NIST Updates Guidance on Information Security Awareness

Draft Special Publication Aimed at Security Pros and Training Program Designers

The National Institute of Standards and Technology is issuing draft guidance aimed at improving the way government agencies educate their employees on information security awareness.

NIST said the draft publication is aimed at two groups of professionals: those charged with securing IT systems and individuals responsible for developing training programs. "We believe that these two audiences will look at the document in very different ways," a NIST statement says. "The information security professional will probably be reading to understand what must be done to provide role-based training in his or her organization. The instructional design specialist/training development specialist will be reading to understand the training methodology contained in the document, and to use that methodology to design and possibly present training courses for specific audiences."

Known as Special Publication 800-16: Information Security Training Requirements: A Role- and Performance-Based Model (Draft), the document, together with SP 800-50: Building an Information Technology Security Awareness and Training Program, describes the key elements of an information security awareness and training program required under the Federal Information Security Management Act and Office of Management and Budget policy.

Among the provisions of SP 800-16, an update of the original document issued nearly 11 years ago:

All employees must be regularly exposed to information security awareness techniques, for instance posters, awareness tools/trinkets, periodic e-mail, warning messages, tips of the day upon accessing an information system, and computer/information security day events;

All users of IT systems must attend information security awareness training, online or in person, annually. Training material should cover information security basics and literacy.

Each employee who has significant responsibility for information security must receive formal role-based information security training. The amount and frequency of training depends on the gap between an individual's existing and needed skills, and on changes in technology and the operating environment to which the individual must adapt. Influences on training needs include individual development plans, performance plans and management.

"Meeting these responsibilities and providing for the confidentiality, integrity and availability of information in today's highly networked environment is not an easy or trivial task," the draft document states. "The task is made that much more difficult, if not impossible, if each person who owns, uses, relies on, or manages information and information systems does not know their specific responsibilities and/or is not properly motivated to carry out their information security responsibilities."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
