I get people contacting me every week about jobs all around the US! Today, I am going to show you a couple that I received recently. I hope that it will give you some idea of what employers and contractors look for in security compliance professionals.
Information assurance is the practice of assuring the confidentiality, integrity and availability of data while it is processed, stored and/or transmitted. Information assurance is a more complete approach to information security than technology alone.
Since information assurance covers every aspect of security, everyone with internal access to an organization's critical systems must receive information assurance awareness training. Information assurance is not just about turning on and configuring assurance technology, but also about informing and educating those who have internal access to your systems.
Information assurance has its own complete common body of knowledge, industry, career path and degree programs, including those designated as National Centers of Academic Excellence in Information Assurance Education and approved by the National Security Agency.
By becoming an information assurance specialist you can find work in many parts of the DoD, including the USAF, US Army, Department of the Navy and many other agencies. IA jobs, however, expect specific certification(s), experience and a degree. The IA workforce qualifications come from DoDD 8570.01 (and its manual, DoD 8570.01-M), which is being replaced by DoDD 8140.01. Many titles fall under IA: System Security Engineer, Information Assurance Analyst, Information Assurance Specialist, Information Assurance Subject Matter Expert (SME), IT Risk Analyst, and many others.
The National Information Assurance Partnership/Common Criteria Evaluation and Validation Scheme (NIAP/CCEVS) and DISA Field Security Operations (FSO) are pleased to announce the publication of the DoD Annex for NIAP Protection Profiles for mobile devices. The Annex, a document created through DISA/NIAP collaboration, addresses DoD-specific requirements for the NIST SP 800-53 controls identified in the Mobile Device Fundamentals Protection Profile (MDFPP). As a result, the Annex in conjunction with the PP serves as a single specification, within the DoD, for the security of mobile devices and supersedes the current DISA Mobile Operating System (MOS) SRG Version 1, Release 3.
The DoD Annex for NIAP Protection Profiles for mobile devices applies to all DoD-administered systems and all systems connected to DoD networks.
According to the document:

[The DoD Annex for NIAP Protection Profiles for mobile devices] does not eliminate the DoD need for a product-specific Security Technical Implementation Guide (STIG); however, the results of the Common Criteria evaluation will be used to formulate a STIG. The benefit of this approach is that at the conclusion of a successful NIAP evaluation, a vendor's product will be certified as meeting the requisite NIST SP 800-53 controls and the information needed for a STIG will be available.
Information assurance technology is in growing demand as security takes center stage in information technology.
According to the U.S. Bureau of Labor Statistics, Information Security Analyst was among the fastest growing occupations in the U.S. in 2012 and is projected to grow another 30% by 2022 (bls.gov). Information Security Analysts work with information assurance technology. Assurance technology includes firewalls, intrusion prevention systems, security information and event management (SIEM) systems, web proxies, encryption systems, encryption software, authentication devices, vulnerability scanners, protocol analyzers, and many other devices made specifically to protect the confidentiality, integrity and availability of information. In defense these systems are known collectively as security products.
Information systems with built-in security features are known as security-enabled devices: operating systems, storage devices, internetworking devices such as switches and routers, and any other device that can be locked down, secured and hardened using its built-in information assurance technology.
Assurance technology is evaluated to confirm that its security features perform as the vendor claims. Agencies, departments and organizations that maintain critical infrastructure typically make sure that the information assurance technologies they choose appear on the Common Criteria list of certified products (in the US, the NIAP Product Compliant List).
These are products that have been vetted in an accredited lab under very specific conditions. The assurance applies only to the evaluated configuration: an organization that operates an evaluated product with the settings and under the conditions described in its evaluation can do so with a high level of confidence, while a different version, different settings or add-on modules fall outside what was tested and carry no such assurance.
A Protection Profile defines the security requirements for a class of products, and a Common Criteria evaluation tests the vendor's claims, stated in the product's Security Target, against those requirements. Historically, an evaluated product was given an Evaluation Assurance Level (EAL) between 1 and 7; note that the EAL measures how rigorously the product was evaluated, not how secure it is, and that NIAP no longer accepts EAL-based evaluations, requiring instead exact conformance to an approved Protection Profile.
Choosing the right information assurance technology is covered in NIST SP 800-23, Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products. Assurance for U.S. defense technology used to be done under the Trusted Computer System Evaluation Criteria (TCSEC), DoD 5200.28-STD, better known as the Orange Book, with certification and accreditation of systems following DITSCAP (DoDI 5200.40). TCSEC gave way to the Common Criteria, and DoDD 8500.1, issued October 24, 2002, established the DoD information assurance policy under which DITSCAP became DIACAP, which is NOW DIARMF (the DoD adoption of the NIST Risk Management Framework)! So you see DIARMF is about not only assurance technology but how those technologies are used.
U.S. Bureau of Labor Statistics. Fastest growing occupations. http://www.bls.gov/emp/ep_table_103.htm (accessed February 03, 2014).
Information protection means protecting every layer of access to data, not just the network perimeter with a firewall. It means having policies in place that protect physical access to data, limit personnel access, control how data is used, and govern how and when information is released. Technological safeguards are just one method of protection.
The principle behind information protection is defense in depth: it's not enough to have a firewall and anti-virus. The more serious an organization is about its assets, the more serious it must be about information protection.
Information assurance services cover all aspects of information system security and beyond. They include, but are not limited to, the domains of the CISSP, which is why most information assurance jobs look for an IT professional with that certification. Among those domains:
Telecommunications and Network Security
Information Security Governance and Risk Management
Software Development Security
Security Architecture and Design
Business Continuity and Disaster Recovery Planning
Physical (Environmental) Security
Information Assurance Services Companies
Information assurance services are such a big task that government agencies usually must rely on several companies and contracts to do all the work.