A Security Training Program through Transformational Leadership and Practical Approaches. Tanetta N. Isler, Federal Information Systems Security Educators' Association (FISSEA).


A Security Training Program through Transformational Leadership and Practical Approaches
Tanetta N. Isler, Federal Information Systems Security Educators' Association (FISSEA) Executive Board Member

Program components covered: Security Orientation, Annual Security Training, Security Awareness, Role-Based Training.

Program structure (as read from the diagram): Office of IT Strategic Plan -> IT Security Policy -> Training Strategic Plan -> Training Plan -> Training Program -> Security Training Program Success, with Stakeholder Meetings and the Vision, Mission and Goals feeding the Training Strategic Plan.

Stakeholder Meetings: meetings, working groups, communities of practice, committees.
IT Security Policy: define authority, assign responsibility, guide resource allocation.
Training Strategic Plan: goals and objectives, milestones to achieve, performance indicators.
Training Plan: goals and objectives, milestones to achieve, performance indicators.
Training Program: define parameters, determine logistics, identify resources, acquire resources, execute the program, evaluate the program.
Security Training Program Success: organizational acceptance and integration of IT security policies, procedures, and practices within the organization's existing lines of business rules and practices.

TRAINING STRATEGIC PLAN: Mission, Vision, Goals and Objectives

MISSION: To ensure that a comprehensive, effective, and measurable training program is fully implemented and evaluated, and aligned with the Office of IT Security's business objectives and strategic goals.

VISION: To achieve an effective and efficient training program that is integrated at all levels within the Department/Agency and in compliance with all security-related statutes, regulations and Federal laws.

STRATEGIC GOALS:
GOAL 1: Design, develop, and implement a fully integrated security training program.
GOAL 2: Comply with Federal information security directives.
GOAL 3: Ensure the security training program is evaluated to determine transfer of learning and return on investment (ROI).

A Strategic Plan guides the process of creating the Training Plan, which leads to establishing or maintaining a Training Program.

Strategic Plan objectives guide the process of creating a Training Plan, which leads to establishing or maintaining a Training Program.

TRAINING STRATEGIC PLAN
GOAL 1: Design, develop and implement a fully integrated training program.
GOAL 2: Comply with Federal IT security directives and mandates.
GOAL 3: Ensure the training program is evaluated.

OBJECTIVES
Awareness: Provide security awareness activities to all employees within the Department/Agency.
Orientation: Identify all new hires and provide security orientation "60 days prior to the employee's use of IT systems".
Role-Based (Specific) Training: Identify all employees with significant security responsibilities and provide security training in their functional specialties.
Annual Refresher Training: Identify all IT end-users and provide security awareness training "annually".

A Strategic Plan guides the process of creating the Training Plan, which leads to a Training Program.

Training Strategic Plan
AWARENESS: Provide security awareness activities to all employees within the Department/Agency.
ORIENTATION: Provide security orientation "60 days prior to the employee's use of IT systems".
REFRESHER TRAINING: Provide security awareness training "annually".
ROLE-BASED TRAINING: Provide role-specific training in functional specialties.

Training Plan [Needs Analysis]
1. Title
2. Purpose
3. Target Audience
4. Learning Objectives
5. Budget Allocation
6. Training Delivery Method
7. Delivery Timeframes
8. Proposed Additional Resources
9. Evaluation and Measurement

Developing a Training Plan can be considered the Analysis (and Design) phase of what instructional designers/training specialists call the ADDIE model: Analysis, Design, Development, Implementation and Evaluation (formative evaluation during the cycle, summative evaluation at the end). Analysis defines what is to be learned. Source: McGriff (2000), Instructional Systems, College of Education, Penn State University.

A Training Plan determines the learner profile and describes the possible constraints and needs.

Training Plan [Outline]
1. Title: Security Basics and Literacy (Orientation)
2. Purpose: To provide basic security concepts to new hires, 60 days prior to their use of an IT system.
3. Target Audience: All new hires [120 employees a year]
4. Learning Objectives (Beginning): At the end of this course, given the materials, discussions and activities, the participants will be able to: understand our enterprise and critical infrastructure; prevent and reduce common threats; practice safeguards and countermeasures; and protect our information technology assets.
5. Budget Allocation: Are funds available for Security Basics and Literacy? [Yes/No]
6. Training Delivery Method: Instructor-Led Training
7. Delivery Timeframes: Minutes
8. Proposed Additional Resources: What resources are available to design, develop and deliver the course? Developed by a Program Analyst.
9. Evaluation and Measurement: Reaction (Attitude Survey)

The Kirkpatrick Model of evaluation uses four levels of evaluation: Reaction, Learning, Behavior and ROI.
Level 1, REACTION: feedback on attitude and feelings toward the training.
Level 2, LEARNING: the extent to which participants' attitudes change and their knowledge and skills improve.
Level 3, BEHAVIOR: transfer of learning, the extent to which on-the-job behavior changes as a result of the training.
Level 4, BUSINESS IMPACT/ROI: compares the cost of the training with its benefits.
(Kirkpatrick's own Level 4 is labelled Results; expressing it as ROI follows the common extension of the model.)

Developing the Training Plan by identifying the training criteria.

Training Plan [Analysis]
1. Title: Annual Security Awareness Training
2. Purpose: Provide security awareness training to "produce relevant and needed security skills and competencies".
3. Target Audience: All IT end-users [100 to 100,000+ employees]
4. Learning Objectives: At the end of this course, given scenarios and activities, the participants will be able to: identify threats and vulnerabilities to computer systems; explain the computer security policies; describe appropriate computer security practices; describe the role of the security organization; and state their own responsibilities as users.
5. Budget Allocation: Are funds available for Security Awareness Training? [Yes/No]
6. Training Delivery Method: Computer-Based Training [Web-based Training]
7. Delivery Timeframes: Minutes
8. Proposed Additional Resources: What resources are available to design, develop and deliver the course? Developed by a Contractor.
9. Evaluation and Measurement: Reaction (Level 1) and Learning (Level 2)

To determine the needs for role-based training we reference the NIST Special Publication IT Security Training Matrix. Each cell names a training area (row) for a functional specialty (column); an empty cell means that area does not apply to that specialty.

IT SECURITY TRAINING MATRIX (training areas by functional specialty)

                                A        B        C          D            E          F      G
Training area                   Manage   Acquire  Design &   Implement &  Review &   Use    Other
                                                  Develop    Operate      Evaluate
1. Law & Regulations            1A       1B       1C         1D           1E         1F
2. Security Program
   2.1 Planning                 2.1A     2.1B     2.1C       2.1D         2.1E
   2.2 Management               2.2A     2.2B     2.2C       2.2D         2.2E
3. System Life Cycle Security
   3.1 Initiation               3.1A     3.1B     3.1C                    3.1E       3.1F
   3.2 Development              3.2A     3.2B     3.2C       3.2D         3.2E       3.2F
   3.3 Test & Evaluation                          3.3C       3.3D         3.3E       3.3F
   3.4 Implementation           3.4A              3.4C       3.4D         3.4E       3.4F
   3.5 Operations               3.5A              3.5C       3.5D         3.5E       3.5F
   3.6 Termination              3.6A              3.6C       3.6D         3.6E
4. Other

Continue to identify the training criteria for role-based training: IT Security Management: Manage.

Training Plan [Analysis]
1. Title: IT Security Management [2.2 A]
2. Purpose: Provide role-based training in functional specialties, to understand and implement a security program that meets organizational needs.
3. Target Audience: CIO, Information Resource Manager, IT Security Specialist/Manager, Program Manager
4. Learning Objectives: At the conclusion of this module, individuals will be able to:
   - Monitor organizational activities to ensure compliance with the existing IT security program.
   - Review organizational IT security plans to ensure they appropriately address the security requirements of each system.
   - Interpret patterns of non-compliance to determine their impact on levels of risk and/or the overall effectiveness of the IT security program and, on that basis, modify or augment the program as appropriate.
5. Budget Allocation: Are funds available for this course? [Yes/No]
6. Training Delivery Method: Instructor-Led; Web-based; Computer-Based; Blended
7. Delivery Timeframes: Minutes
8. Proposed Additional Resources: What resources are available to design, develop and deliver the course? Developed by a Contractor.
9. Evaluation and Measurement: Reaction (L1), Learning (L2), Behavior (L3), ROI (L4)

Continue to identify the training criteria for role-based training: IT Security Management: Acquire.

Training Plan [Analysis]
1. Title: IT Security Management [2.2 B] Acquisition
2. Purpose: Provide role-based training in functional specialties, to gain a sufficient understanding of IT security and the acquisition process to incorporate IT security program requirements into acquisition work.
3. Target Audience: Contracting Officer, COTR, Information Resource Manager, IT Specialist/Manager, IT Investment Review Board Members
4. Learning Objectives: At the conclusion of this module, individuals will be able to:
   - Identify areas within the acquisition process where IT security work steps are required.
   - Develop security work steps for inclusion in the acquisition process.
   - Evaluate procurement activities to ensure the IT security work steps are being effectively performed.
5. Budget Allocation: Are funds available for this course? [Yes/No]
6. Training Delivery Method: Instructor-Led; Web-based; Computer-Based; Blended
7. Delivery Timeframes: Minutes
8. Proposed Additional Resources: What resources are available to design, develop and deliver the course? Developed by a Contractor.
9. Evaluation and Measurement: Reaction (L1), Learning (L2), Behavior (L3), ROI (L4)

Developing a Training Plan can be considered the Analysis (and Design) phase of what instructional designers or training specialists call the ADDIE model (McGriff (2000), Instructional Systems, College of Education, Penn State University):
Analysis: define what is to be learned.
Design: plan the instruction.
Development: develop the instructional materials.
Implementation: execute the instruction.
Evaluation (formative during the cycle, summative at the end): determine the effectiveness of the instruction.

Create a series of matrices to identify trends that guide decision-making: Training Audience Matrix.

TRAINING AUDIENCE MATRIX (target audience by training type)

Training type                                   CIO   IT Specialist   Program Manager   COTR   End-Users   New Hires
Orientation Training                                                                                        X
Awareness Training                                                                             X
Role-Based Training: Security Management Courses
   Managing a Security Organization             X     X               X
   Integrating Security into Acquisition        X     X                                 X
   Lifecycle

(The slide marks three audiences for each role-based course; the marks above are placed according to the target audiences listed on the preceding course slides.)

Create a series of matrices to identify trends that guide decision-making: Budget Allocation, Training Delivery, Delivery Timeframe, Additional Resources, and Evaluation and Measurement.

BUDGET ALLOCATION MATRIX (are resources available for this course?)

Training type                                   Yes   No   Maybe
Security Orientation
Awareness Training
Role-Based Training: Security Management Courses
   Managing a Security Organization
   Integrating Security into Acquisition Lifecycle

(Each row receives a single mark in one of the three columns; the slide shows one mark per course.)

Create a series of matrices to identify trends that guide decision-making: Budget Allocation, Training Delivery, Delivery Timeframe, Additional Resources, and Evaluation and Measurement.

TRAINING DELIVERY MATRIX (what type of training will be used?)

Training type                                   ILT   WBT   CBT   Blended
Security Orientation                            X
Awareness Training                                          X
Role-Based Training: Security Management Courses
   Managing a Security Organization                                X
   Integrating Security into Acquisition Lifecycle                 X

(ILT = instructor-led training, WBT = web-based training, CBT = computer-based training. One method is marked per course; the marks above follow the delivery methods given on the preceding course slides.)

Program structure (diagram, repeated): Office of IT Strategic Plan -> IT Security Policy -> Training Strategic Plan -> Training Plan -> Training Program -> Security Training Program Success, with Stakeholder Meetings and the Vision, Mission and Goals feeding the Training Strategic Plan.

After assessing the security training needs, determine the most effective approach to acquiring resources, executing and evaluating the Training Program. Determine what resources you have to accomplish the Training Strategic Plan's vision, mission and goals: Who can develop training based on the identified needs? What can we do to develop the most effective security training with the resources we have?