Category Archives: Assurance Technology


DIACAP Compliance Engineer and Information Assurance Lead Jobs (risk management framework)

Role: DIACAP Compliance Engineer
Location: Tarrytown, NY
Duration: 6+ months

Enterprise Solution Inc.
500 E. Diehl Road, Suite 130, Naperville, IL 60563
Office: # 630-214-9485
E-Mail : pradyut@enterprisesolutioninc.com
Gmail : pradyut10.esi@gmail.com

Title: Information Assurance Lead
Location: Aberdeen, MD
Client: Federal
Duration: Full Time



8251 Greensboro Drive, 9th Floor

McLean VA 22102
yogeshk@etalentnetwork.com

Office: (877) 715-3865 Ext.328

I get people contacting me every week about jobs all around the US! Today, I am going to show you a couple that I received recently. I hope that it will give you some idea of what employers and contracts look for in security compliance professionals.


Info Assurance


Info assurance is a comprehensive approach to information security.  It includes risk management, information protection, operational risk, business risk, assurance technology and much more.

More on “What is Info Assurance”?

Information assurance is the practice of assuring the confidentiality, integrity and availability of the processing, storing and/or transmission of data.  Information assurance is used as a more complete approach to information security.

Since Info Assurance covers all aspects of security, all individuals with internal access to an organization's critical assets must get info assurance awareness training.  Info Assurance is not just about turning on and configuring assurance technology, but about informing and educating those who have internal access to your systems.

Info Assurance has its own complete common body of knowledge, industry, career path and degree programs: the National Centers of Academic Excellence in Information Assurance Education (CAE/IAE), jointly sponsored by the National Security Agency and the Department of Homeland Security, designate the approved programs.

By becoming an info assurance specialist you can find work in many parts of the DoD, including the USAF, US Army, Department of the Navy and many other agencies.  But IA jobs expect specific certification(s), experience and a degree.  The IA qualifications come from DoD 8570.01-M (under DoDD 8570.01), which is being replaced with DoDD 8140.01.  There are lots of titles that are considered within IA:  System Security Engineer, Info Assurance Analyst, Info Assurance Specialist, Info Assurance Subject Matter Expert (SME), Risk Analyst IT, and many others.


DoD Annex for NIAP Protection Profiles For Mobile Devices


The National Information Assurance Partnership/Common Criteria Evaluation and Validation Scheme (NIAP/CCEVS) and DISA Field Security Operations (FSO) have announced the publication of the DoD Annex for NIAP Protection Profiles for mobile devices.  The Annex, a document created through DISA/NIAP collaboration, adds the DoD-specific settings for the NIST SP 800-53 controls identified in the Mobile Device Fundamentals Protection Profile (MDFPP).  As a result, the Annex together with the PP serves as a single specification, within the DoD, for the security of mobile devices and supersedes the current DISA MOS SRG Version 1, Release 3.  Publishing the Annex does not eliminate the DoD need for a product-specific Security Technical Implementation Guide (STIG); instead, the results of the Common Criteria evaluation are used to formulate the STIG, so that at the conclusion of a successful NIAP evaluation a vendor's product is certified as meeting the requisite NIST SP 800-53 controls and the information needed for a STIG is already available.


The DoD Annex for NIAP Protection Profiles for mobile devices, MDFPP, is located at http://iase.disa.mil/stigs/niap/index.html.

The scope of the DoD Annex for NIAP Protection Profiles for mobile devices is applicable to all DoD-administered systems and all systems connected to DoD networks.

According to the document:

[DoD Annex for NIAP Protection Profiles for mobile devices] does not eliminate the DoD need for a product-specific Security Technical Implementation Guide (STIG); however, the results of the Common Criteria evaluation will be used to formulate a STIG. The benefit of this approach is that at the conclusion of a successful NIAP evaluation, a vendor's product will be certified as meeting the requisite NIST SP 800-53 controls and the information needed for a STIG will be available.

Mobile Device Fundamentals

Approved Protection Profiles


More on Assurance Technology


Assurance Technology


Information Assurance technology is in growing demand as security takes center stage for information technology.

According to the U.S. Bureau of Labor Statistics, Information Security Analyst was among the fastest growing occupations in the U.S. in 2012, with employment projected to grow 37% from 2012 to 2022 (bls.gov).  Information Security Analysts work with information assurance technology.  Assurance technology includes firewalls, intrusion prevention systems, security information and event management (SIEM) systems, web proxies, encryption hardware, encryption software, authentication devices, vulnerability scanners, protocol analyzers, and many other devices made specifically to protect the confidentiality, integrity and availability of information.  In defense these systems are known collectively as IA products.

Information systems with security features built in are known as security-enabled devices.  Examples would be operating systems, storage devices, internetworking devices such as switches and routers and any other device that can be locked down, secured and hardened with built in information assurance technology.


Assurance technology is evaluated to make sure the security features perform as the manufacturer claims.  Typically, agencies, departments and organizations that maintain critical infrastructure make sure that the information assurance technologies they choose appear in the Common Criteria certified products list:

  • http://www.commoncriteriaportal.org/products/
  • https://www.niap-ccevs.org/

These are products that have been vetted by an accredited lab under very specific conditions: the certificate covers one version of the product, in the evaluated configuration described in its Security Target.  So under those settings, and only those, an organization can operate these assured technologies with a higher level of confidence.  A different version, or a configuration that departs from the evaluated one, falls outside what was actually tested.
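As an added illustration of that check (example code written for this post, not a tool from NIAP, the Common Criteria portal or any vendor): the script below takes a snapshot of a certified products list and an acquisition list, and reports for each candidate whether that exact version is certified, whether its certificate has expired, whether only a different version of the same product family was evaluated, or whether nothing was found.  The CSV text is constructed for the example, its column names are an assumption about what a portal export looks like, and the product names are fictitious.

```python
import csv
import io
from datetime import date

# Constructed sample snapshot for this example (fictitious products; the column
# names are an assumption, not a copy of the real portal export).
SAMPLE_CSV = """Category,Name,Manufacturer,Scheme,Certification Date,Expiration Date,Protection Profile(s)
Mobility,ExampleOS 4.2 on ExamplePhone 3,Example Mobile Inc.,US,2013-08-15,2015-08-15,Mobile Device Fundamentals PP v1.0
Network Devices,ExampleGate Firewall 7.1,Example Networks,US,2011-03-01,2013-12-31,Network Device PP v1.1
Operating Systems,ExampleServer OS 9.0,Example Systems,DE,2013-11-20,2018-11-20,General Purpose OS PP
"""

# Date the check is run against; chosen to match the access date cited in this post.
AS_OF = date(2014, 2, 3)


def normalize(text):
    """Case-fold and collapse whitespace so 'ExampleOS  4.2' equals 'exampleos 4.2'."""
    return " ".join(text.lower().split())


def load_certified(csv_text):
    """Parse a CSV export into records with normalized names and real dates."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        records.append({
            "name": normalize(row["Name"]),
            "manufacturer": row["Manufacturer"],
            "scheme": row["Scheme"],
            "certified": date.fromisoformat(row["Certification Date"]),
            "expires": date.fromisoformat(row["Expiration Date"]),
            "pp": row["Protection Profile(s)"],
        })
    return records


def check_product(certified, product, version, as_of=AS_OF):
    """Classify one candidate. Returns (status, matching record or None).

    'certified'        exact product and version listed, certificate still valid
    'expired'          exact match listed, but past its expiration date
    'version_mismatch' same product family listed, but not this version
    'not_listed'       nothing resembling the product in the snapshot

    A certificate covers only the evaluated version in its evaluated
    configuration, so a family-level hit is deliberately not a pass.
    """
    wanted = normalize(f"{product} {version}")
    family = normalize(product)
    family_hit = None
    for rec in certified:
        # Exact hit, or the evaluated name continues past the version
        # ("exampleos 4.2 on examplephone 3"); the trailing space stops
        # "4.2" from matching "4.21".
        if rec["name"] == wanted or rec["name"].startswith(wanted + " "):
            if rec["expires"] < as_of:
                return "expired", rec
            return "certified", rec
        if family_hit is None and rec["name"].startswith(family + " "):
            family_hit = rec
    if family_hit is not None:
        return "version_mismatch", family_hit
    return "not_listed", None


def check_acquisitions(candidates, certified, as_of=AS_OF):
    """Run check_product over (product, version) pairs; returns {display name: status}."""
    return {f"{p} {v}": check_product(certified, p, v, as_of)[0] for p, v in candidates}


if __name__ == "__main__":
    certified = load_certified(SAMPLE_CSV)
    # Constructed acquisition list for the demo.
    acquisitions = [("ExampleOS", "4.2"), ("ExampleOS", "5.0"),
                    ("ExampleGate Firewall", "7.1"), ("Acme Widget", "1.0")]
    for name, status in check_acquisitions(acquisitions, certified).items():
        print(f"{name:28} {status}")
```

The point of the version-exact match is the one the paragraph above makes: a family-level hit ("we run ExampleOS, and ExampleOS is on the list") is reported as a mismatch, not a pass, because the evaluation only speaks for the version and configuration named on the certificate.  Against a real export, swap the constructed CSV for the downloaded file and adjust the column names to whatever that file actually uses.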


A Protection Profile states the security requirements for a class of product; a vendor's Security Target claims conformance to it, and an accredited lab evaluates the product to determine the validity of those claims.  Under the traditional Common Criteria model the product is then assigned an Evaluation Assurance Level (EAL) from 1 to 7, which measures how rigorously the claims were examined, not how secure the product is.  Note that NIAP no longer issues EAL ratings: products evaluated in the U.S. scheme are listed as conforming to a specific NIAP-approved Protection Profile instead, so check the PP named on the certificate rather than looking for an EAL number.

Choosing the right information assurance technology is covered in NIST SP 800-23, Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products.  Assurance for U.S. defense technology used to be evaluated against the Trusted Computer System Evaluation Criteria (TCSEC), DoD 5200.28-STD, better known as the Orange Book.  (The Orange Book was a product evaluation standard, not an accreditation process; DITSCAP, DoDI 5200.40, was the separate certification and accreditation process of that era.)  DoD 5200.28-STD was cancelled by DoDD 8500.1 on October 24, 2002, which instead required IA and IA-enabled products to be evaluated under NSTISSP No. 11, that is, under the Common Criteria.  DITSCAP in turn gave way to DIACAP (DoDI 8510.01, 2007), which is NOW the DoD Risk Management Framework, or DIARMF!  So you see DIARMF is all about not only assurance technology but how those technologies are selected, configured and used.

Works Cited:

U.S. Bureau of Labor Statistics. Fastest growing occupations, 2012 and projected 2022. http://www.bls.gov/emp/ep_table_103.htm. Accessed February 03, 2014.



Information Protection

Information protection means protecting every layer of access to data, not just the network perimeter behind a firewall.  It means having policies in place that protect physical access to data, limit personnel access, and control how data is used, how information is released and when.  Technological safeguards are just one method of protection.

Information protection is essentially defense in depth: it's not enough to have a firewall and anti-virus.  The more serious an organization is about its assets, the more serious it must be about information protection.


Information Assurance Services

Information Assurance Services cover all aspects of information system security and beyond.  Information assurance services include, but are not limited to, all the domains of the CISSP, which is why most information assurance jobs look for an IT professional with that certification:

    • Access Control
    • Telecommunications and Network Security
    • Information Security Governance and Risk Management
    • Software Development Security
    • Cryptography
    • Security Architecture and Design
    • Operations Security
    • Business Continuity and Disaster Recovery Planning
    • Legal, Regulations, Investigations and Compliance
    • Physical (Environmental) Security

Information Assurance Services Companies

Information Assurance services are such a big task that government agencies usually must rely on several companies and contracts to do all the work, for example:

    • Northrop Grumman
    • Lockheed Martin
    • SAIC

Most of the large contractors provide Information Assurance Services (list of top 100 major govt contractors)