NIST Updates Guidance on Information Security Awareness

Draft Special Publication Aimed at Security Pros and Training Program Designers

The National Institute of Standards and Technology is issuing draft guidance aimed at improving the way government agencies educate their employees on information security awareness.
NIST said the draft publication is aimed at two groups of professionals: those charged with securing IT systems and individuals responsible for developing training programs. "We believe that these two audiences will look at the document in very different ways," a NIST statement says. "The information security professional will probably be reading to understand what must be done to provide role-based training in his or her organization. The instructional design specialist/training development specialist will be reading to understand the training methodology contained in the document, and to use that methodology to design and possibly present training courses for specific audiences."
Known as Special Publication 800-16: Information Security Training Requirements: A Role- and Performance-Based Model (Draft) - along with SP 800-50: Building an Information Technology Security Awareness and Training Program - it describes key approaches of an information security awareness and training program required under the Federal Information Security Management Act and Office of Management and Budget.
Among the provisions of SP 800-16, an update from the original document issued nearly 11 years ago:
"Meeting these responsibilities and providing for the confidentiality, integrity and availability of information in today's highly networked environment is not an easy or trivial task," the draft document states. "The task is made that much more difficult, if not impossible, if each person who owns, uses, relies on, or manages information and information systems does not know their specific responsibilities and/or is not properly motivated to carry out their information security responsibilities."