Element comparison: Tip of the Day vs. Awareness Course

Ease of Use

Navigation
  Tip of the Day: No navigation is required. Optional navigation is intuitive.
  Awareness Course: Navigation is intuitive and clearly marked.

Readability
  Tip of the Day: Limited number of words, good use of graphics, actionable content.
  Awareness Course: Vocabulary and syntax tested for clarity for worldwide users. Interaction required. Help screens clearly explain the process.

Speed/Interaction
  Tip of the Day: Operates worldwide, in 80 of the poorest countries, with adequate performance.
  Awareness Course: Operates worldwide to 250 locations. Low-bandwidth areas occasionally experience slow response times. Course designed to support low-bandwidth customers.

Registration
  Tip of the Day: Automatic with initial logon to the network.
  Awareness Course: Cyber course registration looks to Department HR data supplied. Needed for all known users.

Completeness

Content
  Tip of the Day: NIST 800-53 categories covered. Flexible updates. Content subject matter experts are information security professionals.
  Awareness Course: NIST 800-53 categories covered. NIST 800-50 compliant. Flexible updates. Content subject matter experts are information security professionals.

Adaptation
  Tip of the Day: 24-hour turnaround. Frequency negotiable.
  Awareness Course: Annual review/updates. Emergency content changes are made quickly (time determined by the nature and scope of the change). Course design supports customer add-ins/add-ons. Registration system can be modified to customer requirements. SLA-dependent.

Management

Reports
  Tip of the Day: Administrators can view continuous progress. Users can view and review test history/questions.
  Awareness Course: Preset reports. Ad hoc report creation by ISSOs and system administrators. Export to Excel option. Users can view, print, and e-mail the completion certificate.

Notification
  Tip of the Day: Tasks can be configured to notify users when they miss a question (or not).
  Awareness Course: System provides several automatic notifications to the user a month before his/her certification expires.
Technical Environment

Model Area comparison: Tip of the Day Components vs. Awareness Course Components

Access Channels
  Tip of the Day: User: IE web browser, HTML v3. Administrator: Citrix client and IE web browser.
  Awareness Course: IE web browser, HTML v3.

Delivery Channels
  Tip of the Day: User authentication is automatic via the operating system; application integration and access via standard IE. Admin authentication by RSA two-factor methods, with remote access via Citrix/IE.
  Awareness Course: Application integration and access via standard IE. Authentication based on role.

Service Transport
  Tip of the Day: HTTP or HTTPS (SSL or TLS). SMTP used for user feedback and remote error logging.
  Awareness Course: HTTP or HTTPS (SSL). SMTP used for user feedback.

Database Storage
  Tip of the Day: SQL Server and/or Oracle 10g.
  Awareness Course: SQL Server.

Delivery Servers
  Tip of the Day: IIS and Oracle Application Server; Windows platforms.
  Awareness Course: IIS and SQL Server application server; Windows platforms.

Hardware/Infrastructure
  Tip of the Day: Mature configurations designed to promote security, which are regularly scanned for vulnerabilities (then graded and remediated).
  Awareness Course: Configurations based upon Diplomatic Security guidelines, which are regularly scanned for vulnerabilities (then graded and remediated).

SW Engineering
  Tip of the Day: Mature processes with ample testing, configuration management, and project management.
  Awareness Course: Design and development processes based upon the latest web development technology and project management principles.

SW Architectures
  Tip of the Day: Mature, simple, industry-standard platform architectures.
  Awareness Course: Industry-standard platform architecture.

Business Logic
  Tip of the Day: The business logic layer is maintained in the software between the database and the presentation layers. (The database is also used to check referential integrity and other important constraints.)
  Awareness Course: The business logic layer is maintained in the software between the database and the presentation layers.

Data Interchange
  Both mechanisms: Data interchange between the presentation layer and the database is managed by structured software between the business model and the database.

Data Administration
  Both mechanisms: The data model is well normalized and uses standard naming conventions.

Presentation/Interface
  Both mechanisms: The presentation layer is provided via Internet Explorer. Standard methods are used to generate the HTML pages; these include ASP and JSP pages.

Integration
  Tip of the Day: Planned use of information broker technology to provide an SOA interface with feeder systems of data about users in customer agencies. The team has successfully used this technology to integrate custom budgeting systems with Agency COTS funds control systems. Downloads to standard tools (such as Excel) are available using COTS components.
  Awareness Course: System is designed to be easily integrated with other sources of data and other applications (currently integrates with Department training corporate systems).

Interoperability
  Tip of the Day: Proposed SOA will provide this capability, as needed.
  Awareness Course: Downloads to standard tools (such as Excel) are available using COTS components.


Security comparison: Tip of the Day vs. Awareness Course

Privacy
  Tip of the Day: No PII required; only UII (agency, domain, account, results). Minimal optional PII data: organization, name, addresses, admin roles.
  Awareness Course: PII used, protected by SSL and by controlled access to the database and data. EHRI data has to be collected on all training.

Authentication
  Tip of the Day: User: obtained from the network operating system. Admin: two-factor (password and RSA token).
  Awareness Course: User is verified against HR data, where applicable. ISSOs require a logon ID issued by the Information Assurance Office. Admins require a logon ID issued by the FSI Corporate Software Division. Verification is against the STMS database first, then Cyber (for contractors).

Confidentiality
  Tip of the Day: Data protected by a securely configured Oracle DB behind a secure firewall. Roles and separation of duties further protect confidentiality. Organizational roles limit the scope of data visible to managers.
  Awareness Course: Firewall and secure MS SQL Server DB; data access restricted by role. SSL-secured SQL DB. ISSOs have limited access granted by IA. Roles: User, ISSOs, System Administrator, IA Office.

Integrity
  Tip of the Day: Only the executable code has the ability to write results. Results are not modifiable.
  Awareness Course: Users can modify some of their own personal data (but not SSN, DOB, or name); ISSOs have read-only access. Exam results are not modifiable. SSNs are not displayed.

Availability
  Tip of the Day: System has a high availability rate (>97.5% and increasing).
  Awareness Course: Availability is 92%.
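The Integrity and Confidentiality rows above describe a privilege design: application code is the only writer of exam results, results are never updated, users may change some of their own personal fields but not SSN, DOB or name, ISSOs are read-only, and SSNs are not displayed. The T-SQL below is an added illustration of how those controls can be enforced in SQL Server permissions rather than only in application code. It is not code from FSI or from either system; the table, column, and role names (dbo.Users, dbo.ExamResults, app_writer, course_user, isso_reader, ia_office) are assumed.

```sql
-- Added illustration (not FSI's or either system's own code): enforcing the
-- Integrity and Confidentiality rows above with SQL Server permissions.
-- All object, column, and role names below are assumed.

CREATE TABLE dbo.Users (
    UserId    INT IDENTITY PRIMARY KEY,
    LoginId   NVARCHAR(64)  NOT NULL UNIQUE,
    FullName  NVARCHAR(128) NOT NULL,
    SSN       CHAR(9)       NOT NULL,
    DOB       DATE          NOT NULL,
    Phone     NVARCHAR(32)  NULL,
    Address   NVARCHAR(256) NULL
);

CREATE TABLE dbo.ExamResults (
    ResultId    INT IDENTITY PRIMARY KEY,
    UserId      INT NOT NULL REFERENCES dbo.Users(UserId),
    Score       TINYINT NOT NULL CHECK (Score BETWEEN 0 AND 100),
    CompletedAt DATETIME2 NOT NULL DEFAULT SYSUTCDATETIME()
);

-- One role per access tier listed under Confidentiality (assumed names).
CREATE ROLE app_writer;    -- the identity the application code connects as
CREATE ROLE course_user;
CREATE ROLE isso_reader;
CREATE ROLE ia_office;

-- Integrity: only the application writes results, and results are append-only.
GRANT INSERT, SELECT          ON dbo.ExamResults TO app_writer;
DENY  UPDATE, DELETE          ON dbo.ExamResults TO app_writer;
DENY  INSERT, UPDATE, DELETE  ON dbo.ExamResults TO course_user, isso_reader, ia_office;

-- Integrity: users may change contact fields but never SSN, DOB, or name.
-- Column-level GRANT/DENY expresses this without any application logic.
GRANT UPDATE (Phone, Address)      ON dbo.Users TO course_user;
DENY  UPDATE (SSN, DOB, FullName)  ON dbo.Users TO course_user;

-- Confidentiality: SSNs do not show. Readers may select every column except SSN;
-- the explicit DENY makes SELECT * fail rather than silently expose the column.
GRANT SELECT (UserId, LoginId, FullName, DOB, Phone, Address)
      ON dbo.Users TO course_user, isso_reader, ia_office;
DENY  SELECT (SSN) ON dbo.Users TO course_user, isso_reader, ia_office;

-- ISSOs and the IA Office get read-only access to results.
GRANT SELECT ON dbo.ExamResults TO isso_reader, ia_office;

-- Sanity check after deployment (run as a member of course_user): the first
-- statement succeeds, the second fails with a permission error.
-- UPDATE dbo.Users SET Phone = N'555-0100' WHERE UserId = 1;
-- UPDATE dbo.Users SET SSN   = '000000000' WHERE UserId = 1;
```

Two caveats for anyone adopting this pattern. Object permissions say nothing about "their own" row: a course_user could update any row's Phone, so restricting edits to the caller's own record still has to come from the application's WHERE clause or from SQL Server row-level security. And because results are append-only, corrections to a wrongly recorded score must be modelled as a new row (or a separate, audited correction table), not as an UPDATE by a privileged account, or the "not modifiable" property is lost.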


NIST 800-50 comparison: Tip of the Day vs. Awareness Course

Linkage
  Both mechanisms: Generic training content is compliant with directions from Congress and oversight groups like NIST, required to protect both individual privacy and the government's deliberative and procurement processes. The training media offered are flexible enough to adapt content to the mission-specific needs of each customer agency.

Needs Assessment
  Tip of the Day: Both the Awareness Course and the Daily Reminders delivery mechanisms have built-in surveys and feedback mechanisms to collect survey information and unstructured comments from users of the training. The daily reminders allow content managers to rapidly issue new content when current events or other needs assessment activities make a new need apparent.
  Awareness Course: Subject matter experts (SMEs) for the course are staff of both the Information Assurance and Computer Security Offices, who keep current with best practices. Instructional Systems Designers (ISDs) keep the course to best instructional practices. User surveys are offered each time the exam is completed. ISSOs are polled by the IA organization.

Policy Integration
  Both mechanisms: Content is closely tied to Federal policy, as outlined in the presentation, and is flexible enough to allow easy addition of content to address customer-specific policies.

Learning Objectives
  Tip of the Day: Content is clearly tied to behavioral learning objectives, which tie to specific behaviors that each Tier I training recipient should follow.
  Awareness Course: Content is clearly tied to behavioral learning objectives, which tie to specific behaviors that each Tier I training recipient should follow. Instructional Systems Designers (ISDs) ensure that course learning objectives are presented to the user, are addressed in the course content, and are addressed in the exam.

Degree of Fit
  Tip of the Day: The existing generic content meets the basic NIST requirements, and can easily be adapted to meet DoD and IC requirements.
  Awareness Course: Learning objectives for the course focus on NIST awareness topics; the exam confirms that the user has an acceptable level of awareness.
Metrics
  Tip of the Day: Automated metrics measure levels of awareness at the individual and organizational level, and the quality of content at the item, category, and user-role levels. Reviews of course material by subject matter experts measure the completeness and accuracy of content. Daily metrics can be used to identify awareness gaps, trends, and the level of overall success.
  Awareness Course: Automated metrics measure levels of awareness at the individual and organizational level, and the quality of content at the item, category, and user-role levels. Reviews of course material by subject matter experts measure the completeness and accuracy of content. Exam results can be used to map long-term trends and to identify areas of less than acceptable understanding.

Feedback
  Both mechanisms: Provide for configuration by end users, as well as ample configuration by organizational customers. Both provide mechanisms for collecting customer feedback and using that feedback to assess overall course quality (as well as item-level quality).
  Tip of the Day: Content can be reconfigured on a real-time basis in response to incidents, policy changes, or user comments.
  Awareness Course: 30,000 users have completed end-of-course surveys; 7,000 have offered additional suggestions and comments. These are reviewed and incorporated where suitable in the annual content review.

Scalability
  Tip of the Day: Standard web server and DBMS components that are highly scalable.
  Awareness Course: Based on web architecture and industry-standard ASP and MS SQL Server, the registration system is easily expandable.

Communication Materials
  Both mechanisms: User- and organizational-level promotional materials, user's manuals, configuration guides, and outlines for projects to roll out the use of the mechanisms in a new organization.
  Tip of the Day: We would be happy to present these details on request.
  Awareness Course: As an authorized OPM e-Training Service Provider as well as a long-standing marketer of classroom training to other federal agencies, FSI has existing avenues and processes for successful marketing of the JSAS package.

				
Posted: 11/29/2011