OVERVIEW
Certified Information Assurance Professional
(CIAP)
A Program Offering of the
International Standards Institution of Governors
(ISIG)
Program Description
This training Program is designed to provide effective mastery of the principles and control objectives embodied in the four domains of information assurance. Upon completion of this Program the learner will be able to design, plan, deploy and maintain a complete, detailed, operational and systematic response to the information security needs of any organization. As a consequence, this Program also leads to the registration of the learner as a Certified Information Assurance Professional (CIAP).

This Program is based on the assumption that the total assurance of corporate information is neither a trivial task nor a technology sideshow. Instead, it requires the organization to adopt a management strategy that originates at the top of the organization. This comprehensive approach is necessary in order to ensure that all assets of value are included within the protection scheme. Because of the scope and complexity of the problem, expert models are used to guide the process. These frameworks embody the common best practices for information assurance, as well as a rational set of control objectives to ensure their proper execution. Nevertheless, because of the sheer size and complexity of each model, their purpose, scope and application must be understood in order to use them effectively. This Program provides that understanding by offering mastery of the fourteen principles embodied in the following domains:
Organizational/Policy Domain, composed of the following principles:
- Organizational Security Policy
- Defined and Documented Security Infrastructure
- Education
- Asset Management
- Business Continuity
- Regulatory Compliance
- Development Process Security

Managerial/Administrative Domain, composed of the following principles:
- Development Process Security
- Personnel Security
- Physical Security

Operational/Technical Domain, composed of the following principles:
- Access Control
- Operations/Network Security
- Application and System Software Security
- Operational Risk Assessment and Control

Community/Contextual Domain, composed of the following principles:
- Ethics
Program Structure
The Program will be presented in four course modules. These modules will embody the following topic areas:

Module One: Introduction to Information Assurance
- The Definition of Information Assurance
- Justification and Concerns
- Applications of COMSEC and COMPUSEC
- Applications of INFOSEC and OPSEC
- Applications of IA

Why Information is Particularly Hard to Assure
- The Problem of Complexity
- The Problem of Invisibility
- The Problem of Dispersal
- The Problem of Turf

What Best Practice is and why it is Necessary
- Lessons Learned and why they are Useful
- Expert Advice and the Corporate Novice
- Evolving the Body of Knowledge
- The Role of Standards and Standard Models
- Auditing Compliance

An Overview of Expert Models
- Implementing Best Practice Using Expert Models
- The Problem of Scope in Application of Best Practice Models
- The Application of Best Practice Models by Scope
- Models for INFOSEC and OPSEC
- Models for IA and why they are different
- The Role of the Internal Audit Function in Implementation

COBIT
- The Framework
- Management Guidelines
- Control Objectives
- Auditing Guidelines

GASSP
- Development History
- The Framework
- High Level Objectives
- Detail Objectives

17799/7799
- Development History
- Must Address Areas
- Control Objectives
- Risk Assessment Model
- The Role of 7799 in Implementation

The Ethical Principle in Information Assurance
- What Constitutes an Ethical Violation
- Confidentiality
- Worker Rights
- Protection of Intellectual Property
- Protection of Physical Property/Theft
- The Legal Ramifications of Violations
Module Two: The Organizational/Policy Domain

Organizational Security Policy
- Definition of the Principle
- Approach to Implementation
- Necessary Concerns and Bear-traps
- Control Objectives

Defined and Documented Security Infrastructure
- Definition of the Principle
- Assigning Roles and Responsibilities
- The Security Manual
- Writing Procedures and Work Instructions
- Security of Third Party Access
- Outsourcing
- Control Objectives

Education
- Definition of the Principle
- Preparing a Proper Training Plan
- Implementing a Targeted Education Program
- The Management Security Forum
- Publicity and Coercion
- Ongoing Assessment of Needs

Asset Management
- Definition of the Principle
- The Identification and Labeling Process
- Asset Baseline Formulation
- Threat and Vulnerability Baseline Formulation
- Control Baseline Formulation
- Libraries
- Authorization Check-Out/Check-In
- Status Reporting and Version Descriptions

Business Continuity
- Definition of the Principle
- Threat Identification
- Response Formulation
- Contingency Modeling
- Incident Response Planning
- Routine Continuity Execution/Oversight

Regulatory Compliance
- Definition of the Principle
- Monitoring Approaches
- Threat Identification
- Liability Assessment
- Compliance With Legal Requirements
- Reviews of Security Policy and Technical Compliance
- System Audit Considerations
Module Three: The Managerial/Administrative Domain

Development Process Security
- Definition of the Principle
- Review of Lifecycle Models for Development
- The Role of SQA and the PMO
- Security Planning as Part of the Project Management Plan
- Lifecycle V&V and IV&V
- Measurement Models
- Security Assurance Management

Personnel Security
- Personnel Security Policy
- Accountability for Violations
- Security in Job Definitions and Resourcing
  - Including security in job responsibilities
  - Personnel screening and policy
  - Confidentiality agreements
  - Terms and conditions of employment
- User Training Requirements
  - Information security education and training
- Responding to Security Incidents and Malfunctions
  - Reporting security incidents
  - Reporting security weaknesses
  - Reporting software malfunctions
  - Developing lessons learned from incidents

Physical Security
- Physical Security Policy and OPSEC
- Secure Areas
  - Physical security perimeter
  - Physical entry controls
  - Securing offices, rooms and facilities
  - Working in secure areas
  - Securing delivery and loading areas
  - Equipment siting and protection
  - Power supplies
  - Cabling security
  - Equipment maintenance
  - Security of equipment off-premises
  - Secure disposal or re-use of equipment
  - Clear desk and clear screen policy
  - Removal of property
Module Four: The Operational/Technical Domain

Access Control
- Access Control Policy
- User Access Management
- User Responsibilities
- Network Access Control
- Operating System Access Control
- Application Access Control
- Monitoring System Access and Use
- Mobile Computing and Teleworking

Operations/Network Security
- Operational Procedures and Responsibilities
- System Planning and Acceptance Policy and Procedure
- Protection Against Malicious Code
- Housekeeping
- Network Management
- Media Handling and Security
- Exchanges of Information and Software

Application and System Software Security
- Input data validation
- Control of internal processing
- Message authentication
- Output data validation
- Policy on the use of cryptographic controls
- Encryption
- Digital signatures
- Non-repudiation services
- Key management
- Control of operational software
- Protection of system test data
- Access control to program source library
- Change control procedures
- Technical review of operating system changes
- Restrictions on changes to software packages
- Covert channels and Trojan code
- Outsourced software development

Operational Risk Assessment and Control
- Risk Assessment Organization
- Risk Assessment Policy
- Inclusion of Risk Assessment in Business and Project Planning
- Risk Assessment Processes
- Accountability for Risk
- Resource Tradeoffs and Triage
- Classification of Threats and Vulnerabilities
- Formulating the Threat Baseline
- The Risk Assessment Report
- Relocation of the Security Boundaries
- Closing off Risk Reports