Developing an Industry Supported Computer Security Curriculum

Kristen Gates, UC Berkeley
Maryanne McCormick, UC Berkeley
Sigurd Meldal, SJSU
John Mitchell, Stanford
Robert Rodriguez

TRUST 2nd Year Site Visit, March 19th, 2007

Starting point for initiative: March 13, 2006 ITTC Panel
  Mary Ann Davidson, CSO, Oracle
  Mark Connelly, CISO, Sun Microsystems
  Abe Smith, CSO, Xilinx
  Pat Faith, Visa

A challenging comment (as I heard it):
  "The big problem in computer security is that universities don't teach students anything about computer security. There's no reason we should have to hire programmers who don't know what a buffer overflow is."

What should we do about this?

"Security Curriculum", J. Mitchell, TRUST 2nd Year Site Visit, March 19th, 2007

Background
  National Security Agency (NSA) National Centers of Academic Excellence in Information Assurance Education (CAEIAE)
  Association for Computing Machinery (ACM)
  Security as part of existing courses (CS):
    Network security: 3 hours in a networking course
    Operating system security: 2 hours in an OS course
    Cryptography: algorithms course elective
  Many fine efforts to develop valuable courses

Our Goals
  Provide students with:
    Specific and realistic IT security information
    Success in their careers, service to industry
  Curriculum:
    Set of topics
    Specific objectives and examples for each topic
    Materials backed by industry leaders to support and accelerate adoption: sample teaching material, case studies, webinars
  Impact beyond the top 10 research universities

TRUST team includes
  Kristen Gates (UC Berkeley, TRUST)
  Sigurd Meldal (San Jose State)
  Robert Rodriguez
  John Mitchell (Stanford)
  Maryanne McCormick, Nick Bambos, Anupam Datta, Ann Miura-Ko, Deirdre Mulligan

Process
  Convene industry/academia group
    Draw on USSS, ITTC, CSO community
    Meet: Sept 26, Nov 13, Dec 13, Feb 12, Mar 15
  Consensus
    Identify 8 topic areas
  Divide and conquer
    Each area module assembled by two leaders
  Public presentation: IEEE FIE Panel, Oct 29
  Outcome
    Curriculum modules
    Internship/summer school
    Speaker series and video archive

Industrial contributors include
  Sanjay Bahl (Tata Consultancy Services)
  Ken Baylor (McAfee -> Symantec)
  James Beeson (General Electric Commercial Finance)
  Jeffrey Camiel (Jefferson Wells)
  Mark Connelly (Sun Microsystems)
  Dave Cullinane (Washington Mutual Bank -> eBay, CISO)
  Mary Ann Davidson (Oracle)
  Liz Glasser (CSIA)
  Jason Hoffman (Greater Bay Bank)
  Paul Kurtz (CSIA)
  Dennis Kushner (Deloitte & Touche)
  Kemi Macaulay (Xilinx)
  Andrew Neilson (Silicon Valley Bank)
  Sherry Ryan (HP)
  Abe Smith (Xilinx)
  George Sullivan (VP Global IT Security, Visa International)
  Johan (Hans) van Tilburg (Visa)
  Robert Weaver (ING)
  Robert Rodriguez (former USSS)

Sample module: Security Management (Jason Hoffman, James Beeson)
  Minimum core coverage time: .. hours
  Topics:
    Security governance
    Privacy
    Roles & responsibilities
    Security education & awareness
    Policies & standards
    Security strategy
    Risk management
    Security monitoring & reporting
    Incident response & forensics
    Security safeguards & controls

  Core learning outcomes:
    - Explain and give examples of security governance in a typical organization, and list the components of an information security program.
    - Explain the importance of privacy and how protection of data is critical to the success of the organization, and describe business and user obligations and expectations.
    - List and describe the various security roles and responsibilities at different levels within the organization, and explain options for the reporting structure. Describe the relationship between the security organization and other business functions.
    - Describe the different types of security awareness, education and training approaches and tactics essential for every organization, and explain how to establish awareness of individual behaviors and how they affect security.
    - Describe the differences among security policies, standards and guidelines, and how they relate to relevant regulatory requirements and privacy legislation.
    - Describe the components of a security strategy, including layered security, and how it should be integrated into the IT strategy and the organization's business strategy.
    - Identify the components of a security risk management framework and explain how it helps organizations identify and manage security risk.
    - Explain why monitoring and reporting are important in measuring the effectiveness of an information security program, and describe various types of reporting, such as operational metrics versus senior management dashboards.
    - Describe the process for managing a security incident and explain how forensics assists organizations during investigations.
    - List examples of security safeguards and controls that provide confidentiality, integrity and availability of information and are based on defense in depth.
    - Identify the due diligence needed to assess the security of an organization's outsourced service provider, and describe the different types of third parties (i.e. vendors, customers, ASPs, etc.).
    - Identify common approaches to selling security to senior management, and understand the basics of ROSI (Return on Security Investment) and other payback strategies.

  Elective learning outcomes:
    - Complete a security risk assessment on a local organization, if possible.
    - Design a security awareness program for an organization.
    - Conduct a presentation to senior leadership on the importance of information protection.
    - Design a forensics program.
    - Create an incident response process (with storyboard examples).

Course Modules
  Security Architecture
  Security Management
  Host and OS Security
  Application Security
  Network Security
  Secure Software Engineering
  Risk Management
  Policy and Legal Compliance
  Convergence of physical and information security
