DOD information assurance titles

At last month’s conference of the Federal Information Systems Security Association, the Defense Information Systems Agency (DISA) of the U.S. Department of Defense presented the latest information assurance training and awareness products.

I have used the free DISA CD-ROM courses for many years as adjuncts to undergraduate courses and have always been delighted with the technical quality of the information presented. The artwork and narration have also been excellent. Most of them can be used as Web-based training (WBT) or directly from the CD-ROM.

Don’t be put off by the Defense Department orientation of the materials; it doesn’t take much effort for users to realize that Defense Department-specific references can be ignored if they are inappropriate. Except for the most specialized titles, the principles and most of the practical recommendations in these training aids are perfectly applicable to any system.

Here are some of the highlights from the current catalog that will interest network and security administrators and information assurance trainers and educators.

* Critical Infrastructure Protection v1.0: “provides baseline CIP [Critical Infrastructure Protection] awareness to enhance the knowledge of DOD personnel in the front lines of defense, DOD and other government CIP planners, infrastructure owners, managers, technicians and users.”

* Information Assurance Policy & Technology v1.0: “created so that users of the program may successfully perform their duties as Information Assurance Officers/Managers (IAO/M) or System Administrators in accordance with DOD guidance pertaining to the defense of information systems.” The descriptive text explains that topics include “policy and oversight, inspection and audit… prevention, detection and eradication of viruses; execution and evaluation of system audit records; access control; disposition of Information Systems (IS) media; and development and compliance with the risk managed approval of system operations (certification and accreditation) plans.”

* Web Security: This course “covers legal issues, DOD policy and guidance, information protection, server side security and client side security.”

* Database Security v1.1: “Topics… include database structures and management systems, Structured Query Language (SQL), administration tools, and database security methods. In addition, the course covers database concepts and terms, discusses privileges and roles used in controlling data access, and introduces profiles and tablespaces, which are used to limit system resources.”

* Active Defense: An Executive’s Guide to Information Assurance v1.0: “This course presents the goals of an information assurance program, explains why meeting these goals is essential to success, and distinguishes [among] the roles and responsibilities of all members of the organization.” The course also explains how to identify and manage risks to information systems. Valuable checklists are provided at the end of each section.

Some of the products to which we can look forward include:

* A set of network-building, attack and defense scenarios and simulations.

* A cyberlaw course to be released in 2004.

In addition to the newer products, there are dozens of older yet valuable titles, including videos that can spice up your information security awareness classes or your school, college or university classes in IA. In particular, my students seem to enjoy the video “Solar Sunrise, Dawn of a New Threat / Risky Business.” Both parts have fast TV-news-style action, pounding music tracks and lots of exciting images of military installations, FBI agents showing up to arrest hackers, and so on. They are especially suitable for younger people.