
Page 1

FISSEA Target Training in 2005, March 22, 2005

Marirose Coulson, coulson_marirose@bah.com

Proprietary

Writing a Strategic Security Training Plan

This document is proprietary and is intended solely for classroom use.

Page 2

Agenda

Security environment

Security programs

Strategic security training plans

Technical writing

Page 3

Motivated internal threat agents pose the greatest risk due to their access

External threats pose a risk to vulnerable systems and gaps in network security coverage

Personnel with significant security responsibilities lack high-level skills and up-to-date knowledge

The greatest security risks to an agency frequently come from the action, inaction, or inadvertent mistakes of people

“It is estimated that 99% of all reported intrusions result through exploitation of known vulnerabilities or configuration errors, for which safeguards and countermeasures were available.”

- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Rev A, Risk Management Guide for Information Technology Systems

Page 4

Security skills of all employees need to be continuously upgraded to reflect changes

Compliance and legislation

Policies and procedures

Mission

Security goals

Capital planning, budget, and resources

Threats and vulnerabilities

Bodies of knowledge

Hardware and software

Page 5

Security is not a one-size fits all role; every level has security responsibilities

Senior executives

System owners and program managers

Certification and accreditation agents or authorization authorities

Information technology staff

Security compliance personnel (Information System Security Officers and Managers)

System users

Page 6

Security training is an effective countermeasure and a critical factor for implementing security programs

Contributes to a skilled and knowledgeable security workforce able to perform security tasks

Establishes or reinforces competency expectations for various roles and responsibilities

Supports departmental functions, policies, and funding requirements

Promotes professional development, education, and certification

Helps ensure compliance and reduce material weakness in information security program’s processes and procedures

Identifies skill gaps and reinforces other continuous improvement or quality control efforts

Aids in communicating cultural change initiatives

Often viewed as a benefit or as part of an overall incentive package to reward, attract, and retain qualified personnel

Page 7

Strategic training plans provide an opportunity to connect training to mission and present structured learning experiences for the entire organization

Core body of knowledge (CBK) in key areas such as policy, threats, network security, and compliance

Management training to include security controls, writing system security plans, system life cycle (SLC), certification and authorization/accreditation (C&A), critical infrastructure protection (CIP), and risk management

Operational training to include security fundamentals, contingency planning, end user awareness, incident response, and configuration management (CM)

Technical training to include system administrator training, network concepts, firewall best practices, encryption options, remote connection methods, wireless devices, auditing TCP/IP networks, network intrusion fundamentals, vulnerability assessment, and hacking

Page 8

Training plans should include learning solutions that are customized to fit agency policy and procedure, specific audiences, and delivery formats

Generic or agency specific content

Role-based

Instructor-led classroom, web-based, video, distance learning

Duration flexibility (hours, half day, full day, multiple days)

Various levels of interactivity (e.g., lecture, hands-on exercises)

Page 9

Cross collaboration is needed to implement a training plan

Collaborate and develop creative solutions to help solve security workforce challenges

Leverage existing courses, contracts, and subject-matter-experts

Create security focused “working groups”

Select robust courses that support overall security efforts to ensure confidentiality, integrity, and availability of information and information systems

Communicate in a variety of forums

A coordinated awareness program combined with security training can effectively change individual and organization perceptions about the relevance of security and the consequences of security failures

Trained employees are your best defense!

Page 10

Benefits for the educator (or writer) of the strategic training plan

Identifies critical elements of overall security training, education, and awareness program

Allows alignment of training goals with organization mission

Provides the opportunity to collaborate with other departments in requesting information or assessing needs

Outlines budget requirements and resources

Solidifies next steps by having a plan in place

Serves as a precursor to an implementation plan (what and when)

Page 11

An Approach for Writing a Strategic Training Plan

1. Consider the big picture and scope: who needs what, when, how, for how much (dollars and level of effort), and most importantly, WHY? What is the “value-add”?

2. Determine your overall training, education, and awareness strategy

3. Choose the format that is the appropriate style for your audience

- NIST Template

- Other models

4. Structure the content

- Align with mission and goals

- Integrate with IT/IS policy

- Factor in budget and resource constraints

- Consider infrastructure

- Consider culture

Page 12

NIST SP 800-50 Building an IT Security Awareness and Training Program – Appendix C Template, Sections I - V

I EXECUTIVE SUMMARY

II BACKGROUND

FISMA, OMB A-130, Appendix III, OPM 5 CFR 930

Specific department and/or agency policy (and other relevant information or rationale that may drive an awareness and training program and plan)

III AGENCY IT SECURITY POLICY

Goals, Objectives, Roles/Responsibilities

IV AWARENESS

Audience (management and all employees), Activities and target dates, Schedule, Review and updating of materials and methods

V TRAINING/EDUCATION

Role 1: Executives and Managers

Learning Objectives, Focus Areas, Methods/Activities, Schedule, Evaluation Criteria

Role 2: IT security staff

Learning Objectives, Focus Areas, Methods/ Activities, Schedule, Evaluation Criteria

Role 3: System/Network Administrators

Role 4: Remaining roles with significant IT security responsibilities

Page 13

The NIST Appendix C Template, Sections VI and VII

VI PROFESSIONAL CERTIFICATION

Role 1: IT Security Staff

Learning Objectives, Focus Areas, Methods/Activities, Schedule, Evaluation Criteria

Role 2: System/Network Administrators

Learning Objectives, Focus Areas, Methods/Activities, Schedule, Evaluation Criteria

Role 3: Remaining roles with significant IT security responsibilities

VII RESOURCE REQUIREMENTS COST

Staffing $ xxx

Contracting Support $ xxx

Facilities (e.g., training rooms, teleconferencing facility) $ xxx

Media (e.g., server(s) for web- and computer-based material) $ xxx

Page 14

Alternative sample outline for a strategic training plan

I. Introduction

II. Background

A. Security Laws and Regulations, B. Agency Policy Guidelines, C. Baseline or POA&M

III. Purpose and Scope

A. Agency Mission, B. Agency Vision, C. Bureau or Office Framework and Strategy

IV. Responsibilities

A. CIO, B. Bureau or Office, C. Field Offices, D. DAA/CA, ISSM, ISSO/ISSC, System/Database Administrators, IT Personnel

V. Training Approach

A. Program Requirements (Goals, Objectives, Action Steps/Performance Measure, Standards)

B. Security Course Structure and Curriculum

C. Skills Inventory/ Gap Analysis

D. Training to Support Competencies Identified

E. Technology, Delivery, Tracking Mechanisms

F. Feedback and Assessment Strategy

VI. Training Resources

A. Course Administration, B. Resources and Facilities, C. Schedules, D. Future Training

VII. Education Programs/Certifications/Partnerships

Page 15

Use simple writing techniques to make the process easier and more efficient

“The biggest challenge is to produce writing, no software does it.”

- EEI (Editorial Experts Inc.)

Page 16

Three Easy Steps to Effective Technical Writing

1. Start (today!)

2. Edit

3. Proofread

Page 17

Get Started!

Do a small piece

Write a detailed outline

Write easier parts first

Avoid editing as you write

Reread or reconsider

Talk it out

Page 18

Tips for Easier Editing

Know what you’re looking for

Mark first, then fix

Do several reviews

Read a paper copy

Avoid rushing

Take breaks

Use references

Page 19

Proofreading: Look for Errors

Content

Repeated words

Verb tense

Punctuation

Subject verb agreement

Format, style, parallel structure

What’s left?

Page 20

Technical Writing Summary

1. Start (today!)

2. Edit

3. Proofread

Page 21

Writing a Strategic Training Plan - Session Summary

Security environment

Security programs

Strategic security training plans

Technical writing

Page 22

FISSEA Target Training 2005, March 22, 2005

Marirose Coulson, (w) 703-289-5282

coulson_marirose@bah.com

Writing a Strategic Security Training Plan

This document is proprietary and is intended solely for classroom use.

IT Security is about people, processes, and technology