[ISN] ITL Bulletin for October 2003

From: InfoSec News (isn@private)
Date: Fri Oct 17 2003 - 00:17:22 PDT

  • Next message: InfoSec News: "[ISN] ITL Bulletin for October 2003"

    Forwarded from: Elizabeth Lennon <elizabeth.lennon@private>
    
    INFORMATION TECHNOLOGY SECURITY AWARENESS, TRAINING, 
    EDUCATION, AND CERTIFICATION
    By Mark Wilson and Joan Hash
    Computer Security Division
    Information Technology Laboratory
    National Institute of Standards and Technology
    Technology Administration
    U.S. Department of Commerce
    
    Introduction
    Federal agencies and private sector organizations cannot protect the
    confidentiality, integrity, and availability of information in today's
    highly networked systems environment without ensuring that all people
    involved in using and managing information technology (IT):
    
    * Understand their roles and responsibilities related to the
      organizational mission;
    
    * Understand the organization's IT security policy, procedures, and
      practices; and
    
    * Possess at least adequate knowledge of the various management,
      operational, and technical controls required and available to 
      protect the IT resources for which they are responsible.
    
    As cited in audit reports, periodicals, and conference presentations,
    the IT security professional community understands that people are one
    of the weakest links in attempts to secure systems and networks. The
    people factor - not technology - is key to providing an adequate and
    appropriate level of security. If people are the key, but are also a
    weak link, more and better attention must be paid to this asset. A
    robust and enterprisewide awareness and training program is paramount
    to ensuring that people understand their IT security responsibilities,
    and properly use and protect the IT resources entrusted to them.
    
    NIST Special Publication (SP) 800-50, Building an Information
    Technology Security Awareness and Training Program, by Mark Wilson and
    Joan Hash, provides guidelines that can help federal departments and
    agencies meet their security training responsibilities contained in
    the Federal Information Security Management Act (FISMA) and Office of
    Management and Budget (OMB) guidance. The document gives guidance for
    building and maintaining a comprehensive awareness and training
    program, as part of an organization's IT security program. This ITL
    Bulletin summarizes NIST SP 800-50, which is available at
    http://csrc.nist.gov/publications/nistpubs/index.html.
    
    The document is a companion publication to NIST SP 800-16, Information
    Technology Security Training Requirements: A Role- and
    Performance-Based Model (also available at the above website). The two
    publications are complementary; SP 800-50 works at a higher strategic
    level, discussing how to build an IT security awareness and training
    program, while SP 800-16 addresses a more tactical level, describing
    an approach to role-based IT security training.
    
    The agency IT security program policy should contain a clear and
    distinct section devoted to agencywide requirements for the awareness
    and training program. Topics documented within the awareness and
    training program policy should include roles and responsibilities,
    development of program strategy and a program plan, implementation of
    the program plan, and maintenance of the awareness and training
    program.
    
    Components: Awareness, Training, Education, and Certification
    
    A successful IT security program consists of:
    
    * developing IT security policy that reflects business 
      needs tempered by known risks;
    
    * informing users of their IT security responsibilities 
      (through awareness and training), as documented in agency 
      security policy and procedures; and
    
    * establishing processes for monitoring, reviewing, and 
      updating the program.
    
    An awareness and training program is crucial, in that it is the
    vehicle for disseminating information that users, including managers,
    need in order to do their jobs. In the case of an IT security program,
    it is the vehicle to be used to communicate security requirements
    across the enterprise.
    
    An effective IT security awareness and training program explains
    proper rules of behavior for the use of agency IT systems and
    information. The program communicates IT security policies and
    procedures that need to be followed.  This must precede and lay the
    basis for any sanctions imposed due to noncompliance. Through
    awareness and training, users first should be informed of the
    expectations. Accountability must be derived from a fully informed,
    well-trained, and aware workforce.
    
    Awareness: Security awareness efforts are designed to change behavior
    or reinforce good security practices.  Awareness is not training. The
    purpose of awareness presentations is simply to focus attention on
    security.  Awareness presentations are intended to allow individuals
    to recognize IT security concerns and respond accordingly.  Awareness
    relies on reaching broad audiences with attractive packaging
    techniques. Training is more formal, having a goal of building
    knowledge and skills to facilitate the job performance.
    
    Training: Training strives to produce relevant and needed security
    skills and competencies. The most significant difference between
    training and awareness is that training seeks to teach skills that
    allow a person to perform a specific function, while awareness seeks
    to focus an individual's attention on an issue or set of issues.
    
    Education: Education integrates all of the security skills and
    competencies of the various functional specialties into a common body
    of knowledge, adds a multidisciplinary study of concepts, issues, and
    principles (technological and social), and strives to produce IT
    security specialists and professionals capable of vision and proactive
    response.
    
    Certification: Professional development is intended to ensure that
    users, from beginner to the career security professional, possess a
    required level of knowledge and competence necessary for their roles.
    Professional development validates skills through certification. Such
    development and successful certification can be termed
    "professionalization." The preparatory work to testing for such a
    certification normally includes study of a prescribed body of
    knowledge or technical curriculum, and may be supplemented by
    on-the-job experience.
    
    The movement toward professionalization within the IT security field
    can be seen among IT security officers, IT security auditors, IT
    contractors, and system/network administrators and is evolving. There
    are two types of certification: general and technical. The general
    certification focuses on establishing a foundation of knowledge on the
    many aspects of the IT security profession. The technical
    certification focuses primarily on the technical security issues
    related to specific platforms, operating systems, vendor products,
    etc.
    
    Some agencies and organizations focus on IT security professionals
    with certifications as part of their recruitment efforts. Other
    organizations offer pay raises and bonuses to retain employees with
    certifications and encourage others in the IT security field to seek
    certification.
    
    Designing, Developing, and Implementing an Awareness and Training
    Program The development of an IT security awareness and training
    program involves three major steps: 
    
    * designing the program (including the development of the IT security 
      awareness and training program plan), 
    
    * developing the awareness and training material, and 
    
    * implementing the program.
    
    Even a small amount of IT security awareness and training can go a
    long way toward improving the IT security posture of, and vigilance
    within, an organization.
    
    Designing: Awareness and training programs must be designed with the
    organization mission in mind. The awareness and training program must
    support the business needs of the organization and be relevant to the
    organization's culture and IT architecture. The most successful
    programs are those that users feel are relevant to the subject matter
    and issues presented.
    
    Designing an IT security awareness and training program answers the
    question "What is our plan for developing and implementing awareness
    and training opportunities that are compliant with existing
    directives?" In the design step of the program, the agency's awareness
    and training needs are identified, an effective agencywide awareness
    and training plan is developed, organizational buy-in is sought and
    secured, and priorities are established.
    
    Developing: Once the awareness and training program has been designed,
    supporting material can be developed.  Material should be developed
    with the following in mind:
    
    * "What behavior do we want to reinforce?" (awareness); and
    
    * "What skill or skills do we want the audience to learn and apply?"
      (training).
    
    In both cases, the focus should be on specific material that the
    participants should integrate into their jobs.  Attendees will pay
    attention and incorporate what they see or hear in a session if they
    feel that the material was developed specifically for them. Any
    presentation that feels canned - impersonal and so general as to apply
    to any audience - will be filed away as just another of the annual
    "we're here because we have to be here" sessions. An awareness and
    training program can be effective, however, if the material is
    interesting and current.
    
    The awareness audience must include all users in an organization.
    Users may include employees, contractors, foreign or domestic guest
    researchers, other agency personnel, visitors, guests, and other
    collaborators or associates requiring access. The message to be spread
    through an awareness program, or campaign, should make all individuals
    aware of their commonly shared IT security responsibilities. On the
    other hand, the message in a training class is directed at a specific
    audience. The message in training material should include everything
    related to security that attendees need to know in order to perform
    their jobs. Training material is usually far more in-depth than
    material used in an awareness session or campaign.
    
    Implementing: An IT security awareness and training program should be
    implemented only after a needs assessment has been conducted, a
    strategy has been developed, an awareness and training program plan
    for implementing that strategy has been completed, and awareness and
    training material has been developed.
    
    The program's implementation must be fully explained to the
    organization to achieve support for its implementation and commitment
    of necessary resources. This explanation includes expectations of
    agency management and staff support, as well as expected results of
    the program and benefits to the organization. Funding issues must also
    be addressed. For example, agency managers must know if the cost to
    implement the awareness and training program will be totally funded by
    the Chief Information Officer (CIO) or IT security program budget, or
    if their budgets will be impacted to cover their share of the expense
    of implementing the program. It is essential that everyone involved in
    the implementation of the program understand their roles and
    responsibilities. In addition, schedules and completion requirements
    must be communicated.
    
    Once the plan for implementing the awareness and training program has
    been explained to (and accepted by) agency management, the
    implementation can begin. A number of ways exist for awareness and
    training material to be presented and disseminated throughout an
    organization. Agencies should tailor their implementation to the size,
    organization, and complexity of their enterprise. See NIST SP 800-50,
    Section 5, for techniques for delivering awareness and training
    material.
    
    Post-Implementation
    An organization's IT security awareness and training program can
    quickly become obsolete if sufficient attention is not paid to
    technology advancements, IT infrastructure and organizational changes,
    and shifts in organizational mission and priorities. CIOs and IT
    security program managers need to be cognizant of this potential
    problem and incorporate mechanisms into their strategy to ensure the
    program continues to be relevant and compliant with overall
    objectives. Continuous improvement should always be the theme for
    security awareness and training initiatives, as this is one area where
    "you can never do enough."
    
    Monitoring Compliance: Once the program has been implemented,
    processes must be put in place to monitor compliance and
    effectiveness. An automated tracking system should be designed to
    capture key information regarding program activity (e.g., courses,
    dates, audience, costs, sources). The tracking system should capture
    this data at an agency level, so that it can be used to provide
    enterprisewide analysis and reporting regarding awareness, training,
    and education initiatives.
    
    Tracking compliance involves assessing the status of the program as
    indicated by the database information and mapping it to standards
    established by the agency. Reports can be generated and used to
    identify gaps or problems.  Corrective action and necessary follow-up
    can then be taken. This may take the form of formal reminders to
    management; additional awareness, training, or education offerings;
    and/or the establishment of a corrective plan with scheduled
    completion dates.
    
    Evaluation and Feedback: Formal evaluation and feedback mechanisms are
    critical components of any security awareness, training, and education
    program. Continuous improvement cannot occur without a good sense of
    how the existing program is working. In addition, the feedback
    mechanism must be designed to address objectives initially established
    for the program. Once the baseline requirements have been solidified,
    a feedback strategy can be designed and implemented. Various
    evaluation and feedback mechanisms that can be used to update the
    awareness and training program plan include surveys, evaluation forms,
    independent observation, status reports, interviews, focus groups,
    technology shifts, and benchmarking.
    
    A feedback strategy needs to incorporate elements that will address
    quality, scope, deployment method (e.g., web-based, onsite, offsite),
    level of difficulty, ease of use, duration of session, relevancy,
    currency, and suggestions for modification.
    
    Managing Change: It will be necessary to ensure that the program, as
    structured, continues to be updated as new technology and associated
    security issues emerge. Training needs will shift as new skills and
    capabilities become necessary to respond to new architectural and
    technology changes. A change in the organizational mission and/or
    objectives can also influence ideas regarding how best to design
    training venues and content. Emerging issues, such as homeland
    defense, will also impact the nature and extent of security awareness
    activities necessary to keep users informed/educated about the latest
    exploits and countermeasures. New laws and court decisions may also
    impact agency policy that, in turn, may affect the development and/or
    implementation of awareness and training material. Finally, as
    security directives change or are updated, awareness and training
    material should reflect these changes.
    
    Program Success Indicators: CIOs, program officials, and IT security
    program managers should be primary advocates for continuous
    improvement and for supporting an agency's security awareness,
    training, and education program. It is critical that everyone be
    capable and willing to carry out their assigned security roles in the
    organization. In security, the phrase, only as strong as the weakest
    link, is true. Securing an organization's information and
    infrastructure is a team effort. Listed below are some key indicators
    to gauge the support for, and acceptance of, the program.
    
    * Sufficient funding to implement the agreed-upon strategy.
    
    * Appropriate organizational placement to enable those with key
    responsibilities (CIO, program officials, and IT security program
    manager) to effectively implement the strategy.
    
    * Support for broad distribution (e.g., web, e-mail, TV)  and posting
    of security awareness items.
    
    * Executive/senior-level messages to staff regarding security (e.g.,
    staff meetings, broadcasts to all users by agency head).
    
    * Use of metrics (e.g., to indicate a decline in security incidents or
    violations, indicate that the gap between existing awareness and
    training coverage and identified needs is shrinking, the percentage of
    users being exposed to awareness material is increasing, the
    percentage of users with significant security responsibilities being
    appropriately trained is increasing).
    
    * Managers do not use their status in the organization to avoid
      security controls that are consistently adhered to by the rank and
      file.
    
    * Level of attendance at mandatory security forums/briefings.
    
    * Recognition of security contributions (e.g., awards, contests).
    
    * Motivation demonstrated by those playing key roles in
      managing/coordinating the security program.
    
    Conclusion
    Government and industry organizations must protect the
    confidentiality, integrity, and availability of information in today's
    highly networked systems environment. A robust IT security awareness
    and training program, as part of the overall IT security program,
    gives users the needed tools and information to protect an agency's
    vital information resources. Addressing the people factor is key to
    ensuring an adequate and appropriate level of IT security within an
    organization, large or small. We invite you to visit our Computer
    Security Resource Center at http://csrc.nist.gov for more information
    on a wide range of IT security topics.
    
    Disclaimer
    Any mention of commercial products or reference to commercial
    organizations is for information only; it does not imply
    recommendation or endorsement by NIST nor does it imply that the
    products mentioned are necessarily the best available for the purpose.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Oct 17 2003 - 04:30:33 PDT