaborates further on position requirements such as experience, knowledge, supervision, and other requirements, such as independence in actions. For example, the IAT-I works entirely within established policies and procedures, while the IAT-II "relies on experience and judgment to plan and accomplish goals within the [Network Environment]."
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.
Comments (10)
DOD Providing Certification Recommendations
By Anonymous on July 17, 2008, 1:34 pm
Based on the basic low level FISMA security scores that any governmental agency should be establishing levels of certification. Also, the security certifications...
DOD Providing Certification Recommendations
By Anonymous on July 17, 2008, 9:45 am
Certifications do not provide proof of competence; they only prove capability to pass a test. There needs to be an apprentice, journeyman, and master process which...
Certifications
By Anon on July 18, 2008, 7:23 am
Certifications are meaningless. Let's face it, someone responsible for securing a network needs to know how to secure the network, not the theory behind securing...
Certifications
By Anonymous on July 18, 2008, 11:18 am
While I was on the "certifications don't prove anything" bandwagon for several years, now I am of the it proves something and something is better than nothing mindset....
DOD Providing Certification Recommendations
By Anonymous on July 18, 2008, 8:32 pm
A step in the right direction but nothing more than that. I have sat many of the listed certifications but found that a Masters Degree to have been the most challenging...
Certs available at no cost . .
By Jacqueline Tregre on July 21, 2008, 3:40 pm
The DoD has provided funds and test vouchers to its Services, so the training and the certification are at no cost to the individual.