REVIEW FOR EXISTING LESSON PLANS FOR COMPUTER SECURITY COURSES

Declassified in Part - Sanitized Copy Approved for Release 2013/01/30: CIA-RDP89B01354R000200310016-9 UNCLASSIFIED 8 September 1977 STAT TO: (Chairman DCI Computer Security. Subcommittee National Security Agency Fort Meade, Maryland 20755 FROM: Mr. George S. Herrmann, State MemberoS,_ DCI Computer Security Subcommittee U.S. Department of State Washington, D.C. 20520 SUBJ: Review of Existing Lesson Plans for Computer Security Courses During the week of August 29 through September 2 1977, I reviewed three lesson plans developed for computer security training courses. These courses are taught by the National Security Agency at Ft. Meade, by the U.S. Army Logistics Management Center at Ft. Lee, Virginia, and by the Department of Defense Computer Institute in Washington, D.C. The objective of my study was to determine the degree to which these courses overlap, and to glean from the overlap a basic structure for a course in computer security which might be established for interagency participation under the auspices of the Computer Security Subcommittee. As might be expected, there were a number of topics common to all three courses: these are listed in Annex A. Several topics were common to two of the three courses; these appear in Annex B. Some topics were unique to each course: I found these to be the most interesting topics, and have included them in Annex C. The DODCI course-is a four-day offering, aimed apparently at mid- level management. The NSA and Ft. Lee courses last, respectively, one week and two weeks. These relatively long course times allow student resolution of class problems at NSA and problem workshops at Ft. Lee. These practical exercises strike me as valuable training tools which help reinforce security practices presented in the lecture courses. Ft. Lee brings in guest speakers from private industry`to lecture on the strengths and weaknesses of various computer systems. I was unable to determine whether Ft. Meade does this or not, but I forsee some scheduling problems with this approach. UNCLASSIFIED Declassified in Part - Sanitized Copy Approved for Release 2013/01/30: CIA-RDP89B01354R000200310016-9  Declassified in Part - Sanitized Copy Approved for Release 2013/01/30: CIA-RDP89B01354R000200310016-9 2 U The Ft. Lee course features 5 1/2 hours of instruction on computer fraud. It is my opinion that this course might be of interest to the Department of the Treasury and FBI representatives to the Subcommittee, if they have not already taken the course. Conclusions: The Ft. Lee and DODCI courses are open to personnel from other government agencies on a space available basis; this is presumably true of the course at NSA. The existing courses seem adequate: I believe that it would be premature at this point to establish a separate interagency computer security course unless there are important topics of concern to us which are not taught by the existing schools. I suspect that there are.additional computer security courses available at other government agencies of which I am presently unaware, and that the cirreculums for these courses should be reviewed before we consider establishing a new course geared expressly to the needs of the Intelligence Community. I do recommend that Annex A to this paper, listing topics common to the three courses I examined., should serve as a starting point for any computer security course we consider creating. I would also suggest that the administrative office for each of the three schools be asked to keep the Chairman, CSS informed of their projected class schedules, so that Subcommittee members may propose personnel for these courses in advance of course starting dates. With the permission of the Chairman, I will continue to make the rounds of government agencies offering computer security courses in an effort to compile a more complete list of course offerings. When I have what I feel is a complete list, I will again compare cirreculums. I would hope that the Subcommittee, in reviewing the final list of course offerings, can uncover areas of concern to the Intelligence Community that are not offered by an existing school. In my opinion, we should then pursue topics of concern to us for which no instruction is currently available. Declassified in Part - Sanitized Copy Approved for Release 2013/01/30: CIA-RDP89B01354R000200310016-9  Declassified in Part - Sanitized Copy Approved for Release 2013/01/30: CIA-RDP89B01354R000200310016-9 ANNEX A 3 TOPICS COMMON TO ALL THREE COURSES Course Orientation Documentation Guidelines, Regulations and Requirements Computer Security Analysis and Design Physical Security Considerations Personnel Security Considerations Privacy Act Requirements Computer System Auditing Data Base Integrity Commencement Exercises Declassified in Part - Sanitized Copy Approved for Release 2013/01/30: CIA-RDP89B01354R000200310016-9