150 likes | 170 Views
IT Security Awareness, Training and Education Trends. Dan Costello Policy Analyst OMB. What is Education?. Webster’s Third New International Dictionary: the act or process of educating or of being educated; a conditioning, strengthening.
E N D
IT Security Awareness, Training and Education Trends Dan Costello Policy Analyst OMB
What is Education? • Webster’s Third New International Dictionary: the act or process of educating or of being educated; a conditioning, strengthening. • Harvard Graduate School of Education: 5,782 hits on the search first of which provides files on how to reflect on your teaching practice. • Web definition: the activities of educating or instructing or teaching; activities that impart knowledge or skill.
Education is: NIST 800-16: Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multidisciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and pro-active response.
Agenda • FISMA & A-130 Security Training Concepts • Findings from FY03 FISMA Reports • Some Key Ingredients for Success
FISMA Head of each agency shall: • Ensure the agency has trained personnel sufficient to assist the agency in complying with related policies, procedures, standards, and guidelines needed to secure information systems. • Delegate to CIO authority to ensure compliance with the requirements imposed on the agency including training. The agency information security program shall include: • security awareness training to inform personnel, including contractors and other users of information systems supporting the operations and assets of the agency, of: • security risks, their responsibilities in complying with agency policies, and procedures designed to reduce these risks.
A-130 Concepts 1) Every new user of a system introduces a risk to all other users. AND 2) Over time, attention to security tends to dissipate. Concurrently, changes to a system may necessitate a change in the rules or user procedures. SO: Training is required for all users (including contractors) prior to access and should be periodic to refresh and update users.
A-130: Rules of the System • Establish a set of rules of behavior concerning use of, security in, and the acceptable level of risk for, the system. • Rules are based on the needs of various users of the system. • The security provided by the rules should only be as stringent as necessary to provide adequate security. • Rules delineate responsibilities and expected behavior of users. • Rules articulate consequences of behavior not consistent with the rules. • System rules are basis for training.
A-130: Training • Training required for all users prior to access to the system. • Training is tailored to what a user needs to know to use the system securely, to respond and think proactively & preventatively. • Training can be presented in stages, as more access is granted. • Training can vary from formal classroom to clearly written brochures depending on the type of access allowed and the risk that access represents to the security of the system and the information in it.
Complementary Guidance • NIST IT Security Training Requirements – A Role & Performance Based Model (800-16) • NIST Guide for Developing Security Plans for Information Systems (800-18) • NIST Building an Information Technology Security Awareness and Training Program (800-50) • OMB FISMA Reporting Instructions (M-03-19)
C.3 Has the agency CIO ensured security training and awareness of all agency employees, including contractors and those employees with significant IT security responsibilities?* *Aggregated governmentwide data provided by Agency FY03 FISMA reports
Findings from FY03 FISMA Reports • B. Security Awareness Training: 10 agencies provided security awareness training to 95% or more agency employees, 5 agencies with 50% or less. • D. Specialized Security Training: 6 agencies provided specialized security training to more than 95% of agency employees with significant security responsibilities. The remaining agencies fell between 60-95%. • Agencies identified 1%-6% of agency employees as performing significant security responsibilities. • Average cost to train one agency employee was $7.64, however there was a wide range of average cost by agency.
Findings from FY03 FISMA Reports • OIG and agency reports hilited lack of or achievement of security awareness training. • Agencies have designed and implemented a security awareness program. • Most agencies are monitoring and assessing training programs to track compliance to agency requirements and modify the programs. • Some agencies require employees to fulfill security awareness training once per fiscal year, seeing spike in September after most agencies have closed out data for reporting purposes.
Key Ingredients for Successful Training and Awareness Programs • Is senior management involved/sponsoring? • Is training aligned to support your agency’s mission? • Does training account for various working environments (home, office, contractors)? • Is training varied to address evolving challenges and dynamic to stimulate interest (i.e. flyers, regular emails, formal classroom, IT security awareness day)? • Is training monitored to track employees and linked to HR systems to view who has/has not fulfilled agency training requirements?
IT Security Education Drives Mission Performance Awareness & Training Education Proactive & Preventative & Responsive PERFORMANCE
QUESTIONS Dan Costello dcostell@omb.eop.gov 202-395-7857