The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce. The Institute develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry. For example, one of NIST's roles is to develop guidelines on how organizations can align with the Federal Information Security Management Act (FISMA). The FISMA guidelines can be applied to almost any organization in both the public and private sectors. NIST's guidance can also help organizations align with other compliance frameworks such as HIPAA, SOX, ITAR, and more. NIST provides guidance documents and recommendations through its Special Publications (SP) 800-series. Federal agencies must comply with NIST guidance, unless they are national security programs and systems. In this post, we are going to review one of the most important SP 800-series documents: SP 800-50.
The title of this document is: Building an Information Technology Security Awareness and Training Program. It was published in October 2003, and the PDF version consists of 70 pages and six chapters. These chapters are:
- Chapter 1: Introduction
- Chapter 2: Components: Awareness, Training, And Education
- Chapter 3: Designing an Awareness and Training Program
- Chapter 4: Developing Awareness and Training Material
- Chapter 5: Implementing the Awareness and Training Program
- Chapter 6: Post-Implementation
In fact, the document identifies the four critical steps in the life cycle of an IT security awareness and training program:
- Awareness and training program design
- Awareness and training material development
- Program implementation
- Post-implementation
This article is a summary of the document published on the nist.gov website.
For more information please refer to nist.gov.
Introduction
Federal agencies and organizations cannot protect the confidentiality, integrity, and availability of information in today's highly networked systems environment without ensuring that all people involved in using and managing IT:
- Understand their roles and responsibilities related to the organizational mission
- Understand the organization’s IT security policy, procedures, and practices
- Have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible.
In other words, people are one of the weakest links in attempts to secure systems and networks. So, a robust and enterprise-wide awareness and training program is paramount to ensuring that people understand their IT security responsibilities and organizational policies.
This chapter has five sections:
1- Purpose: This document provides guidelines for building and maintaining a comprehensive awareness and training program, and it also describes how to: (1) Select awareness and training topics, (2) Find sources of awareness and training material, (3) Implement awareness and training material, using a variety of methods, (4) Evaluate the effectiveness of the program, and (5) Update and improve the focus as technology and organizational priorities change.
2- Audience: The audience for this guidance includes, but is not limited to: the CIO, the IT security program manager and staff, managers and their contractors, and agency training coordinators.
3- Scope: The scope of this guideline covers awareness and training needs of all users of an organization’s IT, from employees to supervisors and functional managers, to executive-level managers. The guideline also discusses professional development (i.e., professionalization) and certification issues. The document is a companion publication to NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model. The two publications are complementary.
4- Policy: Within the agency IT security program policy, there should be a clear and distinct section devoted to agency-wide requirements for the awareness and training program. Topics documented within the awareness and training program policy should include roles and responsibilities, development of program strategy and a program plan, implementation of the program plan, and maintenance of the awareness and training program.
5- Roles and Responsibilities: This section identifies and describes those within an organization that have responsibility for IT security awareness and training. One way to help ensure that a program matures is to develop and document IT security awareness and training responsibilities for those key positions upon which the success of the program depends.
Agency heads must ensure that high priority is given to effective security awareness and training for the workforce. This includes implementation of a viable IT security program with a strong awareness and training component. Agency heads should:
- Designate a CIO
- Assign responsibility for IT security
- Ensure that an agency-wide IT security program is implemented, is well-supported by resources and budget, and is effective
- Ensure that the agency has enough sufficiently trained personnel to protect its IT resources.
Chief Information Officers (CIOs) are tasked by FISMA to administer training and oversee personnel with significant responsibilities for information security. CIOs should work with the agency IT security program manager to:
- Establish overall strategy for the IT security awareness and training program
- Ensure that the agency head, senior managers, system and data owners, and others understand the concepts and strategy of the security awareness and training program, and are informed of the progress of the program’s implementation
- Ensure that the agency’s IT security awareness and training program is funded
- Ensure the training of agency personnel with significant security responsibilities
- Ensure that all users are sufficiently trained in their security responsibilities
- Ensure that effective tracking and reporting mechanisms are in place.
The IT security program manager has tactical-level responsibility for the awareness and training program. In this role, the program manager should:
- Ensure that awareness and training material developed is appropriate and timely for the intended audiences
- Ensure that awareness and training material is effectively deployed to reach the intended audience
- Ensure that users and managers have an effective way to provide feedback on the awareness and training material and its presentation
- Ensure that awareness and training material is reviewed periodically and updated when necessary
- Assist in establishing a tracking and reporting strategy
Managers are responsible for complying with the awareness and training requirements established for their users. Managers should:
- Work with the CIO and IT security program manager to meet shared responsibilities
- Serve in the role of system owner and/or data owner, where applicable
- Consider developing individual development plans (IDPs) for users in roles with significant security responsibilities
- Promote the professional development and certification of the IT security program staff, full-time or part-time security officers, and others with significant security responsibilities
- Ensure that all users (including contractors) of their systems (i.e., general support systems and major applications) are appropriately trained in how to fulfill their security responsibilities before allowing them access
- Ensure that users (including contractors) understand specific rules of each system and application they use
- Work to reduce errors and omissions by users due to lack of awareness and/or training
Users may include employees, contractors, foreign or domestic guest researchers, other agency personnel, visitors, guests, and other collaborators or associates requiring access. Users must:
- Understand and comply with agency security policies and procedures
- Be appropriately trained in the rules of behavior for the systems and applications to which they have access
- Work with management to meet training needs
- Keep software/applications updated with security patches
- Be aware of actions they can take to better protect their agency’s information. These actions include, but are not limited to: proper password usage, data backup, proper antivirus protection, reporting any suspected incidents or violations of security policy, and following rules established to avoid social engineering attacks and rules to deter the spread of spam or viruses and worms
Components: Awareness, Training, Education
A successful IT security program consists of:
- Developing IT security policy that reflects business needs tempered by known risks
- Informing users of their IT security responsibilities, as documented in agency security policy and procedures
- Establishing processes for monitoring and reviewing the program.
This chapter describes the relationship between awareness, training, and education, i.e. the awareness-training-education continuum. This chapter includes five sections:
1- The Continuum: Learning is a continuum; it starts with awareness, builds to training, and evolves into education.
2- Awareness: An example of a topic for an awareness session is virus protection. The subject can simply and briefly be addressed by describing what a virus is, what can happen if a virus infects a user's system, what the user should do to protect the system, and what the user should do if a virus is discovered.
3- Training: Training strives to produce relevant and needed security skills and competencies. An example of training is an IT security course for system administrators, which should address in detail the management controls (policy, IT security program management, risk management, and life-cycle security), operational controls (personnel and user issues, contingency planning, incident handling, awareness and training, computer support and operations, and physical and environmental security issues), and technical controls (identification and authentication, logical access controls, audit trails, and cryptography) that should be implemented.
4- Education: An example of education is a degree program at a college or university. Some people take a course or several courses to develop or enhance their skills in a particular discipline. This is training as opposed to education. Many colleges and universities offer certificate programs. Often, these certificate programs are conducted as a joint effort between schools and software or hardware vendors. These programs are more characteristic of training than education. Those responsible for security training need to assess both types of programs and decide which one better addresses identified needs.
5- Professional Development: This process validates skills through certification. Such development and successful certification can be termed "professionalization." There are two types of certification: general and technical. The general certification focuses on establishing a foundation of knowledge on the many aspects of the IT security profession. The technical certification focuses primarily on the technical security issues related to specific platforms, operating systems, vendor products, etc.
Designing an Awareness and Training Program
There are three major steps in the development of an IT security awareness and training program:
- Designing the program
- Developing the awareness and training material
- Implementing the program.
Awareness and training programs must be designed with the organization's mission in mind. It is important that the awareness and training program support the business needs of the organization and be relevant to the organization's culture and IT architecture.
This chapter includes six sections:
1- Structuring an Agency Awareness and Training Program: An awareness and training program may be designed, developed, and implemented in many different ways. Three common approaches or models are described below:
- Model 1: Centralized policy, strategy, and implementation. In this model, responsibility and budget for the entire organization’s IT security awareness and training program is given to a central authority. All directives, strategy development, planning, and scheduling is coordinated through this “security awareness and training” authority.
- Model 2: Centralized policy and strategy, distributed implementation. In this model, security awareness and training policy and strategy are defined by a central authority, but implementation is delegated to line management officials in the organization. Awareness and training budget allocation, material development, and scheduling are the responsibilities of these officials.
- Model 3: Centralized policy, distributed strategy and implementation. In this model, the central security awareness and training authority (CIO/IT security program manager) disseminates broad policy and expectations regarding security awareness and training requirements, but gives responsibility for executing the entire program to other organizational units. This normally means creation of a subsystem of CIOs and IT security program managers subordinate to the central CIO and IT security officer.
2- Conducting a Needs Assessment: A needs assessment is a process that can be used to determine an organization’s awareness and training needs. The results of a needs assessment can provide justification to convince management to allocate adequate resources to meet the identified awareness and training needs. In conducting a needs assessment, it is important that key personnel be involved. As a minimum, the following roles should be addressed in terms of any special training needs:
- Executive Management
- Security Personnel (security program managers and security officers)
- System Owners
- System Administrators and IT Support Personnel
- Operational Managers and System Users
3- Developing an Awareness and Training Strategy and Plan: This plan is the working document containing the elements that make up the strategy. The plan should discuss the following elements:
- Existing national and local policy that requires the awareness and training to be accomplished
- Scope of the awareness and training program
- Roles and responsibilities of agency personnel who should design, develop, implement, and maintain the awareness and training material, and who should ensure that the appropriate users attend or view the applicable material
- Goals to be accomplished for each aspect of the program
- Target audiences for each aspect of the program
- Mandatory (and if applicable, optional) courses or material for each target audience
- Learning objectives for each aspect of the program
- Topics to be addressed in each session or course
- Deployment methods to be used for each aspect of the program
- Documentation, feedback, and evidence of learning for each aspect of the program
- Evaluation and update of material for each aspect of the program
- Frequency that each target audience should be exposed to material
4- Establishing Priorities: Once the security awareness and training strategy and plan have been finalized, an implementation schedule must be established. Priorities must therefore be set to decide the order in which the program's activities are carried out. Several factors influence this prioritization. Key factors to consider are:
- Availability of Material/Resources: If awareness and training material and necessary resources are readily available, key initiatives in the plan can be scheduled early.
- Role and Organizational Impact: It is very common to address priority in terms of organizational role and risk. Broad-based awareness initiatives that address the enterprise-wide mandate may receive high priority because the rules of good security practices can be delivered to the workforce quickly.
- State of Current Compliance: This involves looking at major gaps in the awareness and training program.
- Critical Project Dependencies: If there are projects dependent upon a segment of security training in order to prepare the necessary requirements for the system involved (e.g., new operating system, firewalls, virtual private networks [VPNs]), the training schedule needs to ensure that the training occurs within the stipulated timeframe necessary to address these dependencies.
5- Setting the Bar: Setting the bar means that a decision must be made as to the complexity of the material that will be developed. It applies to all three types of learning (awareness, training, and education). The complexity must be commensurate with the role of the person who will undergo the learning effort. Material should be developed based on two important criteria:
- The target attendee’s position within the organization
- Knowledge of the security skills required for that position.
When setting the bar for an awareness effort, the focus should be on the expected rules of behavior for using systems. These rules, which should come directly from agency policy, apply to everyone in the organization.
6- Funding the Security Awareness and Training Program: Once an awareness and training strategy has been agreed upon and priorities established, funding requirements must be added to the plan. Approaches used to express the funding requirement may include:
- Percent of overall training budget
- Allocation per user by role (e.g., training for key security personnel and system administrators will be more costly than general security training for those in the organization not performing security-specific functions)
- Percent of overall IT budget; or
- Explicit dollar allocations by component based on overall implementation costs.
It is the responsibility of the CIO to assess competing priorities and develop a strategy to address any shortfall in funding that may impact the agency’s ability to comply with existing security training requirements.
Developing Awareness and Training Material
Once the awareness and training program has been designed, supporting material can be developed. Material should be developed with the following in mind:
- “What behavior do we want to reinforce?” (Awareness)
- “What skill or skills do we want the audience to learn and apply?” (Training).
This chapter includes two main sections:
1- Developing Awareness Material: The question to be answered when beginning to develop material for an organization-wide awareness program or campaign is, "What do we want all agency personnel to be aware of regarding IT security?" The awareness and training plan should contain a list of topics.
A significant number of topics can be mentioned and briefly discussed in any awareness session or campaign. Topics may include:
- Password usage and management: including creation, frequency of changes, and protection
- Protection from all malware: scanning, updating definitions
- Unknown e-mail/attachments
- Web usage: allowed versus prohibited; monitoring of user activity
- Data backup and storage: centralized or decentralized approach
- Social engineering
- Incident response: contact whom? “What do I do?”
- Inventory and property transfer: identify responsible organization and user responsibilities (e.g., media sanitization)
- Use of encryption and the transmission of sensitive/confidential information over the Internet
- Laptop security while on travel: address both physical and information security issues
- Software license restriction issues: address when copies are allowed and not allowed
- Access control issues: address least privilege and separation of duties
- E-mail list etiquette: attached files and other rules.
There are a variety of sources of material on security awareness that can be incorporated into an awareness program:
- E-mail advisories issued by industry-hosted news groups, academic institutions, or the organization’s IT security office
- Professional organizations and vendors
- Online IT security daily news websites
- Conferences, seminars, and courses
2- Developing Training Material: The awareness and training plan should identify an audience, or several audiences, that should receive training tailored to address their IT security responsibilities. This section provides background information on the purpose of the companion publication, NIST SP 800-16, and describes how to use its methodology to develop training courses.
Implementing the Awareness and Training Program
An IT security awareness and training program should be implemented only after:
- A needs assessment has been conducted;
- A strategy has been developed;
- An awareness and training program plan for implementing that strategy has been completed; and
- Awareness and training material has been developed
This chapter includes three sections:
1- Communicating the Plan: The program’s implementation must be fully explained to the organization to achieve support for its implementation and commitment of necessary resources. This explanation includes expectations of agency management and staff support, as well as expected results of the program and benefits to the organization. Funding issues must also be addressed.
Communication of the plan can be mapped to the three implementation models. Typical scenarios follow:
- Centralized Program Model Communication Scenario: In this model, the CIO and/or IT security program manager develop all agency IT security awareness and training policy, develop the strategy and program plan, and implement the program. Therefore, all necessary funding for material development and implementation is controlled and provided by the CIO and IT security program manager.
- Partially Decentralized Program Model Communication Scenario: In this model, the CIO and/or the IT security program manager develop all agency IT security awareness and training policy and develop the strategy. They also conduct the needs assessment, from which the strategy is derived. Organizational unit managers are then given an awareness and training budget, develop training plans for their own unit, and implement the program.
- Decentralized Program Model Communication Scenario: In this model, the CIO and/or IT security program manager disseminate broad policy and expectations regarding the IT security awareness and training program. Execution of the remainder of the program is the responsibility of the organizational units. The organizational unit managers are expected to conduct a needs assessment, formulate a strategy, develop a training plan, develop awareness and training material, and implement the awareness and training program.
2- Techniques for Delivering Awareness Material: Many techniques exist to get an IT security awareness message, or a series of messages, disseminated throughout an agency:
- Messages on awareness tools (e.g., pens, key fobs, post-it notes, notepads, first aid kits, clean-up kits, diskettes with a message, bookmarks, Frisbees, clocks, “gotcha” cards)
- Posters, “do and don’t lists,” or checklists
- Screensavers and warning banners/messages
- Desk-to-desk alerts (such as a hardcopy, bright-colored, one-page bulletin)
- Agency-wide e-mail messages
- Web-based sessions
3- Techniques for Delivering Training Material: Techniques for effectively delivering training material should take advantage of technology that supports the following features:
- Ease of use
- Broad base of industry support
Some of the more common techniques that agencies can employ include:
- Interactive video training (IVT)
- Web-based training
- Non-web, computer-based training
- Onsite, instructor-led training (including peer presentations and mentoring)
Post-Implementation
An organization's IT security awareness and training program can quickly become obsolete if sufficient attention is not paid to technology advancements, IT infrastructure and organizational changes, and shifts in organizational mission and priorities. CIOs and IT security program managers need to be cognizant of this potential problem.
This chapter includes five sections:
1- Monitoring Compliance: Once the program has been implemented, processes must be put in place to monitor compliance and effectiveness. An automated tracking system should be designed to capture key information regarding program activity. Typical users of such a database would include:
- IT Security Program Managers
- Human Resource Departments
- Agency Training Departments
- Functional Managers
- Chief Financial Officers (CFOs)
2- Evaluation and Feedback: Formal evaluation and feedback mechanisms are critical components of any security awareness, training, and education program. Once the baseline requirements have been solidified, a feedback strategy can be designed and implemented.
3- Managing Change: It will be necessary to ensure that the program, as structured, continues to be updated as new technology and associated security issues emerge. A change in the organizational mission and/or objectives can also influence ideas regarding how best to design training venues and content. Emerging issues, such as homeland defense, will also impact the nature and extent of security awareness activities necessary to keep users informed/educated about the latest exploits and countermeasures.
4- Ongoing Improvement (“Raising the Bar”): This stage of the program is focused on creating a level of security awareness and excellence that achieves a pervasive security presence in the organization. Monitoring, follow-up, and corrective procedures are well defined and seamless. Finally, in this stage, agencies have incorporated into their awareness and training program formal mechanisms for ongoing research in areas of technology advancement, good practices, and benchmarking opportunities.
5- Program Success Indicators: CIOs, program officials, and IT security program managers should be primary advocates for continuous improvement and for supporting an agency’s security awareness, training, and education program. It is critical that everyone be capable and willing to carry out their assigned security roles in the organization. Listed below are some key indicators to gauge the support for, and acceptance of, the program.
- Sufficient funding to implement the agreed-upon strategy
- Appropriate organizational placement to enable those with key responsibilities to effectively implement the strategy
- Support for broad distribution (e.g., web, e-mail, TV) and posting of security awareness items
- Executive/senior level messages to staff regarding security (e.g., staff meetings, broadcasts to all users by agency head)
- Use of metrics (for example, to indicate a decline in security incidents or violations)
- Managers do not use their status in the organization to avoid security controls that are consistently adhered to by the rank and file
- Level of attendance at mandatory security forums/briefings
- Recognition of security contributions (e.g., awards, contests)
- Motivation demonstrated by those playing key roles in managing/coordinating the security program