FISSEA Target Training in 2005, March 22, 2005
Marirose Coulson, [email protected]
Proprietary
Writing a Strategic Security Training Plan
This document is proprietary and is intended solely for classroom use.
Slide 2: FISSEA Target Training 2005
Agenda
Security environment
Security programs
Strategic security training plans
Technical writing
Slide 3
Motivated internal threat agents pose the greatest risk because of the access they already have
External threats pose a risk to vulnerable systems and to gaps in network security coverage
Personnel with significant security responsibilities often lack high-level skills and up-to-date knowledge
The greatest security risks to an agency frequently come from the action, inaction, or inadvertent mistakes of people
"It is estimated that 99% of all reported intrusions result through exploitation of known vulnerabilities or configuration errors, for which safeguards and countermeasures were available."
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Rev A, Risk Management Guide for Information Technology Systems
Slide 4
Security skills of all employees need to be continuously upgraded to reflect changes in:
Compliance and legislation
Policies and procedures
Mission
Security goals
Capital planning, budget, and resources
Threats and vulnerabilities
Bodies of knowledge
Hardware and software
Slide 5
Security is not a one-size-fits-all role; every level has security responsibilities
Senior executives
System owners and program managers
Certification and accreditation agents or authorization authorities
Information technology staff
Security compliance personnel (Information System Security Officers and Managers)
System users
Slide 6
Security training is an effective countermeasure and a critical factor for implementing security programs
Contributes to a skilled and knowledgeable security workforce able to perform security tasks
Establishes or reinforces competency expectations for various roles and responsibilities
Supports departmental functions, policies, and funding requirements
Promotes professional development, education, and certification
Helps ensure compliance and reduce material weaknesses in the information security program's processes and procedures
Identifies skill gaps and reinforces other continuous improvement or quality control efforts
Aids in communicating cultural change initiatives
Often viewed as a benefit or as part of an overall incentive package to reward, attract, and retain qualified personnel
Slide 7
Strategic training plans provide an opportunity to connect training to mission and present structured learning experiences for the entire organization
Core body of knowledge (CBK) in key areas such as policy, threats, network security, and compliance
Management training to include security controls, writing system security plans, system life cycle (SLC), certification and authorization/accreditation (C&A), critical infrastructure protection (CIP), and risk management
Operational training to include security fundamentals, contingency planning, end user awareness, incident response, and configuration management (CM)
Technical training to include system administrator training, network concepts, firewall best practices, encryption options, remote connection methods, wireless devices, auditing TCP/IP networks, network intrusion fundamentals, vulnerability assessment, and hacking
Slide 8
Training plans should include learning solutions that are customized to fit agency policy and procedure, specific audiences, and delivery formats
Generic or agency specific content
Role-based
Instructor-led classroom, web-based, video, distance learning
Duration flexibility (hours, half day, full day, multiple days)
Various levels of interactivity (e.g., lecture, hands-on exercises)
Slide 9
Cross-functional collaboration is needed to implement a training plan
Collaborate and develop creative solutions to help solve security workforce challenges
Leverage existing courses, contracts, and subject-matter experts
Create security focused “working groups”
Select robust courses that support overall security efforts to ensure confidentiality, integrity, and availability of information and information systems
Communicate in a variety of forums
A coordinated awareness program combined with security training can effectively change individual and organization perceptions about the relevance of security and the consequences of security failures
Trained employees are your best defense!
Slide 10
Benefits for the educator (or writer) of the strategic training plan
Identifies critical elements of overall security training, education, and awareness program
Allows alignment of training goals with organization mission
Provides the opportunity to collaborate with other departments in requesting information or assessing needs
Outlines budget requirements and resources
Solidifies next steps by having a plan in place
Serves as a precursor to an implementation plan (what and when)
Slide 11
An Approach for Writing a Strategic Training Plan
1. Consider the big picture and scope: who needs what, when, how, for how much (dollars and level of effort), and most importantly, WHY? What is the “value-add”?
2. Determine your overall training, education, and awareness strategy
3. Choose the format that is the appropriate style for your audience
– NIST Template
– Other models
4. Structure the content
– Align with mission and goals
– Integrate with IT/IS policy
– Factor in budget and resource constraints
– Consider infrastructure
– Consider culture
Slide 12
NIST SP 800-50 Building an IT Security Awareness and Training Program – Appendix C Template, Sections I - V
I EXECUTIVE SUMMARY
II BACKGROUND
FISMA, OMB A-130, Appendix III, OPM 5 CFR 930
Specific department and/or agency policy (and other relevant information or rationale that may drive an awareness and training program and plan)
III AGENCY IT SECURITY POLICY
Goals, Objectives, Roles/Responsibilities
IV AWARENESS
Audience (management and all employees), Activities and target dates, Schedule, Review and updating of materials and methods
V TRAINING/EDUCATION
Role 1: Executives and Managers
Learning Objectives, Focus Areas, Methods/Activities, Schedule, Evaluation Criteria
Role 2: IT security staff
Learning Objectives, Focus Areas, Methods/Activities, Schedule, Evaluation Criteria
Role 3: System/Network Administrators
Role 4: Remaining roles with significant IT security responsibilities
Slide 13
The NIST Appendix C Template, Sections VI and VII
VI PROFESSIONAL CERTIFICATION
Role 1: IT Security Staff
Learning Objectives, Focus Areas, Methods/Activities, Schedule, Evaluation Criteria
Role 2: System/Network Administrators
Learning Objectives, Focus Areas, Methods/Activities, Schedule, Evaluation Criteria
Role 3: Remaining roles with significant IT security responsibilities
VII RESOURCE REQUIREMENTS (cost)
Staffing: $ xxx
Contracting Support: $ xxx
Facilities (e.g., training rooms, teleconferencing facility): $ xxx
Media (e.g., server(s) for web- and computer-based material): $ xxx
Slide 14
Alternative sample outline for a strategic training plan
I. Introduction
II. Background
A. Security Laws and Regulations, B. Agency Policy Guidelines, C. Baseline or POA&M
III. Purpose and Scope
A. Agency Mission, B. Agency Vision, C. Bureau or Office Framework and Strategy
IV. Responsibilities
A. CIO, B. Bureau or Office, C. Field Offices, D. DAA/CA, ISSM, ISSO/ISSC, System/Database Administrators, IT Personnel
V. Training Approach
A. Program Requirements (Goals, Objectives, Action Steps/Performance Measure, Standards)
B. Security Course Structure and Curriculum
C. Skills Inventory/ Gap Analysis
D. Training to Support Competencies Identified
E. Technology, Delivery, Tracking Mechanisms
F. Feedback and Assessment Strategy
VI. Training Resources
A. Course Administration, B. Resources and Facilities, C. Schedules, D. Future Training
VII. Education Programs/Certifications/Partnerships
Slide 15
Use simple writing techniques to make the process easier and more efficient
"The biggest challenge is to produce writing; no software does it."
- EEI (Editorial Experts Inc.)
Slide 16
Three Easy Steps to Effective Technical Writing
1. Start (today!)
2. Edit
3. Proofread
Slide 17
Get Started!
Do a small piece
Write a detailed outline
Write easier parts first
Avoid editing as you write
Reread or reconsider
Talk it out
Slide 18
Tips for Easier Editing
Know what you’re looking for
Mark first, then fix
Do several reviews
Read a paper copy
Avoid rushing
Take breaks
Use references
Slide 19
Proofreading: Look for Errors
Content
Repeated words
Verb tense
Punctuation
Subject-verb agreement
Format, style, parallel structure
What’s left?
Slide 20
Technical Writing Summary
1. Start (today!)
2. Edit
3. Proofread
Slide 21
Writing a Strategic Training Plan - Session Summary
Security environment
Security programs
Strategic security training plans
Technical writing
Slide 22
FISSEA Target Training 2005, March 22, 2005
Marirose Coulson (w) 703-289-5282
IT Security is about people, processes, and technology