VA ISO Infrastructure Development, Office of Cyber and Information Security. Cyber Security Professionalization (CSP) Program: It’s ALL About People! FISSEA ’04. Terri Cinnamon, Team Leader, TEAP; Michael Arant, Cyber Security Liaison.

Uploaded by jeffry-walton, 26-Dec-2015


Page 1

VA ISO Infrastructure Development, Office of Cyber and Information Security

Cyber Security Professionalization (CSP) Program: It’s ALL About People!

FISSEA ’04

Terri Cinnamon, Team Leader, TEAP
Michael Arant, Cyber Security Liaison

Page 2

Agenda

– Background
– Objectives
– Program Elements

Page 3

Background: VA

“. . . for them who shall have borne the battle . . .”

VA: Largest Civilian Department

230,000 employees, plus contractors, volunteers, students . . .

Health Services, Benefits, Memorial Services, and supporting Staff Offices for 26 million veterans, plus beneficiaries.

Spends $60 billion annually.

COG, National Infrastructure, Emergency Preparedness

Page 4

Background: VA Cyber Security

Responsible for cyber security for the entire Department.

Bruce A. Brody, ADAS for Cyber and Information Security (within OI&T, direct report to the CIO).

Recently consolidated.

TEAP (Training, Education, Awareness, and Professionalization): VA InfoSec Conferences, Universal Awareness, CISSP, National LMS

Page 5

Background: Official Story

June 2002: Promise to Congress (Congressman Buyer, Chairman, Subcommittee on Oversight and Investigations) to implement a “rigorous qualifications and certification program for ISOs . . .”

September 2002: Information Security Officer (ISO) Infrastructure Development Support contract awarded.

Page 6

Background: The Back Story

– Unflattering Congressional “Report Cards”
– Persistent OIG material weakness
– Rampant Internet worms
– Et cetera [fill in your own cyber nightmares]
– Incomplete transition to a unified IT organizational structure
– No direct line authority over the VA field security community

Page 7

Agenda

– Background
– Objectives
– Program Elements

Page 8

Objectives of CSP Program

The training and certification are based on current standards and best practices established by:
– the VA cyber security program
– VA cyber security policies and procedures
– the National Institute of Standards and Technology (NIST)

The program targets the core body of knowledge (CBK) required to perform the requisite duties of a CSP. [Available on demand . . . just ask!]

Page 9

Agenda

– Background
– Objectives
– Program Elements

Page 10

Program Elements

– Directive and Handbook
– Position Descriptions (PDs)
– Career Paths
– Certification Program
  – Training
– Incentive Program
– Credential Program

Page 11

Program Elements

Directive and Handbook

Describes the sub-elements of the program:
– Types of Cyber Security Practitioners
– Certification
– Credential
– Incentive

Page 12

Program Elements

Types of Cyber Security Practitioners (CSP)

Information Security Manager (ISM): manages the departmental cyber security program.

Information Security Officer (ISO): manages/implements security program elements that are not hardware or software related.

Technical Security Officer (TSO): manages/implements security program elements that are system (e.g., hardware/software) related.

Page 13

Program Elements

Position Descriptions–Purpose

Generic position descriptions (PDs):
– Related performance standards
– Performance metrics
– Rating factors

– Flexibility to assign resources more effectively
– Ability to establish a career path with both vertical and horizontal progression
– Ability to accommodate IT personnel who wish to transition to the security field
– PDs to Human Resources Classifiers

Available on demand . . . just ask!

Page 14

Program Elements

7 Categories of PDs

POSITION                    ROLE                                         GRADE
Info. Sec. Manager (ISM)    Manage Departmental Cyber Security Program   SES, GS-15, and GS-14
Regional ISO                Supervise                                    GS-13/14
                            Team Lead                                    GS-13/14
                            Staff                                        GS-12/13/14
Regional TSO                Supervise                                    GS-13/14
                            Team Lead                                    GS-13/14
                            Staff                                        GS-12/13/14
ISO                         Supervise                                    GS-13/14
                            Team Lead                                    GS-13/14
                            Staff                                        GS-12/13/14
TSO                         Supervise                                    GS-13/14
                            Team Lead                                    GS-13/14
                            Staff                                        GS-12/13/14
Sr. Staff ISO / Staff ISO   Sr. Staff                                    GS-12/13
                            Team Lead                                    GS-11
                            Staff                                        GS-7/9

Supervise: performs annual review, hire/fire.
Team Lead: allows a GS-n to provide work direction to another GS-n.
Staff: implements policy/procedure.

Page 15

Program Elements

Career Paths–Purpose

Identify movement for CSPs:
– Within and between local VA facilities
– From local VA facilities to OCS regional support centers
– Between and within OCS regional support centers
– From OCS regional support centers to VACO
– Within VACO OCS

Identify sources of CSPs to fill openings.

Page 16

Program Elements

Career Paths–Approach

• Will be developed after the PDs are written and the level structure of the ISO positions has been completed
• Will clearly identify options for vertical and horizontal movement
• Critical for retention of certified staff
• Essential for recruiting highly qualified cyber security practitioners

[Diagram: three levels, E I, E II, and E III, each labeled with movement “Within E I”, “Within E II”, and “Within E III”.]

Page 17

Program Elements

Certification Program–Purpose

The certification program for VA information security professionals will establish a realistic standard for information security practitioners.

The certification program consists of successful completion of specific training, including certification quizzes throughout the training.

Once CSPs have successfully completed training and testing, certifications will be awarded.

The objective was to have 320 full-time CSPs certified by 10/01/03: achieved / moving on.

Page 18

Program Elements

Certification Program–Approach

– Develop a framework to allow for flexibility and growth
– Provide training to initiate the certification program
– Provide quizzes throughout the training that ensure CSPs have the minimum level of knowledge required on each subject to perform the duties of their position
– Provide guidance on additional training and certifications that can provide growth within the framework

Page 19

Program Elements

Certification Program–Training

– Training tailored to VA, limited Federal policy, and basic security concepts
– Objectives directly linked to source documents for tracking purposes
– Pre-test and training target the same objectives and can be used for self-assessment and training evaluation (non-attributable score)
– Delivery by Web, as well as some stand-up delivery at the InfoSec Conference

Page 20

Program Elements

Core Body of Knowledge (CBK)

1. InfoSec concepts
2. VA’s IT security programs
3. VA’s IT security policies and procedures
4. Risk management
5. System development life cycle
6. System environment
7. System interconnections (physical)
8. Information sharing (logical)
9. Defense in depth at VA
10. Risk assessment
11. Security plans
12. Certification and accreditation
13. Technical controls
14. Operational controls
15. Incident management
16. Security awareness and training
17. Internal audit
18. External audit

[Diagram: three labeled areas, InfoSec Concepts, Networking Concepts, and Major ISO Tasks.]

Page 21

Program Elements

Incentive Program

Work with representatives from VA HR, OCS, OI&T, and OPM to develop appropriate reward/retention options in draft form. Options may include:
– Compensation
  • Advance payment for new hires
  • Recruitment and relocation bonuses
  • Retention allowances
  • Superior qualification appointments
– Training
– Career development
  • Vertical movement
  • Horizontal movement
– Flexible work arrangements

Page 22

Program Elements

Credential Program

One credential for all Cyber Security Practitioners (i.e., ISM, ISO, and TSO).

Credentialing criteria:
– Successful completion of the ISO training course (= certification)
– Experience
– Subscribing to a code of ethics
– Satisfactory background investigation
– No extant cyber security related adverse actions

The credential identifies CSPs and gives them authority to act for the CIO in reporting security incidents and assisting in investigations as required.

Page 23

What Do We Want You to Leave With?

– VA is on its way. The whole Department is watching!
– Battles fought / victories gained.
– Battles fought / lessons learned / scars earned.
– Find partners / leverage benefits.
– Introduce ourselves.

Page 24

Contact Us

Terri Cinnamon, Team Leader, [email protected]

Michael Arant, Cyber Security Liaison, [email protected]

VA Office of Cyber and Information Security
