Sequential Label and Supply
NIST SP 800-50, "Building an Information Technology Security Awareness and Training Program"

After a recent failure of the computer systems at Sequential Label and Supply, it has become clear that current security provisions are inadequate.
- The IT security team is under-funded and understaffed
- There is a lack of respect for the IT team
- Problems are dealt with as they present themselves rather than being anticipated and prevented

Agency IT security policy

At present, there is no formal security policy and problems tend to be addressed on an ad hoc basis.
For example, when a disc brought in by an employee infected all of the computers with a virus, the ability to use such software was disabled: no fundamental reforms were made.

Awareness

- There is a need to create a consistent, coherent security policy for the entire company, in all roles
- Objectives include employee education and the development of a comprehensive security program to ensure all employees act responsibly in regard to IT
- Recent attacks on the company have placed it on high alert, although there remains a demonstrated reluctance to invest in IT security
- Review and updating of materials and methods is required ASAP, as is a company-wide meeting on the topic of security; however, training and education of all employees must be integrated into the regular schedule and standard operating processes of the company

Training-education

Role 1: Executives and managers

Learning Objectives
- Both executives and managers must understand that IT security is not something that can be confined to the IT staff alone, but must be a pervasive, company-wide effort

Focus Areas
- Evaluating priority areas using cost-benefit analysis

Methods/Activities
- Education about best practices for IT security can be disseminated through meetings, but also through online and software-based training
- Education in both formal and informal capacities (through disseminated articles and personal briefings when necessary) must be a continual effort, particularly given the fact that this group of employees seems to give low priority to security and view it as the IT staff's problem

Schedule
- In addition to meeting with the group as a whole, regular briefings should be given on a formal basis about changes in IT security policy. Also, informally through emails and company bulletins, the importance of good IT best practices and precautions should be reinforced

Evaluation Criteria
- Performance can be regularly monitored in regard to IT use to ensure employees are following protocols as well as meeting the criteria for their job performance (such as a receptionist 'closing' a call swiftly)
- Regular questionnaires to evaluate knowledge of staff on IT security

Role 2: IT security staff

Learning Objectives
- To create a holistic security plan for the organization which still allows the organization to function effectively

Focus Areas
- Instead of 'fixing' problems after they occur, preventative maintenance must be better integrated into the company's standard operating procedures

Methods/Activities
- IT staff must monitor and track 'regular' computer activities to compare them against suspicious patterns of use (such as late-night logging in)
- Regular simulations of possible attack strategies are required to ensure that defensive strategies stay ahead of the hackers

Schedule
- System-wide evaluations should be conducted on a regular basis (for example, every fortnight)
- Company-wide meetings to educate all employees on IT-related matters are needed, as well as meetings with individual departments to deal with specific concerns

Evaluation Criteria
- A reduction in critical security incidents overall
- Employee feedback indicating that knowledge of IT best practices has improved

Role 3: System/Network Administrators

Learning Objectives
- Prioritizing areas in need of security controls

Focus Areas
- 'Back door' attacks
- Internal and external threats

Methods/Activities
- Reviewing past security attacks
- Addressing potential worst-case scenarios through simulation

Schedule
- After the initial, comprehensive review of the system and the creation of an overall security policy, training of all staff and re-education of critical IT personnel is demanded on a scheduled, regular basis

Evaluation Criteria
- A reduction in critical security incidents overall

Remaining roles with significant IT / security responsibilities
- Even non-technical staff must become aware of how to prevent security breaches (such as persons 'sliding through' without showing proper identification)

Professional Certification

Role 1: IT security staff

Learning Objectives
- IT staff must have the necessary professional qualifications to implement a security strategy

Focus Areas
- Specific technical knowledge and educational requirements should be stated in the company manual regarding who fulfills specific positions

Methods/Activities
- Computer-based training in new methodologies
- Education for staff in department-wide events (if necessary, suspending some company activities to allow for intensive, in-depth education)
- IT staff should have to keep certifications current and obtain regular retraining (ideally through web-based methods to minimize disruption to company activities)
- Formal promotional certification given on a company-wide basis for fulfilling specific requirements

Schedule
- While most IT education can take place online, more comprehensive educational efforts may require work time to be blocked off for the effort

Evaluation Criteria
- Passing performance on quizzes