Date Published: March 2009
Comments Due:
Email Questions to:
Author(s)
Mark Wilson (NIST), Kevin Stine (NIST), Pauline Bowen (NIST)
Announcement
The comprehensive training methodology provided in this publication is intended to be used by federal information security professionals and instructional design specialists to design (1) role-based training courses or modules for personnel who have been identified as having significant responsibilities for information security, and (2) a basics and literacy course for all users of information systems. We encourage readers to pay special attention to the Notes to Reviewers section, as we are looking for feedback on the many changes we have made to this document.
This publication updates a document that was first published in April 1998. Since the initial publication date, there has been an increase at the national level in the attention paid to, and the need for, a properly trained information security workforce. The Federal Information Security Management Act (FISMA) of 2002 not only requires organizations to ensure that all users of information and information systems are aware of their information security responsibilities, but also requires departments and agencies to identify and train those with “significant responsibilities for information security.” Though FISMA does not specify role-based training for these individuals, the Office of Personnel Management (OPM) does in their June 2004 mandate – 5 CFR, Part 930. The OPM regulation reinforces what FISMA states regarding users being exposed to information security awareness, or “awareness training.” OPM takes the FISMA requirement for training of those with significant responsibilities for information security a step further, specifying “role-specific training in accordance with NIST standards and guidance.” This publication updates what was presented in 1998, and captures these latest federal mandates regarding information security “awareness training” and “role-based training.”
This publication updates a document that was first published in April 1998. Since the initial publication date, there has been an increase at the national level in the attention paid to, and the need for, a properly trained information security workforce. The Federal Information Security Management...
See full abstract
This publication updates a document that was first published in April 1998. Since the initial publication date, there has been an increase at the national level in the attention paid to, and the need for, a properly trained information security workforce. The Federal Information Security Management Act (FISMA) of 2002 not only requires organizations to ensure that all users of information and information systems are aware of their information security responsibilities, but also requires departments and agencies to identify and train those with “significant responsibilities for information security.” Though FISMA does not specify role-based training for these individuals, the Office of Personnel Management (OPM) does in their June 2004 mandate – 5 CFR, Part 930. The OPM regulation reinforces what FISMA states regarding users being exposed to information security awareness, or “awareness training.” OPM takes the FISMA requirement for training of those with significant responsibilities for information security a step further, specifying “role-specific training in accordance with NIST standards and guidance.” This publication updates what was presented in 1998, and captures these latest federal mandates regarding information security “awareness training” and “role-based training.”
Hide full abstract
Keywords
information security; role-based training
Control Families
None selected
