DoD offers useful certification guidelines

* Document proposes industry standards for levels of IA personnel

Jacqueline R. Tregre writes: How much training is enough? The U.S. Department of Defense put its considerable resources into that very question and produced a manual, publicly available, that calls for industry-standard certifications (and implicitly for the training to attain them) for both the technical personnel that actually put hands on systems, and for the management personnel responsible for running an organization's information assurance program.

Recent MSIA graduate Jacqueline R. Tregre is a senior information assurance engineer with the U.S. Army in Arizona. She has very kindly contributed the following article to the column. The remainder of today’s posting is entirely her work (with minor edits).

* * *

How much training is enough? The U.S. Department of Defense put its considerable resources into that very question and produced a manual, "Information Assurance Workforce Improvement Program." Publicly available, the manual calls for industry-standard certifications (and implicitly for the training to attain them) for both the technical personnel that actually put hands on systems, and for the management personnel responsible for running an organization's information assurance (IA) program.

This development is important to private industry because if these levels of certification are required for the operation of the government, then it is reasonable to believe these levels will eventually become a de facto standard for industry.

The Defense Department manual defines categories and specialties within the IA workforce, and calls for certifications both in the computing or network environment and in the IA arena. For example, an enterprise administrator (Domain / Forest Administrator) should be certified in the operating system that he or she administers, plus any applications administered in that computing environment.

Furthermore, due to the extensive responsibilities of the individual, the manual demands that administrators (technically IAT-III, standing for IA Technical Level III) obtain suitable certifications. Options include CISSP, CISA, SCNA.

The IA Manager category, or IAM, is responsible for IA policy, procedures, and the IT workforce structure and training. The IAM-III requires the GSLC, the CISM, or the CISSP. Certifications such as these demonstrate that your IAM has the broadly scoped knowledge necessary to make prudent and reasonable decisions in information and network security policies and procedures.

The manual's certification requirements for Level III are the highest-level requirements; it also recognizes Levels II and I. These roughly correlate to Enterprise Level (III), Network Level (II), and System Level (I). The manual elaborates further on position requirements such as experience, knowledge, supervision, and other requirements, such as independence in actions. For example, the IAT-I works entirely within established policies and procedures, while the IAT-II "relies on experience and judgment to plan and accomplish goals within the [Network Environment]."

The manual helpfully lists functions executed by each category and level. A supervisor may use these in writing job descriptions or especially in defining personnel ratings and rating standards. For example, the manual lists 31 functions for the IAT-II position. One may establish standards with each function, such as "T-II.20. Perform system audits to assess security related factors within the NE." and add the words "every x days or less" to establish a standard.

Your chief information security officer may also use these requirements to argue successfully for resources from the chief operating officer or chief financial officer. The manual gives management a good picture of what training the firm may deem necessary, good to know, or non-essential.

If your organization receives, processes, stores, displays, or transmits Defense Department information, then the DoD 8500-series requirements apply to you, including these training requirements. If these requirements do apply, then consider having at least one person in your IT shop attain the Information Systems Security Engineering Professional (ISSEP) concentration certification of the CISSP. The ISSEP certifies an individual in knowledge of the NIST and Defense Department IA requirements. This level of knowledge could help your firm avoid a costly misstep in handling Defense Department information.
