A Global C4 Series Publication

Chief Security Officer Journal

A Global Career and Data Warehouse for Security Professionals







On-line Educational Opportunities for the Security Professional




1. Stanford University - Introduction to Cryptography
2. Iowa State University - Graduate Certificate in Cybersecurity
3. George Washington University - Master of Engineering (M.Eng) in Cybersecurity Policy & Compliance (endorsed by NSA)
4. James Madison University - M.S. in Computer Science; INFOSEC Concentration (endorsed by NSA)
5. Columbia University - M.S. Computer Science - Computer Security
6. University of Southern California - Master of Science in Computer Science (Computer Security)
7. Stanford University - Advanced Computer Security Certificate
8. Boston University - Master of Science, Computer Information Systems - Security (endorsed by NSA)
9. University of London - Master of Science, Cybersecurity
10. Purdue University - Certificate; Information Security
11. Purdue University - Doctor of Technology (Cybersecurity Thesis)
12. Stanford University - Computer & Network Security
13. Carnegie Mellon University - M.S. - Information Technology - Information Assurance & Security
14. Oregon State University - Undergraduate Certificate; Cybersecurity
15. Georgia Tech - Master of Science - Information Security
16. Seton Hall - Certificate in Privacy Law and Cyber Security
17. University of Massachusetts - Graduate Certificate; Information Security
18. University of Washington - Certificate; Cybersecurity
19. Penn State - Master of Professional Studies; Cybersecurity Analytics & Operations
20. NYU Poly - Master of Science - Cyber Security
21. Carnegie Mellon University - Certificate - CERT Insider Threat Program Manager
22. Boston University - Information Security Graduate Certificate
23. University of Fairfax - Doctorate of Information Assurance
24. James Madison University - M.S. Computer Science (Information Security)
25. University of Texas @ Austin - M.S. Information Security and Privacy
26. University of Southern California - Privacy Law and Cybersecurity Certificate
27. Cornell University - System Security Certificate
28. Massachusetts Institute of Technology (MIT) - Professional Certificate in Cyber Security
29. Harvard University - Online Short Course - Cyber Security: Managing Risk in the Information Age
30. University of California - Irvine - Certificate: Cyber Security
31. Massachusetts Institute of Technology (MIT) - Cybersecurity for Managers: A Playbook
32. University of Oxford - Cybersecurity for Business Leaders Programme
33. Georgetown University - Graduate Certificate in Cybersecurity Risk Management
34. Harvard University - Graduate Certificate; Cybersecurity
35. University of Virginia - Graduate Certificate; Cybersecurity Management


Articles of Interest for Security Practitioners


DoDM 5200.01, Volume 4; Enclosures 3 and 4 - “Controlled UNCLASSIFIED Information (CUI)” - Defense Contractors Challenged to Define Applicability and a Realistic, Cost Effective Compliance Strategy

Does Volume 4 of the Manual Apply to Defense Contractors or Provide Adequate Depth of Detail to Implement Physical and Technical Security Controls for CUI?

C.L. Freeman, CISSP-ISSAP
October, 2012

The Challenge: Shortly after the U.S. Department of Defense (DoD) announced that DoD 5200.01-R had been superseded by DoDM 5200.01 and the Defense Security Service (DSS) posted Volumes 1-4 to their website, several defense contractors pro-actively took steps to estimate the cost and internal policy changes they may eventually need to implement to protect U.S. government Controlled UNCLASSIFIED Information (CUI) under their cognizance (as defined in Volume 4).

Several firms quickly concluded that Volume 4 does NOT apply to defense contractors (unless formally declared in the DFAR, a contract DD-254 or another contract vehicle), since protection of CUI is not addressed in the NISPOM and DSS has not, as of October, 2012, formally declared in writing that mandatory contractor compliance is required.

Other defense contractors have argued that it doesn’t make sense for DSS to post a DoD policy on their website that doesn’t apply to defense contractors when their primary mission is “support of implementation of all security policy and guidance applicable to Defense Contractors”. They also pointed out that DSS declares on their website they are revising their CDSE training curriculum, utilized by Defense Contractors, to align with DoDM Volumes 1-4.

Scope of DoD Information and Contractor Managed Systems Involved: When you look closely at Volume 4, Enclosure 3, you’ll notice that hardcopy and electronic DoD designated CUI that is stored, processed or transmitted is considered in scope. The question at hand is “are contractor or employee owned and operated computing systems, mobile devices and applications that process DoD CUI also in-scope?” The answer to this question is of significant importance when we consider that U.S. and foreign owned defense contractors hold a large volume of FOR OFFICIAL USE ONLY or other CUI in e-form linked to active and in-active U.S. government contracts.

Strategies Forward: As noted above, several firms have decided to do nothing in the short term concerning implementation of Enclosure 3 and 4 in Volume 4 because they believe the policy only applies to the DoD (unless specifically declared in the DFAR or contract DD-254).

Other defense firms are pro-actively breaking Enclosures 3 and 4 down into individual requirement statements they can use to author test cases they’ll eventually apply to verify compliance if DSS formally communicates that Enclosures 3 and 4 are in-scope for the defense industrial base and other defense contractors obligated to comply with the DFAR. They are also classifying each derivative requirement they develop as a “management, operational, physical or technical” control. Once this task is complete, they are evaluating their current corporate information security policy, which defines protection requirements for firm or partner / subcontractor proprietary information, to determine where there are similarities between the two requirements baselines.

They’ll then take the final step of developing and posting internal corporate guidance concerning protection of DoD CUI that maps directly between the Enclosure 3 and 4 requirements and their corporate information protection policy, with the understanding that customer defined protection requirements that exceed the noted protections take precedence.


Is a Certified Information Systems Security Professional (CISSP) Certification Worth The Time, Money and Effort?

C.L. Freeman, CISSP-ISSAP


Information Technology (IT) Certification Programs have been around for quite a while. Several started out with a bang and then fizzled out after a few years. The Data Processing Management Association (DPMA) certification is a prime example. The main reason why so many Certification Programs have failed to maintain public / private sector recognition is due to one primary factor: They did not require on-going, documented “Skills Maintenance”. The “Certified Information Systems Security Professional (CISSP)” certification, awarded by ISC2, is designed to address this challenge.

After you pass the exam and are awarded the "CISSP" designation, there is a mandatory minimum number of points you must submit to ISC2 (every three years) to keep your Certification.

The examination is tough and comprehensive. It requires on-the-job exposure and a clear understanding of a wide range of security technologies / concepts. There are prerequisites that must be validated by ISC2 before you are allowed to take the exam.

Don't assume a CISSP certification will suddenly “launch your career to new heights”.
It will not help you understand or effectively apply the most important skill you need: Effective application of "Soft Skills". For example, it won’t make you an effective leader or member of a Team. It will not give you a better attitude about your company or your career. You still need to acknowledge and actively manage your soft skills if you hope to realize the full potential this coveted certification has to offer.

Once you have the Certification, you can let the certificate “hang on the wall” or you can use it in a wide range of ways to benefit both you and your company. CISSP certification can further your professional goals in many ways you may not have considered. If you are willing to apply yourself, you can positively impact not only your career, but the future of your company and the careers of others. You can also have a positive impact on the Information Systems Security Profession. Consider the following possibilities:

1. If You Choose, You Can Influence the Future of the Profession

You can help Professional Security Organizations communicate their message. You can speak at Conferences, Symposiums, Leadership meetings at your company, etc. You now have a credible voice and you can speak if you desire. You can help ISC2 maintain their CBK Curriculum. You can actively influence the careers of Junior Security practitioners. The opportunities to influence the profession at your company and internationally are available, if you choose to seek out and act on available opportunities.

2. Provides the Opportunity to Support Information Systems Security Organizations (Board Member, etc.)

Joining Professional organizations is easy. Pay the fee and you’re a member. You may want to get involved in your local security professional organizations (ISSA, NCMS, etc). The CISSP designation gives you instant credibility when you request “active” involvement in local activities. It can also help if you choose to campaign for a leadership position on the Board of one of these organizations.

3. You Add Value to your Company (this should be your Number One Priority)

Your “Value” to your organization should be the focus of all of your efforts. Decisions made by management (concerning you) are influenced by your real or perceived value to your company. You are responsible for ensuring that your contribution continues to support the mission and goals of the company. The CISSP Certification, and your focus on effective maintenance of it, will only support the view that you are of real value to the company.

4. Recognition by Companies

Companies (and the Federal Government) are recognizing the value of the CISSP designation. More CIOs and IT managers are requiring the CISSP designation for their IT Security positions. This is evident for staff, middle management and Executive level positions. Search any job site on the internet and you will see the influence this Certification is having on Job Descriptions.

5. Recognition by Peers and Management

Recognition by Management has its benefits in terms of your job description / responsibilities, future salary growth and surviving a downsizing or lay-off exercise. It also helps with your working relationship with peers. They will seek you out to gain your perspective on their challenges and approaches to solving them.

6. Credibility if you Author a Paper or Give a Presentation at a Conference, etc.

The CISSP designation can immediately offer credibility to White papers or Articles you write for Industry publications. You can also be asked to present on Information Systems Security topics at various conferences, symposiums and professional organizations (Local ISSA meetings, for example). Opportunities like this don’t just happen. You must create them by your own action.

7. Keeps You Focused on Learning New Technology and Security Concepts

This is one of the most powerful features of this Certification. Maintenance of your CISSP requires you to take a class, write an article, attend a conference, etc. If you don't, you can lose the designation. Most certifications do not require "Skills maintenance". You can focus your efforts on concepts you have a handle on or take a risk and focus your attention on technologies or processes you don’t feel confident with.

8. Increases Your Chances for Promotion

As mentioned before, this is only possible if you are taking care of the “Soft Skills”. If you are, CISSP certification will increase your value to the company, therefore, your company will likely consider you in their Leadership planning.

9. Gives You a View of Where You are Strong and Where You are Weak

Everyone who takes the CISSP examination has admitted that they were strong in various areas, but weak in others. Most are strong in areas that link to their current job responsibilities. CISSPs now have a unique perspective on the "scope" of technologies and concepts a Security Practitioner needs to remain competitive. The CBK is a great roadmap for your professional development plan. Focus on your weaknesses and continue to care for and feed your strengths.

10. You Can Define Effective Training Plans for Your Staff

As noted above, you can plan your professional development strategy to address your weaknesses. You can also provide effective training plans for your staff and peers who have chosen Information Systems Security as a career path.

11. You Can Teach or You May be Asked to Conduct Research

The CISSP credential will offer the opportunity to teach others what you know. Your company may ask you to teach a CBK subject to junior personnel (to support their preparation for the CISSP exam). You may be asked to teach a subject at a conference or professional organization. As stated previously, these opportunities don’t just happen. You must seek out all opportunities to keep your skills sharp.







  
We want to hear from you. Do you have an article of interest for our subscribers? Please contact the Chief Editor at We use a "Question/Answer" format in all articles.