Developing an Industry Supported Computer Security Curriculum


Kristen Gates, UC Berkeley
Maryanne McCormick, UC Berkeley
Sigurd Meldal, SJSU
John Mitchell, Stanford
Robert Rodriguez

TRUST 2nd Year Site Visit, March 19th, 2007

Starting point for initiative

March 13, 2006 ITTC Panel
- Mary Ann Davidson, CSO, Oracle
- Mark Connelly, CISO, Sun Microsystems
- Abe Smith, CSO, Xilinx
- Pat Faith, Visa

A challenging comment (as I heard it):
"The big problem in computer security is that universities don't teach students anything about computer security. There's no reason we should have to hire programmers who don't know what a buffer overflow is."

What should we do about this?

"Security Curriculum", J. Mitchell, TRUST 2nd Year Site Visit, March 19th, 2007

Background
- National Security Agency (NSA): National Centers of Academic Excellence in Information Assurance Education (CAEIAE)
- Association for Computing Machinery
- Security as part of existing courses (CS):
  - Network security: 3 hours in networking course
  - Operating system security: 2 hours in OS course
  - Cryptography: algorithms course / elective
- Many fine efforts to develop valuable courses

Our Goals

Provide students with
- Specific and realistic IT security information
- Success in their careers, service to industry

Curriculum
- Set of topics
- Specific objectives and examples for each topic

Materials backed by industry leaders to support and accelerate adoption
- Sample teaching material
- Case studies
- Webinars

Impact beyond top 10 research universities

TRUST team includes
- Kristen Gates (UC Berkeley, TRUST)
- Sigurd Meldal (San Jose State)
- Robert Rodriguez
- John Mitchell (Stanford)
- Maryanne McCormick, Nick Bambos, Anupam Datta, Ann Miura-Ko, Deirdre Mulligan

Process
- Convene industry/academia group
  - Draw on USSS, ITTC, CSO community
  - Meet: Sept 26, Nov 13, Dec 13, Feb 12, Mar 15
- Consensus: identify 8 topic areas
- Divide and conquer: each area module assembled by two leaders
- Public presentation: IEEE FIE Panel, Oct 29

Outcome
- Curriculum modules
- Internship/summer school
- Speaker series and video archive

Industrial contributors include
- Sanjay Bahl, Tata Consultancy Services
- Ken Baylor, McAfee -> Symantec
- James Beeson, General Electric Commercial Finance
- Jeffrey Camiel, Jefferson Wells
- Mark Connelly, Sun Microsystems
- Dave Cullinane, Washington Mutual Bank -> eBay CISO
- Mary Ann Davidson, Oracle
- Liz Glasser, CSIA
- Jason Hoffman, Greater Bay Bank
- Paul Kurtz, CSIA
- Dennis Kushner, Deloitte & Touche
- Kemi Macaulay, Xilinx
- Andrew Neilson, Silicon Valley Bank
- Sherry Ryan, HP
- Abe Smith, Xilinx
- George Sullivan, VP Global IT Security, Visa International
- Johan (Hans) van Tilburg, Visa
- Robert Weaver, ING
- Robert Rodriguez, Former USSS

Sample module: Security Management (Jason Hoffman, James Beeson)

Minimum core coverage time: .. hours

Topics:
- Security governance
- Privacy
- Roles & responsibilities
- Security education & awareness
- Policies & standards
- Security strategy
- Risk management
- Security monitoring & reporting
- Incident response & forensics
- Security safeguards & controls

Core learning outcomes:
- Explain and give examples of security governance in a typical organization and list the components of an information security program.
- Explain the importance of privacy and how protection of data is critical to the success of the organization, and describe business and user obligations and expectations.
- List and describe the various security roles and responsibilities at different levels within the organization and explain options for the reporting structure. Describe the relationship between the security organization and other business functions.
- Describe the different types of security awareness, education, and training approaches and tactics essential for every organization, and explain how to establish awareness of individual behaviors and how they affect security.
- Describe the differences among security policies, standards, and guidelines and how they are related to relevant regulatory requirements and privacy legislation.
- Describe the components of security strategy, including layered security, and how it should be integrated into IT strategy and the organization's business strategy.
- Identify the components of a security risk management framework and explain how it helps organizations identify and manage security risk.
- Explain why monitoring and reporting are important in measuring the effectiveness of an information security program, and describe various types of reporting such as operational metrics versus senior management dashboards.
- Describe the process for managing a security incident and explain how forensics assists organizations during investigations.
- List examples of security safeguards and controls in place that provide confidentiality, integrity and availability of information and are based on defense in depth.
- Identify the due diligence needed to assess the security of an organization's outsourced service provider and describe the different types of 3rd parties (i.e. vendors, customers, ASPs, etc.).
- Identify common approaches to selling security to senior management and understand the basics of ROSI (Return on Security Investment) and other payback strategies.

Elective learning outcomes:
- Complete a security risk assessment on a local organization if possible.
- Design a security awareness program for an organization.
- Conduct a presentation to senior leadership on the importance of information protection.
- Design a forensics program.
- Create an incident response process (with storyboard examples).

Course Modules
- Security Architecture
- Security Management
- Host and OS Security
- Application Security
- Network Security
- Secure Software Engineering
- Risk Management
- Policy and Legal Compliance
- Convergence of physical and information security
