Training security personnel remains a challenge

NIST offers some advice on prioritizing

Agencies are required to provide training for personnel with significant responsibilities for information security, but selecting the appropriate level of training while husbanding limited educational resources can be a challenging task.

“Key to this effective use of limited resources is ensuring that training is provided first to those who need it most,” stated a recent bulletin from the IT Lab at the National Institute of Standards and Technology.

Deciding who needs it most, defined in the Federal Information Security Management Act as those with “significant information security responsibilities,” is easier said than done. It is a task that can lead to “spirited discussions,” wrote Mark Wilson of the IT Lab’s Computer Security Division.

Using too broad a definition can prove a drain on limited training resources. “On the other side of the coin, if an organization pays lip service to the requirement and identifies too few personnel in a ‘check the box’ solution to the FISMA requirement, personnel who actually do have significant security responsibilities will not have the information security training that they need to protect the organization’s information and information system resources,” Wilson wrote.

NIST is updating its Special Publication 800-50, “Building an Information Technology Security Awareness and Training Program,” published in 2003, but in the meantime the June IT Lab bulletin, “How to Identify Personnel with Significant Responsibilities for Information Security,” offers some interim guidance.

FISMA distinguishes between “awareness training,” which every user of an agency’s information systems must receive, and role-based training for personnel responsible for an agency’s IT security. Under FISMA, an agency’s chief information officer is responsible for designating a senior agency information security officer, usually the CISO, who is responsible for training and overseeing personnel with significant information security responsibilities. The task is complicated by the fact that many personnel who do not qualify as having “significant” responsibilities nevertheless have some security responsibilities and must be trained at a level appropriate to them.

“CISOs, supervisors, managers, information owners, and system owners should insist that all personnel with responsibilities for information security – beyond the organization’s information system user population – are trained to the degree necessary for them to perform their security tasks in a satisfactory manner, whether they have some or significant information security responsibilities,” the bulletin says.

The bulletin offers seven criteria for selecting personnel with significant information security responsibilities:

Position sensitivity. This is identified in each position description. Positions of increased sensitivity could have more significant responsibilities.

Role. The prevailing tendency in some training initiatives is to define responsibilities by role alone. Some roles, such as agency head, CIO and CISO, would appear to be obvious choices. There also are other “usual suspects,” including system administrator, network administrator, information owner, system owner, auditor, assessor, incident response coordinator or analyst, information system security officer, risk executive, security administrator, security engineer, and security architect.

However, under a role-only scheme a system administrator for a low-impact system would be grouped with an administrator for a high-impact system, so both would receive the same training even though the risk attached to their duties differs considerably.

Impact level. Instead of using role as the sole determinant, the impact level assigned under Federal Information Processing Standard 199 to the information and information systems also should be considered.

Greatest vulnerabilities. This criterion allows the appropriate managers to ask: Where are our vulnerabilities or weaknesses? Who has the ability or responsibility to fix them? Are the problems being fixed or not? Training resources can be assigned accordingly.

Security controls. Those personnel with the responsibility to select, implement, and assess system security controls may be deemed to have significant responsibilities.

Risk management. Those personnel with the responsibility for risk management of systems may be deemed to have significant responsibilities.

Security program management. Those personnel with the responsibility to implement, manage, maintain and audit information security programs may be considered to have significant responsibilities – from executive-level perspectives to system-, application- and network-level management.

The bulletin recommends assembling a team to make decisions, which could include representatives from human resources, labor unions, the CIO’s office, physical security, office of general counsel, internal audit, and functions that perform critical missions of the organization. System owners and information owners related to these critical missions also could be involved.

About the Author

William Jackson is a Maryland-based freelance writer.