The Russian Experience – Information Security Education

Anatolij Maljuk, Associate Prof., Member of the IAI
Alexander Tolstoi, Associate Prof., Associate Member of the IAI
Natalia Miloslavskaia, Associate Prof.
Moscow State Engineering Physics Institute
[email protected], [email protected]

Abstract:

The basic features of the expert training system on information security created in Russia are examined. The structure of organizational, normative and legal, educational and methodical maintenance of the expert training on the basis of higher education, re-training courses, second education and postgraduate institutions is given. Trends of the further development of the Russian expert training system on information security are considered.

Key words:

information security, expert training system, organizational, normative and legal, educational and methodical maintenance, trends of development

1. INTRODUCTION

Expert training on information security at the Russian universities has a certain history [1, 2]. It is possible to assert that the basis of a state system of expert training in this field has now been created in Russia. The features of the system are the organizational maintenance, the normative and legal maintenance, and the educational and methodical maintenance of expert training. Here we give information on the Russian experience of creating the expert training system on information security, and we also analyze the problems that exist and that must be solved in the further development of the system.

2. ORGANIZATIONAL MAINTENANCE

The organizational maintenance of expert training on information security in Russia is determined by the type of educational activity. Today the prevailing types are:

1. expert training on the basis of higher education,
2. expert re-training with the purpose of acquiring a second higher education,
3. expert re-training on the basis of professional improvement courses,
4. post-graduate institutions (for training staff with the highest qualification, such as candidates and doctors of sciences).

Expert training (namely of engineers) on the basis of higher education is conducted at higher educational institutions. By the beginning of 2001 there were more than 70 such institutions, located in practically all regions of Russia. Moreover, despite the appearance of a great number of non-state universities in Russia, expert training is conducted only at state higher educational institutions. There are several reasons for this: first, the short term of existence of the non-state universities; second, the difficulty of providing a sufficient number of skilled teaching staff; third, the insufficient technical and methodical assets of these institutions. In developing this direction of educational activity we do not exclude deploying expert training on information security at non-state universities as well. Some such universities have declared their readiness.

The duration of expert training on information security on the basis of higher education is 5 or 5.5 years, depending on the speciality and the opportunities of a particular university. The only stipulated form of this training is classroom instruction. It should be noted that the complete training cycle has been conducted at least once, and the final examinations have taken place, at only approximately 20 percent of the educational institutions. The other high schools are now training students in the initial years, and their final examinations will be held in the next few years. It is expected that this percentage will increase substantially in the coming years.

Taking into account the importance of this direction of expert training, the Russian Ministry of Education (RME) has created a network of regional educational and research centers (16 centers) on the basis of the most successfully working universities. They are located in all the most developed regions of Russia, with a head educational and research center in Moscow on the basis of the Moscow State Engineering Physics Institute (Technical University) (MEPhI). Their task is to supply the needs of their region for experts and to support the universities located in the region that conduct expert training on information security.

The necessity of expert training for the purpose of acquiring a second higher education is determined by labour market requirements. There is a shortage of experts on information security, which can be partially met by training those who have earlier graduated from higher educational institutions in neighbouring specialities (for example, information technologies). In this case it is possible to prepare an expert in a speciality concerning information security in a shorter term (for example, 2 - 2.5 years), using an individual educational schedule. This form of educational activity is carried out at those universities in which expert training under the complete program is already conducted. It should be noted that acquiring a second higher education is an exclusively paid form of training, because the Russian state guarantees its citizens only the first higher education free of charge. All subsequent "educations" require payment by the trainee. The universities actively support this form of training because it is an additional source of funding for the educational activity of the state high schools.

Professional re-training on information security (for example, for the financial and banking sector [2]) is connected with the need to acquire knowledge and practical skills in the newest methods and technologies of information security maintenance in a short time (from one to four weeks). As a rule, the organizations in which these technologies are being introduced are interested in it. The need is met by the activity of state universities and of non-state educational institutions, usually created at large corporations engaged in introducing modern information technologies and specialized in the field of information security. Education for the purpose of professional re-training is an exclusively paid form of knowledge acquisition in Russia.

Training of personnel with the highest qualification is carried out at the post-graduate institutions of the universities (called "aspirantura" and "doctorantura" in Russian), with the purpose of supplying the educational sphere with teachers and the scientific research sphere with qualified science officers. The duration of the training is three years for classroom instruction and four years for correspondence courses. When the training is finished, a thesis for the degree of candidate or doctor of sciences is presented. Training at the post-graduate institutions is as a rule free of charge for a trainee who has successfully passed the entrance examinations and the competitive selection. However, in some cases (for example, purposeful training for a particular non-state organization, or training at individual initiative without passing the competitive selection) it is paid.

The activity of the educational institutions in all the directions mentioned above is controlled by the RME and coordinated by the Educational and Methodical Association. The Association, created by the RME, consists of representatives of the educational institutions conducting expert training on information security.

3. NORMATIVE AND LEGAL MAINTENANCE

The RME carries out the normative and legal support of expert training on information security. The normative maintenance includes the formulation of the training specialities and of a state standard for each speciality. All the training directions and specialities of the Russian higher educational system are formulated in the document "The List of Training Directions and Specialities for Higher Vocational Training", authorized by the RME. The list was substantially improved in 2000. The need for a separate group of specialities in the list (with the number 075000 and the title "Specialities in the field of information security") was recognized. The group now includes the five specialities listed in Table 1.

Table 1.

| Speciality code | Speciality title | Qualification | Educational step |
|---|---|---|---|
| 075200 | Computer security | Mathematician | 3 |
| 075300 | Organization and technology of information protection | Expert on information protection | 3 |
| 075400 | Complex protection of informatization objects | Expert on information protection | 3 |
| 075500 | Complex maintenance of automated system information security | Expert on information protection | 3 |
| 075600 | Information security of telecommunication systems | Expert on information protection | 3 |

Each speciality has its own code, title, qualification and educational step. A three-step system of higher education is accepted in Russia. The first step is the first two years of training in a higher educational institution (called base education). The second step is the bachelor level (4 years of training under separate programs). The third step is the expert in a certain speciality (4 - 5.5 years of training) or the master (2 years of training after the bachelor degree).


A state educational standard of higher vocational training is developed and authorized for each speciality. The standard contains the following sections:

1. The general characteristics of the speciality.
2. The requirements for an applicant's preliminary educational level.
3. The general requirements for the basic educational program of graduate preparation.
4. The requirements for the obligatory minimum content of the basic educational program in the following cycles (including discipline titles, basic sections and volume of studies in hours):
   – general humanitarian, social and economic disciplines;
   – general mathematical disciplines and natural sciences;
   – general professional disciplines;
   – disciplines of specialization.
5. The terms of study of the educational program.
6. The requirements for the development and implementation of the basic educational program.
7. The requirements for a graduate's educational level.

The standard is the basis for developing a particular educational plan of the speciality and the educational programs of separate disciplines. A specialization can be formed within the framework of each speciality; the decision is taken by the particular university.

In some cases the specifics of a higher educational institution do not allow it to open a new speciality on information security. In this case another variant is possible: choosing a speciality not from the group mentioned above but from other groups. These can be specialities whose natural sciences and general professional cycles of disciplines form a sufficient basis for expert training in a specialization related to information security. To open a new specialization, a decision of the higher educational institution is sufficient, with subsequent registration of the specialization at the educational and methodical association to which the chosen speciality belongs. About 20 high schools of Russia have followed this way.

The same approach is realized in training lawyers for a sphere of activity concerning information security. For example, experts in the "Jurisprudence" speciality ("Computer Law" specialization) have been trained at MEPhI for some years. They combine knowledge in the field of law with technical knowledge of the methods and tools ensuring information security. These experts (whose base education is nevertheless jurisprudence) can work as organizers of information security maintenance processes in a commercial environment. In other words, a modern lawyer who wishes to carry out his/her professional activity in the field of telecommunications, information resources exchange, electronic commerce etc. should have the whole complex of technical knowledge. Such experts are trained at MEPhI (the information was given by Doctor of Jurisprudence Alexei Fatianov, the Head of the General Jurisprudence and Legal Bases of Security Department of MEPhI).

Expert training on information security with higher education, based on the implementation of the state educational standards, provides the appropriate level of certification of this preparation. On finishing a higher educational institution the graduates receive a "diploma" of the nationwide standard form. The professional improvement courses do not require state certification. Most often, after a re-training course trainees receive a certificate of the educational center in which the re-training was carried out. The educational system of Russia provides for the possibility of certification by the RME of a particular re-training course program. If the volume of the course exceeds 72 educational hours, the educational center has the right to issue a certificate of the nationwide standard form to any person who has finished the re-training successfully.

Training of experts with the highest qualification also requires certification. For this purpose there is a list, authorized at state level, of the scientific specialities in which post-graduate students can work, as can the specialized councils that accept theses for the scientific degrees of candidate or doctor of sciences in separate branches (technical, physical and mathematical, legal etc.). There is only one scientific speciality on information security, titled "Methods and Systems of Information Protection. Information Security". It was included in the state list in 1995. Since then hundreds of theses of various levels have been written in this speciality.

In Russia the legal basis for expert training in any field of knowledge, including information security, is a license received from the RME for the educational activity of expert training in a certain speciality (experts with higher education, experts of the highest qualification) or under a certain program (professional improvement courses and re-training).

4. EDUCATIONAL AND METHODICAL MAINTENANCE

Expert training in any speciality requires an appropriate educational and methodical base, whose structure is worked out over a long period of functioning of a particular educational system. The widening of new directions of educational activity, to which expert training on information security undoubtedly belongs, requires individual approaches to creating the educational and methodical maintenance. This conclusion is based first of all on factors determined by the specificity of the chosen direction and the high intensity of its development. Here the practical experience accumulated at the educational centers of Russia becomes relevant and can be of great interest to the educational centers of other countries.

The type of educational activity determines the structure of the educational and methodical maintenance (EMM). We consider the features of the EMM for expert training with higher education and for post-graduate or continued education (so-called professional re-training). This division reflects the different approaches to organizing the training process.

For the first type of training it is expedient to distinguish two groups of EMM: the "base" EMM and the "working" EMM. This approach (though rather conditional) and the offered names allow a primary classification of the EMM.

The base EMM is the EMM of state level (authorized by the RME). It consists of:
– the state educational standards of higher vocational training,
– provisional educational plans of particular specialities,
– provisional educational plans of the disciplines belonging to the federal component of the educational programs of the specialities, and
– the textbooks admitted or recommended by the RME for students of higher educational institutions training in a certain direction or speciality.

This EMM is the basis for developing the EMM of the second group.

The working EMM comprises the documents approved at the level of a particular higher educational institution. To this group belong:
1. for a speciality chosen by a high school - a working educational plan of the speciality, educational plans of specializations, lists of themes for research and degree works;
2. for a particular discipline - an educational program, materials for progress testing (examination tickets, offset questions, colloquium questions, tasks for control works, lists of home tasks), lists of themes for course projects, educational and methodical manuals, laboratory practical works etc.

In preparing the working educational plan for the chosen speciality, a certain difficulty lies in filling the sections concerning the regional component, courses of the student's choice and disciplines of specialization with particular disciplines. These disciplines take approximately 25-30 % of the total amount of hours of theoretical training. The solution of this problem lies in taking into account the specificity of the particular high school (features of the base education, capabilities of the teaching staff) and the needs of the region where the institution is located. These features can be reflected in forming the working educational plan of a specialization within the framework of the chosen speciality. Such a specialization can be an already known one (this can be established by a request to the Educational and Methodical Association) or a newly created one. In the latter case it must be registered in the Association. The necessary conditions of registration are a unique title and a difference of not less than 50 percent in the content of the educational courses of the new specialization from the earlier registered specializations.

The teachers of separate departments are usually engaged in developing the EMM for particular educational courses. In doing so it is necessary to take into account the content of the provisional educational programs of the courses belonging to the federal component, developed by the Educational and Methodical Association and authorized by the RME.

The EMM for continued education has a substantially smaller nomenclature. It consists first of all of:
– the educational programs of particular educational courses, which as a rule are developed by the particular educational institution,
– the educational and methodical materials supporting the conduct of classes, and
– the educational editions for additional vocational training, which may or may not have the appropriate signature stamp of the RME.

It is necessary to note a serious problem in creating the EMM for expert training on information security: supporting the educational process with textbooks and manuals. Unfortunately, the textbooks are insufficient both in nomenclature and in number, because of the high intensity of development of this field of knowledge. Two approaches are realized in Russia:
1. preparation and publication of textbooks at a particular educational center;
2. preparation and publication of textbooks at federal level for use at all educational centers.

The first approach meets the current needs of a particular high school and does not require a large print run or a high level of typographical execution. Plenty of educational and methodical manuals are issued at the Russian educational centers. Under the second approach, only those textbooks are issued in rather large print runs that concern wide subjects and do not require essential correction for a long time. There are not many such editions in Russia. We list only the titles of the textbooks and the years of their edition:
1. Basis of information protection (1997).
2. Theoretical bases of computer security (2000).
3. Protection of programs and data (2000).
4. Protection in operational systems (2000).
5. Intranets: Internet Access, Security (2000).
6. Intranets: Intrusion Detection (2001).

It is necessary to note that the introduction of new educational technologies changes the form of the EMM essentially. This is connected first of all with the development of distance learning forms, which assume the use of electronic textbooks and remote methods of progress testing. Some experience of creating such textbooks at the universities of Russia already exists [3, 4]. Thus it is possible to speak about the formation of one more EMM group: the electronic EMM.

5. FURTHER DEVELOPMENT TRENDS FOR THE RUSSIAN SYSTEM OF THE EXPERT TRAINING ON INFORMATION SECURITY

The further development of the expert training system on information security created in Russia should take into account the basic statements of the Doctrine of Information Security of the Russian Federation, authorized by the President of Russia in September 2000. The document represents a set of official guiding views that form the basis of information security for Russia. The questions connected with preparing qualified staff and with cultivating the appropriate legal culture are also reflected in the document. This means the creation of a uniform expert training system in the field of information security and information technologies. The unity of the system reflects the practical experience accumulated in the field of information protection. If information technologies and the tools for their protection are developed independently, the task of information security maintenance becomes many times more complicated. They should be developed in indissoluble unity with each other. The same is true for the field of education: there should be a uniform cycle of study of information technologies and of the methods and tools of information protection.

In this case the following directions for improving the system of expert training, professional improvement courses and re-training of staff in the field of information security maintenance can be identified [5]:
1. Development of a system of measures aimed at state regulation of the training, professional improvement courses and re-training of staff.
2. Improvement of the nomenclature of specialities and directions of higher vocational training.
3. Ordering and widening of the list of high qualification specialities and of the expert training programs for them.
4. Development of new state educational standards and improvement of the existing ones.
5. Development of educational-scientific and methodical materials for the expert training system.
6. Development of the professional improvement courses and re-training of staff.

To this list it is necessary to add the widening of the use of new educational technologies such as distance learning, electronic textbooks, automated progress testing systems etc.

6. EXAMPLES OF ACTIVITY ON THE EXPERT TRAINING ON INFORMATION SECURITY OF SOME RUSSIAN EDUCATIONAL CENTERS

The Moscow State Engineering Physics Institute (Technical University). The Information Security Faculty (6 departments) of MEPhI is the Head educational and scientific center on information security of the RME (www.fis.mephi.edu). It conducts expert training and professional re-training in the following directions:

1. The speciality - "Complex maintenance of automated system information security". Qualification - an expert in information protection. Duration of training - 5.5 years. The training will be carried out in the specializations:
   – "Open information system security";
   – "Information security of the banking automated systems";
   – "Designing, monitoring and auditing of complex information security systems";
   – "Application of cryptological methods in information protection systems".
2. The speciality - "Complex protection of informatization objects". Qualification - an expert in information protection. Duration of training - 5.5 years.
3. The speciality - "Jurisprudence". Qualification - a lawyer. Duration of training - 5 years. Specialization - "Computer law".
4. The speciality - "Security and non-proliferation of nuclear materials". Qualification - an engineer-physicist. Duration of training - 5.5 years. Specialization - "Physical protection of nuclear objects". The curriculum contains a large cycle connected with information protection in automated systems of physical protection.
5. The direction - "Physical and technical problems of atomic engineering". The educational master program - "Physical protection, accounting and control of nuclear materials". The educational course "Information security in physical protection, accounting and control of nuclear material systems" is included in the curriculum.
6. The re-training courses for experts from the financial and banking sphere. The course catalogue contains more than 30 educational programs with a duration of training from 5 to 12 days (40-96 educational hours).
7. The post-graduate training in the speciality "Methods and systems of information protection. Information security". Annual number of post-graduate students - 10.
8. The frontal training of all students of the university under the program "Information security bases".

The St.-Petersburg State Technical University. The Computer System Information Security Faculty is a Regional educational and scientific center on information security of the RME in the northwest region (www.ssl.stu.neva.ru). It conducts expert training and re-training in the following directions (information was given by Professor Peter Zegzhda, the Head of the center, [email protected]):

1. The speciality - "Computer security". Qualification - a mathematician.
2. The speciality - "Complex maintenance of automated system information security". Qualification - an expert in information protection.
3. The educational master program - "Information security and protection".

The State University of Radio-engineering (Taganrog). The Information Technologies Security Department is a Regional educational and scientific center on information security of the RME in the southwest region (www.tsure.ru). It conducts expert training and re-training in the following directions (information was given by Professor O.B.Makarevich, the Head of the center, [email protected]):

1. The speciality - "Organization and technology of information protection". Qualification - an expert in information protection.
2. The re-training courses for experts in information protection.

The Scientific & Technical Center (Moscow). The Association of the Russian Banks (ARB), together with several organizations, has created the necessary base for practically solving the marking problems of information protection in the automated systems of commercial organizations of the financial and banking sphere. A training class equipped with up-to-date protected computers was recently opened in Moscow. The ARB implemented this class on the basis of its Scientific & Technical Center (STC of ARB). Practical classes are conducted within the framework of the base program "Practical ensuring of complex security of information automatic system resources of data processing in a commercial bank". It is reasonable to note that the program is also suitable for re-training specialists from other, non-bank organizations that process proprietary information containing no state secrets. For instance, bank officers designed the first group of courses together with specialists of the Russian stock market. The courses are oriented basically towards the study of applied questions of information ensuring for automated banking systems (ABS). The technical base of the courses is a training stand that prototypes the most widespread conditions of operation of an ABS and of its subsystems for information resource protection. The hardware-software tools most used in banks are examined. The training stand can be reconfigured quickly and painlessly. Complex security of ABS information is built on the use of cryptographic applications for information protection (the information was given by the STC Executive Director Ph.D. Boris Skorodumov, www.stcarb.comcor.ru).

7. REFERENCES

[1] Maljuk A., Tolstoi A. Personnel Training for Information Security Maintenance in Russia. Proceedings of the IFIP TC11 WG 11.8 First World Conference on Information Security Education, 17-19 June 1999, Kista, Sweden, pp. 39-48.

[2] Tolstoi A. Security training in Russian Financial and Banking sector. Proceedings of Information Security Summit, 30-31 May 2000, Prague, pp. 141-158.

[3] Miloslavskaia N., Tolstoi A. On the Experience of Creating the Electronic Tutorial "Vulnerability and Protection Methods in the Global Internet Network" in Moscow State Engineering Physics Institute for Education of IT-Security Professionals. Proceedings of the IFIP TC11 WG 11.8 First World Conference on Information Security Education, 17-19 June 1999, Kista, Sweden, pp. 99-109.

[4] Miloslavskaia N., Tolstoi A. The Educational Course "Vulnerability and Protection Methods in the Global Internet Network" – the Experience of the Moscow State Engineering Physics Institute. Proceedings of the International Conference "Telecommunications for Education and Training", 8-11 June 1999, Gjovik, Norway, pp. 92-98.

[5] About the Doctrine of the Information Security of the Russian Federation. Information Technology Security, 2000, № 3, pp. 21-25.
