A Comparison of Academic and Government Information Security Curriculum Standards

Daniel Manson [1], Computer Information Systems Department, California State Polytechnic University, Pomona, CA 91768, USA
Steven S. Curl [2], Computer Information Systems Department, California State Polytechnic University, Pomona, CA 91768, USA

Abstract

This paper compares the ISECON model curriculum approach and topic areas to the National Security Agency’s most common standard for information assurance certification – the National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4011. Comparing these two standards provides a unique vantage point from which to examine the merits of government and academic/industry expectations in the information security area.

Keywords: security, standards, curriculum

1. OVERVIEW

In industry, certification provides a standard for skills and competency. The main goal of academia is to provide students with an education that better prepares them for life. However, many information systems programs today include course content that, to varying degrees, prepares students for certification exams. An increasing number of academic programs are going further, seeking and obtaining certification of their information security curricula.

As information systems grow more interconnected, so does the potential for damage caused by unauthorized access. The result of this trend is a burgeoning need for information security education and, with it, the increasing importance of academic security curriculum standards. While varying security standards do exist, there is at present little agreement on how institutions of higher learning should implement them in their curricula.
A 1999 paper from Carnegie Mellon states that “there apparently is no systematic agreement on the knowledge, skills, and abilities required to formulate a curriculum for information assurance and security professionals that enjoys broad-based support across organizations.” In response to this challenge, the National Security Agency (NSA) Deputy Director for Information Systems Security created the National INFOSEC Education and Training Program (NIETP). The NIETP’s mission is “to be a leading advocate for improving national security Information Systems Security (INFOSEC) education and training nationwide.” The NIETP evaluates university information security curricula and compares them to a set of government-established standards for Information Systems Security professionals. The number of schools receiving NIETP security curriculum certification has been increasing for several years, and totals over sixty in 2003. Certified schools represent some of the top university information systems and computer science programs in the country, including Purdue University, University of California, Davis and the Carnegie Mellon Institute. A complete list of NIETP certified institutions is available at the NIETP web site at: http://www.nsa.gov/isso/programs/nietp/cert_instit.htm.

With respect to academic information security standards, no such certification exists. The result is that academic institutions are left to evaluate their own degree programs and judge for themselves whether those programs measure up. There is also no official means to designate whether or not a school’s information security program, or those who graduate from it, has passed muster with respect to any existing academic standard. A case in point is ISECON’s recently approved and updated undergraduate model curriculum in information systems. This new undergraduate curriculum does much to keep pace with the times, and provides considerable help in guiding schools to revamp their information systems curricula.
However, ISECON remains resolutely focused on information systems, not information security. The result is that while considerable overlap exists between the two standards, they differ significantly in how information security is addressed. ISECON’s model briefly mentions information security at various points throughout its curriculum, while the NIETP model covers a wide range of computer hardware, software, network, and system development topics – all within an information security context.

The NIETP has promulgated a number of standards for information security professionals. Collectively known as the National Security Telecommunications and Information Systems Security Instruction (NSTISSI) standards, these standards comprise the benchmark by which the U.S. government judges the worthiness of information security education among institutions of higher learning – so much so that the U.S. government offers potentially higher starting salaries to graduates of institutions carrying this distinction.

To better examine the similarities and differences of the ISECON and NIETP model curricula, we have chosen to study them in light of National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4011. ISECON states that the 2002 model curriculum “is grounded in the expected requirements of industry, represents the views of organizations employing the graduates, and is supported by other interested organizations.” (IS 2002 Model Curriculum and Guidelines for Undergraduate Degree Programs in Information Systems, 2002, page iii). In contrast, NSTISSI No. 4011 says that it “provides the minimum course content for the training of information systems security professionals in the disciplines of telecommunications security and automated information systems (AIS) security.” (NSTISSI No. 4011, 1994, Foreword).

2. ISECON MODEL CURRICULUM

The ISECON 2002 Model Curriculum is considered a reference model that “represents a reasonable consensus of the IS community.” The curriculum includes 11 courses that, taken together, are designed to “produce graduates equipped to function in entry level information systems positions with a strong basis for continued career growth.” Table 1 lists the 11 courses.

3. NSTISSI No. 4011

The NIETP curriculum is expected to provide two levels of knowledge: awareness and performance. The awareness level “creates a sensitivity to the threats and vulnerabilities of national security information systems, and a recognition of the need to protect data, information and the means of processing them; and builds a working knowledge of principles and practices in INFOSEC.” (http://www.nstissc.gov/Assets/pdf/4011.pdf, page 2) The performance level “provides the employee with the skill or ability to design, execute, or evaluate agency INFOSEC security procedures and practices. This level of understanding will ensure that employees are able to apply security concepts while performing their tasks.” (http://www.nstissc.gov/Assets/pdf/4011.pdf, page 2). NIETP topic areas and levels of knowledge are shown in Table 2.

4. COMPARING THE TWO STANDARDS

Each ISECON course is described in terms of Catalog, Scope, Topics and Discussion. One way to compare ISECON courses with NIETP standards is to map NIETP topical content against ISECON course topics. All of the ISECON 2002 Model Curriculum courses include some information security components. A list of ISECON courses follows, with security components in quotes.

IS 2002.P0 – Personal Productivity with IS Technology – “accessing organizational and external data”
IS 2002.1 – Fundamentals of Information Systems – “information security, crime, and ethics. Practical exercises may include developing macros, designing and implementing user interfaces and reports; developing a solution using database software”
IS 2002.2 – Electronic Business Strategy, Architecture and Design – “information privacy and security, transborder data flows, information accuracy and error handling, disaster planning and recovery”
IS 2002.3 – IS Theory and Practice – “societal and ethical issues related to information systems design and use”
IS 2002.4 – Information Technology Hardware and Systems Software – “hardware: CPU architecture, memory, registers, addressing modes, busses, instruction sets, multi processors versus single processors; peripheral devices: hard disks and other storage devices, video display monitors, device controllers, input/output; operating systems functions and types; operating system modules: processes, process management, memory and file system management; examples and contrasts of hardware architectures and operating systems”
IS 2002.5 – Programming, Data, File and Object Structures – “program correctness, verification, and validation”
IS 2002.6 – Networks and Telecommunication – “privacy, security, firewalls, reliability; installation and configuration of networks; monitoring and management of networks”
IS 2002.7 – Analysis and Logical Design – “Life cycle phases: requirements determination, logical design, physical design, and implementation planning”
IS 2002.8 – Physical Design and Implementation with DBMS – “database implementation including user interface and reports; multi-tier planning and implementation; data conversion and post implementation review”
IS 2002.9 – Physical Design and Implementation in Emerging Environments – “testing; software quality assurance; system implementation; user training; system delivery; post implementation review; configuration management”
IS 2002.10 – Project Management and Practice – “managing the system life cycle: requirements determination, design, implementation; system and database integration issues; network management; project tracking, metrics, and system performance evaluation”

The ISECON security components can be mapped to NIETP topical content areas. Table 3 shows this comparison.

What is interesting to note are the philosophical differences between the two curricula. The NIETP standard focuses solely on security, and as such omits much of the richness found in the ISECON curriculum model. The ISECON model, while a broader and more comprehensive standard, appears to undervalue the importance of security in today’s post-September 11th world. The fact that the U.S. government pays a premium to graduates of academic programs bearing the NSA certification attests to the importance that the NIETP model curriculum can play in the affairs of institutions of higher education and their students. Aside from the obvious public relations benefits bestowed upon those institutions bearing the NSA seal of approval, the NSA-designated institutions are also well on their way to receiving funding support from the federal government.

One theme common to both NIETP and ISECON is the view that standards are a justification for education and training resources. The NIETP standards are designed to be used by federal departments and agencies to implement training programs for INFOSEC professionals, providing “minimum training and education standards which are being developed to assist departments and agencies in meeting their responsibilities in these areas.” ISECON states that the academic executives to whom the information systems program reports should use the model curriculum requirements to justify faculty resource requirements, physical space requirements, and computing infrastructure requirements.

5. CONCLUSIONS

After reviewing the two curriculum models, it is easy to conclude that both the NIETP and ISECON curricula go a great distance toward improving the quality of information systems education.
Both models also come with significant constituencies: the NIETP standard is backed by the U.S. government; the ISECON 2002 model curriculum standards benefit from broad input and support from both academia and industry. However, the NIETP certification standards provide the following advantages over ISECON standards:

– ISECON currently has no mechanism to certify institutions as meeting ISECON model curriculum standards
– Although NIETP is limited to government standards for information assurance professionals, the certification process is very appealing to institutions seeking a “seal of approval” for their curriculum

In brief, ISECON is now in a position to advance its model curriculum standards to include a certification process similar to NIETP. By providing an objective outside review process, institutions in compliance with the ISECON standard could identify themselves as such, thereby increasing the value of their graduates’ degrees.

One of the fastest growing segments in Information Systems today is working adults. As information security opportunities continue to grow, there will be a need to provide working professionals with a way to upgrade their information security skill sets. Both ISECON and NIETP can provide a way for these professionals to use academic programs, instead of the more common vendor certification courses, to achieve these skills.

While the two standards are not incompatible, there is nothing at present to indicate that an institution meeting one standard does, or does not, meet the standard of the other. Since the process of meeting the NIETP standard is done at the level of the topic of instruction, not the course, it is quite conceivable that institutions meeting the broader ISECON standard could meet the NIETP standard as well. ISECON should partner with government agencies to address the specific needs of U.S. government information system professionals.
Such a partnership would facilitate the adoption, and extend the reach, of ISECON’s model curriculum. NIETP should also work with ISECON to help the ISECON model curriculum standards better address information assurance curriculum needs.

ISECON and NIETP can also benefit from standards developed in the more mature Project Management area. For example, the Project Management Institute (PMI) has achieved ISO 9001 certification in Quality Management Systems in its PMI certification program. Another opportunity for ISECON and NIETP exists in looking at information security in European universities. A recent study by the Institute for Prospective Technological Studies reviewed information security curricula in Belgium, France, Germany, Greece, Italy and the United Kingdom. The study found 119 undergraduate and graduate courses in information security. Future research should focus on international standards for teaching information security.

We live in a world increasingly dependent on information technology. Information security has lagged behind information technology, as usability has been considered a greater priority than security. The events of September 11 have shown us that lack of security is a luxury increasingly hard to afford. The ability of information security to catch up with information technology depends greatly on how well universities teach information security standards in information technology programs. Certification can help provide assurance of teaching to a standard.

6. REFERENCES

Clairet, Gabriel, Cybersecurity curricula in European universities, Study commissioned by IPTS, Second Workshop Cyber-Security Skills and Training Needs, Institute for Prospective Technological Studies, December 2, 2002.
Gorgone, John T., Davis, Gordon B., Valacich, Joseph S., Topi, Heikki, Feinstein, David L., Longenecker, Jr., Herbert E., IS 2002 Model Curriculum and Guidelines for Undergraduate Degree Programs in Information Systems, 2002.
Laswell, Barbara S., Simmel, Derek, Behrens, Sandra G., Information Assurance Curriculum and Certification: State of the Practice, CMU/SEI-99-TR-021, September 1999, http://www.sei.cmu.edu/publications/documents/99.reports/99tr021/99tr021title.html.
National INFOSEC Education & Training Program, http://www.nsa.gov/isso/programs/nietp/corseval.htm.
National INFOSEC Education & Training Program, http://www.nsacom.net:1952/txt/Website_Mirrors/Spooks/www.nsa.gov/isso/programs/nietp/.
National Training Standard for Information Systems Security (INFOSEC) Professionals, NSTISSI No. 4011, http://www.nstissc.gov/Assets/pdf/4011.pdf.
Project Management Institute, PMI Certifications, http://www.pmi.org/info/PDC_CertificationsOverview.asp.

[1] dmanson@csupomona.edu
[2] scurl@csupomona.edu