The document discusses the importance of developing an information security workforce framework for Thailand. It notes challenges like the small number of qualified professionals and lack of clear career paths. It introduces the Thailand Information Security Association (TISA) and its first competency profiling test. International frameworks for workforce development from the US Department of Defense and Department of Homeland Security are also summarized that emphasize common competencies and certifications. The document argues a framework is needed to address Thailand's challenges and properly develop the information security workforce.
Infosec Workforce Development Framework For Thailand
1. 5th August 2010
Infosec Workforce Development
Framework for Thailand
by Chaiyakorn Apiwathanokul
CISSP, GCFA, IRCA:ISMS
Chief Security Officer
PTT ICT Solutions Co., Ltd.
A Company of PTT Group
August 2010
2. Name: Chaiyakorn Apiwathanokul
ไชยกร อภิวัฒโนกุล
Title: Chief Security Officer (CSO)
Company: PTT ICT Solutions Company Limited
A Company of PTT Group
Certificates: ISC2:CISSP, IRCA:ISMS (ISO27001), SANS:GCFA
• Honoree in the Senior Information Security Professional category for
the 2010 Asia-Pacific Information Security Leadership Achievements (ISLA)
by (ISC)2
• Security Sub-commission under Thailand Electronic Transaction Commission
(ET Act B.E. 2544)
• Contribute to Thailand Cyber Crime Act B.E.2550
• Workgroup for CA service standard development
chaiyakorna@hotmail.com
• Committee of national standard adoption of ISO27001/ISO27002
• Committee of Thailand Information Security Association (TISA)
• Committee of Cybersecurity workforce development,
Division of Skill Development, Ministry of Labour
3. Agenda
The importance and challenges
TISA and The 1st Competency Profiling Test
(TISET)
The framework
5. Lack of Information Security
Impact to Business
Lost of business opportunity Out of business
Higher operation cost
Lost of trust
Damage to reputation
Incompliance
6. Lack of Information Security
Impact to Individual
Lost of privacy
Humiliation
Lost of life
Impact to the Country
National Security
Intelligence
Critical infrastructure
Wellbeingness of citizen
Trustworthiness
7. 2-side Coin
Infosec knowledge can be used
for good and for bad.
Once one learns how to use a gun, he can
use it for good and for bad.
This profession needs to be monitored and
controlled as well as lawyer and doctor.
8. Current Challenges in Thailand
• Small/inadequate number of qualified workforce
• Value recognition of Information Security practitioner
HR thinks it’s just another IT position, what make it so important???
• Unclear career path
Only few organizations has CSO, CISO or dedicate division/department to handle Infosec in the
organization
• Under pay
Asia-pacific got about 10-20 times less than in US.
• Incentive is not yet attractive to motivate people to jump into
this field
why do they have to work harder with the same pay or only small raise?
• High cost of being certified, but small to no support from the
organization
• English Language
8
11. Institutes Certificates
The Computing Technology Industry Association, Inc.
Global Information Assurance Certification
The SANS Institute GIAC Certified Firewall Analyst GIAC Assessing Wireless Networks GIAC Certified Forensics Analyst GIAC Certified Intrusion Analyst
International Information Systems Security
Certification Consortium, Inc. Certified Secure Software Lifecycle Certified Information Systems Security Systems Security Certified Certification and Accreditation
Professional Professional Practitioner Professional
Information Systems Audit and Control Association
o Principal Auditor
International Register of Certificated Auditors
o Lead Auditor
o Auditor
o Provisional Auditor
Information Technology
Infrastructure Library
Office Of Government Commerce (OGC)
11
12. CompTIA Certifications
For individuals, attaining certifications means increased job security, additional career opportunities and
increased credibility in the workplace. For businesses, hiring certified workers means higher customer
satisfaction, increased productivity and lower employee turnover.
CompTIA A+
For entry-level IT technicians, the CompTIA A+ exam covers preventative maintenance, basic networking,
installation, troubleshooting, communication and professionalism.
CompTIA Network+
For networking professionals, the CompTIA Network+ exam covers managing, maintaining,
troubleshooting, operating and configuring basic network infrastructure.
CompTIA Security+
For experienced security professionals, the CompTIA Security+ exam covers system
security, network infrastructure, cryptography, assessments and audits.
CompTIA Server+
For experienced IT professionals, the CompTIA Server+ exam covers areas such as RAID, SCSI, managing
multiple CPUs and disaster recovery.
CompTIA Linux+
For experienced Linux professionals, the CompTIA Linux+ exam covers user administration, file
permissions, software configurations and the fundamental management of Linux systems.
CompTIA is the non-profit trade CompTIA PDI+
For entry-level printer and document-imaging technicians, the CompTIA PDI+ exam covers basic
association advancing the global electromechanical components and tools, print engine and scan processes, color theory and networking.
interests of information technology
(IT) professionals and companies
including manufacturers, distributors,
resellers, and educational institutions
12
13. CompTIA Certifications
(cont.)
CompTIA RFID+
For RFID professionals, the CompTIA RFID+ exam covers installation, maintenance, repair and
troubleshooting of RFID products.
CompTIA Convergence+
For experienced convergence professionals, the CompTIA Convergence+ exam covers designing,
implementing and managing voice and data networks.
CompTIA CTT+
For technical instructors, the CompTIA CTT+ exam covers classroom preparation, presentation,
communication, facilitation and evaluation in both traditional classroom and virtual classroom
environments.
CompTIA CDIA+
For document imaging solutions sellers, the CompTIA CDIA+ exam covers planning, designing and
specifying a document imaging management system.
CEA-CompTIA DHTI+
For experienced home technology professionals, the CEA-CompTIA DHTI+ certification covers
configuring, integrating, maintaining and troubleshooting electronic and digital home systems.
CompTIA is the non-profit trade CompTIA Project+
association advancing the global For project managers, the CompTIA Project+ certification covers the entire process of project
interests of information technology management, including initiation, planning, execution, acceptance, support and closure.
(IT) professionals and companies
including manufacturers, distributors,
resellers, and educational institutions
13
15. Global Information Assurance Certification
Gold Certifications
GIAC Certified ISO-17799 Specialist (G7799) - GOLD Certificates:
GIAC Assessing Wireless Networks (GAWN) - GOLD GIAC Auditing Wireless Networks - Certificate (GAWN-C)
GIAC Certified Forensics Analyst (GCFA) - GOLD GIAC Business Law and Computer Security (GBLC)
GIAC Certified Firewall Analyst (GCFW) - GOLD GIAC Contracting for Data Security (GCDS)
GIAC Certified Intrusion Analyst (GCIA) - GOLD GIAC Critical Infrastructure Protection (GCIP)
GIAC Certified Incident Handler (GCIH) - GOLD GIAC E-warfare (GEWF)
GIAC Certified UNIX Security Administrator (GCUX) - GOLD GIAC Fundamentals of Information Security Policy (GFSP)
GIAC Certified Windows Security Administrator (GCWN) - GOLD Securing Windows 2000 - The Gold Standard (GGSC-0100)
GIAC Information Security Fundamentals (GISF) - GOLD Securing Solaris - The Gold Standard (GGSC-0200)
GIAC .Net (GNET) - GOLD Auditing Cisco Routers - The Gold Standard (GGSC-0400)
GIAC Certified Penetration Tester (GPEN) - GOLD GIAC HIPAA Security Implementation (GHSC)
GIAC Reverse Engineering Malware (GREM) - GOLD GIAC Cutting Edge Hacking Techniques (GHTQ)
GIAC Security Essentials Certification (GSEC) - GOLD GIAC Intrusion Prevention (GIPS)
GIAC Law of Fraud (GLFR)
GIAC Secure Internet Presence (GSIP) - GOLD
GIAC Legal Issues in Information Technologies (GLIT)
GIAC Systems and Network Auditor (GSNA) - GOLD
15
16. International Information Systems
Security Certification Consortium, Inc.
Certified Information Systems
Systems Security Certified
Security Professional (CISSP®)
Practitioner (SSCP®)
and related concentrations
Certification and Information Systems Security
Accreditation Professional Architecture Professional
(CAP®) (CISSP-ISSAP®)
Certified Secure Software Information Systems Security
Lifecycle Professional Engineering Professional
(CSSLPCM) (CISSP-ISSEP®)
Information Systems Security
Management Professional
(CISSP-ISSMP®)
16
17. Typical Job Path:
• University graduate - Information
security administrator, eligible for
Associate of (ISC)2 program
• 1+ years work experience – Information
security administrator, eligible for SSCP®
certification
• 4+ years work experience – Information
security analyst/engineer, eligible for
CISSP® certification
• 7+ years work experience – Information
security manager
• 9+ years work experience – Director of
IT or information security, chief security
officer (CSO) or chief information
security officer (CISO)
17
18. Information Systems Audit and Control
Association
The Certified in the Governance of Enterprise IT® (CGEIT®)
The Certified Information Security Manager® (CISM®)
The Certified Information Systems Auditor® (CISA®)
The Control Objectives for Information and related Technology (COBIT)
18
19. Well-known Certifications in Thailand
* Only those available in Thailand
The Institute of Internal Auditors (IIA)
CIA - The Certified Internal Auditor
CCSA - Certification in Control Self-Assessment
CFSA - Certified Financial Service Auditor
Association of Certified Fraud Examiners (ACFE)
CFE - Certified Fraud Examiners
The Bank Administration Institute (BAI)
CBA - Certified Bank Auditor
Information Systems Audit and Control Assoc. (ISACA)
CISA - Certified Information Systems Auditor
CISM - Certified Information Security Manager
Intl Information Systems Security Certification Consortium (ISC)2
CISSP - The Certified Information Systems Security
Professional
20. Agenda
The importance and challenges
TISA and The 1st Competency Profiling Test
(TISET)
The framework
22. TISA (Thailand Information Security Association)
Vision
– Thailand and Asia community have been
recognized that we are safe and secure in
information security from global point of
view.
Mission
– To develop internationally accepted process
and information security practitioners
25. TISA Activities 2008-2009
1st TISA Seminar : Information Security Seminar on topic : “How The New
Thailand ICT Law effect IT industry” over 400 Attendees attended at Sasin,
Chulalongkorn Univeristy.
In-Depth Study on “Information Security Rating for IT/Infosec Professional in
Thailand”
– NIST SP800-16
– DHS - EBK 2008 (September, 2008)
– DoD Directive 8570.01-M (May 15, 2008)
– CISSP, SSCP, CISA, CISM, SANS GIAC certification
In-Depth Study on Thailand Information Security Testing Programme for
IT/Information Security Professional
– TISA Management Level I
– TISA Management Level II
– TISA Management Level III
– TISA Technical Level I
– TISA Technical Level II
– TISA Technical Level III
25
29. Information Technology (IT) Security
Essential Body of Knowledge (EBK)
A Competency and Functional Framework
for IT Security Workforce Development
United States Department of Homeland Security
September 2008
29
30. Purpose of EBK
Articulates functions that professionals within the IT
security workforce perform in a common format and
language.
Provides a reference for comparing the content of IT
security certifications, which have been developed
independently according to varying criteria
Promotes uniform competencies to increase the
overall efficiency of IT security education, training,
and professional development
30
31. Purpose of EBK (cont.)
Offers a way to further substantiate the wide
acceptance of existing certifications so that they can
be leveraged appropriately as credentials
Provides content that can be used to facilitate cost-
effective professional development of the IT security
workforce, including skills training, academic
curricula, and other affiliated human resource
activities.
31
32. Why was the EBK established?
Rapid evolution of technology
Various aspects and expertise are increasingly required
Standard or common guideline in recruiting, training
and retaining of workforce
Knowledge and skill baseline
Linkage between competencies and job functions
For public and private sectors
32
36. Competency Areas (MDIE in each)
1. Data Security 8. Personnel Security
2. Digital Forensics 9. Physical and Environmental
3. Enterprise Continuity Security
4. Incident Management 10. Procurement
5. IT Security Training and 11. Regulatory and Standards
Awareness Compliance
6. IT System Operations and 12. Security Risk Management
Maintenance 13. Strategic Security
7. Network and Management
Telecommunication Security 14. System and Application
Security
36
37. Roles of Information Security
1. Chief Information Officer
2. Digital Forensics Professional
3. Information Security Officer
4. IT Security Compliance Officer
5. IT Security Engineer
6. IT Security Professional
7. IT Systems Operations and
Maintenance Professional
8. Physical Security Professional
9. Privacy Professional
10. Procurement Professional
37
40. EBK Analysis IT Security Roles
Executive Functional Corollary
IT Security EBK:
A Competency and
IT Security Compliance Officer
Physical Security Professional
Digital Forensics Professional
Functional Framework
Information Security Officer
IT Systems Operations and
Procurement Professional
Maintenance Professional
Chief Information Officer
IT Security Professional
IT Security Engineer
Privacy Professional
Functional Perspectives
M - Manage
D - Design
I - Implement
E - Evaluate
M 11 12 0 1 2 1 0 1 3 1
D 2 7 1 3 4 6 4 2 6 1
I 0 1 2 5 8 3 4 4 4 1
E 3 10 14 3 5 7 2 3 5 1
Total Competency Units 16 30 17 12 19 17 10 10 18 4
Managerial Professional
Level Level
Entry Level
40
42. The Example of TISA TISET Exam
Information Security Competency Score Card
42
43. Enterprise Infosec Competency Profile
* Organization assess Infosec competency
Enterprise/ requirement against EBK
Personnel * Assess current competency within the
Capability enterprise
* Identify competency gap training
requirement, recruitment
EBK
Infosec training provider Training
Provider
maps training courses to EBK
44. TISET Development
Study and develop test item according to DHS-IT Security
EBK 2008
Matching test items with corresponding competency and
functional perspective (MDIE).
Refer to CISSP, SSCP, CISA, CISM, CIA and PMP knowledge
Initial Plan Arp-09 May-09 Jun-09 Jul-09 Aug-09
Current Plan Oct-09 Dec-09 Feb-10
1 Lot items (8/CU) X
Peer review X
rescrubbing X
Committee review X
1st pilot exam X
Finalize x
1st launch x
45. TISA TISET Exam Item Development Restriction
1. None of the item development committee has access to all developed
items
2. Item development committee shall only see the item they developed
and those when peer-reviewed.
3. TISA reserved the right not to disclose any or all of the developed
items to those who does not involve with the item development
process.
4. Item development committee must abide to the signed Non-
disclosure Agreement (NDA).
Storage encryption technique was used (AES 128 bits)
2-Man dual control mechanism was practiced
(one hold the key file and one hold the pass-phrase)
Secure Erase, ANTI-Forensic (US DoD 5220.22-M 3 Pass) was practiced45
46. Thailand Information Security Association
TISA ITS-EBK Model
TISA TISET Pilot Exam Summary
17-Oct-2009
http://www.tisa.or.th
46
47. TISA TISET Pilot Exam Methodology
All 500 items in databank were tested
There were 4 sets of question papers (A-B-C-D)
Each question set contains 125 questions
Each question set contains all 14 competencies with 4
detail functional perspectives (14x4=56 CU’s)
2.5 hours to finish
2B Carbon pencil answer sheet (like CISSP,CISA Exam)
47
48. TISA TISET Pilot Exam Summary: TISA ITS-EBK Model
Pilot Test Date: 17 Oct. 2009
Pilot Test Group: 4 Groups (125 Questions each group (set), 2:30 hrs.)
Knowledge-base: IT Security Essential Body of Knowledge (EBK)
IT Security Essential Body of Knowledge
Fourteen Competency Areas Four Functional Perspectives Ten IT Security Roles
1. Data Security • Manage (M) • Chief Information Officer
2. Digital Forensics • Design (D) • Information Security Officer
3. Enterprise Continuity • IT Security Compliance Officer
• Implement (I)
4. Incident Management • Digital Forensics Professional
5. IT Security Training and • Evaluate (E) • IT Systems Operations and
Awareness Maintenance Professional
6. IT System Operations and • IT Security Professional
Maintenance • IT Security Engineer
7. Network and Telecommunication • Physical Security Professional
Security • Privacy Professional
8. Personnel Security • Procurement Professional
9. Physical and Environmental
Security
10. Procurement
11. Regulatory and Standards 48
Compliance
50. TISA Pilot Exam Summary:Pre-test & Post-test Questionnaires
Total Candidates : 90 persons
Candidates: 90 persons Any Experiences related to
information security:
Education Level
Education Level:
Yes = 77%
• Undergraduates Graduate/MBA
= 48%
Undergraduate) 0% No = 23%
• Graduates 48% = 52% 52%
Graduate/MBA)
Others) Undergraduate
The NO Answers are those haven’t
experiences related to information
security in their jobs. They are:
Reasons & Motivation in Pilot
Participation • R&D/QA Engineer,
• Programmer, SA,
6%
• IT Staff/Operations, IT Support,
YES
• Researcher, IT instructors / students,
NO
• and those hadn’t specified.
94%
50
51. TISA Pilot Exam Summary:Pre-test & Post-test Questionnaires
Total Candidates: 90 persons IT Professional Certificates:
Yes 40% = 36 persons
IT Association Membership: No 50% = 54 persons
Yes = 20 persons
Those 36 persons have hold 78
No = 70 persons
professional certificates:
• CISSP = 2 persons
Those 20 of 90 persons are IT • CISA = 5 persons
association members of: • CISM = 0 persons
• TISA = 3 persons • Security+ = 23 persons
• (ISC)2 = 2 persons • MCSE = 5 persons
• ISACA = 5 persons • CCNA = 2 persons
• CEH = 4 persons
• IIA = 3 persons
• ITIL = 4 persons
• ITSMF = 5 persons
• PMP = 1 persons
• Others = 2 persons • Others = 26 persons
51
52. Candidate Profile : IT and Information Security
Professional Certificates
35
31
30
25 23
20
15
15
10
5
5 3
2
0
0
CISSP CISA CISM Security+ MCSE CCNA Others:
52
53. TISA Pilot Exam Summary:Pre-test & Post-test Questionnaires
The Standards, Best Practices and IT Topics that the
candidates currently are interested Interested Topics
to the most:
Standards & Best Practices
ISMS = 22.7%
ITIL = 19.6% 6.2%
24.7%
COBIT = 16.0% COSO
COSO ERM = 6.2% Others:
-Professional certificates
ERM 16.0%
a) CO
BCM = 9.3% -Network Security
-Forensics COBIT b) CO
ITSM = 1.5% -Penetration Test
-Vulnerabilities Assessment
c) ITIL
Others = 24.7% d) BS2
e) ISO
ITIL
ISMS f) ISO
Others topics include: 19.6%
g) Oth
• CISSP = 6.2% 22.7%
• CEH = 2.1% ITSM BCM
• CISA = 2.1%
• Network security = 2.0% 1.5% 9.3%
• VA, Penetration Test = 2.0%
• Forensics = 1.5%
• Others (each < 1%) = 8.8%
53
54. TISA Pilot Exam Summary:Pre-test & Post-test Questionnaires
Involvement in Present Work & Future Career
60
50
40
30
20
10 Present work
Future career
0
54
55. TISA Pilot Exam Summary:Pre-test & Post-test Questionnaires
Interesting Topics (EBK Domains)
by Management vs. Technical Perspectives
70
60
50
40
30
20
10 Management
Technical
0
55
58. TISA Pilot Exam Summary:Pre-test & Post-test Questionnaires
Candidates’ Comments
100
90 88
86
79 79
80 76
70
60
52
50
40 38
No Answer
30
No
20 Yes
12
10 10
10
2 2 3
0 0 1 1 1
0 Prefer to Take a Prefer o introduce Prefer TISA Exam The Test is The Exam Want to enroll
real TISA Exam friends to take a Questions in Thai relevant to the Questions is fine TISA membership
real TISA Exam Language essential and in assessable
knowledge to the knowledge
58
59. TISA Pilot Exam Summary:Pre-test & Post-test Questionnaires
Comments on Level of Difficulties/Hard of Questions and Appropriateness of Time & Venue
Overall Questions Questions are Questions are English language is Appropriatenes Appropriateness of
are quite difficult difficult in difficult by in normal work s of Time Place/Venue
technical terms language
(in English) Most of the candidates (46%) have
In technical terms, almost of the candidates (92%) said English language in their normal
questions are hard (44%) and very hard (48%) respectively. work, but they (52%) still said the
questions in English are quite hard
By overall, about three-fourth of the candidates (72%) said the / difficult.
questions are hard, and almost one-fifth (21%) said the questions
are very hard/difficult. 59
60. TISA Pilot Exam Summary:Pre-test & Post-test Questionnaires
The barrier of LANGUAGE is significant.
Since all of questions are in English, 72% of candidates pointed that
the exam questions were quite hard although 69% admitted that
English language is in their normal work. (By Language, 52% said
it’s hard, and 20% said it’s very hard respectively)
The exam questions in OVERALL seemed quite hard/difficult
Most candidates (93%) said the questions were quite hard;
- Three-fourth (72%) said it’s hard; One-fifth (21%) said it’s very
hard
In TECHNICAL terms, the exam questions are rated hard/difficult
Most candidates (92%) said questions appeared quite hard;
- About 44% said it’s hard, and about 48% said it’s very hard
60
61. TISA Pilot Exam Summary: Results Report
Scattering of Scores
Number of Candidates (persons)
Scoring in percentage
61
62. Competency Profile
Max Score Min Score
Avg Score
1. Data Security
2. Digital Forensics 8. Personnel Security
3. Enterprise Continuity 9. Physical and Environmental Security
4. Incident Management 10. Procurement
5. IT Security Training and Awareness 11. Regulatory and Standards
Compliance
6. IT System Operations and Maintenance
12. Security Risk Management
7. Network and Telecommunication
13. Strategic Security Management
Security
14. System and Application Security
62
63. IT Security Role Match
Max Score Min Score
Avg Score
M – Manage
D – Design
I – Implement
E - Evaluate
63
67. TISA Pilot Exam Summary: Results Report
The Top Performer, scoring 78%
• The IT Auditor, with a background of Engineering,
having 7 professional certificates (CISSP, CISA, Security+, CCNA, CEH, MCITP, PMP)
The Top Ten performers, scoring range 55%-78%
• The Top Five scores 60%-80%
• Those only 1 PMPs listed at the Top ranking
• Those only 2 CISSPs listed in the Top Ten Ranking
• Those only 5 CISAs listed in the Top Ten Ranking
• The Two of Top performers didn’t specify having any certificate
• Five of Top Ten performers are InfoSec Consultants,
which Four of them are ACIS staff
First ACIS : CISSP, CISA, Security+, CCNA, GCIA
Second ACIS : CISA
Third ACIS : Security+
Fourth ACIS : Security+, SSCP
Another Consultant : IT Audit/Consultant without specifying any certificate
67
68. TISA Pilot Exam Summary: Next Target
First Launch of a real TISA ITS-EBK Exam
• In the first quarter of 2010 (about February 2010)
Accrue a Databank of TISA Exam questions
• Volunteers of qualified professional in developing more exam
questions
• Qualify the exam questions
• Localize the exam questions in Thai language
• Promote Information Security practitioners to sit for an examination
Accredit to the TISA TISET Examination
• Supported and Accredited by Government Agents
• Endorsed by TISA and Thailand Information Security Professional
Council 68
76. TISA Pilot Exam Summary: Certification Roadmap
Audit Management Technical
EXPERT
ADVANCE
International Certified IT & Information Security Professional
Step to CISSP,SSCP, CISA,CISM
FOUNDATION (Localized) TISA TISET Certification
on IT / Information Security
Competencies Test TISA TISET Exam
76
77. TISA TISET Exam : Mission and The Next Target
TISA Exam
First Launch
Pilot Test
2011
Q1
Infosec
Q4 2010 Professional
Increase Council
number of
Infosec
2009 professional
TISA EBK across
Assessment industries
Exam
77
78. Agenda
The importance and challenges
TISA and The 1st Competency Profiling Test
(TISET)
The framework
80. Framework Considerations
• Critical Components
– Job description + qualification i.e. Gov. CSO
– Career path
– Competency assessment and certification
– Training
– Professional council
– Professional community/forum
– Funding and promotion
– Indexes
81. Framework Considerations
• Example of indexes
– For country
• Number of certified/registered workforce
• Growth rate
– For corporate
• Organization Capability Index (OCI)
• Annual budget/expense in professional training
– For individual
• Competency benchmarking
82. Short/Mid/Long Term Plan
• For organization (public/private sector)
– Develop job description and competency requirement
– Assess current competency
– Identify training requirement
• For training center
– Certified program
– Certified trainer
– Certified training center/institute
(Certified Infosec Excellence Center)
83. Short/Mid/Long Term Plan
• For academy
– Develop under-graduation program or major
– Develop graduation program or major
– To apply for being an Excellence Center
– To apply for being a test center
• For individual
– Assess current competency
– Training plan
– Career development plan