This proprietary document outlines a strategic security training plan for FISSEA Target Training in 2005. It emphasizes the importance of continuous security skill development and provides guidelines for creating customized learning solutions. Collaboration and cross-training are also encouraged to enhance the overall security efforts.
Proprietary
Writing a Strategic Security Training Plan
FISSEA Target Training in 2005
March 22, 2005
Marirose Coulson
coulson_marirose@bah.com
This document is proprietary and is intended solely for classroom use.
Agenda
• Security environment
• Security programs
• Strategic security training plans
• Technical writing
FISSEA Target Training 2005
The greatest security risks to an agency frequently come from the action, inaction, or inadvertent mistakes of people
• Motivated internal threat agents pose the greatest risk due to their access
• External threats pose a risk to vulnerable systems and gaps in network security coverage
• Personnel with significant security responsibilities are lacking high-level skills and up-to-date knowledge
"It is estimated that 99% of all reported intrusions result through exploitation of known vulnerabilities or configuration errors, for which safeguards and countermeasures were available."
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Rev A, Risk Management Guide for Information Technology Systems
Security skills of all employees need to be continuously upgraded to reflect changes in:
• Compliance and legislation
• Policies and procedures
• Mission
• Security goals
• Capital planning, budget, and resources
• Threats and vulnerabilities
• Bodies of knowledge
• Hardware and software
Security is not a one-size-fits-all role; every level has security responsibilities
• Senior executives
• System owners and program managers
• Certification and accreditation agents or authorization authorities
• Information technology staff
• Security compliance personnel (Information System Security Officers and Managers)
• System users
Security training is an effective countermeasure and a critical factor for implementing security programs
• Contributes to a skilled and knowledgeable security workforce able to perform security tasks
• Establishes or reinforces competency expectations for various roles and responsibilities
• Supports departmental functions, policies, and funding requirements
• Promotes professional development, education, and certification
• Helps ensure compliance and reduce material weakness in the information security program's processes and procedures
• Identifies skill gaps and reinforces other continuous improvement or quality control efforts
• Aids in communicating cultural change initiatives
• Often viewed as a benefit or as part of an overall incentive package to reward, attract, and retain qualified personnel
Strategic training plans provide an opportunity to connect training to mission and present structured learning experiences for the entire organization
• Core body of knowledge (CBK) in key areas such as policy, threats, network security, and compliance
• Management training to include security controls, writing system security plans, system life cycle (SLC), certification and authorization/accreditation (C&A), critical infrastructure protection (CIP), and risk management
• Operational training to include security fundamentals, contingency planning, end user awareness, incident response, and configuration management (CM)
• Technical training to include system administrator training, network concepts, firewall best practices, encryption options, remote connection methods, wireless devices, auditing TCP/IP networks, network intrusion fundamentals, vulnerability assessment, and hacking
Training plans should include learning solutions that are customized to fit agency policy and procedure, specific audiences, and delivery formats
• Generic or agency-specific content
• Role-based
• Instructor-led classroom, web-based, video, distance learning
• Duration flexibility (hours, half day, full day, multiple days)
• Various levels of interactivity (e.g., lecture, hands-on exercises)
Cross-collaboration is needed to implement a training plan
• Collaborate and develop creative solutions to help solve security workforce challenges
• Leverage existing courses, contracts, and subject-matter experts
• Create security-focused "working groups"
• Select robust courses that support overall security efforts to ensure confidentiality, integrity, and availability of information and information systems
• Communicate in a variety of forums
• A coordinated awareness program combined with security training can effectively change individual and organizational perceptions about the relevance of security and the consequences of security failures
• Trained employees are your best defense!
Benefits for the educator (or writer) of the strategic training plan
• Identifies critical elements of the overall security training, education, and awareness program
• Allows alignment of training goals with organization mission
• Provides the opportunity to collaborate with other departments in requesting information or assessing needs
• Outlines budget requirements and resources
• Solidifies next steps by having a plan in place
• Serves as a precursor to an implementation plan (what and when)
An Approach for Writing a Strategic Training Plan
• Consider the big picture and scope: who needs what, when, how, for how much (dollars and level of effort), and most importantly, WHY? What is the "value-add"?
• Determine your overall training, education, and awareness strategy
• Choose the format that is the appropriate style for your audience
  - NIST template
  - Other models
• Structure the content
• Align with mission and goals
• Integrate with IT/IS policy
• Factor in budget and resource constraints
• Consider infrastructure
• Consider culture
NIST SP 800-50, Building an IT Security Awareness and Training Program – Appendix C Template, Sections I - V
I EXECUTIVE SUMMARY
II BACKGROUND
  FISMA, OMB A-130, Appendix III, OPM 5 CFR 930
  Specific department and/or agency policy (and other relevant information or rationale that may drive an awareness and training program and plan)
III AGENCY IT SECURITY POLICY
  Goals, Objectives, Roles/Responsibilities
IV AWARENESS
  Audience (management and all employees), Activities and target dates, Schedule, Review and updating of materials and methods
V TRAINING/EDUCATION
  Role 1: Executives and Managers – Learning Objectives, Focus Areas, Methods/Activities, Schedule, Evaluation Criteria
  Role 2: IT security staff – Learning Objectives, Focus Areas, Methods/Activities, Schedule, Evaluation Criteria
  Role 3: System/Network Administrators
  Role 4: Remaining roles with significant IT security responsibilities
The NIST Appendix C Template, Sections VI and VII
VI PROFESSIONAL CERTIFICATION
  Role 1: IT Security Staff – Learning Objectives, Focus Areas, Methods/Activities, Schedule, Evaluation Criteria
  Role 2: System/Network Administrators – Learning Objectives, Focus Areas, Methods/Activities, Schedule, Evaluation Criteria
  Role 3: Remaining roles with significant IT security responsibilities
VII RESOURCE REQUIREMENTS
  Requirement | Cost
  Staffing | $ xxx
  Contracting Support | $ xxx
  Facilities (e.g., training rooms, teleconferencing facility) | $ xxx
  Media (e.g., server(s) for web- and computer-based material) | $ xxx
Alternative sample outline for a strategic training plan
I. Introduction
II. Background
  A. Security Laws and Regulations, B. Agency Policy Guidelines, C. Baseline or POA&M
III. Purpose and Scope
  A. Agency Mission, B. Agency Vision, C. Bureau or Office Framework and Strategy
IV. Responsibilities
  A. CIO, B. Bureau or Office, C. Field Offices, D. DAA/CA, ISSM, ISSO/ISSC, System/Database Administrators, IT Personnel
V. Training Approach
  A. Program Requirements (Goals, Objectives, Action Steps/Performance Measures, Standards)
  B. Security Course Structure and Curriculum
  C. Skills Inventory/Gap Analysis
  D. Training to Support Competencies Identified
  E. Technology, Delivery, Tracking Mechanisms
  F. Feedback and Assessment Strategy
VI. Training Resources
  A. Course Administration, B. Resources and Facilities, C. Schedules, D. Future Training
VII. Education Programs/Certifications/Partnerships
Use simple writing techniques to make the process easier and more efficient
"The biggest challenge is to produce writing; no software does it."
- EEI (Editorial Experts Inc.)
Three Easy Steps to Effective Technical Writing
• Start (today!)
• Edit
• Proofread
Get Started!
• Do a small piece
• Write a detailed outline
• Write easier parts first
• Avoid editing as you write
• Reread or reconsider
• Talk it out
Tips for Easier Editing
• Know what you're looking for
• Mark first, then fix
• Do several reviews
• Read a paper copy
• Avoid rushing
• Take breaks
• Use references
Proofreading: Look for Errors
• Content
• Repeated words
• Verb tense
• Punctuation
• Subject-verb agreement
• Format, style, parallel structure
• What's left?
Technical Writing Summary
• Start (today!)
• Edit
• Proofread
Writing a Strategic Training Plan - Session Summary
• Security environment
• Security programs
• Strategic security training plans
• Technical writing
IT Security is about people, processes, and technology
Writing a Strategic Security Training Plan
FISSEA Target Training 2005
March 22, 2005
Marirose Coulson
w 703-289-5282
coulson_marirose@bah.com
This document is proprietary and is intended solely for classroom use.