Information Security Officer: Job profile, necessary qualifications, and awareness raising explained in a practical way | ISO/IEC 2700x, BSI Standards 200-x, and IT-Grundschutz Compendium | ISBN 9783945740231

Information Security Officer: Job profile, necessary qualifications, and awareness raising explained in a practical way

ISO/IEC 2700x, BSI Standards 200-x, and IT-Grundschutz Compendium

edited by Margit Christa Scholl
EAN 9783945740231 | ISBN 3-945740-23-1 | ISBN 978-3-945740-23-1
The Federal Academy of Public Administration within the Federal Ministry of the Interior, Building, and Community (BAköV) has been working with the Federal Office for Information Security (BSI) since 2007 to train and certify IT security officers (IT-SO) for public administration. This successful concept has so far been adopted by only a few universities as part of their training and further education programs, probably because the concept and certification relate to public administration, and to federal administration in particular. Under my leadership, the Technical University of Applied Sciences Wildau (TH Wildau), where administrative courses have been an established part of the curriculum since 1997, adopted this certification concept in 2010 and focused on implementing it successfully in an appropriate form. From the start, the aim was to make a significant contribution to the quality of information security in the Brandenburg region and beyond. After attaining recognition as a BAköV qualification body, I have since expanded this training to students from a wide variety of courses and to external employees. The course's content and methodology have been continuously updated. Having integrated information security into its different courses, especially in non-technical contexts, TH Wildau is undoubtedly a pioneer in the field. The certification of students at TH Wildau was funded by the Horst Görtz Foundation (HGS) in the period 2018 to 2020.

With almost 3,700 students, TH Wildau is the largest (technical) University of Applied Sciences in the state of Brandenburg. Its attractive range of courses currently comprises forty-one bachelor's and master's courses in science and engineering as well as in economic, administrative, and legal disciplines. Another special feature of the university is its internationality: some 25 percent of the students come from more than sixty countries. Partnership agreements and student and lecturer exchanges connect TH Wildau with over 140 academic educational institutions worldwide. The university has held a top position in applied research nationwide for years and has a recognized reputation as a center of excellence for important scientific disciplines. We are pleased to have a productive ongoing cooperation with the BAköV and the BSI that provides education and training in information security and helps raise awareness of the topic.

Our range of further training courses and the final certification are based on a manual that was created by the BAköV and the BSI in cooperation with the Fraunhofer Institute for Secure Information Technology (SIT) and is currently available in a revised version 6.2 [1]. This manual is not public and can only be obtained as part of the BAköV/BSI training; its contents may only be used in consultation with the BAköV. In devising this book, we have no intention of duplicating this manual. Rather, we want to acquaint our readers with our diverse experience in implementing further education in information security, with the aim of integrating theory and practice. This ranges from the individuals responsible for and involved in security management to the designated information security officers, who are also required to initiate qualification measures themselves as part of their function. We essentially refer to publicly available sources, in particular the international family of standards for information security ISO/IEC 2700x, the national BSI Standards 200-x, and the IT-Grundschutz Compendium (IT baseline protection).

To ensure a consistent level of security, it is increasingly important that information security officers (ISOs) are properly qualified. This group of people therefore needs a defined and solid body of specialist knowledge, sound training, and the option of obtaining the relevant certification. This includes considering how an abstract, theoretical understanding of information security can be conveyed to participants in an advanced training course in a clear and understandable way. The quality of our advanced training with certification is ensured by current, practice-oriented knowledge transfer with interactive and participative teaching and learning methods. This is supported by the size of the classes, which are limited to a maximum of eight participants. There is also room for individual design, depending on the specific needs of the participants, which keeps the training flexible and takes into account the previous knowledge, professional experience, and areas of responsibility of the target group. Participants also have the opportunity to exchange ideas grounded in their previous experience as a means of solving challenges. Psychologically based research results in the fledgling discipline of corporate information security suggest this is a crucial element in raising awareness in learners with a long-lasting effect [2].

In this respect, all the activities undertaken by my research group "Information Security Awareness" in developing and applying methods and tools for raising awareness and training in information security are important for this book; these have been incorporated into teaching and training for years. At the meeting of the BAköV's and BSI's partners at TH Wildau in 2017, for example, the participants were impressed by the extensive results of my research group, especially by the way experience-oriented analog and digital learning scenarios on current risk situations such as phishing, password hacking, and social engineering can be integrated into teaching and further training. Such examples from our research projects with different target groups, as well as ideas from student projects, are also outlined here as suggestions for ISOs wishing to raise the awareness of colleagues. In advanced training courses, such experience-based and game-based learning scenarios can be used as an effective warm-up tool with a serious background, while at the same time serving to consolidate knowledge.

To ensure a high level of security in all institutions, whether public or private, the ISOs and everyone responsible for information security must be properly qualified. Ernst-Peter Ehrlich has supported me as a lab engineer in my laboratory for media-integrated administrative informatics at TH Wildau since 2015 and has actively contributed to the implementation of the advanced training courses with certification. He specializes in technical training exercises and also provides valuable input for all readers of this book, especially those who want or need to work actively as ISOs. It is hoped that this book will enrich the methodology of further training in information security: our experience-oriented scenarios and the discursive didactics of our teaching aim to engage participants in communication and discussion as a basis for action.