1 / 28

The NIST IT Security Training Guideline: SP 800-16 (An Overview)

The NIST IT Security Training Guideline: SP 800-16 (An Overview). Mark Wilson National Institute of Standards and Technology - FISSEA Conference: March 2000 - mark.wilson@nist.gov (301) 975-3870 (voice) (301) 948-0279 (fax) http://csrc.nist.gov/nistpubs/. Security Training Guideline.

kgilmer
Download Presentation

The NIST IT Security Training Guideline: SP 800-16 (An Overview)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The NIST IT Security Training Guideline: SP 800-16 (An Overview) Mark Wilson National Institute of Standards and Technology - FISSEA Conference: March 2000 - mark.wilson@nist.gov (301) 975-3870 (voice) (301) 948-0279 (fax) http://csrc.nist.gov/nistpubs/

  2. Security Training Guideline • Special Publication (SP) 800-16: “Information Technology Security Training Requirements: A Role- and Performance-Based Model” • Written by a FISSEA Workgroup • Supersedes NIST SP 500-172 (circa 1989)

  3. Primary Authors • Dee de Zafra - DHHS • Sadie Pitcher - Dept. of Commerce (Ret.) • John Tressler - Dept of Education • John Ippolito - Allied Technology

  4. Significant Others • K Rudolph - Native Intelligence • Vic Maconachy - NSA • Corey Schou - Idaho State University • Roger Quane - NSA

  5. Security Training Guideline • Available in loose-leaf • Binders for special audiences/meetings • Color graphics • Section tabs • On-line at: • http://csrc.nist.gov/training/welcome.html • http://csrc.nist.gov/nistpubs/

  6. Why Role-Based Training? • Current IT environment is more complex • SP 500-172 limited to five categories • Executives • Program and functional managers • IRM, security, and audit • ADP management and operations • End users • Roles, not titles, allow fine-tuning • More than one role per person possible

  7. NIST Model Highlights • Learning Continuum • Basics and Literacy • Role-Based Training • 6 functional specialties or roles (expandable) • 3 fundamental training content categories • 26 job functions (expandable) • 46 training matrix cells (expandable) • 12 body of knowledge topics and concepts

  8. The NIST Model

  9. Learning Continuum • Awareness • What: Focus attention on IT Security • Who: All employees • Training • What: Provide knowledge, skills, and abilities • Who: Depends on roles and responsibilities • Education • What: Provide long-term understanding • Who: IT Security professionals

  10. Basics and Literacy • Transition from Awareness to Training • Provides foundation for Training • Basics • Core set of IT Security terms & concepts • “The ABCs” - The IT Security alphabet • Literacy • Curriculum framework

  11. Training Content Categories • Three fundamental training content categories: • Laws and Regulations • The IT Security Program • System Life Cycle Security

  12. Auditor, External Auditor, Internal Certification Reviewer Chief Information Officer (CIO) Contracting Officer Contracting Officer’s Technical Representative (COTR) Data Center Manager Database Administrator Designated Approving Authority (DAA) Freedom of Information Act Official Senior IRM Official Information Resources Manager IT Security Program Officer/Manager Network Administrator Privacy Act Official Program Manager Programmer/Systems Analyst Records Management Official Source Selection Board Member System Administrator System Designer/Developer System Owner Systems Operations Personnel Technical Support Personnel Telecommunications Specialist User Role-Based Training:26 Job Functions

  13. Single Course Matrix

  14. Laws and Regulations IT Security Program System Environment System Interconnection Information Sharing Sensitivity Risk Management Management Controls Acquisition/ Development/ Installation/ Implementation Controls Operational Controls Awareness, Training, and Education Controls Technical Controls IT Security Body of Knowledge Topics and Concepts

  15. Sources of Topics and Concepts • OMB Circular A-130, Appendix III • OMB Bulletin 90-08 • NIST SP 800-12 (The NIST Handbook) • NIST SP 800-14 (GSSPs) • Material developed during SP 800-16 development

  16. NIST Model Wrap-up • Learning Continuum • Basics and Literacy • Role-Based Training • 6 functional specialties or roles (expandable) • 3 fundamental training content categories • 26 job functions (expandable) • 46 training matrix cells (expandable) • 12 body of knowledge topics and concepts

  17. From Model To Minutia Model Training Matrix Single Course Matrix Cells That Comprise A Course Body Of Knowledge Topics & Concepts Per Cell

More Related