sec it education study guide


NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, is another NIST document related to information security awareness and training. The four main areas in NIST SP 800-50 are as follows:

- Awareness: A continuous process to help keep all personnel vigilant. This can include the acceptable use policy (AUP), reminders, logon banners, posters, email messages, and any other techniques to keep personnel thinking about security.
- Training: Teach necessary security skills and competency to the staff as a whole as well as to those whose jobs are in IT.
- Education: Integrate security skills and competencies into a common body of knowledge.
- Professional development (organizations and certifications): Meet a standard by applying evaluation or measurement criteria.

The PCI DSS v3.2 standard for self-assessment questionnaire (SAQ) Requirement 12.6 states the following:

"Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures." This PCI DSS v3.2 requirement must be supported with new-hire training and at least annual security awareness training updates. In addition, PCI DSS v3.2 requires that personnel acknowledge at least annually that they have read and understood the security policy and procedures.

The following elements are typically included in an organization's new-hire security awareness training course.

- Compliance with regulatory requirements and laws: Security awareness training typically includes topics regarding your organization's regulatory compliance and your legal requirements as an employee. This may include regulatory compliance and the protection of sensitive data such as personally identifiable information (PII), protected health care information (PHI), or cardholder data (credit card numbers).
- Password behaviors: The organization's password management policy and complex password requirements are typically reviewed in annual security awareness training.
- Information/data classification, handling, and labeling: This is an important part of security awareness training that reminds employees of the proper handling of regulated sensitive data versus nonregulated data.
- Clean desk policies: Security awareness training should remind employees to ensure confidentiality by not leaving any sensitive information or documents on their desks.
- Prevent tailgating: Employees should be reminded not to let secure doorways or entranceways be compromised by individuals approaching behind them.
- Personally owned devices: Organizations that permit the use of personally owned devices such as laptop computers or smartphones must address the bring-your-own-device (BYOD) policy in annual security awareness training.
- New threats and new security trends/alerts: Security awareness training is a good tool for educating employees on new attack methods and trends from hackers and perpetrators.
- New viruses (e.g., ransomware, cryptolocker, etc.): Security awareness training is a good tool for educating employees on new viruses and malicious software such as ransomware and cryptolocker software.
- Phishing attacks: Reminders about phishing emails and targeted phishing emails are typically communicated in annual security awareness training.
- Zero-day exploits: Malware for which no anti-malware solution yet exists can constitute a zero-day exploit that may force your organization to remove an IT asset from production. Zero-day attacks and exploits are typically communicated in annual security awareness training.
- Use of social networking and peer-to-peer communications: Both are typically prohibited in the AUP and in other policy definitions; hence, this topic is commonly covered in annual security awareness training.

Without periodic security awareness training, employees will not be aware of new policies and procedures regarding security and privacy.

The Health Insurance Portability and Accountability Act (HIPAA) also includes directives that require security awareness and training. Implementation specifications include the following:

- Establishing a security awareness program
- Providing training in malicious software
- Providing training on logon monitoring procedures
- Providing training on password management

Security Awareness Training

Every organization, regardless of its industry vertical or regulatory compliance requirements, must have a new-hire and ongoing or annual security awareness training program. This security awareness training course must be part of the organization's security awareness campaign.

The National Centers of Academic Excellence in Information Assurance Education (CAE/IAE) program

The CAE/IAE program identifies educational institutions that meet the program's information assurance educational guidelines.

The U.S. Office of Personnel Management (OPM)

The OPM requires that federal agencies provide the training suggested by the NIST guidelines.

Bachelor's degree programs with cybersecurity concentrations.

TABLE 13-3 Bachelor's degree programs with cybersecurity concentrations.

ITT Technical Institute: ITT Tech offers online and classroom-delivered BS degrees in information systems security and information systems and cybersecurity. For more information, visit www.itt-tech.edu/programs/.

Capella University: Capella University offers online BS degrees in information technology with an information assurance and security specialization. Capella University has earned an NSA and Homeland Security designation. For more information, visit www.capella.edu/businesstechnology-degrees/undergraduate/programs/.

George Washington University: George Washington University (GWU) offers a BS degree in cybersecurity for students with associate's or nontechnical bachelor's degrees. For more information, visit https://cps.gwu.edu/cybersecurity-bachelors.

Kaplan University: Kaplan University offers online BS degrees in information technology with the opportunity to focus on security and forensics concentrations. For more information, visit http://www.kaplanuniversity.edu/programs/bachelorsdegrees.aspx.

University of Maryland/University College: The University of Maryland/University College offers BS degree programs in cybersecurity management and policy, computer networks and cybersecurity, and software development and security. Each concentration is designed to help you reach your career goals. For more information, visit www.umuc.edu/cybersecurity/academics/bachelorsdegrees.cfm.

Southern New Hampshire University: Southern New Hampshire University's online BS degrees can include an IT security, information assurance, or forensics concentration. Learn to defend and protect networks and information systems against cyberattacks with the cyber security concentration in the BS in Information Technologies online degree. For more information, visit http://www.snhu.edu/online-degrees/bachelors/bs-in-informationtechnologies/cybersecurity.

University of Phoenix: The University of Phoenix offers online and classroom-delivered IT BS degrees. These IT BS degrees can include IT security, information assurance, or forensics concentrations. For more information, visit www.phoenix.edu/programs/degreeprograms/technology/bachelors/bsit-iss.html.

Strayer University: Online and classroom-delivered BS degrees in information systems are offered with specific concentrations in forensics, cybersecurity, and homeland security. For more information, visit www.strayer.edu/degree/bachelors-degree/bachelorscience-information-systems/.

The National Centers of Academic Excellence in Research (CAE/R) program

The CAE/R program, available at the same URL, identifies institutions that meet the program's research guidelines.

Under the OPM requirements, agencies must also provide training whenever any of the following conditions occur:

- There is a significant change in the agency's IT security environment.
- There is a significant change in the agency's security procedures.
- An employee enters a new position that deals with sensitive information.

Doctoral degree programs.

Capella University: Capella University offers an online PhD in information assurance. This PhD program is designed to advance your information security expertise in a way that fits your career. It provides opportunities for advanced skill development and doctoral research in such topics as information confidentiality, integrity, governance, compliance, and risk management. For more information, visit www.capella.edu/online-degrees/phdinformation-assurance-security/.

Colorado Technical University: Colorado Technical University (CTU) offers an online PhD program in computer science with an information assurance concentration. CTU's program is designed to help develop the theoretical, research, and applications capabilities needed to manage and forecast future issues and developments in this field. It will challenge students to demonstrate expertise in a subdiscipline of information assurance by selecting and conducting research on an important problem, then communicating results and preparing them for publication. For more information, visit www.coloradotech.edu/degrees/doctorates/computerscience/information-assurance/.

Dakota State University: Dakota State University offers an online PhD in information assurance that specializes in cyber operations activities, including data collection, software exploitation, analysis of malicious code, and reverse engineering. These technologies are critical to intelligence, military, and law enforcement organizations, as well as to employers in other data-driven industries. For more information, visit http://dsu.edu/graduatestudents/dsccs/.

Northcentral University: Northcentral University offers an online PhD in business administration with a concentration in computer and information security. The specialization focuses on developing best practices for forensic investigations and evidence handling, federal and state privacy, intellectual property, the search and seizure process, and cybercrime laws. For more information, visit www.ncu.edu/schoolof-business-and-technology/doctor-of-businessadministration/computer-and-information-security/.

Nova Southeastern University: Nova Southeastern University offers an online and classroom-delivered PhD degree program in information assurance. This graduate program is a comprehensive, multidisciplinary research program that prepares graduates for key positions in academia; in federal, state, and local government agencies; and in business and industry. The curriculum combines both technically intensive and management-focused security courses in a comprehensive approach to the study of information assurance/information security. For more information, visit http://cec.nova.edu/doctoral/dia/index.html.

Master of business administration degree programs with cybersecurity concentrations

George Washington University: George Washington University offers a global MBA with a cybersecurity specialization. Experts at the top echelons of the field teach the students enrolled in the program to focus on the dimensions of cybersecurity most relevant to them, from liability and legal regimes to information assurance technology and practices. For more information, visit http://business.gwu.edu/brave-new-world-ofcyber-security/.

Ferris State University: Ferris State University's Master's in Information Security and Intelligence program prepares students for careers in business intelligence, proactive and reactive incident response, and project management utilizing secure practices. For more information, visit www.ferris.edu/business/program/misi/.

James Madison University: James Madison University offers an MBA degree with information security. This MBA degree not only provides students with a sound foundation in all of the business principles, it also ensures they have a strong understanding of the business implications of information security. For more information, visit www.jmu.edu/academics/graduate/programs/businessadministration.shtml.

DeVry/Keller Graduate School of Management: Keller University offers an online and classroom-delivered MBA with a concentration in information security. Its MBA in Information Security program was designed to provide students with the sought-after skills and knowledge to fill this increasingly important role in today's business world, including coursework in information protection, intrusion detection, security procedures, and legal and ethical considerations within the field. For more information, visit www.keller.edu/graduate-degree-programs/mbaprogram/mba-in-information-security.html.

Associate's degree programs with cybersecurity concentrations.

ITT Technical Institute: ITT offers online and classroom-delivered two-year associate's degrees in computer network administration. The program covers TCP/IP and computer networking. Students investigate these topics through classroom theory and hands-on labs. For more information, visit www.itt-tech.edu/programs/.

Strayer University: Strayer University offers online and classroom-delivered information systems degrees. For more information, visit www.strayer.edu/academic-programfinder/associate.

Herzing University: Herzing University offers online and classroom-delivered associate's degrees in computer science. For more information, visit www.herzing.edu/careerprograms/undergraduatedegrees/technology.

Northern Virginia Community College (NOVA): Northern Virginia Community College offers a two-year AAS cybersecurity degree. "This curriculum is designed for those who seek employment in the field of cybersecurity (information assurance), for those who are presently in IT or a security field and who desire to increase their knowledge and update their skills, and for those who must augment their abilities in other fields with knowledge and skills in information security. The curriculum is mapped to the NSA/DHS Knowledge Units necessary for NOVA's designation as a Center of Academic Excellence." For more information, visit http://www.nvcc.edu/cybersecurity/cae.html.

Edmonds Community College: Edmonds Community College offers online and classroom-delivered associate's degrees in computer information systems, information security, and digital forensics. For more information, visit http://catalog.edcc.edu/content.php?catoid=14&navoid=5902.

Master of science degree programs with cybersecurity concentrations

SANS Institute: SANS Institute offers online, self-study, and classroom-based information technology degrees. SANS enables students to master communications, project management, teaching, mentoring, and persuasive skills. For more information, visit www.sans.edu. Note: SANS, highly regarded in the field, is authorized by the State of Maryland to grant master's degrees.

Capella University: Capella is one of the select four-year colleges and graduate-level universities designated as a National Center of Academic Excellence in Information Assurance Education (CAE/IAE) by the National Security Agency. In addition, Capella offers unique MS degrees with specific security concentrations. For more information, visit http://www.capella.edu/online-informationtechnology-degrees/masters-programs/.

Kaplan University: Kaplan University offers an online MS degree in cybersecurity management with the opportunity to specialize in information security and assurance. For more information, visit www.kaplanuniversity.edu/informationtechnology/cybersecurity-management-masterdegree.aspx.

University of Phoenix: The University of Phoenix offers online and classroom-delivered MS management information systems (MIS) degrees. This program can include information assurance or cybersecurity concentrations. For more information, visit www.phoenix.edu/programs/degreeprograms/technology/masters/mis.html.

Southern New Hampshire University: Southern New Hampshire University offers an online MS degree in information technology with an information security concentration. Students learn how to enforce network-level security policies and how to properly secure an organization's IT infrastructure. For more information, visit www.snhu.edu/campusmajors/graduate/ms-informationtechnology/information-security/.

Strayer University: Strayer University offers online and classroom-delivered MS degrees in information systems with a computer security management or computer forensics management concentration. For more information, visit www.strayer.edu/degree/mastersdegree/information-systems/.

Liberty University: Liberty University offers an online MS degree in information technology with network and security concentrations. For more information, visit www.liberty.edu/online/degrees/masters/informationtechnology-network-design-and-security/.

Security training vendors

SANS Institute: SANS is one of the largest and most trusted sources for information security training in the world. It offers classes on many security topics that cover development, implementation, management, and auditing roles. SANS classes range from a half day to six days, are available globally, and tend to be very hands-on and focused. For more information, visit the SANS website at www.sans.org.

IT Professional Group, Inc. (ITPG): ITPG has been delivering and fulfilling professional certification programs for the International Information Systems Security Certification Consortium, known as (ISC)², globally and throughout North America. Visit the ITPG website at http://itpg.org for more information.

InfoSec Institute: InfoSec Institute is a large security training organization that holds regular classes across the United States. Its goal is to provide the best possible hands-on training for students in topics ranging from certification preparation to very specific technical security topics. You can get more information at the InfoSec Institute's website, www.infosecinstitute.com.

Information Systems Audit and Control Association (ISACA): ISACA is a nonprofit global organization that promotes "the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems." It holds conferences and training events related to information systems auditing and management around the world. Visit the ISACA website for more information: www.isaca.org.

Phoenix TS: Phoenix Technology Solutions (Phoenix TS) provides cost-effective, hands-on computer training, IT certification, and management courses to government and commercial organizations in the Maryland, Virginia, and Washington, DC, area. For more information, visit www.phoenixts.com/.

Security Evolutions, Inc. (SEI): SEI provides online, e-learning, self-study, and live virtual instructor delivery of various professional certification programs in IT security and information assurance. These include Security+, SSCP, CISSP, NSA 4011, and NSA 4013-Advanced. For more information, visit www.securityevolutions.com/.

