PowerPoint Presentation - Computer Security Resource Center - NIST


Writing a Strategic Security Training Plan

FISSEA Target Training in 2005
March 22, 2005
Marirose Coulson

This document is proprietary and is intended solely for classroom use.

- Security environment
- Security programs
- Strategic security training plans
- Technical writing

FISSEA Target Training 2005                                         1
The greatest security risks to an agency frequently come from the action, inaction, or inadvertent mistakes of people

- Motivated internal threat agents pose the greatest risk due to their access
- External threats pose a risk to vulnerable systems and gaps in network security coverage
- Personnel with significant security responsibilities are lacking high level skills and up to date

It is estimated that 99% of all reported intrusions result through exploitation of known vulnerabilities or configuration errors, for which safeguards and countermeasures were available.

    - National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Rev A, Risk Management Guide for Information Technology Systems

Security skills of all employees need to be continuously upgraded to reflect changes

- Compliance and legislation
- Policies and procedures
- Mission
- Security goals
- Capital planning, budget, and resources
- Threats and vulnerabilities
- Bodies of knowledge
- Hardware and software

Security is not a one-size-fits-all role; every level has security responsibilities

- Senior executives
- System owners and program managers
- Certification and accreditation agents or authorization authorities
- Information technology staff
- Security compliance personnel (Information System Security Officers and Managers)
- System users

Security training is an effective countermeasure and a critical factor for implementing security programs

- Contributes to a skilled and knowledgeable security workforce able to perform security tasks
- Establishes or reinforces competency expectations for various roles and responsibilities
- Supports departmental functions, policies, and funding
- Promotes professional development, education, and certification
- Helps ensure compliance and reduce material weakness in information security program’s processes and procedures
- Identifies skill gaps and reinforces other continuous improvement or quality control efforts
- Aids in communicating cultural change initiatives
- Often viewed as a benefit or as part of an overall incentive package to reward, attract, and retain qualified personnel

Strategic training plans provide an opportunity to connect training to mission and present structured learning experiences for the entire organization

- Core body of knowledge (CBK) in key areas such as policy, threats, network security, and compliance
- Management training to include security controls, writing system security plans, system life cycle (SLC), certification and authorization/accreditation (C&A), critical infrastructure protection (CIP), and risk management
- Operational training to include security fundamentals, contingency planning, end user awareness, incident response, and configuration management (CM)
- Technical training to include system administrator training, network concepts, firewall best practices, encryption options, remote connection methods, wireless devices, auditing TCP/IP networks, network intrusion fundamentals, vulnerability assessment, and hacking

Training plans should include learning solutions that are customized to fit agency policy and procedure, specific audiences, and delivery formats

- Generic or agency-specific content
- Role-based
- Instructor-led classroom, web-based, video, distance learning
- Duration flexibility (hours, half day, full day, multiple days)
- Various levels of interactivity (e.g., lecture, hands-on exercises)

Cross-collaboration is needed to implement a training plan

- Collaborate and develop creative solutions to help solve security workforce challenges
- Leverage existing courses, contracts, and subject-
- Create security focused “working groups”
- Select robust courses that support overall security efforts to ensure confidentiality, integrity, and availability of information and information systems
- Communicate in a variety of forums
- A coordinated awareness program combined with security training can effectively change individual and organization perceptions about the relevance of security and the consequences of security

Trained employees are your best defense!

Benefits for the educator (or writer) of the strategic training plan

- Identifies critical elements of the overall security training, education, and awareness program
- Allows alignment of training goals with organization mission
- Provides the opportunity to collaborate with other departments in requesting information or assessing needs
- Outlines budget requirements and resources
- Solidifies next steps by having a plan in
- Serves as a precursor to an implementation plan (what and when)

An Approach for Writing a Strategic Training Plan

1. Consider the big picture and scope: who needs what, when, how, for how much (dollars and level of effort), and most importantly, WHY? What is the “value-add”?
2. Determine your overall training, education, and awareness strategy
3. Choose the format that is the appropriate style for your audience
   - NIST Template
   - other models
4. Structure the content
   - Align with mission and goals
   - Integrate with IT/IS policy
   - Factor in budget and resource constraints
   - Consider infrastructure
   - Consider culture

NIST SP 800-50 Building an IT Security Awareness and Training Program – Appendix C Template, Sections I - V

I EXECUTIVE SUMMARY

II BACKGROUND
- FISMA, OMB A-130, Appendix III, OPM 5 CFR 930
- Specific department and/or agency policy (and other relevant information or rationale that may drive an awareness and training program and plan)

III AGENCY IT SECURITY POLICY
- Goals, Objectives, Roles/Responsibilities

IV AWARENESS
- Audience (management and all employees), Activities and target dates, Schedule, Review and updating of materials and methods

V TRAINING/EDUCATION
- Role 1: Executives and Managers: Learning Objectives, Focus Areas, Methods/Activities, Schedule, Evaluation Criteria
- Role 2: IT security staff: Learning Objectives, Focus Areas, Methods/Activities, Schedule, Evaluation Criteria
- Role 3: System/Network Administrators
- Role 4: Remaining roles with significant IT security responsibilities

The NIST Appendix C Template, Sections VI and VII

- Role 1: IT Security Staff: Learning Objectives, Focus Areas, Methods/Activities, Schedule, Evaluation Criteria
- Role 2: System/Network Administrators: Learning Objectives, Focus Areas, Methods/Activities, Schedule, Evaluation Criteria
- Role 3: Remaining roles with significant IT security

- Staffing $ xxx
- Contracting Support $ xxx
- Facilities (e.g., training rooms, teleconferencing facility) $ xxx
- Media (e.g., server(s) for web- and computer-based material) $ xxx

Alternative sample outline for a strategic training plan

I. Introduction
II. Background: A. Security Laws and Regulations, B. Agency Policy Guidelines, C. Baseline or POA&M
III. Purpose and Scope: A. Agency Mission, B. Agency Vision, C. Bureau or Office Framework and Strategy
IV. Responsibilities: A. CIO, B. Bureau or Office, C. Field Offices, D. DAA/CA, ISSM, ISSO/ISSC, System/Database Administrators, IT Personnel
V. Training Approach
   A. Program Requirements (Goals, Objectives, Action Steps/Performance Measure, Standards)
   B. Security Course Structure and Curriculum
   C. Skills Inventory/Gap Analysis
   D. Training to Support Competencies Identified
   E. Technology, Delivery, Tracking Mechanisms
   F. Feedback and Assessment Strategy
VI. Training Resources: A. Course Administration, B. Resources and Facilities, C. Schedules, D. Future Training
VII. Education Programs/Certifications/Partnerships

Use simple writing techniques to make the process easier and more efficient

“The biggest challenge is to produce writing, no software does it.”

    - EEI (Editorial Experts Inc.)

Three Easy Steps to Effective Technical Writing

1. Start (today!)
2. Edit
3. Proofread

Get Started!

- Do a small piece
- Write a detailed outline
- Write easier parts first
- Avoid editing as you write
- Reread or reconsider
- Talk it out

Tips for Easier Editing

- Know what you’re looking for
- Mark first, then fix
- Do several reviews
- Read a paper copy
- Avoid rushing
- Take breaks
- Use references

Proofreading: Look for Errors

- Content
- Repeated words
- Verb tense
- Punctuation
- Subject-verb agreement
- Format, style, parallel structure
- What’s left?

Technical Writing Summary

1. Start (today!)
2. Edit
3. Proofread

Writing a Strategic Training Plan - Session Summary

- Security environment
- Security programs
- Strategic security training plans
- Technical writing

IT Security is about people, processes, and technology

Writing a Strategic Security Training Plan

FISSEA Target Training 2005
March 22, 2005
Marirose Coulson
w 703-289-5282
