Awareness and Training
Need
Awareness and training is a critical part of any information security program
People are the weakest link in any security defense
Components - there is a security learning continuum:
Awareness
Basic training
Functional training
Specialized education
Designing a program
Identify needs
Behavior (awareness)
Skills (training and education)
Plan
Get buy-in
Priorities
Material - audience focus is critical
Implementation
Explanation
Resources
Material
Medium
Cost
Schedule
Follow through
Monitoring
Feedback and evaluation
Change
Success indicators
KEY NIST DOCS:
800-50
Policy and Procedure
Each of the seventeen families of security controls found in 800-53 contains a first control that requires the development of policy and procedures for that specific family of controls. Here is an example from the PL family:
800-53 security control PL-1 SECURITY PLANNING POLICY AND PROCEDURES
Control:
The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, [...]
Rules of Behavior
Any information security policy and Site Security Plan (SSP) should contain a section known as “Rules of Behavior” that establishes appropriate use and behavior of system users and the consequences of non-compliance.
From 800-100, Appendix B, FAQs:
Q - What are “Rules of Behavior”?
A - The rules should state the consequences of inconsistent behavior or noncompliance and [...]
POAMs
Plan of Action and Milestones
A POAM is a plan that describes specific measures to be taken to correct deficiencies found during a security control assessment. The POAM should identify:
The tasks needed to correct the deficiency
The resources required to make the plan work
Milestones in completing the tasks
Scheduled completion dates for the milestones
An organizational strategy for developing [...]
Incident Response
Federal agencies are required by law to report incidents to the United States Computer Emergency Readiness Team (US-CERT) office in DHS and must have a formal incident response capability.
INCIDENT RESPONSE METHODOLOGY
Prepare - accumulate knowledge, resources, tools, team members and training needed to handle incident response. Provide feedback into other processes (patch management…) that may help prevent [...]
Contingency Plan
Policy
Identify statutory or regulatory requirements
Create a policy statement
Get the policy statement approved
Publish the policy statement
Key elements of policy
Roles and responsibilities
Scope
Resources required
Training required
Testing and exercises schedule
Maintenance schedule
Backup and storage schedule
Business Impact Assessment (BIA)
The BIA is a critical piece of the CP that establishes requirements for the strategy and procedures in the rest of the CP.
Identify critical [...]
Wireless Restrictions
AC-18 WIRELESS RESTRICTIONS (NIST SP 800-53)
The organization: (i) establishes usage restrictions and implementation guidance for wireless technologies; and (ii) authorizes, monitors, controls wireless access to the information system.
NIST Special Publications 800-48 and 800-97 provide guidance on wireless network security. NIST Special Publication 800-94 provides guidance on wireless intrusion detection and prevention.
Overview of Wireless Networking [...]