What is IAM?

The IAM is a detailed and systematic way of examining cyber vulnerabilities and was developed by experienced NSA and Commercial INFOSEC assessors. NSA is providing the IAM to assist both INFOSEC assessment suppliers and consumers requiring assessments. This market was originally created by the PDD-63 requirement for vulnerability assessments of automated information systems that support the U.S. infrastructure. In addition to assisting the governmental and private sectors, an important result of supplying baseline standards for INFOSEC assessments is fostering a commitment to improve organizations' security posture.

Individuals will be trained in the IAM so they can use their INFOSEC analysis skills along with the IAM training to provide the standardized IAM assessment service. Since the IAM is a baseline methodology, the final results of the assessment service are highly dependent on the INFOSEC and analytic skills of the assessors. For this reason it is suggested that individuals have either the proper experience or take additional INFOSEC training prior to taking the IAM course. Currently, companies and government organizations looking for outside help assessing the security posture of their information systems can choose from dozens of commercial firms that advertise INFOSEC assessment capabilities. Although these contractors all provide INFOSEC assessment services, their processes, terminology, scope and costs vary widely. The IAM course was developed for the benefit of organizations trying to obtain an INFOSEC assessment which meets their needs.

The IAM is a two-day course for experienced Information Systems Security analysts who conduct, or are interested in conducting INFOSEC assessments of information systems. The course teaches NSA's INFOSEC assessment process, a high-level, non-intrusive process for identifying and correcting security weaknesses in information systems and networks.