By Mark Wilson and Joan Hash
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Federal agencies and private sector organizations cannot protect the confidentiality, integrity, and availability of information in today’s highly networked systems environment without ensuring that all people involved in using and managing information technology (IT):
· Understand their roles and responsibilities related to the organizational mission;
· Understand the organization’s IT security policy, procedures, and practices; and
· Possess at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible.
As cited in audit reports, periodicals, and conference presentations, the IT security professional community understands that people are one of the weakest links in attempts to secure systems and networks. The people factor - not technology - is key to providing an adequate and appropriate level of security. If people are the key, but are also a weak link, more and better attention must be paid to this asset. A robust and enterprisewide awareness and training program is paramount to ensuring that people understand their IT security responsibilities, and properly use and protect the IT resources entrusted to them.
NIST Special Publication (SP) 800-50, Building an Information Technology Security Awareness and Training Program, by Mark Wilson and Joan Hash, provides guidelines that can help federal departments and agencies meet their security training responsibilities contained in the Federal Information Security Management Act (FISMA) and Office of Management and Budget (OMB) guidance. The document gives guidance for building and maintaining a comprehensive awareness and training program, as part of an organization’s IT security program. This ITL Bulletin summarizes NIST SP 800-50, which is available at http://csrc.nist.gov/publications/nistpubs/index.html.
The document is a companion publication to NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (also available at the above website). The two publications are complementary; SP 800-50 works at a higher strategic level, discussing how to build an IT security awareness and training program, while SP 800-16 addresses a more tactical level, describing an approach to role-based IT security training.
The agency IT security program policy should contain a clear and distinct section devoted to agencywide requirements for the awareness and training program. Topics documented within the awareness and training program policy should include roles and responsibilities, development of program strategy and a program plan, implementation of the program plan, and maintenance of the awareness and training program.
Components: Awareness, Training, Education, and Certification
A successful IT security program consists of:
An awareness and training program is crucial, in that it is the vehicle for disseminating information that users, including managers, need in order to do their jobs. In the case of an IT security program, it is the vehicle to be used to communicate security requirements across the enterprise.
An effective IT security awareness and training program explains proper rules of behavior for the use of agency IT systems and information. The program communicates IT security policies and procedures that need to be followed. This must precede and lay the basis for any sanctions imposed due to noncompliance. Through awareness and training, users first should be informed of the expectations. Accountability must be derived from a fully informed, well-trained, and aware workforce.
Awareness: Security awareness efforts are designed to change behavior or reinforce good security practices. Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate the job performance.
Training: Training strives to produce relevant and needed security skills and competencies. The most significant difference between training and awareness is that training seeks to teach skills that allow a person to perform a specific function, while awareness seeks to focus an individual’s attention on an issue or set of issues.
Education: Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multidisciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and proactive response.
Certification: Professional development is intended to ensure that users, from beginner to the career security professional, possess a required level of knowledge and competence necessary for their roles. Professional development validates skills through certification. Such development and successful certification can be termed “professionalization.” The preparatory work to testing for such a certification normally includes study of a prescribed body of knowledge or technical curriculum, and may be supplemented by on-the-job experience.
The movement toward professionalization within the IT security field can be seen among IT security officers, IT security auditors, IT contractors, and system/network administrators and is evolving. There are two types of certification: general and technical. The general certification focuses on establishing a foundation of knowledge on the many aspects of the IT security profession. The technical certification focuses primarily on the technical security issues related to specific platforms, operating systems, vendor products, etc.
Some agencies and organizations focus on IT security professionals with certifications as part of their recruitment efforts. Other organizations offer pay raises and bonuses to retain employees with certifications and encourage others in the IT security field to seek certification.
The development of an IT security awareness and training program involves three major steps:
Even a small amount of IT security awareness and training can go a long way toward improving the IT security posture of, and vigilance within, an organization.
Designing: Awareness and training programs must be designed with the organization mission in mind. The awareness and training program must support the business needs of the organization and be relevant to the organization’s culture and IT architecture. The most successful programs are those that users feel are relevant to the subject matter and issues presented.
Designing an IT security awareness and training program answers the question “What is our plan for developing and implementing awareness and training opportunities that are compliant with existing directives?” In the design step of the program, the agency’s awareness and training needs are identified, an effective agencywide awareness and training plan is developed, organizational buy-in is sought and secured, and priorities are established.
Developing: Once the awareness and training program has been designed, supporting material can be developed. Material should be developed with the following in mind:
· “What behavior do we want to reinforce?” (awareness); and
· “What skill or skills do we want the audience to learn and apply?” (training).
In both cases, the focus should be on specific material that the participants should integrate into their jobs. Attendees will pay attention and incorporate what they see or hear in a session if they feel that the material was developed specifically for them. Any presentation that feels canned – impersonal and so general as to apply to any audience – will be filed away as just another of the annual “we’re here because we have to be here” sessions. An awareness and training program can be effective, however, if the material is interesting and current.
The awareness audience must include all users in an organization. Users may include employees, contractors, foreign or domestic guest researchers, other agency personnel, visitors, guests, and other collaborators or associates requiring access. The message to be spread through an awareness program, or campaign, should make all individuals aware of their commonly shared IT security responsibilities. On the other hand, the message in a training class is directed at a specific audience. The message in training material should include everything related to security that attendees need to know in order to perform their jobs. Training material is usually far more in-depth than material used in an awareness session or campaign.
Implementing: An IT security awareness and training program should be implemented only after a needs assessment has been conducted, a strategy has been developed, an awareness and training program plan for implementing that strategy has been completed, and awareness and training material has been developed.
The program’s implementation must be fully explained to the organization to achieve support for its implementation and commitment of necessary resources. This explanation includes expectations of agency management and staff support, as well as expected results of the program and benefits to the organization. Funding issues must also be addressed. For example, agency managers must know if the cost to implement the awareness and training program will be totally funded by the Chief Information Officer (CIO) or IT security program budget, or if their budgets will be impacted to cover their share of the expense of implementing the program. It is essential that everyone involved in the implementation of the program understand their roles and responsibilities. In addition, schedules and completion requirements must be communicated.
Once the plan for implementing the awareness and training program has been explained to (and accepted by) agency management, the implementation can begin. A number of ways exist for awareness and training material to be presented and disseminated throughout an organization. Agencies should tailor their implementation to the size, organization, and complexity of their enterprise. See NIST SP 800-50, Section 5, for techniques for delivering awareness and training material.
An organization’s IT security awareness and training program can quickly become obsolete if sufficient attention is not paid to technology advancements, IT infrastructure and organizational changes, and shifts in organizational mission and priorities. CIOs and IT security program managers need to be cognizant of this potential problem and incorporate mechanisms into their strategy to ensure the program continues to be relevant and compliant with overall objectives. Continuous improvement should always be the theme for security awareness and training initiatives, as this is one area where “you can never do enough.”
Monitoring Compliance: Once the program has been implemented, processes must be put in place to monitor compliance and effectiveness. An automated tracking system should be designed to capture key information regarding program activity (e.g., courses, dates, audience, costs, sources). The tracking system should capture this data at an agency level, so that it can be used to provide enterprisewide analysis and reporting regarding awareness, training, and education initiatives.
Tracking compliance involves assessing the status of the program as indicated by the database information and mapping it to standards established by the agency. Reports can be generated and used to identify gaps or problems. Corrective action and necessary follow-up can then be taken. This may take the form of formal reminders to management; additional awareness, training, or education offerings; and/or the establishment of a corrective plan with scheduled completion dates.
Evaluation and Feedback: Formal evaluation and feedback mechanisms are critical components of any security awareness, training, and education program. Continuous improvement cannot occur without a good sense of how the existing program is working. In addition, the feedback mechanism must be designed to address objectives initially established for the program. Once the baseline requirements have been solidified, a feedback strategy can be designed and implemented. Various evaluation and feedback mechanisms that can be used to update the awareness and training program plan include surveys, evaluation forms, independent observation, status reports, interviews, focus groups, technology shifts, and benchmarking.
A feedback strategy needs to incorporate elements that will address quality, scope, deployment method (e.g., web-based, onsite, offsite), level of difficulty, ease of use, duration of session, relevancy, currency, and suggestions for modification.
Managing Change: It will be necessary to ensure that the program, as structured, continues to be updated as new technology and associated security issues emerge. Training needs will shift as new skills and capabilities become necessary to respond to new architectural and technology changes. A change in the organizational mission and/or objectives can also influence ideas regarding how best to design training venues and content. Emerging issues, such as homeland defense, will also impact the nature and extent of security awareness activities necessary to keep users informed/educated about the latest exploits and countermeasures. New laws and court decisions may also impact agency policy that, in turn, may affect the development and/or implementation of awareness and training material. Finally, as security directives change or are updated, awareness and training material should reflect these changes.
Program Success Indicators: CIOs, program officials, and IT security program managers should be primary advocates for continuous improvement and for supporting an agency’s security awareness, training, and education program. It is critical that everyone be capable and willing to carry out their assigned security roles in the organization. In security, the phrase, only as strong as the weakest link, is true. Securing an organization’s information and infrastructure is a team effort. Listed below are some key indicators to gauge the support for, and acceptance of, the program.
· Sufficient funding to implement the agreed-upon strategy.
· Appropriate organizational placement to enable those with key responsibilities (CIO, program officials, and IT security program manager) to effectively implement the strategy.
· Support for broad distribution (e.g., web, e-mail, TV) and posting of security awareness items.
· Executive/senior-level messages to staff regarding security (e.g., staff meetings, broadcasts to all users by agency head).
· Use of metrics (e.g., to indicate a decline in security incidents or violations, indicate that the gap between existing awareness and training coverage and identified needs is shrinking, the percentage of users being exposed to awareness material is increasing, the percentage of users with significant security responsibilities being appropriately trained is increasing).
· Managers do not use their status in the organization to avoid security controls that are consistently adhered to by the rank and file.
· Level of attendance at mandatory security forums/briefings.
· Recognition of security contributions (e.g., awards, contests).
· Motivation demonstrated by those playing key roles in managing/coordinating the security program.
Government and industry organizations must protect the confidentiality, integrity, and availability of information in today’s highly networked systems environment. A robust IT security awareness and training program, as part of the overall IT security program, gives users the needed tools and information to protect an agency’s vital information resources. Addressing the people factor is key to ensuring an adequate and appropriate level of IT security within an organization, large or small. We invite you to visit our Computer Security Resource Center at http://csrc.nist.gov for more information on a wide range of IT security topics.
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.