IT Security Essential Body of Knowledge

What is it?

First, here's the technical definition: The IT Security Essential Body of Knowledge, or EBK, is an established framework of concepts, functions and terminology that contribute to both the private and public sector's ability to implement and manage information technology security.

Now, the shorter, plain-English definition: EBK is a collection of what government IT security managers believe are the essential technology and management skills an IT staff should have to protect federal networks from cyberattacks and unauthorized access.

That's what it is. Now, for what it's not. EBK is not a mandate from the Office of Management and Budget. It's not a directive from the president. It's not a law passed by Congress. It's not even guidance issued by the National Institute of Standards and Technology. Rather, the EBK is more of an informal "best practices" document that outlines the skills that anyone who is, or wants to be, employed in the information security field in the federal government should have to be proficient at hardening computer networks against cyberattacks and keeping unauthorized users out of files and databases.

The EBK is similar to the (ISC)2 Common Body of Knowledge. It "establishes a common framework of information security terms and principles, which allows information security professionals worldwide to discuss, debate and resolve matters pertaining to the profession with a common understanding," according to the Web site of (ISC)2, a credentialing and testing organization.

Spearheaded by the Department of Homeland Security, the EBK is the federal government's version of (ISC)2's Common Body of Knowledge. It also drew much of its inspiration from the Defense Department's Information Assurance Skill Standard, which Defense developed as part of its workforce improvement program.

How Long Has It Been Around?

Not long. DHS established the IT Security EBK in 2007 to maintain order in the wide variance in how agencies and private corporations defend networks against the increasing number and complexity of information security risks -- malware, viruses, phishing scams, unknown vulnerabilities and other threats. By imposing some order, DHS and others hope to tighten security.

On Oct. 3, DHS published the draft Notice of Availability in the Federal Register, asking for comments through Dec. 7. Over 600 comments were filed.

What Are the Must-Have Skills, Jobs and Theories?

The document is broken into three main sections. The IT Security Competency Area defines 14 segments of IT security; breaks down each one's key functions; and provides recommendations for management, evaluation, and design and implementation. The segments include:

Data security

Digital forensics

Enterprise continuity

Incident management

IT security training and awareness

IT systems operations and maintenance

Network security and telecommunications

Personnel security

Physical and environmental security

Regulatory and standards compliance

Risk management

Strategic management

System and application security

The second section is the core of the document; it's the IT Security Essential Body of Knowledge. It provides key terms within each competency area that every information security professional should know inside and out and be able to recite effortlessly. Under data security, for example, the EBK lists almost 30 terms, including access control, privacy, user provisioning and security clearance. According to the document, security professionals should at a minimum know, understand and be able to apply the key terms and concepts that relate to the competencies to which their role is linked. A deep understanding of all of the key terms and concepts is the foundation for performance as a "conversant IT security generalist." In other words, you not only have to know your stuff, you've got to talk about it with other security specialists and government executives.

The last section of the document concerns IT Security Roles, Competencies and Functional Perspectives. It outlines the expectations and necessary skill sets for 10 IT professional jobs. While not every agency will have a position for each of the 10 roles, the list provides an insight into what the federal IT community believes are the positions that each enterprise should have to raise information security practices to a strategic level in an enterprise -- and that means beyond the chief information officer. The 10 roles are:

Chief information officer

Digital forensics professional

Information security officer/chief security officer

IT security compliance professional

IT security engineer

IT systems operations and maintenance professional

IT security professional

Physical security professional

Privacy professional

Procurement professional

Why Should I Care?

Greg Garcia, who, as assistant DHS secretary for cybersecurity and communications, is the leading cybersecurity executive in government, says there are three benefits of the EBK. First, agencies and contractors can use common terms and definitions to articulate what security professionals do and why it is important. Typically, these talks are fractured and jagged because they are littered with dense technical jargon and processes on one hand, and business and financial speak on the other. The two groups don't understand one another. By speaking the same language, federal IT staffers and managers can have conversations with the top (read, nontechnical) executives running the organization that lead to better IT security investments and real results -- that is, better protected systems and information.

Second, EBK promotes a uniform definition of what it means to be competent, which improves IT security training. And third, EBK provides content to help IT professionals develop their careers. In the long term, the goal is to make the guidelines part of the training and education within an agency or corporation, as well as part of academic curricula.

The EBK intends to inform agency IT managers who may find it difficult to establish security standards and support. Managers can treat the guidelines as a checklist, noting every area that needs to be considered and what skills an individual or group of individuals need to have to manage those requirements. With huge holes in federal IT networks, such a document can help agencies develop a strategic approach to IT security.

What's the Latest Thinking?

The IT Security EBK is brand new, so there's been little feedback from agencies and the private sector on the document's approach. The fact that it received no public comments may be an indication that it will have little impact on improving IT security. But it's still very early.

If agencies incorporate the EBK framework into IT security plans, the effort will be deemed a success, and the framework will be expanded and built on to reflect new technology and requirements. That's the ideal scenario. If agencies don't pay the framework much attention, DHS may have to re-evaluate its approach. More specific action items, accompanied by step-by-step instructions for incorporating them into an agency's business processes, could make the guidelines easier to implement. If that doesn't work, legislation is certainly not out of the question.

How Do I Get Started?

First, officials should evaluate the IT security framework, including processes and policies, they have in place in their agencies. Then they should take a close look at the document and apply the various items to their own agencies. Every IT environment is different, which brings different requirements.

Agencies need to then compare and contrast the elements of their existing approach to IT security -- if one exists -- to the EBK framework. Are all of the various competency areas supported? Does the workforce fully understand the information security terminology? Even if the agency does not have each of the positions listed in the document, ask if it has associated responsibilities assigned to someone else. Also, are there enough resources available to support the requirements?

For a lot of agencies, the document could drive a re-evaluation and perhaps a reorganization to make better use of resources. In some cases, duplicate roles may exist, allowing individuals to be reassigned to make better use of time and skills. In other cases, agencies will have to take a serious look at where resources are lacking, and find funds for hiring the skilled individuals called for in the document or outsourcing some of the necessary processes. Still others might find that additional security software and tools are all that's needed. Ideally, the IT Security EBK will provide a standard against which agencies can measure their own infrastructure.