Training security personnel remains a challenge

Agencies are required under FISMA to provide training for IT security personnel, and the need to husband limited resources puts a high priority on matching appropriate levels of training with personnel. NIST offers some suggestions on meeting the challenge.

Agencies are required to provide training for personnel with significant responsibilities for information security, but selecting the appropriate level of training while husbanding limited educational resources can be a challenging task.

“Key to this effective use of limited resources is ensuring that training is provided first to those who need it most,” stated a recent bulletin from the IT Lab at the National Institute of Standards and Technology.

Deciding who needs it most, defined in the Federal Information Security Management Act as those with “significant information security responsibilities,” is easier said than. It is a task that can lead to “spirited discussions,” wrote Mark Wilson of the IT Lab’s Computer Security Division.


Related stories:

Revised cybersecurity guidelines target training

Natalie Givans | Security gets into the mix


Using too broad a definition can prove a drain on limited training resources. “On the other side of the coin, if an organization pays lip service to the requirement and identifies too few personnel in a ‘check the box’ solution to the FISMA requirement, personnel who actually do have significant security responsibilities will not have the information security training that they need to protect the organization’s information and information system resources,” Wilson wrote.

NIST is updating its Special Publication 800-50, “Building an Information Technology Security Awareness and Training Program,” published in 2003, but in the meantime the June IT Lab bulletin, “How to Identify Personnel with Significant Responsibilities for Information Security,” offers some interim guidance.

FISMA distinguishes between what is called “awareness training” for general IT users and more specific training for those responsible for an agency’s IT security. Under FSMA, an agency's chief information officer is responsible for designating a senior information security officer, usually the CISO, who is responsible for training and overseeing personnel with significant information security responsibilities. The challenge of this task is complicated by the need for many personnel who do not qualify as having “significant” responsibilities to nevertheless be trained at an appropriate level for their security responsibilities.

“CISOs, supervisors, managers, information owners, and system owners should insist that all personnel with responsibilities for information security – beyond the organization’s information system user population – are trained to the degree necessary for them to perform their security tasks in a satisfactory manner, whether they have some or significant information security responsibilities,” the bulletin says.

The bulletin offers seven criteria for selecting personnel with significant information security responsibilities:

Position sensitivity. This is identified in each position description. Positions of increased sensitivity could have more significant responsibilities.

Role. The prevailing tendency in some training initiatives is to define responsibilities by role alone. Some roles, such as agency head, CIO and CISO, would appear to be obvious choices. There also are other “usual suspects,” including system administrator, network administrator, information owner, system owner, auditor, assessor, incident response coordinator or analyst, information system security officer, risk executive, security administrator, security engineer, and security architect.

However, a system administrator for a low-impact system would be included under this scheme with an administrator for a high-impact system, and this could lead to an imbalance of the training provided.

Impact level. Instead of using role as the sole determinant, the impact level assigned under Federal Information Processing Standard 199 to the information and information systems also should be considered.

Greatest vulnerabilities. This criterion allows the appropriate managers to ask: Where are our vulnerabilities or weaknesses? Who has the ability or responsibility to fix them? Are the problems being fixed or not? Training resources can be assigned accordingly.

Security controls. Those personnel with the responsibility to select, implement, and assess system security controls may be deemed to have significant responsibilities.

Risk management. Those personnel with the responsibility for risk management of systems may be deemed to have significant responsibilities.

Security program management. Those personnel with the responsibility to implement, manage, maintain and audit information security programs may be considered to have significant responsibilities – from executive-level perspectives to system-, application- and network-level management.

The bulletin recommends assembling a team to make decisions, which could include representatives from human resources, labor unions, the CIO’s office, physical security, office of general counsel, internal audit, and functions that perform critical missions of the organization. System owners and information owners related to these critical missions also could be involved.