information system security training: making it happen, part 2

This article was downloaded by: [Florida State University] On: 01 November 2014, At: 09:23
Publisher: Taylor & Francis
Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK

Information Systems Security
Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/uiss19

Information System Security Training: Making it Happen, Part 2
Susan Hansche CISSP
A senior manager for Information System Security Awareness and Training at TROY Systems, Inc., based in Fairfax, Virginia. She has designed numerous training courses on information technology and information system security for both private-sector and government clients. She may be reached via e-mail at [email protected]
Published online: 21 Dec 2006.

To cite this article: Susan Hansche CISSP (2001) Information System Security Training: Making it Happen, Part 2, Information Systems Security, 10:3, 1-20, DOI: 10.1201/1086/43316.10.3.20010701/31727.6

To link to this article: http://dx.doi.org/10.1201/1086/43316.10.3.20010701/31727.6

Taylor & Francis makes every effort to ensure the accuracy of all the information (the “Content”) contained in the publications on our platform. However, Taylor & Francis, our agents, and our licensors make no representations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of the Content. Any opinions and views expressed in this publication are the opinions and views of the authors, and are not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied upon and should be independently verified with primary sources of information. Taylor and Francis shall not be liable for any losses, actions, claims, proceedings, demands, costs, expenses, damages, and other liabilities whatsoever or howsoever caused arising directly or indirectly in connection with, in relation to or arising out of the use of the Content.

This article may be used for research, teaching, and private study purposes. Any substantial or systematic reproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in any form to anyone is expressly forbidden. Terms & Conditions of access and use can be found at http://www.tandfonline.com/page/terms-and-conditions


Information System Security Training: Making it Happen, Part 2

Susan Hansche, CISSP

SUSAN D. HANSCHE, CISSP, is a senior manager for Information System Security Awareness and Training at TROY Systems, Inc., based in Fairfax, Virginia. She has designed numerous training courses on information technology and information system security for both private-sector and government clients. She may be reached via e-mail at [email protected].

This article is the second of a two-part series on the importance of providing both security awareness and information systems security training to all employees, regardless of their job responsibilities. Part 1 (ISS, January/February 2001) discussed the process of designing and developing a security awareness program. The security awareness program should be the first step in the information system security awareness and training program. In conjunction with the awareness program, the information security professional should design a training program. When designing and developing an information technology (IT) security training program, there is a wide range of options that are based on specific job requirements and the daily management, operation, and protection of the information system. This article describes a framework to help develop an information system security training program that will match your organization’s needs.

INTRODUCTION

Training is more formal and interactive than an awareness program. It is directed toward building knowledge, skills, and abilities that facilitate job capabilities and performance. The days of long, and dare one say, boring lectures have been replaced with interactive and meaningful training. The days when instructors were chosen for their specific knowledge, regardless of whether they knew how to communicate that knowledge, have disappeared. Instructional design (i.e., training) is now an industry that requires professionals to know instructional theories, procedures, and techniques. Its focus is on ensuring that students develop skills and practices that once they leave the training environment will be applicable to their job. In addition, training needs to be a motivator; thus, it should spark the student’s curiosity to learn more.

SECURITY MANAGEMENT PRACTICES, JULY/AUGUST 2001

During the last decade, the information systems security training field has strived to stay current with the rapid advances of information technologies. One example of this is the U.S. National Institute of Standards and Technology (NIST) document, SP800-16, “IT Security Training Requirements: A Role- and Performance-Based Model.” This document, developed in 1998, provides a guideline to federal agencies developing IT security training programs. Even for an organization in the private sector, NIST SP800-16 may be helpful in outlining a baseline of what type and level of information should be offered. For this reason, a brief overview of the NIST document is included in this article. Following this overview, the article follows the five phases of the traditional Instructional Systems Design (ISD) model for training: (1) needs analysis and goal formation, (2) design, (3) development, (4) implementation, and (5) evaluation. The ISD model provides a systematic approach to instructional design and highlights the important relationship and linkage between each phase.

When following the ISD model, a key aspect is matching the training objectives with the subsequent design and development of the content material. The ISD model begins by focusing on what the student is to know or be able to do after the training. Without this beginning, the remaining phases can be inefficient and ineffective. Thus, the first step is establishing the training needs and outlining the program goals. In the design and development phase, the content, instructional strategies, and training delivery methods are decided. The implementation phase includes the actual delivery of the material. Although the evaluation of the instructional material is usually considered something that occurs after completing the implementation, it should be considered an ongoing element of the entire process. The final section of the article provides a suggested IT security course curriculum. It lists several courses that may be needed to meet the different job duties and roles required to protect the IT system. Keep in mind that course curriculum for an organization should match identified training needs.

NIST SP800-16, IT Security Training Requirements: A Role- and Performance-Based Model [1]

The NIST SP800-16 IT Security Learning Continuum provides a framework for establishing an information systems security training program. It states that after beginning an awareness program, the transitional stage to training is “Security Basics and Literacy.” The instructional goal of “Security Basics and Literacy” is to provide a foundation of IT security knowledge by providing key security terms and concepts. This basic information is the basis for all additional training courses.

Although there is a tendency to recognize employees as specific job titles, the goal of the NIST SP800-16 IT Security Learning Continuum is to focus on IT-related job functions, not job titles. The NIST IT Security Learning Continuum is designed for the changing workforce; as an employee’s role changes or as the organization changes, the needs for IT security training also change. Think of the responsibilities and daily duties required of a system manager 10 years ago versus today. Over the course of time, employees will acquire different roles in relationship to the IT system. Thus, instead of saying the system manager needs a specific course, SP800-16 states that the person responsible for a specific IT system function will need a specific type of training.

Essentially, it is the job function and related responsibilities that will determine what IT system security course is needed. This approach recognizes that an employee may have several job requirements and thus may need several different IT security training classes to meet the variety of duties. It can be a challenge to identify this new approach and try to fit standard job categories into the framework. In some organizations, this may not be possible. However, irrespective of the job functions or organization, there are several IT security topics that should be part of an IT system security curriculum. Always keep in mind that the training courses that are offered must be selected and prioritized based on the organization’s immediate needs.

In an ideal world, each organization would have financial resources to immediately fund all aspects of an IT security training program. However, the reality is that resource constraints will force an evaluation of training needs against what is possible and feasible. In some cases, an immediate training need will dictate the beginning or first set of training courses.

MANAGEMENT BUY-IN

Before the design and development of course content, one of the first challenges of a training program is receiving support from all levels of the organization, especially senior management. Within any organization are the “training believers” and the “on-the-job learning believers.” In other words, some managers believe that training is very important and will financially support training efforts, while others believe that money should not be spent on training and that employees should learn the necessary skills while performing their job duties. Thus, it is an important first step to convince senior managers that company-provided training is valuable and essential.

To help persuade senior management of the importance of sponsoring training, consider these points:

• Training helps provide employee retention. Those who instantly think “No, that’s not right, we spend money to train our employees and then they leave and take those skills to another company” should consider the other side. Those employees will leave anyway, but, on average, employees who are challenged by their job duties (and satisfied with their pay) and believe that the company will provide professional growth and opportunities will stay with the company.
• Find an ally in senior management who can be your advocate. When senior managers are discussing business plans, it is important to have someone speak positively about training programs during those meetings.
• Make sure the training program reflects the organizational need. In many instances, it will be necessary to persuade management on the benefits of the training program. This implies knowledge of the weaknesses of the current program and the ability to express how the training program will overcome the unmet requirements.
• Market the training program to all employees. Some employees believe they can easily learn skills and do not need to take time for training. Thus, it is important to emphasize how the training will meet the employee’s business needs.
• Start small and create a success. Management is more likely to dedicate resources to training if an initial program has been successful.
• Discover management’s objections. Determine the issues and problems that may be presented. Also, try to determine what they like or do not like in training programs. Then make sure the proposed training program will overcome these challenges. Include management’s ideas in the program. Even though it is rarely possible to please everyone, it is a worthy goal to meet almost everyone’s needs.

If you are struggling with how to implement a training program to meet your needs, training professionals can help to determine immediate needs and provide guidance based on previous experiences and best practices.

Senior management needs to understand that training belongs on the top of everyone’s list. When employees are expected to perform new skills, the value of training must be carefully considered and evaluated.

ESTABLISHING THE INFORMATION SYSTEM SECURITY TRAINING NEED

After receiving management approval, the next step in the development of a training program is to establish and define the training need. Basically, a training need exists when an employee lacks the knowledge or skill to perform an assigned task. This implies that a set of performance standards for the task must also exist. The creation of performance standards is accomplished by defining the task and the knowledge, skills, abilities, and experiences (KSA&Es) needed to perform the task. Then compare what KSA&Es the employees currently possess with those that are needed to successfully perform the task. The differences between the two are the training needs.

In the information systems security arena, several U.S. government agencies have defined a set of standards for job functions or tasks. In addition to the NIST SP800-16, the National Security Telecommunications and Information Systems Security Committee (NSTISSC) has developed a set of INFOSEC training standards. For example, NSTISSC has developed national training standards for four specific IT security job functions: (1) Information Systems Security Professionals (NSTISSC #4011); (2) the Designated Approving Authority (NSTISSI #4012); (3) System Administrator in Information System Security (NSTISSC #4013); and (4) Information System Security Officer (NSTISSC #4014). The NIST and NSTISSC documents can be helpful in determining the standards necessary to accomplish the information system security tasks or responsibilities.

Once the needs analysis has been completed, the next step is to prioritize the training needs. When making this decision, several factors should be considered:

• Legal requirements
• Cost-effectiveness
• Management pressure
• The organization’s vulnerabilities
• Threats, information sensitivity, and risks
• The student population

For some organizations (e.g., federal agencies, banking, healthcare), legal requirements will dictate some of the decisions about what training to offer. To determine cost-effectiveness, think about the costs associated with an untrained staff. For example, the costs associated with a network failure are high. If an information system is shut down and the organization’s IT operations cease to exist for an extended period of time, the loss of money and wasted time would be enormous. Thus, training system administrators would be a high priority. Executive pressures will come from within, usually the chief information officer (CIO) or IT security officer. If an organization has conducted a risk assessment, executive-level management may prioritize training based on what it perceives to be the greatest risks. Finally, and usually the most typical determining factor, training is prioritized based on the student population with the most problems or the most immediate need.

Be an enthusiastic proponent! If you do not believe in the training program and its benefits, neither will anyone else.

Due to the exponential technological advances, information system security is continually evolving. As technology changes, so do the vulnerabilities and threats to the system. Taking it one step further, new threats require new countermeasures. All of these factors necessitate the continual training of IT system professionals. As such, the IT security training program must also evolve and expand with the technological innovations.

In conducting a needs analysis, define the standards, prioritize the training needs, and finalize the goals and objectives. Keep in mind that when beginning an information system security training program, it is necessary to convince management and employees of its importance. Also, like all programs, the success of the training program will be measured by its ability to meet the organization’s overall IT security goals, and these goals must be clearly defined at the beginning of the program.

Developing the Program Plan

Once training needs are known, the plan for the training program can be developed. The program plan outlines the specific equipment, material, tasks, schedule, and personnel and financial resources needed to produce the training program. The program plan provides a sequence and definition of the activities to be performed, such as deliverables for specific projects. One of the most common mistakes that training managers make is thinking they do not need a plan.

Another mistake is not seeking approval for the program plan from senior management. An integral part of program planning is to ensure that the plan will work; thus, before moving to the next step, review the plan with senior managers. In addition, seeking consensus and agreement at this stage allows others to be involved and feel that they are a part of the process — an essential component to success.

INSTRUCTIONAL STRATEGY: TRAINING DESIGN AND DEVELOPMENT

The design of the training program is based on the learning objectives. The learning objectives are based on the training needs. Thus, the instructional strategy (training delivery method) is based on the best method of achieving the learning objectives.

In choosing an instructional strategy, the focus should be on selecting the best method for the learning objectives, the number of students, and the organization’s ability to efficiently deliver the instructional material. The key is to understand the learning objectives, the students, and the organization.

Remember this common saying: If you don’t plan your work, you can’t work your plan.

During the design and development phase, the content material is outlined and developed into instructional units or lessons. Remember that content should be based on what employees need to know and do to perform their job duties. During the needs analysis phase, the tasks and duties for specific job functions may have already been established. If the content is not task-driven, the focus is on what type of behaviors or attitudes are expected. This involves defining what performance employees would exhibit when demonstrating the objective and what is needed to accomplish the goal. The idea is to describe what someone would do or display to be considered competent in the behavior or attitude.

A well-rounded information system security training program will involve multiple learning methods. When making a decision about the instructional strategy, one of the underlying principles should be to choose a strategy that is as simple as possible while still achieving the objectives. Another factor is the instructional material itself — not all content fits neatly into one type of instructional strategy. For training effectiveness, look at the learning objectives and content to determine what would be the best method for students to learn the material. One of the current philosophies for instructional material is that it should be “edutainment,” which is the combination of education and entertainment. Because this is a hotly debated issue, it is best not to be cornered into taking a side. Look at who the audience will be and what the content is and make a decision that best fits the learning objective.

When deciding on the method, here are a few tips:

• Who is the audience? It is important to consider the audience size and location. If the audience is large and geographically dispersed, a technology-based solution, i.e., computer-based (CD-ROM) or Web-based training (delivery over the Internet), may be more efficient.
• What are the business needs? For example, if limited travel money is available for students, then a technology-based delivery may be applicable. Technology-based delivery can reduce travel costs. However, technology-based training usually incurs more initial costs to design and develop; thus, some travel costs will be spent in developing the technology-based solution.
• What is the course content? Some topics are better suited for instructor-led, video, Web, or CD-ROM delivery. Although there are many debates about what is the best delivery method (and everyone will have an opinion), seek the advice of training professionals who can assess the material and make recommendations.
• What type of learner interaction is necessary? Is the course content best presented as self-paced individual instruction or as group instruction? Some instructional materials are better suited for face-to-face and group interaction, while other content is best suited for creative interactive individualized instruction. For example, if students are simply receiving information, a technology-based solution might be more appropriate. If students are required to perform problem-solving activities in a group, then a classroom setting might be better.
• What types of presentations or classroom activities need to be used? If the course content requires students to install or configure an operating system, a classroom lab might be best.
• How stable is the instructional material? Stability of content can be a cost issue. If content will change frequently, the expense required to change the material must be estimated in difficulty, time, and money. Some instructional strategies can be revised more easily and cost-efficiently than others.
• What type of technology is available for training delivery? This is a critical factor in deciding the instructional strategy. The latest trend is to deliver training via the Internet or an intranet. In order for this to be successful, students must have the technological capability to access the information. For example, in instances where bandwidth could limit the amount of multimedia (e.g., audio, video, and graphic animations) that can be delivered, a CD-ROM solution might be more effective.

The course topics must be sequenced to build new or complex skills onto existing ones and to encourage and enhance the student’s motivation for learning the material.

Regardless of instructional strategy, there are several consistent elements that will be used to present information. They include voice, text, still or animated pictures/graphics, video, demonstrations, simulations, case studies, and some form of interactive exercises. In most courses, several presentation methods are combined. This allows for greater flexibility in reaching all students and also in choosing the best method to deliver the instructional content. For those unfamiliar with the instructional strategies available, refer to Appendix A for a detailed definition of instructor-led and technology-based training delivery methods.

While deciding on what type of instructional strategy is best suited for the training needs, it is necessary to explore multiple avenues of information. Individuals should ask business colleagues and training professionals about previous training experiences and evaluate the responses. Keep in mind that the instructional strategy decision must be based on the instructional objectives, course content, delivery options, implementation options, technological capabilities, and available resources, such as time and money.

Possible Course Curriculum

The IT system security training courses in Appendix B represent a general list of IT security topics that can provide protection to the IT system. The list is intended to be flexible. As technologies change, so will the types of courses. It merely represents the type of training courses that an organization might consider. Additionally, the course content should be combined and relabeled based on the organization’s particular training needs.

Appendix B also contains more detailed information about each course, including the title, brief description, intended audience, high-level list of topics, and other information as appropriate. The courses listed in Appendix B are based on some of the skills necessary to meet the requirements of an information system security training plan. It is expected that each organization would prioritize their training needs and then define what type of courses to offer. Because several of these topics (and many more) are available from third-party training companies, it is not necessary to develop custom courses for an organization. However, the content within these outside courses is general in nature. Thus, for your organization to receive the most effective results, the instructional material should be customized by adding your own policies and procedures. The use of outside sources in this customization can be both beneficial and cost-effective for the organization.

EVALUATING THE INFORMATION SYSTEM SECURITY TRAINING PLAN

Evaluating training effectiveness is an important element of an information system security training plan. It is an ongoing process that starts at the beginning of the training program. During all remaining phases of the training program, whether it is during the analysis, design, development, or implementation stage, evaluation must be built into the plan.

NIST SP800-16 states that evaluating training effectiveness has four distinct but interrelated purposes, which are to measure:

1. The extent to which conditions were right for learning and the learner’s subjective satisfaction
2. What a given student has learned from a specific course
3. A pattern of student outcomes following a specified course
4. The value of the class compared to other options in the context of an organization’s overall IT security training program

Furthermore, the evaluation process should produce four types of measurement, each related to one of the evaluation’s four purposes:

1. Information to assist the employees themselves in assessing their subsequent on-the-job performance
2. Information to assist the employee’s supervisors in assessing an individual student’s subsequent on-the-job performance
3. Trend data to assist trainers in improving both learning and teaching
4. Return-on-investment statistics to enable responsible officials to allocate limited resources in a thoughtful, strategic manner among the spectrum of IT security awareness, security literacy, training, and education options for optimal results among the workforce as a whole

To obtain optimal results, it is necessary to plan for the collection and organization of data and then plan for the time an analyst will need to evaluate the information (data) and extrapolate its meaning to the organization’s goals.

One of the most important elements of effective measurement and evaluation is selecting the proper item to measure. Thus, regardless of the type of evaluation or where it occurs, the organization must agree on what it should be evaluating, such as perceptions, knowledge, or a specific set of skills.

In addition, keep in mind that evaluation has costs. The costs involve thought, time, energy, and money. Therefore, evaluation must be considered to be an ongoing, integral aspect of the training program, and both time and money must be budgeted appropriately.

SUMMARY

IT system security is a rapidly evolving high-risk area that touches every aspect of an organization’s operations. Companies and federal organizations face the challenge of providing employees with the appropriate awareness, training, and education that will enable employees to fulfill their responsibilities effectively and to protect the IT system assets and information.

J U L Y / A U G U S T 2 0 0 1

I N F O R M A T I O N S Y S T E M S S E C U R I T Y

Because resources, such as laborhours and monies, are at a premium

for demand, the evaluation of thetraining program must become anintegral part of the training plan.

Employees are your greatest assetsand trained employees are crucial to

the effective functioning andprotection of the information system.


This article has outlined the various facets of developing an information system (IS) security training program. The first step is to create an awareness program. The awareness program helps to set the stage by alerting employees to the issues of IT security. It also prepares users of the IT system for the next step of the security training program: providing the basic concepts of IT security to all employees. From this initial training effort, various specialized and detailed training courses should be offered to employees. These specific training courses must be related to the various job functions that occur within an organization’s IT system security arena.

Critical to the success of a training program is having senior management support and approval. During each step of the program’s life cycle, it is important to distribute status reports to keep all team members and executive-level managers apprised of progress. In some instances, it may be important (or necessary) to receive direct approval from senior management before proceeding to the next phase.

The five steps of the instructional process are relevant to all information system security training programs. The first step is to analyze the training needs and define the goals and objectives for the training program. Once the needs have been outlined, the next step is to start designing the course. It is important to document this process in some type of design document or blueprint for the program. Because the design document provides the direction for the course development, all parties involved should review and approve the design document before proceeding.

The development phase involves putting all the course elements together, such as the instructor material, student material, classroom activities, and storyboarding and programming of media elements if the course is technology-based. Once course development has been completed, the first goal of the implementation phase is to begin with a pilot or testing of the materials. This allows the instructional design team to evaluate the material for learner effectiveness and rework any issues before a full-scale implementation. Throughout the information system security training program, the inclusion of an evaluation program is critical to the program’s success. Resources, such as time and money, must be dedicated to evaluating the instructional material in terms of effectiveness and meeting the learners’ and company’s needs. Keep in mind that the key factor in an evaluation program is its inclusion throughout the design, development, and implementation of the IT security training program.

Appendix B lists several examples of training courses suggested for an information system security training program. Keep in mind that as technology changes, the course offerings required to meet the evolving IT security challenges must also change. These changes will necessitate modifications and enhancements to current courses. In addition, new courses will be needed to meet the ever-changing IT system advances and enhancements. Thus, the IS security training program and course offerings must be flexible to meet the new demands.

Each organization must also plan for the growth of the IT professional. IT security functions have become technologically and managerially complex. Companies are seeking educated IT security professionals who can solve IT security challenges and keep up with the changing technology issues. Currently, there is a lack of IT security professionals in the U.S. workforce; thus, organizations will need to identify and designate appropriate individuals as IT security specialists and train them to become IT security professionals capable of problem solving and creating vision.

In facing the challenges of developing an information system security training program, it is important to remember that the process cannot be accomplished by one person working alone. It requires a broad, cross-organizational effort in which the executive level brings together various divisions to work on projects. By involving everyone in the process, the additional benefit of creating ownership and accountability is established. Also, the expertise of both training personnel (i.e., training managers, instructional designers, and trainers) and IT security specialists is needed to achieve the training goals.

Always remember the end result: “A successful IT security training program can help ensure the integrity, availability, and confidentiality of the IT system assets and its information, the first and foremost goals of IT security.”

APPENDIXES

These appendixes to Information System Security Training: Making it Happen provide additional information to help launch an effective security training program. Appendix A contains a detailed definition of instructor-led and technology-based training delivery methods. Appendix B contains more detailed information for each course, including title, brief description, intended audience, high-level list of topics, and other information as appropriate.

APPENDIX A: INSTRUCTIONAL STRATEGIES (TRAINING DELIVERY METHODS)

Instructor-Led

The traditional instructional strategy is instructor-led and is considered to be a group instruction strategy, bringing students together in a common place, usually a classroom environment, with an instructor or facilitator. Instructor-led training can provide considerable interaction between the instructor and students. It is usually the least expensive in the design and development of instructional material. However, it can be the most expensive during implementation, especially if students are required to travel to a central location.

Text-Based

Text-based training is an individual, self-paced form of training. The student reads a standard textbook or some other book on the training content. Text-based training does not allow for interaction with an instructor. However, the textbook information is usually written by an individual with expertise in the subject matter. Additionally, students can access the material when needed and can review (or re-read) sections as needed.

Paper-Based or Workbook

Paper-based or workbook training is a type of individual, self-paced instruction. It is the oldest form of distance learning (e.g., correspondence courses). Workbooks include instructional text, graphical illustrations, and practice exercises. The workbooks are written specifically to help students learn particular subjects or techniques. The practice exercises help students to remember what is covered in the books by giving them an opportunity to work with the content. In some cases, students may be required to complete a test or exam to show competency in the subject.

Video-Based

Video-based training is usually an individual, self-paced form of instruction. The information is provided on a standard VHS video cassette tape that can be played using a standard VHS video cassette recorder (VCR). If used as a self-paced form of instruction, it does not allow for interaction with the instructor. However, if used in the classroom, a video can be discussed and analyzed as an interactive exercise. A video allows for animated graphics that can show processes or a demonstration of step items. It has flexible delivery time and location and, if necessary, can be repeated.

Technology-Based, Including CBT and WBT

Technology-based training is also an individual, self-paced instructional strategy. It is any training that uses a computer as the focal point for instructional delivery. With technology-based training, instructional content is provided through the use of a computer and software that guides a student through an instructional program. It can be either computer-based training (CBT), delivered via a floppy disk, CD-ROM, or loaded on a server, or Web-based training (WBT), delivered via the Internet or an intranet.

Computer-based training (CBT) involves several presentation methods, including tutorials, practice exercises, simulations or emulations, demonstrations, problem-solving exercises, and games. CBT has many positive features that can be of importance to agencies that need to deliver a standard set of instructional material to a large group of students who are in geographically separate areas. The benefits of CBT include immediate feedback, student control of instructional material, and the integration of multimedia elements such as video, audio, sounds, and graphical animations.

After the initial CBT development costs, CBT can be used to teach any number of students at any time. Customized CBT programs can focus only on what students need to learn; thus training time and costs can be significantly reduced. Additionally, CBT can enable reduction or elimination of travel for students; thus total training costs can also be reduced. As a self-paced, individualized form of instruction, CBT provides flexibility for the student. For example, the student can control the training environment by selecting specific lessons or topics. In addition, for some students, the anonymous nature can be nonthreatening.

Even though CBT has many benefits, it is important to remember that CBT is not the answer to all training needs. In some situations it can be more appropriate, effective, and cost efficient. However, in other situations, it can produce a negative student attitude and destroy the good will and goals of the training program. For example, students who are offered CBT courses and are instructed to fit it into their schedule may believe they are expected to complete the training outside of the workday. These same students know that taking an instructor-led course allows them to complete the training during a workday. Therefore, they may view CBT as an unfair time requirement.

CBT includes computer-assisted learning (CAL), which uses a computer as a tool to aid in a traditional learning situation, such as classroom training. The computer is a device to assist the instructor during the training process, just like an overhead projector or handouts. It also includes computer-assisted testing (CAT), which assesses an individual through the medium of a computer. Students take the test at the computer, and the computer records and scores the test. CAT is embedded in most computer-based training products.

Web-based training (WBT) is a new, creative method for delivering computer-based training to widespread, limitless audiences. WBT represents a shift from the current delivery of CBT. In the CBT format, the information is usually stored on the local machine, a server, or a CD-ROM. In WBT the information is distributed via the World Wide Web (WWW) and is most likely stored at a distant location or on an organization’s central server. The information is displayed to the user using a software application called a browser, such as Internet Explorer. The content is presented by text, graphics, audio, video, and graphical animations. WBT has many of the same benefits as CBT, including saving time and easy access. However, one of the key advantages of WBT over CBT is the ease of updating information. If changes need to be made to instructional material, the changes are made once on the server and then everyone can access the new information. The challenges of WBT are providing the technical capability for the student’s computer and the agency’s server, and the available bandwidth.

APPENDIX B: SUGGESTED IT SYSTEM SECURITY TRAINING COURSES

INFOSEC 101: IT Security Basics

Brief Description
This course should describe core terms and concepts that every user of the IT system must know, the fundamentals of IT security and how to apply them, and the IT system security rules of behavior. It will allow every individual to understand their role in protecting IT system assets and information.

Intended Audience
The course is intended for all employees who use the IT system, regardless of their specific job responsibilities. Essentially, all employees should receive this training.

List of Topics
What Is IT Security and Why Is It Important; Federal Laws and Regulations; Vulnerabilities, Threats, and Sensitivity of the IT System; Protecting the Information, Including Sensitive but Unclassified and Classified Information; Protecting the Hardware; Password Protections; Media Handling (i.e., how to process, store, and dispose of information on floppy disks); Copyright Issues; Laptop Security; User Accountability; Who to Contact with Problems; and other specific agency policies related to all users of the IT system. If the organization processes classified information, a separate briefing should be given.
Note: Because most organizations require this course for all employees, it is a good example of content that should be delivered via a technology-based delivery. This includes either video, CBT via CD-ROM, or WBT via the agency’s intranet.

INFOSEC 102: IT Security Basics for a Network Processing Classified Information

Brief Description
This course describes the core terms and concepts that every user of the IT system must know, the fundamentals of IT security and how to apply them, and the rules of behavior. It is similar to INFOSEC 101 except that it also provides information pertinent to employees who have access to a network processing classified information.

Intended Audience
The course is intended for all employees with access to a network processing classified information.

List of Topics
What Is IT Security and Why Is It Important; Federal Laws and Regulations; Vulnerabilities, Threats, and Sensitivity of the IT System; Protecting Classified Information; Protecting the Hardware, Including TEMPEST Equipment; Password Protections; Media Handling (i.e., how to process, store, and dispose of classified information); Copyright Issues; Laptop Security; User Accountability; Who to Contact with Problems; and other specific agency policies related to users of a classified IT system.

Table: Suggested IT System Security Training Courses (course number and content level; course title; intended audience; possible prerequisite)

INFOSEC 101 (Basic): IT Security Basics. Audience: all employees. Prerequisite: none.
INFOSEC 102 (Basic): IT Security Basics for Networks Processing Classified Information. Audience: all employees with access to a network processing classified information. Prerequisite: none.
INFOSEC 103 (Basic): IT Security Basics, Annual Refresher. Audience: all employees. Prerequisite: INFOSEC 101.
INFOSEC 104 (Basic): Fundamentals of IT Security. Audience: individuals directly responsible for IT security. Prerequisite: none.
INFOSEC 201 (Intermediate): Developing the IT System Security Plan. Audience: individuals responsible for developing the IT system security plan. Prerequisite: INFOSEC 101 or 103.
INFOSEC 202 (Intermediate): How to Develop an IT System Contingency Plan. Audience: individuals responsible for developing the IT system contingency plan. Prerequisite: INFOSEC 101 or 103.
INFOSEC 203 (Intermediate): System/Technical Responsibilities for Protecting the IT System. Audience: individuals responsible for the planning and daily operations of the IT system. Prerequisite: INFOSEC 101 or 103.
INFOSEC 204 (Intermediate): Life Cycle Planning for IT System Security. Audience: managers responsible for the acquisition and design of the IT system. Prerequisite: INFOSEC 101 or 103.
INFOSEC 205 (Intermediate): Basic Information System Security Officer (ISSO) Training. Audience: individuals assigned as the ISSO or alternate ISSO. Prerequisite: INFOSEC 101 or 103.
INFOSEC 206 (Intermediate): Certifying the IT System. Audience: individuals responsible for the Designated Approving Authority (DAA) role. Prerequisite: INFOSEC 101 or 103; INFOSEC 203.
INFOSEC 207 (Intermediate): Information System Security for Executive Managers. Audience: executive-level managers. Prerequisite: none.
INFOSEC 208 (Intermediate): An Introduction to Network and Internet Security. Audience: individuals responsible for network connections. Prerequisite: INFOSEC 101 or 103; INFOSEC 203.
INFOSEC 209 (Intermediate): An Introduction to Cryptography. Audience: individuals responsible for network connections, information, and security. Prerequisite: INFOSEC 101 or 103; INFOSEC 203 or 205.
INFOSEC 301 (Advanced): Understanding Audit Logs. Audience: individuals responsible for reviewing audit logs. Prerequisite: INFOSEC 101 or 103; INFOSEC 203 or 205.
INFOSEC 302 (Advanced): Windows NT 4.0 Security. Audience: individuals responsible for networks using Windows NT 4.0. Prerequisite: INFOSEC 101 or 103; INFOSEC 203.
INFOSEC 303 (Advanced): Windows 2000 Security. Audience: individuals responsible for networks using Windows 2000. Prerequisite: INFOSEC 101 or 103; INFOSEC 203.
INFOSEC 304 (Advanced): Unix Security. Audience: individuals responsible for networks using Unix. Prerequisite: INFOSEC 101 or 103; INFOSEC 203.
INFOSEC 305 (Advanced): Advanced ISSO Training. Audience: individuals assigned as the ISSO or alternate ISSO. Prerequisite: INFOSEC 205.
INFOSEC 306 (Advanced): Incident Handling. Audience: individuals responsible for handling IT security incidents. Prerequisite: INFOSEC 101 or 103; INFOSEC 205.
INFOSEC 307 (Advanced): How to Conduct a Risk Analysis/Assessment. Audience: individuals responsible for conducting risk analyses. Prerequisite: INFOSEC 101 or 103; INFOSEC 205.

INFOSEC 103: IT Security Basics, Annual Refresher

Brief Description
This is a follow-on course to IT Security Basics. As technology changes, the demands and challenges for IT security also change. In this course, the agency will look at the most critical challenges for the end user. The focus of the refresher course will be on how to meet those needs.

Intended Audience
The course is for all employees who use the IT system.

List of Topics
Topics would be specific to the agency and the pertinent IT security challenges it faces.

INFOSEC 104: Fundamentals of IT Security

Brief Description
This course is designed for employees directly involved with protecting the IT system. It provides a basic understanding of the federal laws and agency-specific policies and procedures, the vulnerabilities and threats to IT systems, the countermeasures that can help to mitigate the threats, and an introduction to the physical, personnel, administrative, and system/technical controls.

Intended Audience
The course is for employees who need more than just the basics of IT security. It is an introductory course that can be used as a prerequisite for higher level material. This could include system administrators, system staff, information officers, information system security officers, security officers, and program managers.
Note: This course can be taken in place of INFOSEC 101. It is designed as an introductory course for those employees who have job responsibilities directly related to securing the IT system.

INFOSEC 201: Developing the IT System Security Plan

Brief Description
By law, every federal IT system must have an IT system security plan for its general support systems and major applications. This course explains how to develop an IT System Security Plan following the guidelines set forth in NIST SP 800-18, “Guide for Developing Security Plans for Information Technology Systems.”

Intended Audience
The course is for the system owner (or team) responsible for ensuring that the IT system security plan is prepared and implemented. In many agencies, the IT system security plan will be developed by a team, such as the system administrator, information officer, security officer, and information system security officer.

List of Topics
System Identification; Assignment of Security Responsibilities; System Description/Purpose; System Interconnection; Sensitivity and Sharing of Information; Risk Assessment and Management; Administrative, Physical, Personnel, and System/Technical Controls; Life Cycle Planning; and Security Awareness and Training.
Note: The design of this course should be customized with an organization-approved methodology and a predefined set of templates on how to develop an IT system security plan. The students should leave the class with the organization-approved tools necessary to develop the plan.

INFOSEC 202: How to Develop an IT System Contingency Plan

Brief Description
The hazards facing IT systems demand that effective business continuity plans and disaster recovery plans be in place. Business continuity plans define how to recover from disruptions and continue support for critical functions. Disaster recovery plans define how to recover from a disaster and restore critical functions to normal operations. The first step is to define your organization’s critical functions and processes and determine the recovery time frames and tradeoffs. This course discusses how to conduct an in-depth business impact analysis (BIA) that defines recovery priorities, processing interdependencies, and the basic technology infrastructure required for recovery. A BIA identifies the critical business functions within an organization and determines the impact of not performing those functions beyond the maximum acceptable outage.

Intended Audience
The course is for those employees responsible for the planning and management of the IT system. This may include the system administrator, information officer, security officer, and information system security officer.

List of Topics
What Is an IT System Contingency Plan; Conducting a Business Impact Analysis (BIA); Selecting Your Site (hot site, cold site, warm site); Recovery Objectives; Recovery Requirements; Recovery Implementation; Backup Options and Plans; Testing the Plan; and Evaluating the Results of Recovery Tests.
Note: The content of this course should be customized with an organization-approved methodology for creating an IT system contingency plan. If possible, preapproved templates or tools should be included.

INFOSEC 203: System/Technical Responsibilities for Protecting the IT System

Brief Description
This course begins by explaining the vulnerabilities of and threats to the IT system and what is necessary to protect the physical assets and information. It focuses on specific requirements such as protecting the physical environment, installing software, access controls, configuring operating systems and applications to meet security requirements, and understanding audit logs.

Intended Audience
This course is for employees who are involved in and responsible for the planning and day-to-day operations of the IT system. This would include system administrators, system staff, information officers, and information system security officers.

List of Topics
Overview of IT System Security; Identifying Vulnerabilities, Threats, and Sensitivity of the IT System; Identifying Effective Countermeasures; Administrative Responsibilities (e.g., management of logs and records); Physical Responsibilities (e.g., server room security); Interconnection Security; Access Controls (identification and authentication); Group and File Management (setting up working groups and shared files); Group and File Permissions (configuring the system for access permissions); Audit Events and Logs; and IT Security Maintenance.

INFOSEC 204: Life Cycle Planning for IT System Security

Brief Description
The system life cycle is a model for building and operating an IT system from its inception to its termination. This course covers the fundamentals of how to identify the vulnerabilities of and threats to IT systems before they are implemented and how to plan for IT security during the acquisition and design of an IT system. This includes identifying the risks that may occur during implementation of the IT system and how to minimize those risks, describing the standard operating procedures with a focus on security, how to test that an IT system is secure, and how to dispose of terminated assets.

Intended Audience
The course is designed for managers tasked with the acquisition and design of IT systems. This could include contracting officers, information officers, system administrators, program managers, and information system security officers.

List of Topics
Identify IT Security Needs During the Design Process; Develop IT Security in the Acquisition Process; Federal Laws and Regulations; Organization Policies and Procedures; Acquisition, Development, Installation, and Implementation Controls; Risk Management; Establishing Standard Operating Procedures; and Destruction and Disposal of Equipment and Media.
Note: The course focus should be on the implementation and use of organizational structures and processes for IT security and related decision-making activities. Organization-specific policies, guidelines, requirements, roles, responsibilities, and resource allocations should be previously established.

INFOSEC 205: Basic Information System Security Officer (ISSO) Training

Brief Description
This course provides an introduction to the ISSO role and responsibilities. The ISSO implements the IT system security plan and provides security oversight on the IT system. The focus of the course is on understanding the importance of IT security and how to provide a security management role in the daily operations.

Intended Audience
This course is intended for employees assigned as the ISSO or equivalent. This could be system administrators, information officers, program managers, or security officers.

List of Topics
Overview of IT Security; Vulnerabilities, Threats, and Sensitivity; Effective Countermeasures; Administrative Controls; Physical Controls; Personnel Controls; System/Technical Controls; Incident Handling; and Security Awareness Training.
Note: Each organization should have someone designated as the information system security officer (ISSO) who is responsible for providing security oversight on the IT system.

INFOSEC 206: Certifying and Accrediting the IT System

Brief Description
This course provides information on how to verify that an IT system complies with information security requirements. This includes granting final approval to operate an IT system in a specified security mode and ensuring that classified or sensitive but unclassified (SBU) information is protected according to federal and organization requirements.

Intended Audience
The course is for individuals assigned the designated approving authority (DAA) role and responsibilities. This includes program managers, security officers, information officers, or information system security officers.


List of Topics
Federal Laws and Regulations; Agency Policies and Procedures; Understanding Vulnerabilities, Threats, and Sensitivities; Effective Countermeasures; Access Controls; Groups and File Permissions; Protection of Classified and SBU Information; Protection of TEMPEST and Other Equipment; The Accreditation Process; Incident Handling; Life Cycle Management; Standard Operating Procedures; and Risk Management.

INFOSEC 207: Information System Security for Executive Managers

Brief Description
This course provides an overview of the information system security concerns for executive-level managers. It emphasizes the need for both planning and managing security on the IT system, how to allocate employee and financial resources, and how to lead the IT security team by example.

Intended Audience
This course is for executive-level managers.

List of Topics
Overview of IT System Security; Federal Laws and Regulations; Vulnerabilities and Threats to the IT System; Effective Countermeasures; Need for IT Security Management and Oversight; and Budgeting for IT Security.
Note: Course content should be customized for each organization to make sure it meets the specific needs of the executive-level management team. It is anticipated that there would be several short, interactive sessions based on specific topics. Some sessions could be delivered via a technology-based application to accommodate time limitations.

INFOSEC 208: An Introduction to Network and Internet Security

Brief Description
In this course the focus is on how to develop a network and Internet/intranet security policy to protect the agency’s IT system assets and information: how to analyze the vulnerabilities of the IT system and review the various external threats; how to manage the risks and protect the IT system from unauthorized access; and how to reduce risks by deploying technical countermeasures such as firewalls and data encryption devices.

Intended Audience
The course is for employees involved with the implementation, day-to-day management, and oversight responsibilities of the network connections, including internal intranet and external Internet connections. This could include system administrators, system staff, information officers, information system security officers, security officers, and program managers.

List of Topics
Overview of IT Network Security and the Internet; Introduction to TCP/IP and Packets; Understanding Vulnerabilities and Threats to Network Connections (hackers, malicious code, spoofing, sniffing, denial-of-service attacks, etc.); Effective Countermeasures for Network Connections (policies, access controls, physical protections, anti-virus software, firewalls, data encryption, etc.); Developing a Network and Internet/Intranet Security Policy; and How to Recognize an Internet Attack.

Brief DescriptionThe focus of this course is to providean overview of cryptography. Thisincludes the basic concepts of

J U L Y / A U G U S T 2 0 0 1

S E C U R I T Y M A N A G E M E N T P R A C T I C E S

Dow

nloa

ded

by [

Flor

ida

Stat

e U

nive

rsity

] at

09:

23 0

1 N

ovem

ber

2014

Page 19: Information System Security Training: Making it Happen, Part 2

cryptography, public and private keyalgorithms in terms of their applica-tions and uses, key distribution andmanagement, the use of digital sig-natures to provide authenticity ofelectronic transactions, and non-repudiation.

Intended AudienceThe course is for employees involvedwith the management and securityresponsibilities of the network con-nections. This could include systemadministrators, system staff, informa-tion officers, information system secu-rity officers, security officers, andprogram managers.

List of TopicsCryptography Concepts; Authen-tication Methods Using Crypto-graphic Modules; Encryption;Overview of Certification Authority;Digital Signatures; Nonrepudiation;Hash Functions and Message Di-gests; Private Key and Public KeyCryptography; and Key Management.

INFOSEC 301: Understanding Audit Logs

Brief Description
This is an interactive class focusing on how to understand and review audit logs, explaining what types of events are captured in an audit log, how to search for unusual events, how to use audit log tools, how to record and store audit logs, and how to handle an unusual audit event.

Intended Audience
This course is for employees assigned with managing and providing oversight on the daily IT system operations. This includes system administrators, information officers, and information system security officers.

List of Topics
Understanding an IT System Event; Planning for Audit Log Reviews; How to Review Audit Logs; How to Find and Search through Audit Logs; Using Third-Party Tools for Audit Log Reviewing; How to Handle an Unusual System Event in the Audit Log.
Note: As a prerequisite, students should have completed either INFOSEC 203 or INFOSEC 205 to have a basic understanding of IT security concepts.

INFOSEC 302: Windows NT 4.0 Server and Workstation Security

Brief Description
This course focuses on how to properly configure the Windows NT 4.0 security features for both the server and workstation operating systems. Students learn the security features of Windows NT and participate in installing and configuring the operating systems in a hands-on computer lab.

Intended Audience
The course is designed for employees who are responsible for installing, configuring, and managing networks using the Windows NT 4.0 server and workstation operating system. This may include information officers, system administrators, and system staff.

List of Topics
Overview of the Windows NT 4.0 Server and Workstation Operating Systems; Identification and Authentication Controls; Discretionary Access Controls; Group Organization and Permissions; Directory and File Organization and Permissions; Protecting System Files; Auditing Events; Using the Windows NT Tools to Configure and Maintain the System.
Note: As a prerequisite, students should complete INFOSEC 203 so they have a basic understanding of IT security concepts.

INFOSEC 303: Windows 2000 Security

Brief Description
This course is similar to INFOSEC 302 except it focuses on how to properly configure the security features of the Windows 2000 Operating System. Students learn the security features of Windows 2000 by installing and configuring the operating system in a hands-on computer lab.

Intended Audience
The course is designed for employees who are responsible for installing, configuring, and managing networks using the Windows 2000 operating system. This may include information officers, system administrators, and system staff.

List of Topics
Overview of the Windows 2000 Operating System; The Domain Name System (DNS); Migrating Windows NT 4.0 Domains; Identification and Authentication Controls; Discretionary Access Controls; File System Resources (NTFS); Group Organization and Permissions; Directory and File Organization and Permissions; Protecting System Files; Auditing Events; Using the Windows 2000 Tools to Configure and Maintain the System.
Note: As a prerequisite, students should complete INFOSEC 203 to have a basic understanding of IT security concepts.

INFOSEC 304: Unix Security

Brief Description
In this hands-on course, students will gain the knowledge and skills needed to implement security on the Unix operating system. This includes securing the system from internal and external threats, protecting the Unix file system, controlling superuser access, and configuring tools and utilities to minimize vulnerabilities and detect intruders.

Intended Audience
The course is designed for employees who are responsible for installing, configuring, and managing networks using the Unix operating system. This may include information officers, system administrators, and system staff.

List of Topics
Introduction to Unix Security; Establishing Secure Accounts; Storing Account Information; Controlling Root Access; Directory and File Permissions; Minimize Risks from Unauthorized Programs; and Understanding TCP/IP and Security.
Note: As a prerequisite, students should complete INFOSEC 203 to have a basic understanding of IT security concepts.

INFOSEC 305: Advanced ISSO Training

Brief Description
This course provides an in-depth look at the ISSO responsibilities. Focus is on how to review security plans, contingency plans/disaster recovery plans, and IT system accreditation, and how to handle IT system incidents. Specific IT security case studies are examined and evaluated.

Intended Audience
The course is intended for ISSOs who have completed INFOSEC 205 and have at least 1 year of experience as the ISSO.

List of Topics
Oversight Responsibilities for Reviewing IT System Security Plans and Contingency Plans; How to Handle IT System Incidents; and Case Studies.

INFOSEC 306: Incident Handling

Brief Description
This course explains the procedures for handling an IT system security incident. It begins by defining how to categorize incidents according to risk, followed by how to initiate and conduct an investigation and who to contact for support. Key to handling incidents is ensuring that equipment and information are not compromised during an investigation. Thus, students learn the proper procedures for safekeeping assets and information.

Intended Audience
The course is designed for employees who are responsible for handling IT security incidents. This could include information officers, information system security officers, security officers, and individuals representing a computer incident response team.

List of Topics
Understanding an IT System Security Incident; Federal Laws and Civil/Criminal Penalties; Organization Policies and Penalties; The Organization-Specific Security Incident Reporting Process; Security Investigation Procedures; Identify Investigative Authorities; Interfacing with Law Enforcement Agencies; Witness Interviewing; Protecting the Evidence; and How to Write an IT System Security Incident Report.
Note: As a prerequisite, students should complete INFOSEC 205 to have a basic understanding of IT security concepts.

INFOSEC 307: How to Conduct a Risk Analysis/Assessment

Brief Description
This course explains the process of conducting a risk analysis/assessment. It reviews why a risk analysis is important, the objectives of a risk analysis, the best time to conduct a risk analysis, and different methodologies to conduct a risk assessment, including a review of electronic tools, and provides plenty of hands-on opportunities to complete a sample risk analysis. A critical element of a risk analysis/assessment is considering target analysis and target assessment. The unauthorized intruder may also be conducting an analysis of the information system risks and will know the vulnerabilities to attack.

Intended Audience
The course is for individuals tasked with completing a risk analysis. This could include the information officer, system administrator, program manager, information system security officer, and security officer.

List of Topics
Overview of a Risk Analysis; Understanding Vulnerabilities, Threats, and Sensitivity and Effective Countermeasures of IT Systems; Objectives of a Risk Analysis; Risk Analysis Methodologies; Federal Guidance on Conducting a Risk Analysis; Process of Conducting a Risk Analysis; Electronic Risk Analysis Tools; Completing Sample Risk Analysis Worksheets (asset valuations, threat and vulnerability evaluation, level of risk, and countermeasures); and Reviewing Target Analysis/Assessments.
Note: This course may be offered in conjunction with INFOSEC 201 and INFOSEC 206.

Source
1. Available from the NIST Web site, http://csrc.nist.gov/nistpubs/
