ConvoCourses

Cyber Security Compliance and IT Jobs

info assurance

February 11, 2014 by Bruce Brown

Info assurance is a comprehensive approach to information security. It includes risk management, information protection, operational risk, business risk, assurance technology and much more.

More on “What is Info Assurance”?

Information assurance is the practice of assuring the confidentiality, integrity and availability of data as it is processed, stored and/or transmitted. Information assurance is used as a more complete approach to information security.

Since info assurance covers all aspects of security, all individuals with internal access to an organization's critical assets must get info assurance awareness training. Info assurance is not just about turning on and configuring assurance technology, but about informing and educating those who have internal access to your systems.

Info assurance has its own complete common body of knowledge, industry, career path and degree programs, accepted by the National Centers of Academic Excellence in Information Assurance Education and approved by the National Security Agency.

By becoming an info assurance specialist you can get work in many parts of the DoD, including the USAF, US Army, Department of the Navy and many other agencies. But IA jobs expect specific certification(s), experience and a degree. The IA qualifications come from DoDD 8570, which is being replaced with DoDD 8140. There are lots of titles that are considered within IA: System Security Engineer, Info Assurance Analyst, Info Assurance Specialist, Info Assurance Subject Matter Expert (SME), IT Risk Analyst, and many others.


DoD Annex for NIAP Protection Profiles For Mobile Devices

February 7, 2014 by Bruce Brown

The National Information Assurance Partnership/Common Criteria Evaluation and Validation Scheme (NIAP/CCEVS) and DISA Field Security Operations (FSO) are pleased to announce the publication of the DoD Annex for NIAP Protection Profiles for mobile devices. The Annex to the Mobile Device Fundamentals Protection Profile (MDFPP), a document created through DISA/NIAP collaboration, addresses the DoD-specific requirements for the NIST SP 800-53 controls identified in the MDFPP. As a result, the Annex in conjunction with the PP serves as a single specification, within the DoD, for the security of mobile devices and supersedes the current DISA MOS SRG Version 1, Release 3. The publication of the Annex does not eliminate the DoD need for a product-specific Security Technical Implementation Guide (STIG); however, the results of the Common Criteria evaluation will be used to formulate a STIG. The benefit of this approach is that at the conclusion of a successful NIAP evaluation, a vendor's product will be certified as meeting the requisite NIST SP 800-53 controls and the information needed for a STIG will be available.


The DoD Annex for NIAP Protection Profiles for mobile devices (MDFPP) is located at http://iase.disa.mil/stigs/niap/index.html.

The DoD Annex for NIAP Protection Profiles for mobile devices applies to all DoD-administered systems and all systems connected to DoD networks.

According to the document:

[The DoD Annex for NIAP Protection Profiles for mobile devices] does not eliminate the DoD need for a product-specific Security Technical Implementation Guide (STIG); however, the results of the Common Criteria evaluation will be used to formulate a STIG. The benefit of this approach is that at the conclusion of a successful NIAP evaluation, a vendor's product will be certified as meeting the requisite NIST SP 800-53 controls and the information needed for a STIG will be available.

Mobile Device Fundamentals

Approved Protection Profiles

More on Assurance Technology


information awareness training army

February 2, 2014 by Bruce Brown

Army information awareness training is covered in the following regulation: AR 25-2, Information Assurance.

Army Regulation 25-2 establishes the Army Information Assurance Program (AIAP), which covers information awareness by addressing the protection of the confidentiality, integrity and availability of unclassified, sensitive, or classified information stored, processed, accessed, or transmitted by Army information systems. AIAP is the Army's implementation of DODD 8500.1, DODI 8500.2, and Chairman of the Joint Chiefs of Staff Manual (CJCSM) 6510.01 to align information assurance goals.

Like all of the other branches of the US Armed Forces, the certification and accreditation part of the Army's IA program will have to change to a risk-management approach as the DoD moves to a NIST-based Risk Management Framework. But most of the main best-practice system security items won't change.

The Army Information Assurance Program describes the responsibilities of the following offices:

  • Chief Information Officer
  • Principal Headquarters, Department of the Army officials and staff
  • Administrative Assistant to the Secretary of the Army
  • Assistant Secretary of the Army for Acquisition, Logistics, and Technology
  • The Deputy Chief of Staff, G-2
  • The Deputy Chief of Staff, G-3
  • The Deputy Chief of Staff, G-4
  • Commanders of Army Commands; Army Service Component Commands; Direct Reporting Units; U.S. Army Reserve; Army National Guard; program executive officers; direct reporting program managers; Regional Chief Information Officers; Functional Chief Information Officers; and the Administrative Assistant to the Secretary of the Army
  • Commander, 1st Information Operations Command
  • Commanding General, Network Enterprise Technology Command/9th Signal Command (Army)
  • Commanding General, U.S. Army Training and Doctrine Command
  • Commanding General, U.S. Army Materiel Command
  • Commanding General, U.S. Army Intelligence and Security Command
  • Commanding General, U.S. Army Criminal Investigation Command
  • Chief, Army National Guard
  • Chief, Army Reserve
  • U.S. Army Reserve Command Chief of Staff
  • U.S. Army Corps of Engineers Chief of Engineers
  • U.S. Army Corps of Engineers Chief Information Officer
  • Commanding General, Eighth Army
  • Commanding General, U.S. Army Europe
  • Commanding General, U.S. Army Medical Command
  • Program executive officers and direct reporting program/project managers
  • Commanders, directors, and managers
  • Garrison commanders
  • U.S. Army Reserve major subordinate command
  • Army National Guard state DOIM/J6/CIO
  • Regional Chief Information Officer
  • Army Reserve command/unit/activity G–6
  • Director of Information Management

AR 25-2 also explains the Army Information Assurance Program personnel structure, including information assurance support personnel and where contractors fit in the structure.

AR 25-2 is the information assurance policy, and it covers funding and information assurance training. Mission assurance category, levels of confidentiality, and levels of robustness are explained.

The topics covered by the Army Information Assurance Program include:

  • Software Security
  • Security Controls
  • Database management
  • Design and test
  • Hardware, Firmware, and Physical Security
  • Hardware–based security controls
  • Maintenance personnel
  • Security objectives and safeguards
  • Procedural Security
  • Password control
  • Release of information regarding information system infrastructure architecture
  • Personnel Security
  • Personnel security standards
  • Foreign access to information systems
  • Information Systems Media
  • Protection requirements
  • Labeling, marking, and controlling media
  • Clearing, purging (sanitizing), destroying, or disposing of media
  • Network Security
  • Cross-domain security interoperability
  • Network security
  • Incident and Intrusion Reporting
  • Information system incident and intrusion reporting
  • Reporting responsibilities
  • Compromised information systems guidance
  • Information Assurance Vulnerability Management
  • Information assurance vulnerability management reporting process
  • Compliance reporting
  • Compliance verification
  • Operating non-compliant information system
  • Certification & Accreditation
  • Communication Security
  • Risk Management


information protection

February 1, 2014 by Bruce Brown

Information protection means protecting all layers of access to data, not just a firewall. Information protection means having policies in place that protect physical access to data, limit personnel access, control how data is used, and define how and when information is released. Technological safeguards are just one method of protection.

Another name for "information protection" is defense in depth. It's not enough to have a firewall and anti-virus. The more serious an organization is about its assets, the more serious it must be about information protection.

dod information assurance awareness training

January 28, 2014 by Bruce Brown

Conduct DoD Information Assurance Awareness Training: http://iase.disa.mil/eta/cyberchallenge/launchPage.htm

DoD information assurance awareness training is an interpretation of a federal law, the Federal Information Security Management Act (FISMA). As each unit, agency and branch of the DoD takes on the responsibility of FISMA compliance, they sometimes come up with their own flavor of DoD information assurance awareness training.

DoD information assurance awareness training is a requirement in accordance with FISMA of 2002:

"security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of— (A) information security risks associated with their activities; and (B) their responsibilities in complying with agency policies and procedures designed to reduce these risks"

FISMA 2012

FISMA 2012 expands the scope of DoD information assurance awareness training and the Department of Homeland Security's role with the National Initiative for Cybersecurity Education (NICE). NICE also includes the National Initiative for Cybersecurity Careers and Studies (NICCS) portal, an online resource for cybersecurity awareness, education, training, and career information open to the public.

"The vision of NICCS portal is to provide a national resource to elevate cybersecurity awareness and affect the change in the American public; to adopt a culture of cyberspace security and to build a competent cybersecurity workforce."

DOD Information Assurance Awareness & Security Training

According to FISMA, all government personnel and contractors must complete annual security awareness training.

DoD 8570 and DoD 8140 are directives that were spawned by FISMA's requirement for specialized training for personnel and contractors with significant security responsibilities.

Progress in DoD information assurance awareness training is tracked and taken VERY seriously. So much so that if you don't complete the annual training, you can lose your ability to access systems.

DoD Information Assurance Awareness Training Security Controls

Information assurance awareness is addressed as an actual security control family in NIST SP 800-53, AT (Awareness and Training), and NIST SP 800-50 covers Building an Information Technology Security Awareness and Training Program.

Awareness and Training

  • AT-1 Security Awareness and Training Policy and Procedures
  • AT-2 Security Awareness
  • AT-3 Security Training
  • AT-4 Security Training Records
  • AT-5 Contacts with Security Groups and Associations


information assurance services

January 26, 2014 by Bruce Brown

Information assurance services cover all aspects of information system security and beyond. Information assurance services include, but are not limited to, all the domains of the CISSP, which is why most information assurance jobs look for an IT professional with that certification:

    • Access Control
    • Telecommunications and Network Security
    • Information Security Governance and Risk Management
    • Software Development Security
    • Cryptography
    • Security Architecture and Design
    • Operations Security
    • Business Continuity and Disaster Recovery Planning
    • Physical (Environmental) Security

Information Assurance Services Companies

Information assurance services are such a big task that government agencies usually must rely on several companies and contracts to do all the work:

    • Northrop Grumman
    • Lockheed Martin
    • SAIC

Most of the large contractors provide information assurance services (see the list of the top 100 major government contractors).

Copyright © 2023 · Author Pro on Genesis Framework · WordPress