
A Security Training Program through Transformational Leadership and Practical Approaches
Tanetta N. Isler, Federal Information Systems Security Educators’ Association (FISSEA)


1 A Security Training Program through Transformational Leadership and Practical Approaches
   Tanetta N. Isler, Federal Information Systems Security Educators’ Association (FISSEA) Executive Board Member 2003-2005
   Program components: Security Orientation; Annual Security Training; Security Awareness; Role-Based Training

2 Security Training Program overview (diagram)
   Components: Office of IT Strategic Plan; IT Security Policy; Training Strategic Plan (Vision, Mission, Goals); Training Plan; Training Program; Stakeholder Meetings; Security Training Program Success.
   Stakeholder Meetings:
     - Meetings
     - Working Groups
     - Communities of Practice
     - Committees
   Office of IT Strategic Plan and Training Strategic Plan (each):
     - Goals and objectives
     - Milestones to achieve
     - Performance indicators
   IT Security Policy:
     - Define authority
     - Assign responsibility
     - Guide resource allocation
   Training Plan:
     - Define parameters
     - Determine logistics
     - Identify resources
   Training Program:
     - Acquire resources
     - Execute Program
     - Evaluate Program
   Security Training Program Success: Organizational acceptance and integration of IT security policies, procedures, and practices within an organization’s existing lines of business rules and practices.

3 TRAINING STRATEGIC PLAN: Mission, Vision, Goals and Objectives
   MISSION: The mission is to ensure that a comprehensive, effective, and measurable training program is fully implemented, evaluated, and aligned with the Office of IT Security’s business objectives and strategic goals.
   VISION: To achieve an effective and efficient Training Program that is integrated at all levels within the Department/Agency and in compliance with all security-related statutes, regulations and Federal laws.
   STRATEGIC GOALS:
     GOAL 1: Design, develop, and implement a fully-integrated security training program.
     GOAL 2: Comply with Federal Information Security Directives.
     GOAL 3: Ensure the security training program is evaluated to determine transfer of learning and return on investment (ROI).
   A Strategic Plan guides the process of creating the Training Plan, which leads to establishing or maintaining a Training Program.

4 Strategic Plan objectives guide the process of creating a Training Plan, which leads to establishing or maintaining a Training Program.
   TRAINING STRATEGIC PLAN
     GOAL 1: Design, develop and implement a fully integrated training program
     GOAL 2: Comply with Federal IT security directives and mandates
     GOAL 3: Ensure training program is evaluated
   OBJECTIVES
     Awareness: Provide security awareness activities to all employees within the Department/Agency
     Orientation: Identify all new hires and provide security orientation “60 days prior to employee’s use of IT systems”
     Role-Based (Specific) Training: Identify all employees with significant security responsibilities and provide security training in functional specialties
     Annual Refresher Training: Identify all IT end-users and provide security awareness training “annually”

5 A Strategic Plan guides the process of creating the Training Plan, which leads to a Training Program.
   Training Strategic Plan
     AWARENESS: Provide security awareness activities to all employees within the Department/Agency
     ORIENTATION: Provide security orientation “60 days prior to employee’s use of IT systems”
     REFRESHER TRAINING: Provide security awareness training “annually”
     ROLE-BASED TRAINING: Provide role-specific training in functional specialties
   Training Plan [Needs Analysis]
     1. Title
     2. Purpose
     3. Target Audience
     4. Learning Objectives
     5. Budget Allocation
     6. Training Delivery Method
     7. Delivery Timeframes
     8. Proposed Additional Resources
     9. Evaluation and Measurement

6 Developing a Training Plan can be considered the Analysis (and Design) phase of what instructional designers/training specialists call the ADDIE model: Analysis, Design, Development, Implementation and Evaluation (Formative Evaluation and Summative Evaluation).
   Analysis: Define what is to be learned
   Source: McGriff (2000), Instructional Systems, College of Education, Penn State University

7 A Training Plan determines the learner profile and describes possible constraints and needs.
   Training Plan [Outline]
     1. Title: Security Basics and Literacy (Orientation)
     2. Purpose: To provide basic security concepts to new hires 60 days upon use of an IT system
     3. Target Audience: All new hires [120 employees a year]
     4. Learning Objectives (Beginning): At the end of this course, given the materials, discussions and activities, the participants will be able to: understand our enterprise and critical infrastructure, prevent and reduce common threats, practice safeguards and countermeasures, and protect our information technology assets.
     5. Budget Allocation: Are funds available for Security Basics and Literacy? [Yes/No]
     6. Training Delivery Method: Instructor-Led Training
     7. Delivery Timeframes: 30-50 Minutes
     8. Proposed Additional Resources: What resources are available to design, develop and deliver the course? Developed by Program Analyst
     9. Evaluation and Measurement: Reaction (Attitude Survey)

8 The Kirkpatrick Model of evaluation uses four levels of evaluation: Reaction, Learning, Behavior and ROI.
   Level 1 REACTION: feedback on attitude and feeling towards the training
   Level 2 LEARNING: extent to which participants’ attitudes change, knowledge improves and skills increase
   Level 3 BEHAVIOR: transfer of learning is the extent to which a change in behavior
   Level 4 BUSINESS IMPACT/ROI: compares the cost of the training with its benefits

9 Developing the Training Plan by identifying training criteria
   Training Plan [Analysis]
     1. Title: Annual Security Awareness Training
     2. Purpose: Provide security awareness training to “produce relevant and needed security skills and competencies”
     3. Target Audience: All IT end-users [100 – 100,000+ employees]
     4. Learning Objectives: At the end of this course, given scenarios and activities, the participants will be able to: identify threats and vulnerabilities to computer systems, introduce computer security policies, describe appropriate computer security practices, review the role of the security organization, and inform users of their responsibilities
     5. Budget Allocation: Are funds available for Security Awareness Training? [Yes/No]
     6. Training Delivery Method: Computer-Based Training [Web-based Training]
     7. Delivery Timeframes: 50-60 Minutes
     8. Proposed Additional Resources: What resources are available to design, develop and deliver the course? Developed by Contractor
     9. Evaluation and Measurement: Reaction (Level 1) and Learning (Level 2)


11 To determine the needs for role-based training we reference the NIST SP 800-16 IT Security Training Matrix.
   IT SECURITY TRAINING MATRIX (training areas by functional specialty)
   Functional specialties: A MANAGE; B ACQUIRE; C DESIGN & DEVELOP; D IMPLEMENT & OPERATE; E REVIEW & EVALUATE; F USE; G OTHER

   TRAINING AREA                      A      B      C      D      E      F      G
   1. LAW & REGULATIONS               1A     1B     1C     1D     1E     1F
   2. SECURITY PROGRAM
      2.1 PLANNING                    2.1A   2.1B   2.1C   2.1D   2.1E
      2.2 MANAGEMENT                  2.2A   2.2B   2.2C   2.2D   2.2E
   3. SYSTEM LIFE CYCLE SECURITY
      3.1 INITIATION                  3.1A   3.1B   3.1C   -      3.1E   3.1F
      3.2 DEVELOPMENT                 3.2A   3.2B   3.2C   3.2D   3.2E   3.2F
      3.3 TEST & EVALUATION           -      -      3.3C   3.3D   3.3E   3.3F
      3.4 IMPLEMENTATION              3.4A   -      3.4C   3.4D   3.4E   3.4F
      3.5 OPERATIONS                  3.5A   -      3.5C   3.5D   3.5E   3.5F
      3.6 TERMINATION                 3.6A   -      3.6C   3.6D   3.6E
   4. OTHER
   (- : the matrix defines no cell for that training area / functional specialty combination)

12 Continue to identify the training criteria for role-based training: IT Security Management: Manage
   Training Plan [Analysis]
     1. Title: IT Security Management [2.2 A]
     2. Purpose: Provide role-based training in functional specialties to understand and implement a security program that meets organizational needs
     3. Target Audience: CIO, Information Resource Manager, IT Security Specialist/Manager, Program Manager
     4. Learning Objectives: At the conclusion of this module, individuals will be able to:
        - Monitor organizational activities to ensure compliance with the existing IT security program
        - Review organizational IT security plans to ensure they appropriately address the security requirements of each system
        - Interpret patterns of non-compliance to determine their impact on levels of risk and/or overall effectiveness of the IT security program and, on that basis, modify or augment the program as appropriate
     5. Budget Allocation: Are funds available for Security Awareness Training? [Yes/No]
     6. Training Delivery Method: Instructor-Led; Web-based; Computer-Based; Blended
     7. Delivery Timeframes: 50-60 Minutes
     8. Proposed Additional Resources: What resources are available to design, develop and deliver the course? Developed by Contractor
     9. Evaluation and Measurement: Reaction (L1), Learning (L2), Behavior (L3), ROI (L4)


14 Continue to identify the training criteria for role-based training: IT Security Management: Acquire
   Training Plan [Analysis]
     1. Title: IT Security Management [2.2 B] Acquisition
     2. Purpose: Provide role-based training in functional specialties to gain a sufficient understanding of IT security and the acquisition process to incorporate IT security program requirements into acquisition work
     3. Target Audience: Contracting Officer, COTR, Information Resource Manager, IT Specialist/Manager, IT Investment Review Board Members
     4. Learning Objectives: At the conclusion of this module, individuals will be able to:
        - Identify areas within the acquisition process where IT security work steps are required
        - Develop security work steps for inclusion in the acquisition process
        - Evaluate procurement activities to ensure the IT security work steps are being effectively performed
     5. Budget Allocation: Are funds available for Security Awareness Training? [Yes/No]
     6. Training Delivery Method: Instructor-Led; Web-based; Computer-Based; Blended
     7. Delivery Timeframes: 50-60 Minutes
     8. Proposed Additional Resources: What resources are available to design, develop and deliver the course? Developed by Contractor
     9. Evaluation and Measurement: Reaction (L1), Learning (L2), Behavior (L3), ROI (L4)


16 Developing a Training Plan can be considered the Analysis (and Design) phase of what instructional designers or training specialists call the ADDIE model.
   Analysis: Define what is to be learned
   Design: Plan instruction
   Development: Develop instructional materials
   Implementation: Execute instruction
   Evaluation (Formative Evaluation and Summative Evaluation): Determine the effectiveness of the instruction
   Source: McGriff (2000), Instructional Systems, College of Education, Penn State University

17 TRAINING AUDIENCE MATRIX
   Create a series of matrices to determine trends to guide decision-making: Training Audience Matrix
   Target Audience columns: CIO | IT Specialist | Program Manager | COTR | End-Users | New Hires
   Training Type:
     ORIENTATION TRAINING ........................................ X
     AWARENESS TRAINING .......................................... X
     ROLE-BASED TRAINING (Security Management Courses)
       Managing a Security Organization .......................... X X X
       Integrating Security into Acquisition Lifecycle ........... X X X

18 BUDGET ALLOCATION MATRIX: Are resources available for this course?
   Create a series of matrices to determine trends to guide decision-making: Budget Allocation, Training Delivery, Delivery Timeframe, Additional Resources, and Evaluation and Measurement
   Columns: Yes | No | Maybe
   Training Type:
     Security Orientation ........................................ X
     Awareness Training .......................................... X
     Role-based Training (Security Management Courses)
       Managing a Security Organization .......................... X
       Integrating Security into Acquisition Lifecycle ........... X

19 TRAINING DELIVERY MATRIX: What type of training will be used?
   Create a series of matrices to determine trends to guide decision-making: Budget Allocation, Training Delivery, Delivery Timeframe, Additional Resources, and Evaluation and Measurement
   Columns: ILT | WBT | CBT | Blended
   Training Type:
     Security Orientation ........................................ X
     Awareness Training .......................................... X
     Role-based Training (Security Management Courses)
       Managing a Security Organization .......................... X
       Integrating Security into Acquisition Lifecycle ........... X

20 Security Training Program overview (diagram repeated from slide 2: Office of IT Strategic Plan; IT Security Policy; Training Strategic Plan (Vision, Mission, Goals); Training Plan; Training Program; Stakeholder Meetings; Security Training Program Success)
   After assessing the security training needs, determine the most effective approach to acquiring resources and to executing and evaluating the Training Program.
   Determine what resources you have to accomplish the Training Strategic Plan vision, mission and goals.
   Who can develop training based on needs?
   What can we do to develop the most effective security training with the resources we have?

