III. Operational Controls

capability, contacts will have been established with counterparts outside the organization. This
allows for early warning of threats and vulnerabilities that the organization may have not yet
experienced. Early preventative measures (generally more cost-effective than repairing damage)
can then be taken to reduce future losses. Data is also shared outside the organization to allow
others to learn from the organization's experiences.

12.1.3 Side Benefits

Finally, establishing an incident handling capability helps an organization in perhaps unanticipated
ways. Three are discussed here.

Uses of Threat and Vulnerability Data. Incident handling can greatly enhance the risk assessment
process. An incident handling capability will allow organizations to collect threat data that may be
useful in their risk assessment and safeguard selection processes (e.g., in designing new systems).
Incidents can be logged and analyzed to determine whether there is a recurring problem (or if
other patterns are present, as are sometimes seen in hacker attacks), which would not be noticed
if each incident were only viewed in isolation. Statistics on the numbers and types of incidents in
the organization can be used in the risk assessment process as an indication of vulnerabilities and
threats.[1]

Enhancing Internal Communications and Organization Preparedness. Organizations often find
that an incident handling capability enhances internal communications and the readiness of the
organization to respond to any type of incident, not just computer security incidents. Internal
communications will be improved; management will be better organized to receive
communications; and contacts within public affairs, legal staff, law enforcement, and other groups
will have been preestablished. The structure set up for reporting incidents can also be used for
other purposes.

Enhancing the Training and Awareness Program. The organization's training process can also
benefit from incident handling experiences. Based on incidents reported, training personnel will
have a better understanding of users' knowledge of security issues. Trainers can use actual
incidents to vividly illustrate the importance of computer security. Training that is based on
current threats and controls recommended by incident handling staff provides users with
information more specifically directed to their current needs — thereby reducing the risks to the
organization from incidents.

[1] It is important, however, not to assume that since only n reports were made, that n is the total number of incidents;
it is not likely that all incidents will be reported.

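The logging and pattern analysis described under "Uses of Threat and Vulnerability Data" above, as an added example that is not part of the handbook: a small Python script (added here, not NIST's code) that aggregates a constructed incident log into counts by type and by who discovered each incident, and flags a category/system pair that recurs within a time window, which a report-by-report view would miss. The Incident record layout, the category names, the sample dates and the 90-day/three-report thresholds are all assumptions chosen for illustration.

```python
"""Aggregate reported incidents into the statistics section 12.1.3 says feed
risk assessment. Added example; the record layout, category names and sample
log are constructed assumptions, not data from the handbook."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Incident:
    """One report received by the incident handling capability (assumed layout)."""
    reported: date
    category: str       # e.g. "virus", "unauthorized access"
    system: str         # affected system or platform
    discovered_by: str  # who noticed it: "user", "admin" or "external"


# Constructed sample log: eight reports over one year. Not real data.
SAMPLE_LOG = [
    Incident(date(1994, 1, 5), "virus", "pc-lab-1", "user"),
    Incident(date(1994, 1, 20), "virus", "pc-lab-1", "user"),
    Incident(date(1994, 2, 2), "virus", "pc-lab-1", "admin"),
    Incident(date(1994, 2, 14), "virus", "pc-lab-2", "user"),
    Incident(date(1994, 3, 1), "unauthorized access", "mainframe", "external"),
    Incident(date(1994, 6, 15), "virus", "pc-lab-1", "user"),
    Incident(date(1994, 7, 4), "password sharing", "mainframe", "admin"),
    Incident(date(1994, 7, 10), "unauthorized access", "mainframe", "admin"),
]


def count_by_category(incidents):
    """Number of reports per category: the 'numbers and types of incidents'."""
    return dict(Counter(inc.category for inc in incidents))


def count_by_discoverer(incidents):
    """Who is actually finding incidents; useful input for the awareness program."""
    return dict(Counter(inc.discovered_by for inc in incidents))


def recurring_problems(incidents, window_days=90, threshold=3):
    """Find (category, system) pairs reported at least `threshold` times within
    any span of `window_days`. Returns a sorted list of
    (category, system, peak_count_in_window)."""
    dates_by_key = defaultdict(list)
    for inc in incidents:
        dates_by_key[(inc.category, inc.system)].append(inc.reported)
    window = timedelta(days=window_days)
    hits = []
    for (category, system), dates in dates_by_key.items():
        dates.sort()
        peak = 0
        j = 0
        # Sliding window: for each start i, advance j while reports fall inside the window.
        for i in range(len(dates)):
            while j < len(dates) and dates[j] - dates[i] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            hits.append((category, system, peak))
    return sorted(hits)


def summarize(incidents, window_days=90, threshold=3):
    """Assemble the figures for the risk assessment. `reported_total` counts
    reports, not incidents: as the footnote warns, n reports do not mean only
    n incidents occurred, so treat it as a lower bound."""
    return {
        "reported_total": len(incidents),
        "by_category": count_by_category(incidents),
        "by_discoverer": count_by_discoverer(incidents),
        "recurring": recurring_problems(incidents, window_days, threshold),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log, the virus reports from the same PC lab cluster into three within 28 days and are flagged as a recurring problem, while the two mainframe access reports are four months apart and are not; widening the window or lowering the threshold changes that, so the thresholds should be tuned to the organization's own reporting volume.
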
Roku EX1040 (Part 2 of 2)
Roku v. Ancora
IPR2021-01406

12. Incident Handling

12.2 Characteristics of a Successful Incident Handling Capability

A successful incident handling capability has several core characteristics:

• an understanding of the constituency it will serve;
• an educated constituency;
• a means for centralized communications;
• expertise in the requisite technologies; and
• links to other groups to assist in incident handling (as needed).

12.2.1 Defining the Constituency to Be Served

The constituency includes computer users and program managers. Like any other
customer-vendor relationship, the constituency will tend to take advantage of the capability if
the services rendered are valuable.

The constituency is not always the entire organization. For example, an organization may use
several types of computers and networks but may decide that its incident handling capability is
cost-justified only for its personal computer users. In doing so, the organization may have
determined that computer viruses pose a much larger risk than other malicious technical threats
on other platforms. Or, a large organization composed of several sites may decide that current
computer security efforts at some sites do not require an incident handling capability, whereas
other sites do (perhaps because of the criticality of processing).

The focus of a computer security incident handling capability may be external as well as
internal. An incident that affects an organization may also affect its trading partners,
contractors, or clients. In addition, an organization's computer security incident handling
capability may be able to help other organizations and, therefore, help protect the community
as a whole.

12.2.2 Educated Constituency

Users need to know about, accept, and trust the incident handling capability or it will not be
used. Through training and awareness programs, users can become knowledgeable about the
existence of the capability and how to recognize and report incidents. Users' trust in the value
of the service will build with reliable performance.

Managers need to know details about incidents, including who discovered them and how, so
that they can prevent similar incidents in the future. However, users will not be forthcoming if
they fear reprisal or that they will become scapegoats. Organizations may need to offer
incentives to employees for reporting incidents and offer guarantees against reprisal or other
adverse actions. It may also be useful to consider anonymous reporting.

12.2.3 Centralized Reporting and Communications

Successful incident handling requires that users be able to report incidents to the incident handling
team in a convenient, straightforward fashion; this is referred to as centralized reporting. A
successful incident handling capability depends on timely reporting. If it is difficult or time
consuming to report incidents, the incident handling capability may not be fully used. Usually,
some form of a hotline, backed up by pagers, works well.

Centralized communications is very useful for accessing or distributing information relevant to
the incident handling effort. For example, if users are linked together via a network, the incident
handling capability can then use the network to send out timely announcements and other
information. Users can take advantage of the network to retrieve security information stored on
servers and communicate with the incident response team via e-mail.

12.2.4 Technical Platform and Communications Expertise

The technical staff members who comprise the incident handling capability need specific
knowledge, skills, and abilities. Desirable qualifications for technical staff members may include
the ability to:

• work expertly with some or all of the constituency's core technology;
• work in a group environment;
• communicate effectively with different types of users, who will range from system
  administrators to unskilled users to management to law-enforcement officials;
• be on-call 24 hours as needed; and
• travel on short notice (of course, this depends upon the physical location of the
  constituency to be served).

12.2.5 Liaison With Other Organizations

Due to increasing computer connectivity, intruder activity on networks can affect many
organizations, sometimes including those in foreign countries. Therefore, an organization's
incident handling team may need to work with other teams or security groups to effectively handle
incidents that range beyond its constituency. Additionally, the team may need to pool its
knowledge with other teams at various times. Thus, it is vital to the success of an incident
handling capability that it establish ties and contacts with other related counterparts and
supporting organizations.

Especially important to incident handling are contacts with investigative agencies, such as
federal (e.g., the FBI), state, and local law enforcement. Laws that affect computer crime vary
among localities and states, and some actions may be state (but not federal) crimes. It is
important for teams to be familiar with current laws and to have established contacts within law
enforcement and investigative agencies.

Incidents can also garner much media attention and can reflect quite negatively on an
organization's image. An incident handling capability may need to work closely with the
organization's public affairs office, which is trained in dealing with the news media. In
presenting information to the press, it is important that (1) attackers are not given information
that would place the organization at greater risk and (2) potential legal evidence is properly
protected.

The Forum of Incident Response and Security Teams

The 1988 Internet worm incident highlighted the need for better methods for responding to and
sharing information about incidents. It was also clear that any single team or "hot line" would
simply be overwhelmed. Out of this was born the concept of a coalition of response teams, each
with its own constituency, but working together to share information, provide alerts, and
support each other in the response to incidents. The Forum of Incident Response and Security
Teams (FIRST) includes teams from government, industry, computer manufacturers, and
academia. NIST serves as the secretariat of FIRST.

12.3 Technical Support for Incident Handling

Incident handling will be greatly enhanced by technical mechanisms that enable the dissemination
of information quickly and conveniently.

12.3.1 Communications for Centralized Reporting of Incidents

The technical ability to report incidents is of primary importance, since without knowledge of an
incident, response is precluded. Fortunately, such technical mechanisms are already in place in
many organizations.

For rapid response to constituency problems, a simple telephone "hotline" is practical and
convenient. Some agencies may already have a number used for emergencies or for obtaining
help with other problems; it may be practical (and cost-effective) to also use this number for
incident handling. It may be necessary to provide 24-hour coverage for the hotline. This can be
done by staffing the answering center, by providing an answering service for nonoffice hours, or
by using a combination of an answering machine and personal pagers.

If additional mechanisms for contacting the incident handling team can be provided, it may
increase access and thus benefit incident handling efforts. A centralized e-mail address that
forwards mail to staff members would [illegible] exchange information with the team.
Providing a fax number to users may also be helpful.

One way to establish a centralized reporting and incident response capability, while minimizing
expenditures, is to use an existing Help Desk. Many agencies already have central Help Desks
for fielding [illegible] in detecting and eradicating computer viruses. By expanding the
capabilities of the Help Desk and publicizing its telephone number (or e-mail address), an
agency may be able to significantly improve its ability to handle many different types of
incidents at minimal cost.

12.3.2 Rapid Communications Facilities

Some form of rapid communications is essential for quickly communicating with the
constituency as well as with management officials and outside organizations. The team may need
to send out security advisories or collect information quickly, thus some convenient form of
communications, such as electronic mail, is generally highly desirable. With electronic mail, the
team can easily direct information to various subgroups within the constituency, such as system
managers or network managers, and broadcast general alerts to the entire constituency as needed.
When connectivity already exists, e-mail has low overhead and is easy to use. (However, it is
possible for the e-mail system itself to be attacked, as was the case with the 1988 Internet worm.)

Although there are substitutes for e-mail, they tend to increase response time. An electronic
bulletin board system (BBS) can work well for distributing information, especially if it provides a
convenient user interface that encourages its use. A BBS connected to a network is more
convenient to access than one requiring a terminal and modem; however, the latter may be the
only alternative for organizations without sufficient network connectivity. In addition,
telephones, physical bulletin boards, and flyers can be used.

12.3.3 Secure Communications Facilities

Incidents can range from the trivial to those involving national security. Often when exchanging
information about incidents, using encrypted communications may be advisable. This will help
prevent the unintended distribution of incident-related information. Encryption technology is
available for voice, fax, and e-mail communications.

12.4 Interdependencies

An incident handling capability generally depends upon other safeguards presented in this
handbook. The most obvious is the strong link to other components of the contingency plan. The
following paragraphs detail the most important of these interdependencies.

Contingency Planning. As discussed in the introduction to this chapter, an incident handling
capability can be viewed as the component of contingency planning that deals with responding to
technical threats, such as viruses or hackers. Close coordination is necessary with other
contingency planning efforts, particularly when planning for contingency processing in the event
of a serious unavailability of system resources.

Support and Operations. Incident handling is also closely linked to support and operations,
especially user support and backups. For example, for purposes of efficiency and cost savings,
the incident handling capability is often co-operated with a user "help desk." Also, backups of
system resources may need to be used when recovering from an incident.

Training and Awareness. The training and awareness program can benefit from lessons learned
during incident handling. Incident handling staff will be able to help assess the level of user
awareness about current threats and vulnerabilities. Staff members may be able to help train
system administrators, system operators, and other users and systems personnel. Knowledge of
security precautions (resulting from such training) helps reduce future incidents. It is also
important that users are trained what to report and how to report it.

Risk Management. The risk analysis process will benefit from statistics and logs showing the
numbers and types of incidents that have occurred and the types of controls that are effective in
preventing incidents. This information can be used to help select appropriate security controls
and practices.

12.5 Cost Considerations

There are a number of start-up costs and funding issues to consider when planning an incident
handling capability. Because the success of an incident handling capability relies so heavily on
users' perceptions of its worth and whether they use it, it is very important that the capability be
able to meet users' requirements. Two important funding issues are:

Personnel. An incident handling capability plan might call for at least one manager and one or
more technical staff members (or their equivalent) to accomplish program objectives. Depending
on the scope of the effort, however, full-time staff members may not be required. In some
situations, some staff may be needed part-time or on an on-call basis. Staff may be performing
incident handling duties as an adjunct responsibility to their normal assignments.

Education and Training. Incident handling staff will need to keep current with computer system
and security developments. Budget allowances need to be made, therefore, for attending
conferences, security seminars, and other continuing-education events. If an organization is
located in more than one geographic area, funds will probably be needed for travel to other sites
for handling incidents.

Chapter 13

AWARENESS, TRAINING, AND EDUCATION

People, who are all fallible, are usually recognized as one of the weakest links in securing systems.
The purpose of computer security awareness, training, and education is to enhance security by:

• improving awareness of the need to protect system resources;
• developing skills and knowledge so computer users can perform their jobs more
  securely; and
• building in-depth knowledge, as needed, to design, implement, or operate security
  programs for organizations and systems.

Making computer system users aware of their security responsibilities and teaching them correct
practices helps users change their behavior.[2] It also supports individual accountability, which is
one of the most important ways to improve computer security. Without knowing the necessary
security measures (and how to use them), users cannot be truly accountable for their actions.
The importance of this training is emphasized in the Computer Security Act, which requires
training for those involved with the management, use, and operation of federal computer systems.

This chapter first discusses the two overriding benefits of awareness, training, and education,
namely: (1) improving employee behavior and (2) increasing the ability to hold employees
accountable for their actions. Next, awareness, training, and education are discussed separately,
with techniques used for each. Finally, the chapter presents one approach for developing a
computer security awareness and training program.[3]

13.1 Behavior

People are a crucial factor in ensuring the security of computer systems and valuable information
resources. Human actions account for a far greater degree of computer-related loss than all other
sources combined. Of such losses, the actions of an organization's insiders normally cause far
more harm than the actions of outsiders. (Chapter 4 discusses the major sources of
computer-related loss.)

[2] One often-cited goal of training is changing people's attitudes. This chapter views changing attitudes as just one
step toward changing behavior.

[3] This chapter does not discuss the specific contents of training programs. See the references for details of suggested
course contents.

The major causes of loss due to an organization's own employees are: errors and omissions, fraud,
and actions by disgruntled employees. One principal purpose of security awareness, training, and
education is to reduce errors and omissions. However, it can also reduce fraud and unauthorized
activity by disgruntled employees by increasing employees' knowledge of their accountability and
the penalties associated with such actions.

Management sets the example for behavior within an organization. If employees know that
management does not care about security, no training class teaching the importance of security
and imparting valuable skills can be truly effective. This "tone from the top" has myriad effects on
an organization's security program.

13.2 Accountability

Both the dissemination and the enforcement of policy are critical issues that are implemented
and strengthened through training programs. Employees cannot be expected to follow policies
and procedures of which they are unaware. In addition, enforcing penalties may be difficult if
users can claim ignorance when caught doing something wrong.

Training employees may also be necessary to show that a standard of due care has been taken in
protecting information. Simply issuing policy, with no follow-up to implement that policy, may
not suffice.

Many organizations use acknowledgment statements which state that employees have read and
understand computer security requirements. (An example is provided in Chapter 10.)

One of the keys to a successful computer security program is security awareness and training. If
employees are not informed of applicable organizational policies and procedures, they cannot be
expected to act effectively to secure computer resources.

13.3 Awareness

Awareness stimulates and motivates those being trained to care about security and to remind
them of important security practices. Explaining what happens to an organization, its mission,
customers, and employees if security fails motivates people to take security seriously.

Security awareness programs: (1) set the stage for training by changing organizational [illegible]
realize the importance of security and the adverse consequences of its failure; and (2) remind
users of the procedures to be followed.

Awareness can take on different forms for particular audiences. Appropriate awareness for
management officials might stress management's pivotal role in establishing organizational
attitudes toward security. Appropriate awareness for other groups, such as system programmers
or information analysts, should address the need for security as it relates to their job. In today's
systems environment, almost everyone in an organization may have access to system resources —
and therefore may have the potential to cause harm.

Figure 13.1 Comparative Framework

                     AWARENESS               TRAINING                    EDUCATION

Objective:           [illegible]             [illegible]                 [illegible]

Teaching Method:     Media                   Practical Instruction       Theoretical Instruction
                     - Videos                - Lecture                   - Discussion Seminar
                     - Newsletters           - Case study workshop       - Background reading
                     - Posters, etc.         - Hands-on practice

Test Measure:        True/False              Problem Solving             Essay
                     Multiple Choice         (apply learning)            (interpret learning)
                     (identify learning)

Impact Timeframe:    [illegible]             [illegible]                 [illegible]

Figure 13.1 compares some of the differences in awareness, training, and education.

Awareness is used to reinforce the fact that security supports the mission of the organization by
protecting valuable resources. If employees view security as just bothersome rules and
procedures, they are more likely to ignore them. In addition, they may not make needed
suggestions about improving security nor recognize and report security threats and vulnerabilities.

Awareness also is used to remind people of basic security practices, such as logging off a
computer system or locking doors.

Techniques. A security awareness program can use many teaching methods, including video
tapes, newsletters, posters, bulletin boards, flyers, demonstrations, briefings, short reminder
notices at log-on, talks, or lectures. Awareness is often incorporated into basic security training
and can use any method that can change employees' attitudes.

Effective security awareness programs need to be designed with the recognition that people
tend to practice a tuning out process (also known as acclimation). For example, after a while, a
security poster, no matter how well designed, will be ignored; it will, in effect, simply blend into
the environment. For this reason, awareness techniques should be creative and frequently
changed.

13.4 Training

The purpose of training is to teach people the skills that will enable them to perform their jobs
more securely. This includes teaching people what they should do and how they should (or can)
do it. Training can address many levels, from basic security practices to more advanced or
specialized skills. It can be specific to one computer system or generic enough to address all
systems.

Employees often regard computer security as an obstacle to productivity. A common feeling is
that they are paid to produce, not to protect. To help motivate employees, awareness [illegible]
how security, from a broader perspective, contributes to productivity. The consequences of poor
security should be explained, while avoiding the fear and intimidation that employees often
associate with security.

Training is most effective when targeted to a specific audience. This enables the training to focus
on security-related job skills and knowledge that people need in performing their duties. Two
types of audiences are general users and those who require specialized or advanced skills.

General Users. Most users need to understand good computer security practices, such as:

• protecting the physical area and equipment (e.g., locking doors, caring for floppy
  diskettes);
• protecting passwords (if used) or other authentication data or tokens (e.g., never
  divulge PINs); and
• reporting security violations or incidents (e.g., whom to call if a virus is
  suspected).

In addition, general users should be taught the organization's policies for protecting information
and computer systems and the roles and responsibilities of various organizational units with which
they may have to interact.

In teaching general users, care should be taken not to overburden them with unneeded details.
These people are the target of multiple training programs, such as those addressing safety, sexual
harassment, and AIDS in the workplace. The training should be made useful by addressing
security issues that directly affect the users. The goal is to improve basic security practices, not
to make everyone literate in all the jargon or philosophy of security.

Specialized or Advanced Training. Many groups need more advanced or more specialized
training than just basic security practices. For example, managers may need to understand
security consequences and costs so they can factor security into their decisions, or system
administrators may need to know how to implement and use specific access control products.

There are many different ways to identify individuals or groups who need specialized or
advanced training. One method is to look at job categories, such as executives, functional
managers, or technology providers. Another method is to look at job functions, such as
system design, system operation, or system use. A third method is to look at the specific
technology and products used, especially for advanced training for user groups and training
for a new system. This is further discussed in section 13.6 of this chapter.

One group that has been targeted for specialized training is executives and functional managers.
The training for management personnel is specialized [illegible]. Managers do not (as a general
rule) need to understand the technical details of security. However, they do need to understand
how to organize, direct, and evaluate security measures and programs. They also need to
understand risk acceptance.

Techniques. A security training program normally includes training classes, either strictly devoted
to security or as added special sections or modules within existing training classes. Training may
be computer- or lecture-based (or both), and may include hands-on practice and case studies.
Training, like awareness, also happens on the job.

13.5 Education

Security education is more in-depth than security training and is targeted for security professionals
and those whose jobs require expertise in security.

Techniques. Security education is normally outside the scope of most organization awareness and
training programs. It is more appropriately a part of employee career development. Security
education is obtained through college or graduate classes or through specialized training
programs. Because of this, most computer security programs focus primarily on awareness and
training, as does the remainder of this chapter.[4]

13.6 Implementation[5]

An effective computer security awareness and training (CSAT) program requires proper planning,
implementation, maintenance, and periodic evaluation. The following seven steps constitute one
approach for developing a CSAT program.[6]

Step 1: Identify Program Scope, Goals, and Objectives.
Step 2: Identify Training Staff.
Step 3: Identify Target Audiences.
Step 4: Motivate Management and Employees.
Step 5: Administer the Program.
Step 6: Maintain the Program.
Step 7: Evaluate the Program.

13.6.1 Identify Program Scope, Goals, and Objectives

The first step in developing a CSAT program is to determine the program's scope, goals, and
objectives. The scope of the CSAT program should provide training to all types of people who
interact with computer systems. The scope of the program can be an entire organization or a
subunit. Since users need training which relates directly to their use of particular systems, a
large organizationwide program may need to be supplemented by more specific programs. In
addition, the organization should specifically address whether the program applies to employees
only or also to other users of organizational systems.

The Computer Security Act of 1987 requires federal agencies to "provide for the mandatory
periodic training in computer security awareness and accepted computer practices of all
employees who are involved with the management, use, or operation of each federal computer
system within or under the supervision of that agency." The scope and goals of federal computer
security awareness and training programs must implement this broad mandate. (Other federal
requirements for computer security training are contained in OMB Circular A-130, Appendix III,
and OPM regulations.)

[4] Unfortunately, college and graduate security courses are not widely available. In addition, the courses may only
address general security.

[5] This section is based on material prepared by the Department of Energy's Office of Information Management for its
unclassified security program.

[6] This approach is presented to familiarize the reader with some of the important implementation issues. It is not the only
approach to implementing an awareness and training program.

Generally, the overall goal of a CSAT program is to sustain an appropriate level of protection for
computer resources by increasing employee awareness of their computer security responsibilities
and the ways to fulfill them. More specific goals may need to be established. Objectives should
be defined to meet the organization's specific goals.

13.6.2 Identify Training Staff

There are many possible candidates for conducting the training, including internal training
departments, computer security staff, or contract services. Regardless of who is chosen, it is
important that trainers have sufficient knowledge of computer security issues, principles, and
techniques. It is also vital that they know how to communicate information and ideas effectively.

13.6.3 Identify Target Audiences

Not everyone needs the same degree or type of computer security information to do their jobs. A
CSAT program that distinguishes between groups of people, presents only the information needed
by the particular audience, and omits irrelevant information will have the best results. Segmenting
audiences (e.g., by their function or familiarity with the system) can also improve the effectiveness
of a CSAT program. For larger organizations, some individuals will fit into more than one group.
For smaller organizations, segmenting may not be needed. The following methods are some
examples of ways to do this.

Segment according to level of awareness. Individuals may be separated into groups according to
their current level of awareness. This may require research to determine how well employees
follow computer security procedures or understand how computer security fits into their jobs.

Segment according to general job task or function. Individuals may be grouped as data
providers, data processors, or data users
