1 / 52

Mark Wilson, CISSP Computer Security Division, ITL National Institute of Standards and Technology

How to Use NIST SP 800-16 “Information Technology Security Training Requirements: A Role- and Performance-Based Model”. Mark Wilson, CISSP Computer Security Division, ITL National Institute of Standards and Technology - December 1, 2004 - mark.wilson@nist.gov

coyd
Download Presentation

Mark Wilson, CISSP Computer Security Division, ITL National Institute of Standards and Technology

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. How to Use NIST SP 800-16“Information Technology Security Training Requirements: A Role- and Performance-Based Model” Mark Wilson, CISSP Computer Security Division, ITL National Institute of Standards and Technology - December 1, 2004 - mark.wilson@nist.gov (301) 975-3870 (voice) (301) 975-4007 (fax) http://csrc.nist.gov/

  2. Today’s Menu . . . • FISMA & OPM Say . . . • NIST SP 800-16 Background • Break • NIST SP 800-16 Building Blocks • How to Use NIST SP 800-16 • Break • Exercise • Wrap Up

  3. Objectives of This Workshop • Understand: • The NIST Special Publication (SP) 800-16 Learning Continuum • Awareness Versus Training • Why Role-Based Training • SP 800-16 Roles • Relationship Between Cells and Job Functions (Roles) • Relationship Between Topics & Concepts and Cells • Be Able to: • Draft an Outline or Complete Course Structure • Determine if a Training Course “Meets NIST SP 800-16”

  4. Introductions: Who Are We? • Who • What (is your title?) • Where (do you work; what is your affiliation?) • Why (are you here?) • For How Long ( in information security, training development, OIG, or other discipline?)

  5. FISMA Says . . . • Each agency shall develop, document, and implement an agencywide information security program . . . that includes . . . security awareness training [we call that “awareness”] to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency . . .

  6. When We Say “Users” . . . • “Users” Does Not Mean Only Employees • Users Include: • Employees • Contractors • Foreign or domestic guest researchers • Other agency personnel • Visitors • Guests • Other collaborators or associates requiring access

  7. FISMA Also Says . . . • The head of each agency shall . . . delegate to the agency Chief Information Officer . . . training and overseeing personnel with significant responsibilities for information security . . . • The head of each agency shall . . . ensure that the agency has trained personnel sufficient to assist the agency with complying with . . .

  8. FISMA: Train People with Significant Responsibilities . . . • Who? • CIO? • CISO & Security Staff? • System Owners? • Application Owners? • Data Owners? • Contractors?

  9. FISMA: Train People with Significant Responsibilities . . . • Who? • Network Administrators? • System Administrators? • Server (e.g., mail, web) Administrators? • Records Management Officials? • Law Enforcement Officials? • General Counsel?

  10. FISMA: Train People with Significant Responsibilities . . . • How to Decide? • Documented in Policy? • Documented in Position Descriptions? • Documented in Performance Plans? • Documented in Security Plans? • Documented in Contingency Plans, COOPs? • Documented in IG Reports? (Wait for IG Report?) • Just Makes Sense? Good Security Practice? (Get Buy-in)

  11. OPM (June 2004) Says . . . • Develop awareness and training plan • All users of federal information systems must be exposed to awareness materials at least annually • Identify employees with significant information security responsibilities and provide role-specific training in accordance with NIST standards and guidance

  12. OPM Also Says . . . • Train: • Executives • Program and functional managers • CIOs, IT security program managers, auditors, and other security oriented personnel (e.g., system and network administrators, and system/ application security officers) • IT function management and operations personnel

  13. SP 800-16 Background • Written by a FISSEA Workgroup • Published in April 1998 • Supersedes NIST SP 500-172 (circa 1989) • On-line at: • http://csrc.nist.gov/publications/nistpubs/index.html • http://csrc.nist.gov/ATE/index.html

  14. Primary Authors • Dee de Zafra – DHHS (Ret.) • Sadie Pitcher - Dept. of Commerce (Ret.) • John Tressler - Dept. of Education (?) • John Ippolito - Allied Technology

  15. Significant Others • K Rudolph - Native Intelligence • Vic Maconachy - NSA • Corey Schou - Idaho State University • Roger Quane - NSA

  16. Why Role-Based Training? • Current IT environment is more complex • Roles, not titles, allow fine-tuning • More than one role per person possible • Because FISMA hints at it • Because OPM requires it • More efficient than topic-based training

  17. Questions? Comments?Time for a Break?

  18. SP 800-16 Building Blocks • The NIST Model • IT Security Training Matrix • 6 Functional Specialties • 3 Fundamental Training Content Categories • 26 Role-Based Job Functions • 12 Body of Knowledge Topics & Concepts

  19. The NIST Model

  20. “NIST Model” Highlights • Learning Continuum • Awareness • Training • Education • Basics and Literacy • Role-Based Training

  21. Learning Continuum • Awareness • What: Focus attention on IT Security • Who: All employees • Training • What: Provide knowledge, skills, and abilities • Who: Depends on roles and responsibilities • Education • What: Provide long-term understanding • Who: IT Security professionals

  22. Basics and Literacy • Transition from awareness to training • Provides foundation for training • Basics • Core set of IT Security terms & concepts • “The ABCs” - The IT Security alphabet • Literacy • Curriculum framework

  23. The NIST Model

  24. Six Functional Specialties* • Manage • Acquire • Design & Develop • Implement & Operate • Review & Evaluate • Use • *(Other . . . Expandable)

  25. Three Fundamental Training Content Categories* • Laws and Regulations • The IT Security Program • System Life Cycle Security • *(Other - expandable)

  26. Auditor, External Auditor, Internal Certification Reviewer Chief Information Officer (CIO) Contracting Officer Contracting Officer’s Technical Representative (COTR) Data Center Manager Database Administrator Designated Approving Authority (DAA) Freedom of Information Act Official Senior IRM Official Information Resources Manager IT Security Program Officer/Manager Network Administrator Privacy Act Official Program Manager Programmer/Systems Analyst Records Management Official Source Selection Board Member System Administrator System Designer/Developer System Owner Systems Operations Personnel Technical Support Personnel Telecommunications Specialist User Role-Based Training:26 Job Functions (Roles)

  27. Laws and Regulations IT Security Program System Environment System Interconnection Information Sharing Sensitivity Risk Management Management Controls Acquisition/ Development/ Installation/ Implementation Controls Operational Controls Awareness, Training, and Education Controls Technical Controls IT Security Body of Knowledge Topics and Concepts

  28. Sources of Topics and Concepts • OMB Circular A-130, Appendix III • OMB Bulletin 90-08 • NIST SP 800-12 (The NIST Handbook) • NIST SP 800-14 (GSSPs) • Material developed during SP 800-16 development

  29. Single Course Matrix

  30. NIST Model Wrap-up • Learning Continuum • Basics and Literacy • Role-Based Training • 6 functional specialties • 3 fundamental training content categories • 26 job functions or roles • 46 training matrix cells • 12 body of knowledge topics and concepts

  31. From Model To Minutia Model Training Matrix Single Course Matrix Cells That Comprise A Course Body Of Knowledge Topics & Concepts Per Cell

  32. How to Use SP 800-16 • Select a Job Function (Role) • Identify All Cells that Make Up the Job Function [Appendix E] • Understand Definition, Behavioral Outcome, and Learning Objectives for Each Cell [Chapter 4] • Identify the Body of Knowledge Topics and Concepts that Make Up Each Cell [Chapter 4] • Populate Each Cell

  33. How to Use SP 800-16 • Select a Job Function . . . System Owner (See Appendix E)

  34. How to Use SP 800-16 • Identify All Cells that Make Up the Job Function (System Owner) (See Page E-13) • 1F • 2.1A • 2.2D • 3.1A, 3.1B, 3.1C, 3.1E, 3.1F • 3.2A, 3.2E • 3.3E, 3.3F • 3.4A, 3.4B, 3.4E • 3.5A, 3.5B • 3.6A

  35. How to Use SP 800-16 • Identify the Body of Knowledge Topics and Concepts that Make Up Each Cell - Start with Cell 1F (See Pages 69 & 70) • #1 – Laws and Regulations • #8 – Management Controls

  36. How to Use SP 800-16 • Identify the Body of Knowledge Topics and Concepts that Make Up Each Cell - Cell 2.1A (See Pages 73 & 74) • All 12 Topics and Concepts Are Used

  37. How to Use SP 800-16 • Identify the Body of Knowledge Topics and Concepts that Make Up Each Cell - Cell 2.2D (See Pages 89 & 90) • All 12 Topics and Concepts Are Used

  38. How to Use SP 800-16 • Identify the Body of Knowledge Topics and Concepts that Make Up Each Cell - Cell 3.1A (See Pages 95 & 96) • #2 – IT Security Program • #5 – Information Sharing • #6 – Sensitivity • #8 – Management Controls • #9 – Acquisition/Development/Installation/ Implementation Controls

  39. How to Use SP 800-16 • Identify the Body of Knowledge Topics and Concepts that Make Up Each Cell • Do This for Each of the 18 Cells in “System Owner” Job Function (Role) • You Will Eventually Have . . .

  40. How to Use SP 800-16

  41. How to Use SP 800-16 • How to Populate Each Cell (Start With 1F): • Read Definition • Read Behavioral Outcome • Select Knowledge Level (Beginning) • Read Applicable Learning Objective • Read Applicable Topics and Concepts (p. 70) • Select Body of Knowledge Details from Applicable Topics and Concepts in Exhibit 4-4 (p. 48 & 51)

  42. How to Use SP 800-16 • How to Select Body of Knowledge Details from Applicable Topics and Concepts in Exhibit 4-4 (Start With #1): • Read Topic and Concept (#1 = Laws and Regulations) • Select Those Details (and/or Add Your Own) That Allow Your Audience to Achieve the Behavioral Outcome Shown in Cell 1F • May Not Use All Detailed Information Shown

  43. Caveats (Yes, But . . .) to 800-16 • No Departments/Agencies Will Identify All 26 Roles as Having “Significant Responsibilities” (Wilson’s Bet) • Organization Culture Must be Considered • Hybrid Courses/Roles Possible • Add a Cell; Delete a Cell – it’s OK! • This Methodology is Flexible!! • Add Your Own Detailed Information to That Which is in Exhibit 4-4

  44. Questions? Confusions? Break, Then Exercise

  45. Always Time for Exercise • Pick a Role (System Owner) • Identify All of the Cells (Appendix E) • List All Topics and Concepts Used in Each Cell (Chapter 4) • Select (or Add Your Own) Detailed Information for Each Topic and Concept Used in Each Cell (Exhibit 4-4) [*We’ll Do This By Table or Group*]

  46. Evaluating Training Effectiveness • Why? Training Must Be Meaningful? • “Meaningful” Requires Measurement • How and What Do We Measure? • Student Satisfaction (Level 1) • Learning (Teaching) Effectiveness (Level 2) • Performance Effectiveness (Level 3) • Training Program Effectiveness (Level 4)

  47. Summary • We Discussed: • The NIST Special Publication (SP) 800-16 Learning Continuum • Awareness Versus Training • Why Role-Based Training • SP 800-16 Roles • Relationship Between Cells and Job Functions (Roles) • Relationship Between Topics & Concepts and Cells

More Related