210 likes | 263 Views
A Security Training Program through Transformational Leadership and Practical Approaches. Security Awareness. Security Orientation. Tanetta N. Isler Federal Information Systems Security Educators’ Association (FISSEA) Executive Board Member 2003-2005. Role-Based Training.
E N D
A Security Training Program through Transformational Leadership and Practical Approaches Security Awareness Security Orientation Tanetta N. Isler Federal Information Systems Security Educators’ Association (FISSEA) Executive Board Member 2003-2005 Role-Based Training Annual Security Training
Security Training Program Success StakeholderMeetings Training Program Office of IT Strategic Plan Vision Mission Goals Training Plan IT Security Policy Organizational acceptance and integration of IT security policies, procedures, and practices within an organization’s existing lines of business rules and practices. • Meetings • Working Groups • Communities of Practices • Committees • Acquire resources • Execute Program • Evaluate Program • Goals and objectives • Milestones to achieve • Performance indicators • Define parameters • Determine logistics • Identify resources • Goals and objectives • Milestones to achieve • Performance indicators Training Strategic Plan • Define authority • Assign responsibility • Guide resource allocation
A Strategic Plan guides the process to creating the training Plan which leads to establishing or maintaining a training program.
Strategic Plan objectives guide the process to creating a Training Plan which leads to establishing or maintaining a Training Program. TRAINING STRATEGIC PLAN GOAL 1: Design, develop and implement a fully integrated training program GOAL 2: Comply with Federal IT security directives and mandates GOAL 3: Ensure training program is evaluated OBJECTIVE: Awareness Provide security awareness activities to all employees within the Department/Agency OBJECTIVE: Orientation Identify all new hires and provide security orientation “60-days prior to employee’s use of IT systems” OBJECTIVE: Annual Refresher Training Identify all IT end-users and provide security awareness training “annually” OBJECTIVE: Role-Based (Specific) Training Identify all employees with significant security responsibilities to provide security training in functional specialties
A Strategic Plan guides the process to creating the Training Plan which leads to a Training Program.
Developing a Training Plan can be considered the Analysis (and Design) phase of what instructional designers/training specialists call the ADDIE model Define what is to be learned Analysis Design Formative Evaluation Development Implementation Summative Evaluation McGriff (2000) Instructional Systems, College of Education, Penn State University
A Training Plan determines the learner profile, description of possible constraints and needs
The Kirkpatrick Model of evaluation utilizes four levels of evaluation: Reaction, Learning, Behavior and ROI BUSINESS IMPACT/ROI–compares the cost of the training with benefits BEHAVIOR- transfer of learning is the extent to which a change in behavior LEARNING-extent to which participant’s attitudes change, improve knowledge and increase skills REACTION – feedback of attitude and feeling towards training
Developing the Training Plan by identifying training criteria
The Kirkpatrick Model of evaluation utilizes four levels of evaluation: Reaction, Learning, Behavior and ROI BUSINESS IMPACT/ROI–compares the cost of the training with benefits BEHAVIOR- transfer of learning is the extent to which a change in behavior LEARNING- extent to which participant’s attitudes change, improve knowledge and increase skills REACTION – feedback of attitude and feeling towards training
To determine the needs for role-based training we reference NIST SP 800-16 IT Security Training Matrix
Continue to identify the training criteria for role-based training: IT Security Management: Manage
To determine the needs for role-based training we reference NIST SP 800-16 IT Security Training Matrix
Continue to identify the training criteria for role-based training: IT Security Management: Acquire
The Kirkpatrick Model of evaluation utilizes four levels of evaluation: Reaction, Learning, Behavior and ROI BUSINESS IMPACT/ROI–compares the cost of the training with benefits BEHAVIOR- transfer of learning is the extent to which a change in behavior LEARNING- extent to which participant’s attitudes change, improve knowledge and increase skills REACTION – feedback of attitude and feeling towards training
Developing a Training Plan can be considered the Analysis (and Design) phase of what Instructional designers or training specialists call the ADDIE model Define what is to be learned Plan instruction Analysis Formative Evaluation Design Determine the effectiveness of the instruction Execute instruction Development Implementation Summative Evaluation Develop instructional materials McGriff (2000) Instructional Systems, College of Education, Penn State University
Create a a series of Matrixes to determine trends to guide decision-making : Training Audience Matrix
Create a a series of Matrixes to determine trends to guide decision-making : Budget Allocation, Training Delivery, Delivery Timeframe, Additional Resources, and Evaluation and Measurement
Create a a series of Matrixes to determine trends to guide decision-making : Budget Allocation, Training Delivery, Delivery Timeframe, Additional Resources, and Evaluation and Measurement
Security Training Program Success StakeholderMeetings Training Program Office of IT Strategic Plan Vision Mission Goals Training Plan IT Security Policy After accessing the security training needs determine what is the most effective approach in acquiring resources, executing and evaluating the Training Program • Determine what resources you have to accomplish the Training Strategic Plan vision, mission, goals Who can develop training based on needs? What can we do to develop the most effective security training with the resources we have? Training Strategic Plan