Commentary by Mark Wahl, CISA

Information Assurance for CS undergrads at UT Austin (20080104)

In 2004 the Center for Information Assurance and Security (CIAS) was founded at UT Austin. Their plans included having UT Austin become a National Academic Center of Excellence in Information Assurance Education, participate in a multi-university cybersecurity exercise and competition, and increase collaborations with business, government and academia. In the NSA's National IA Education and Training Program, institutions wishing to be designated as a National Center of Academic Excellence in Information Assurance Education are required to be certified for providing courses covering the material of NSTISSI 4011 (National Training Standard for INFOSEC Professionals) and one other CNSS standard.

In September 2005 the CIAS director Dr. Fred Chang left UT Austin to be Director of Research at the NSA, and so I came in to write and teach a new course, CS 378: Information Assurance and Security, to help the university meet the courseware requirements for NSTISSI 4011. I followed this in the spring of 2006 with another new CS 378 course, Computer Security Auditing and Certification, for the requirements of the CNSS standard NSTISSI 4015 (National Training Standard for System Certifiers).

Even though these standards had been established with the goal of training specialists charged with protecting the information processing systems of US federal government agencies, and incorporated many terms and elements which aren't found outside of this domain, in my first lecture of each class I discussed why I felt that awareness of the concepts and approach of Information Assurance was basic knowledge for practicing computer security scientists and engineers, regardless of whether they were working with government or industry systems:

Similarly, in my course for meeting the training requirement of the "certifier" role in the certification and accreditation of federal computer systems, I presented a sceptical approach that

...introduces students to a new approach to computer security: How to look beyond the scare tactics and hype surrounding security and determine how to assess security vulnerabilities and threats, diagnose, and effectively defend against them. The course covers the techniques organizations will use to recognize threats, vulnerabilities and attacks in computer networks. The projects in this course will provide the students with hands-on experience with expert open source tools that are widely used for analyzing networks and detecting intruders, insider attacks and performing computer forensics.

A mapping of the material from my two courses and related prerequisite CS courses was submitted to the NSA for review, and in April 2007 the NSA IAD Information Assurance Courseware Evaluation Review committee notified the UT CIAS that they had achieved courseware certification.

This spring, Dr. Bill Young, who is also teaching CS 361 Introduction to Computer Security, will again be teaching an Information Assurance course. He writes in the syllabus that:

Our approach will be to cover selected topics from this very broad area of study with the goal of preparing the student to think critically about security from a wholistic perspective, rather than a purely technical perspective. Topics may include:

   1. Introduction to Information Assurance
   2. Metrics for Information Assurance
   3. Networking and Cryptography
   4. Information Assurance Planning and Deployment
   5. Vulnerabilities and Protection
   6. Identity and Trust Technologies
   7. Verification and Evaluation
   8. Incident Response
   9. Human Factors
  10. Legal, Ethical, and Social Implications