Meeting FISMA Training Requirements through Security Awareness and Role-Based Training: An FBI Case Study ITSL Information Technology Security Library
IT Security - What’s at Stake • Information Privacy - Confidentiality • Provision of Services - Availability • Data Manipulation - Integrity • Critical Roles and Missions • National Infrastructure • Agency Reputation
IT Security - Alarming Statistics • 98% have firewalls and 73% have IDS, yet 36% report penetration from the outside. • 99% use anti-virus software, yet 82% have been hit by viruses, worms, etc. • 84% blame their most recent security breach on human error. • 50% increase in intrusions in the past 5 years. • 90% detected computer security breaches. • 75% acknowledged financial losses due to breaches. Sources: 2003 CSI/FBI Computer Crime and Security Survey & 2004 CompTIA Survey
Case Study: FBI Case Study Overview Mission: • In response to the Federal Information Security Management Act (FISMA) of 2002, the Federal Bureau of Investigation began searching for a comprehensive training solution. The solution needed to be recognized by the intelligence community, cost-effective, flexible and easily deployed across the organization. • The FBI performed a careful evaluation of the many training options available to them, and chose the one solution that is recognized by the National Security Agency, offers CNSS/NSA certification, is mapped to NIST standards and could be easily deployed across the organization.
Case Study: FBI • Internal Needs • Consistent training across the organization • With offices spread across all 50 states and a common mission, a shared knowledge base is critical • Large number of employees in need of mandatory training • Training recognized by the Intelligence Community
Case Study: FBI • Internal Needs • Prevention of security breaches and protection of data integrity • The FBI’s network stores highly sensitive data for a variety of ongoing investigations. Data loss is more than an inconvenience – it could negatively impact national security, criminal prosecutions or individuals in the witness protection program. • The FBI is a high-profile target for malicious intruders seeking information or seeking to disrupt operations
Case Study: FBI • External Pressures • FISMA • Reputation • Malicious Intruders
Case Study: FBI • External Pressures • FISMA • General Information Security Awareness provided to every computer user in organization • Role-based Information Security training available to all employees and contractors with network access/responsibility
Case Study: FBI • External Pressures • Reputation • Foremost law enforcement agency in the United States • External critics seeking to exploit a misstep for political gain • Avoid high-profile and negative publicity
Case Study: FBI • External Pressures • Malicious Intruders • The FBI’s status makes it a prime target for individuals seeking unauthorized access • Hackers seeking to disrupt operations • Criminals wishing to disrupt investigations
Case Study: FBI Possible Solution: Instructor-led Training • Advantages • Meets FISMA Requirements • Disadvantages • Expensive • Requires employees to spend time away from their regular duties • Time-consuming • Impractical for an organization with employees in every State and major city in the country • A number of courses are required for a complete solution
Case Study: FBI Possible Solution: Generic Computer-Based Training • Advantages • Meets FISMA Requirements • Employees can complete training in office • Consistent training across organization • Disadvantages • No Recognized Credentials • Limited number of options and courses • Outdated information • No external incentive to complete coursework • No tracking and reporting if run locally
Case Study: FBI Possible Solution: Karta IT Security Library • Advantages • Meets FISMA Requirements • Employees can complete training in office • Consistent training across organization • Certified by the NSA • Provides students with option to earn Continuing Professional Education credits for certifications issued by (ISC)2 • 80+ courses for professionals with responsibility for information security and the organization’s network • Program support • Free customized Information Security Awareness course. • Students can earn CNSS/NSA Certification in Systems Administration • Tracking and reporting available • Disadvantages
Case Study: FBI Program Success: • Over 95% of FBI Employees took the IT Security Awareness course, exceeding their goal • Customized IT Security Awareness course was a vital tool in disseminating information about a new operating baseline within the organization • CNSS/NSA Certified staff across the organization • Organization-wide training provided for those individuals playing a key role in keeping the country safe and secure • Employees view this training opportunity as a major benefit of working for the FBI • Employees dedicating free time to improving their job skills • Simplified training plans based on roles and responsibilities
FBI’s IT Security Training Solution • Components of the IT Security Training Solution: • Role-based IT Security Training • IT Security Awareness • Industry Recognized Content • Tracking & Reporting • Rollout Support
Role-Based IT Security Training • IT Security Library promotes “Individualized Learning” • 80+ IT Security Courses • 4 Learning Tracks • 3 Skill Levels • 18 Training Plans
Learning Tracks • 4 Learning Tracks: • Security Policy/Guidelines • Data Security • Network Security • Security Planning
NSA & CNSS Certification • The Karta IT Security Training curriculum received National Security Agency (NSA) and Committee on National Security Systems (CNSS) Certification by meeting the national standard NSTISSI No. 4013, valid through 2006. Industry Recognized Content • Continuing Professional Education Credits (CPE) • Individuals holding the Certified Information Systems Security Professional (CISSP) or Systems Security Certified Practitioner (SSCP) credential can earn (ISC)2 CPE credit for each hour of education completed in Karta’s IT Security Library.
Industry Recognized Content • ACE College Credit Recommendations • Karta received College Credit Recommendations for the IT Security Library • A team of content specialists from the American Council on Education (ACE), selected from college faculty, has reported that Karta’s web-based IT Security courses are comparable to college level courses and may be used as transfer credit at many colleges and universities
Role-Based Training Plans • Based on NIST Special Publication 800-16 Job Function – Training Cross References NIST SP 800-16 IT Security Training Matrix … as seen in the ITSL Course Catalog
Role-Based Training Plans • Based on NIST Special Publication 800-16 Course to NIST SP-800-16 Cross Reference Sample Training Plans … as seen in the ITSL Course Catalog
Role-Based Training Plans • 18 Role-Based Training Plans: • Information Security Officer • IT Program Manager • Network Administrator • Systems Administrator • Database Administrator • Programmer • Systems Analyst • System Owner • Systems Designer • System Developer • Tech. Support Personnel • Data Center Manager • Systems Operations Personnel • Information Resources Manager • Information Resources Manager Official • End User • Designated Approving Authority • Certification Reviewer
IT Security Training Project Support Enterprise-Wide Support • Comprehensive rollout/internal support • Implementation planning • Structured marketing support • Sample marketing essentials include: marketing plan with specific success criteria, email templates, flyers, brochures, user guides, and more. • Project tracking and support • Management of reporting (FISMA) • Program coordination/communication
Features & Infrastructure “A Turnkey Solution”
Karta Contacts • George Soltys, Senior Manager, IT Security Training, Karta Technologies, Inc. • 703.564.0341 • 703.309.3038 (cell) • gsoltys@karta.com