TRENDING:

NIST Updates Guidance on Information Security Awareness

Draft Special Publication Aimed at Security Pros and Training Program Designers Eric Chabrow (GovInfoSecurity) • March 24, 2009     The National Institute of Standards and Technology is issuing draft guidance aimed at improving the way government agencies educate their employees on information security awareness.

NIST said the draft publication is aimed at two groups of professionals: those charged with securing IT systems and individuals responsible for developing training programs. "We believe that these two audiences will look at the document in very different ways," a NIST statement says. "The information security professional will probably be reading to understand what must be done to provide role-based training in his or her organization. The instructional design specialist/training development specialist will be reading to understand the training methodology contained in the document, and to use that methodology to design and possibly present training courses for specific audiences."

Known as Special Publication 800-16: Information Security Training Requirements: A Role- and Performance-Based Model (Draft) - along with SP 800-50: Building an Information Technology Security Awareness and Training Program - it describes key approaches of an information security awareness and training program required under the Federal Information Security Management Act and Office of Management and Budget.

Among provision of SP 800-16, an update from the original document issued nearly 11 years ago:

All employees must be regularly exposed to information security awareness techniques for instance, posters, awareness tools/trinkets, periodic e-mail, warning messages, tips of the day upon accessing an information system, computer/information security day events;

All users of IT systems must attend information security awareness training online or in-person annually. Training material should provide the information security basics and literacy.

Each employ who has significant responsibility for information security must receive formal role-based information security training. The amount and frequency of training depends on the gap between an individual's existing and needed skills, and changes in technology and the operating environment to which the individual must adapt. Influences on training needs include individual development plans, performance plans and management.

"Meeting these responsibilities and providing for the confidentiality, integrity and availability of information in today's highly networked environment is not an easy or trivial task," the draft document states. "The task is made that much more difficult, if not impossible, if each person who owns, uses, relies on, or manages information and information systems does not know their specific responsibilities and/or is not properly motivated to carry out their information security responsibilities."

Previous
Bill Mulled to Create White House Cybersecurity Office
Next
Welcome to GovInfoSecurity.com

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



Around the Network

Stopping Cloud Workload Attacks
Stopping Cloud Workload Attacks
AI in Healthcare: The Growing Promise - and Potential Risks
AI in Healthcare: The Growing Promise - and Potential Risks
Joe Sullivan on What CISOs Need to Know About the Uber Trial
Joe Sullivan on What CISOs Need to Know About the Uber Trial
Getting a Tighter Grip on Vendor Security Risk in Healthcare
Getting a Tighter Grip on Vendor Security Risk in Healthcare
How AI Can Help Speed Up Physician Credentialing Chores
How AI Can Help Speed Up Physician Credentialing Chores
Why Hospitals Should Beware of Malicious AI Use
Why Hospitals Should Beware of Malicious AI Use
How Biden's AI Executive Order Will Affect Healthcare
How Biden's AI Executive Order Will Affect Healthcare
How State Governments Can Regulate AI and Protect Privacy
How State Governments Can Regulate AI and Protect Privacy
Good Governance: 'It's All Hygiene'
Good Governance: 'It's All Hygiene'
Mapping Access - and Attack - Paths in Active Directory
Mapping Access - and Attack - Paths in Active Directory

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.