How to Use NIST SP 800-16
“Information Technology Security Training Requirements: A Role- and Performance-Based Model”
Mark Wilson, CISSP
Computer Security Division, ITL
National Institute of Standards and Technology
November 16, 2004
mark.wilson@nist.gov
(301) 975-3870 (voice)
(301) 975-4007 (fax)
http://csrc.nist.gov/
Today’s Menu . . .
• NIST SP 800-16 – an Overview
• Break
• FISMA & OPM Say . . .
• How to Use NIST SP 800-16
• Break
• Exercise
• Wrap Up
Objectives of This Workshop
• Understand:
  • The NIST Special Publication (SP) 800-16 Learning Continuum
  • Awareness Versus Training
  • Why Role-Based Training
  • SP 800-16 Roles
  • Relationship Between Cells and Job Functions (Roles)
  • Relationship Between Topics & Concepts and Cells
• Be Able to:
  • Draft an Outline or Complete Course Structure
  • Determine if a Training Course “Meets NIST SP 800-16”
Security Training Guideline
• Special Publication (SP) 800-16: “Information Technology Security Training Requirements: A Role- and Performance-Based Model”
• Written by a FISSEA Workgroup
• Published in April 1998
• Supersedes NIST SP 500-172 (circa 1989)
Primary Authors
• Dee de Zafra – DHHS (Ret.)
• Sadie Pitcher – Dept. of Commerce (Ret.)
• John Tressler – Dept. of Education (?)
• John Ippolito – Allied Technology
Significant Others
• K Rudolph – Native Intelligence
• Vic Maconachy – NSA
• Corey Schou – Idaho State University
• Roger Quane – NSA
Security Training Guideline
• First printing in loose-leaf
• The plan: binders
  • Color graphics
  • Section tabs
• On-line at:
  • http://csrc.nist.gov/publications/nistpubs/index.html
  • http://csrc.nist.gov/ATE/index.html
Why Role-Based Training?
• Current IT environment is more complex
• SP 500-172 limited to five categories:
  • Executives
  • Program and functional managers
  • IRM, security, and audit
  • ADP management and operations
  • End users
• Roles, not titles, allow fine-tuning
• More than one role per person possible
“NIST Model” Highlights
• Learning Continuum
• Basics and Literacy
• Role-Based Training
  • 6 functional specialties
  • 3 fundamental training content categories
  • 26 job functions (roles)
  • 46 training matrix cells
  • 12 body of knowledge topics and concepts
Learning Continuum
• Awareness
  • What: Focus attention on IT Security
  • Who: All employees
• Training
  • What: Provide knowledge, skills, and abilities
  • Who: Depends on roles and responsibilities
• Education
  • What: Provide long-term understanding
  • Who: IT Security professionals
Basics and Literacy
• Transition from awareness to training
• Provides foundation for training
• Basics
  • Core set of IT Security terms & concepts
  • “The ABCs” – The IT Security alphabet
• Literacy
  • Curriculum framework
Six Functional Specialties*
• Manage
• Acquire
• Design & Develop
• Implement & Operate
• Review & Evaluate
• Use
*(Other . . . Expandable)
Three Fundamental Training Content Categories*
• Laws and Regulations
• The IT Security Program
• System Life Cycle Security
*(Other – expandable)
Role-Based Training: 26 Job Functions (Roles)
• Auditor, External
• Auditor, Internal
• Certification Reviewer
• Chief Information Officer (CIO)
• Contracting Officer
• Contracting Officer’s Technical Representative (COTR)
• Data Center Manager
• Database Administrator
• Designated Approving Authority (DAA)
• Freedom of Information Act Official
• Senior IRM Official
• Information Resources Manager
• IT Security Program Officer/Manager
• Network Administrator
• Privacy Act Official
• Program Manager
• Programmer/Systems Analyst
• Records Management Official
• Source Selection Board Member
• System Administrator
• System Designer/Developer
• System Owner
• Systems Operations Personnel
• Technical Support Personnel
• Telecommunications Specialist
• User
IT Security Body of Knowledge Topics and Concepts
• #1 – Laws and Regulations
• #2 – IT Security Program
• #3 – System Environment
• #4 – System Interconnection
• #5 – Information Sharing
• #6 – Sensitivity
• #7 – Risk Management
• #8 – Management Controls
• #9 – Acquisition/Development/Installation/Implementation Controls
• #10 – Operational Controls
• #11 – Awareness, Training, and Education Controls
• #12 – Technical Controls
Sources of Topics and Concepts
• OMB Circular A-130, Appendix III
• OMB Bulletin 90-08
• NIST SP 800-12 (The NIST Handbook)
• NIST SP 800-14 (GSSPs)
• Material developed during SP 800-16 development
NIST Model Wrap-up
• Learning Continuum
• Basics and Literacy
• Role-Based Training
  • 6 functional specialties
  • 3 fundamental training content categories
  • 26 job functions or roles
  • 46 training matrix cells
  • 12 body of knowledge topics and concepts
From Model To Minutia
• Model
• Training Matrix
• Single Course
• Matrix Cells That Comprise A Course
• Body Of Knowledge Topics & Concepts Per Cell
FISMA Says . . .
• Each agency shall develop, document, and implement an agencywide information security program . . . that includes . . . security awareness training [we call that “awareness”] to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency . . .
When We Say “Users” . . .
• “Users” Does Not Mean Only Employees
• Users Include:
  • Employees
  • Contractors
  • Foreign or domestic guest researchers
  • Other agency personnel
  • Visitors
  • Guests
  • Other collaborators or associates requiring access
FISMA Also Says . . .
• The head of each agency shall . . . delegate to the agency Chief Information Officer . . . training and overseeing personnel with significant responsibilities for information security . . .
• The head of each agency shall . . . ensure that the agency has trained personnel sufficient to assist the agency with complying with . . .
FISMA: Train People with Significant Responsibilities . . .
• Who?
  • CIO?
  • CISO & Security Staff?
  • System Owners?
  • Application Owners?
  • Data Owners?
  • Contractors?
FISMA: Train People with Significant Responsibilities . . .
• Who?
  • Network Administrators?
  • System Administrators?
  • Server (e.g., mail, web) Administrators?
  • Records Management Officials?
  • Law Enforcement Officials?
  • General Counsel?
FISMA: Train People with Significant Responsibilities . . .
• How to Decide?
  • Documented in Policy?
  • Documented in Position Descriptions?
  • Documented in Performance Plans?
  • Documented in Security Plans?
  • Documented in Contingency Plans, COOPs?
  • Documented in IG Reports? (Wait for IG Report?)
  • Just Makes Sense? Good Security Practice? (Get Buy-in)
OPM (June 2004) Says . . .
• Develop awareness and training plan
• All users of federal information systems must be exposed to awareness materials at least annually
• Identify employees with significant information security responsibilities and provide role-specific training in accordance with NIST standards and guidance
OPM Also Says . . .
• Train:
  • Executives
  • Program and functional managers
  • CIOs, IT security program managers, auditors, and other security-oriented personnel (e.g., system and network administrators, and system/application security officers)
  • IT function management and operations personnel
How to Use SP 800-16
• Select a Job Function (“Role”)
• Identify All Cells that Make Up the Job Function (Role)
• Identify the Body of Knowledge Topics and Concepts that Make Up Each Cell
• Populate Each Cell
• And Then . . .
How to Use SP 800-16
• Select a Job Function . . . System Owner (See Appendix E)
How to Use SP 800-16
• Identify All Cells that Make Up the Job Function (System Owner) (See Page E-13)
  • 1F
  • 2.1A
  • 2.2D
  • 3.1A, 3.1B, 3.1C, 3.1E, 3.1F
  • 3.2A, 3.2E
  • 3.3E, 3.3F
  • 3.4A, 3.4B, 3.4E
  • 3.5A, 3.5B
  • 3.6A
How to Use SP 800-16
• Identify the Body of Knowledge Topics and Concepts that Make Up Each Cell – Start with Cell 1F (See Pages 69 & 70)
  • #1 – Laws and Regulations
  • #8 – Management Controls
How to Use SP 800-16
• Identify the Body of Knowledge Topics and Concepts that Make Up Each Cell – Cell 2.1A (See Pages 73 & 74)
  • All 12 Topics and Concepts Are Used
How to Use SP 800-16
• Identify the Body of Knowledge Topics and Concepts that Make Up Each Cell – Cell 2.2D (See Pages 89 & 90)
  • All 12 Topics and Concepts Are Used
How to Use SP 800-16
• Identify the Body of Knowledge Topics and Concepts that Make Up Each Cell – Cell 3.1A (See Pages 95 & 96)
  • #2 – IT Security Program
  • #5 – Information Sharing
  • #6 – Sensitivity
  • #8 – Management Controls
  • #9 – Acquisition/Development/Installation/Implementation Controls
How to Use SP 800-16
• Identify the Body of Knowledge Topics and Concepts that Make Up Each Cell
• Do This for Each of the 18 Cells in “System Owner” Job Function (Role)
• You Will Eventually Have . . .
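The role-to-cells and cell-to-topics lookups just walked through are what let you check whether a draft course “meets SP 800-16” for a role. The following Python is an added example, not workshop or NIST material: it embeds only the four System Owner cell populations the slides give, treats the other 14 cells as not yet populated, and the draft course it checks is a constructed sample.

```python
"""Gap check of a draft course against the SP 800-16 cells that make up one role."""
# The 12 body-of-knowledge topics and concepts, numbered as the slides number them.
TOPICS = {1: "Laws and Regulations", 2: "IT Security Program", 3: "System Environment",
          4: "System Interconnection", 5: "Information Sharing", 6: "Sensitivity",
          7: "Risk Management", 8: "Management Controls",
          9: "Acquisition/Development/Installation/Implementation Controls",
          10: "Operational Controls", 11: "Awareness, Training, and Education Controls",
          12: "Technical Controls"}
ALL_TOPICS = frozenset(TOPICS)

# The 18 cells that make up the System Owner role (slide citing Appendix E, page E-13).
SYSTEM_OWNER_CELLS = ["1F", "2.1A", "2.2D", "3.1A", "3.1B", "3.1C", "3.1E", "3.1F",
                      "3.2A", "3.2E", "3.3E", "3.3F", "3.4A", "3.4B", "3.4E",
                      "3.5A", "3.5B", "3.6A"]

# Topics per cell. Only the four cells the slides walk through are populated;
# None marks a cell whose topic list still has to be read out of SP 800-16 itself.
CELL_TOPICS = {c: None for c in SYSTEM_OWNER_CELLS}
CELL_TOPICS.update({"1F": frozenset({1, 8}), "2.1A": ALL_TOPICS, "2.2D": ALL_TOPICS,
                    "3.1A": frozenset({2, 5, 6, 8, 9})})

def required_pairs(cells):
    """Return the (cell, topic) pairs a course for these cells must cover, plus
    the cells whose topic list has not been populated yet."""
    pairs, unpopulated = set(), []
    for cell in cells:
        topics = CELL_TOPICS.get(cell)
        if topics is None:
            unpopulated.append(cell)
        else:
            pairs.update((cell, t) for t in topics)
    return pairs, unpopulated

def gap_report(course, cells=SYSTEM_OWNER_CELLS):
    """Compare a draft course's set of (cell, topic) pairs with the role's requirement.
    Returns (missing pairs, pairs the role does not call for, unpopulated cells); the
    course "meets SP 800-16" for the role only when the first and last are empty."""
    required, unpopulated = required_pairs(cells)
    return sorted(required - course), sorted(course - required), unpopulated

# Constructed sample: a draft course that omits Technical Controls in cell 2.2D and
# Acquisition/... Controls in cell 3.1A, and teaches a topic 3.1A does not call for.
SAMPLE_COURSE = ({("1F", 1), ("1F", 8)}
                 | {("2.1A", t) for t in ALL_TOPICS}
                 | {("2.2D", t) for t in ALL_TOPICS if t != 12}
                 | {("3.1A", t) for t in (2, 5, 6, 8, 11)})

if __name__ == "__main__":
    missing, extra, todo = gap_report(SAMPLE_COURSE)
    print("missing:", [(c, TOPICS[t]) for c, t in missing], "| extra:", extra, "| to populate:", todo)
```

Once the remaining 14 cells are populated from the pages of SP 800-16, the same report tells you whether the course outline is complete for the role.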