DHS IT Security EBK: Don't Complain After They Are Published...Comment On Them While You Can!
The Department of Homeland Security (DHS) recently released the draft "IT Security Essential Body of Knowledge (EBK)" for public comment and feedback.
This 45-page document outlines the skill sets that the groups working with the DHS have determined to be necessary for different information security topics. Many information security folks asked why another information security EBK was necessary when the CISSP Common Body of Knowledge (CBK) already existed.
Well, the most apparent reason is that this is a government initiative as opposed to a private industry initiative, and they want to include a few things that are missing from within the CBK.
And it is likely that the final DHS EBK will weigh heavily in U.S. federal data protection law compliance. If you are a company doing business in the U.S., you should review what the DHS EBK draft says and consider how feasible it would be for your organization and industry to comply with the information security framework it describes.
Don't wait until after the DHS EBK is finalized to complain about the details...give your constructive input now to try and help make it a reasonable, effective document!
Many of us participating in the Security Catalyst Community (SCC) are banding together to review and comment on the contents of the document. So far the list includes:
Rich Mogull, Ron Woerner, Andrew Hay, Don Weber, Michael Santarcangelo, Andy Willingham, David Mortman, Brett Lewis, Martin McKeay, and Landon Lewis.
One of the resources we have been using is ScribbleWiki.
If you want to join our group response effort, or are too shy to submit your comments to the DHS alone, you can join us in our efforts by providing your input at the Security Catalyst Community’s DHS IT Security EBK Response page.
Whether you want to review and comment alone or as a group, it is important for you to know that comments on the document are due by *December 7, 2007*!
Don't wait until after the document is finalized to provide constructive criticism, or even belly-aching.
Let your voice be heard now, and if you think the final document did not address your expressed concerns, you will be well justified in continuing to give constructive criticism and belly-aching after the fact!

Comments
Is the CISSP CBK freely available? I can't see it from the link you give. Well - I CAN see a list of 10 domains but nothing like the detail published in this draft.
Posted by: dave | November 30, 2007 1:41 PM
Hi Dave,
The CISSP CBK topics listed at that link are freely available, and you can freely get more information about each if you register at the (ISC)^2 site to download a PDF, but you're right; the CBK generally is not nearly as detailed as the EBK. However, the "official" (ISC)^2 CISSP study books provide a significant amount more detail.
Unlike what will be a relatively static EBK, the information within the CISSP CBK domains may be updated each year. As the (ISC)^2 site indicates, "The (ISC)² CBK, from which the (ISC)² credentials are drawn, is updated annually by the (ISC)² CBK Committee to reflect the most current and relevant topics required to practice the profession of information security." (https://www.isc2.org/cgi-bin/content.cgi?category=8) This could very well be why the DHS wanted to create their own, more easily referenceable on an ongoing basis, EBK. This also allows those following the EBK to not need to register with the (ISC)^2 and have to buy their products in order to get more information.
You can find more detailed information about the topics covered within the CISSP CBK domains within the "CISSP Candidate Information Bulletin" at https://www.isc2.org/cgi-bin/request_studyguide.cgi?displaycategory=694
Rebecca
Posted by: Rebecca | December 2, 2007 12:17 PM
Thanks - will look into it.
It'll be interesting to see how the EBK stacks up against the NIST docs, especially the "Guide for the Security Certification and Accreditation of Federal Information Systems": http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37-final.pdf
Posted by: dave | December 2, 2007 6:03 PM