Principles of Information Assurance Engineering and Testing

This three-day course presents a fresh perspective and comprehensive introduction to Information Assurance Testing. As businesses and government rush forward to "electronify" their operations, they need to consider where security fits into their value model. The instructors will provide an introduction to information security principles and then apply these to Information Assurance Testing.

The instruction is organized into a sequence of interactive lessons and practical student exercises illustrating each phase in this cycle. Through these lessons, the participants will gain real-world insights including an appreciation of the problems involved. Each of these sections includes student participatory practical exercises including role-playing exercises and hands-on laboratory exercises.

At the completion of this course, students should understand:

Course Outline

  1. Defining Information Assurance Requirements. This section provides the basis for defining and specifying information security requirements. These are used to define test requirements.
    • INFOSEC Fundamental Concepts. This covers the introductory concepts that will be built upon during the remainder of the course, including the definition of information security objectives, fundamental principles, and organization. These concepts provide the basis for defining information security requirements.
  2. Implementing a Security Architecture. This section provides the basis for designing a Security Architecture to implement security requirements. This architecture includes the systems that are the subject of the testing.
    • Security Architecture and Engineering. Information security requirements are translated and implemented through a security architecture and design. Designs utilize products including firewalls, intrusion detection systems, virtual private networks, and public key infrastructures.
    • Solution Integration. This involves the integration of products, people, and processes to implement the security design. An effective solution uses products within their capabilities to provide "defense -in depth". This lesson covers the configuration and testing of the products and the use of their capabilities as part of the e-business solution.
  3. Test Planning. This section includes areas needed for developing and implementing an effective information assurance test.
    • Types of Testing. Testing can be done at different points during the design, deployment, operation, or improvement of an information system and can address either the as-built system configuration or proposed systems.
    • Test Methods. Test methods include both operational and technical methods. Tests can be conducted with different degrees of knowledge and access. In general these include the Landscape discovery process, vulnerability scanning, penetration testing, blind testing, and insider testing, among others.
  4. Test Metrics. This section includes qualitative and quantitative methods of measuring and assessing information assurance test results.
    • Vulnerability Metrics. This method of measuring test results is the most basic and is implemented in most scanning tools. It is popular because of its universal applicability.
    • Requirement Metrics. This method maps metrics to information security requirements. It is useful in providing traceability.
    • Operational Metrics. These provide end-to-end measures of end-to-end operational system effectiveness. Assess defense-in-depth implementation.


Dr. Myron Cramer, Lead Instructor, is the Executive Director of the Information Assurance Division at Windermere. He is a recognized expert on Internet security, and information warfare. He brings over 30 years of experience developing and managing government and commercial assignments. Current programs include information assurance product integration and operations support to the Defense Department, the Intelligence Community, and commercial sponsors. Activities include network topology mapping, boundary protection, intrusion detection, vulnerability analysis, virtual private network operation, and enterprise security management. His commercial experience has included leading projects for Fortune 500 companies in the telecommunications, banking, and automotive sectors. His defense research has included electronic warfare, advanced sensor technologies, and signal processing. He has led research and development programs addressing system requirements analysis, specification, design, development, and testing.

Continuing Education Credit

This program meets the criteria for the nationally accepted Continuing Education Unit (CEU). Each participant successfully completing this 3 day course will earn 2.1 CEUs. These CEUs apply to the elective requirements for the TEREC Test & Evaluation Certificate.

Schedule and Fees

This class is not currently scheduled. Persons interested in taking the class may email their interest to Dr. Steven Gordon. When enough interest is shown, we will schedule the course and contact interested parties.

Course Last Offered

15-17 October 2002, Annapolis, MD

Related Links

Testing for Information Assurance Conference

Last Updated September 29, 2011