Training security personnel remains a challenge

NIST offers some advice on prioritizing

Agencies are required to provide training for personnel with significant responsibilities for information security, but selecting the appropriate level of training while husbanding limited educational resources can be a challenging task.

“Key to this effective use of limited resources is ensuring that training is provided first to those who need it most,” stated a recent bulletin from the IT Lab at the National Institute of Standards and Technology.

Deciding who needs it most, defined in the Federal Information Security Management Act as those with “significant information security responsibilities,” is easier said than done. It is a task that can lead to “spirited discussions,” wrote Mark Wilson of the IT Lab’s Computer Security Division.

Using too broad a definition can prove a drain on limited training resources. “On the other side of the coin, if an organization pays lip service to the requirement and identifies too few personnel in a ‘check the box’ solution to the FISMA requirement, personnel who actually do have significant security responsibilities will not have the information security training that they need to protect the organization’s information and information system resources,” Wilson wrote.

NIST is updating its Special Publication 800-50, “Building an Information Technology Security Awareness and Training Program,” published in 2003, but in the meantime the June IT Lab bulletin, “How to Identify Personnel with Significant Responsibilities for Information Security,” offers some interim guidance.

FISMA distinguishes between what is called “awareness training” for general IT users and more specific training for those responsible for an agency’s IT security. Under FISMA, an agency's chief information officer is responsible for designating a senior information security officer, usually the CISO, who is responsible for training and overseeing personnel with significant information security responsibilities. The task is further complicated by the need for many personnel who do not qualify as having “significant” responsibilities to nevertheless be trained at an appropriate level for their security responsibilities.

“CISOs, supervisors, managers, information owners, and system owners should insist that all personnel with responsibilities for information security – beyond the organization’s information system user population – are trained to the degree necessary for them to perform their security tasks in a satisfactory manner, whether they have some or significant information security responsibilities,” the bulletin says.

The bulletin offers seven criteria for selecting personnel with significant information security responsibilities:

Position sensitivity. This is identified in each position description. Positions of increased sensitivity could have more significant responsibilities.

Role. The prevailing tendency in some training initiatives is to define responsibilities by role alone. Some roles, such as agency head, CIO and CISO, would appear to be obvious choices. There also are other “usual suspects,” including system administrator, network administrator, information owner, system owner, auditor, assessor, incident response coordinator or analyst, information system security officer, risk executive, security administrator, security engineer, and security architect.

However, a system administrator for a low-impact system would be included under this scheme with an administrator for a high-impact system, and this could lead to an imbalance of the training provided.

Impact level. Instead of using role as the sole determinant, the impact level assigned under Federal Information Processing Standard 199 to the information and information systems also should be considered.

Greatest vulnerabilities. This criterion allows the appropriate managers to ask: Where are our vulnerabilities or weaknesses? Who has the ability or responsibility to fix them? Are the problems being fixed or not? Training resources can be assigned accordingly.

Security controls. Those personnel with the responsibility to select, implement, and assess system security controls may be deemed to have significant responsibilities.

Risk management. Those personnel with the responsibility for risk management of systems may be deemed to have significant responsibilities.

Security program management. Those personnel with the responsibility to implement, manage, maintain and audit information security programs may be considered to have significant responsibilities – from executive-level perspectives to system-, application- and network-level management.

The bulletin recommends assembling a team to make decisions, which could include representatives from human resources, labor unions, the CIO’s office, physical security, office of general counsel, internal audit, and functions that perform critical missions of the organization. System owners and information owners related to these critical missions also could be involved.

About the Author

William Jackson is a Maryland-based freelance writer.