IWS - The Information Warfare Site

Security Training

1.0 Identification Data
1.1 BSP Number
00004
1.2 BSP Title/Name
Security Training at USAID Missions
1.3 Version Number
1.1
1.4 Adoption Date
January 23, 2001
1.5 Approving Authority
CIO Council Security Practices Subcommittee (SPS)
1.6 Responsible Organization
United States Agency for International Development (USAID), Bureau for Management, Information Resources Management (M/IRM), Information Systems Security Team
1.7 Level of BSP
Candidate
1.8 Security Processes or other Framework(s) Supported
Security Training (SPF 1.3; SSE CMM PA-21; OMB A-130 Appendix III, Section A: 3.a.3 and 3.a.2.b)
1.9 Reserved
1.10 Points of Contact
Government BSP Owner:
  • James P. Craft, CISSP
    USAID Information Systems Security Officer
    1300 Pennsylvania Ave., Suite 2.12-032
    Washington, DC 20523-2120
    Telephone: 202-712-5460
    Fax: 202-216-3053
    E-mail: jcraft@usaid.gov

Vendor Partner:

2.0 What This BSP Does
2.1 BSP's Purpose
This BSP describes how USAID's Information Systems Security Team conducts basic computer security training during cyber-assistance visits to USAID missions around the globe. The training is provided to end users who have access to Agency unclassified computer systems, including those that process sensitive but unclassified (SBU) information. It is also provided to the information systems security professionals responsible for training both the general user population and the information technologists who operate and maintain Agency equipment and systems.
2.2 Requirements for this BSP
OMB A-130 Appendix III:
  • Section A.3.a.3 states: "Review of Security Controls. Review the security controls in each system when significant modifications are made to the system, but at least every three years. The scope and frequency of the review should be commensurate with the acceptable level of risk for the system. Depending on the potential risk and magnitude of harm that could occur, consider identifying a deficiency pursuant to OMB Circular No. A-123, "Management Accountability and Control" and the Federal Managers' Financial Integrity Act (FMFIA), if there is no assignment of security responsibility, no security plan, or no authorization to process for a system."
  • Section A.3.a.2.b states: "Training: Ensure that all individuals are appropriately trained in how to fulfill their security responsibilities before allowing them access to the system. Such training shall assure that employees are versed in the rules of the system, be consistent with guidance issued by NIST and OPM, and apprise them about available assistance and technical security products and techniques. Behavior consistent with the rules of the system and periodic refresher training shall be required for continued access to the system."
2.3 Success Stories
Basic computer security training is integral to cyber-assistance visits. The training was most recently provided to the USAID missions in Phnom Penh, Cambodia and Manila, Philippines during November and December of 2000. The correspondence below is from another customer organization expressing their appreciation for raising their security posture through the use of this Training Process.

Subject: COMPUTER SECURITY TEAM VISIT

Source: David Bayer, USAID Peru Executive Office

If you have the opportunity to have the Information Systems Security Officer (ISSO) Jim Craft and his Risk Assessment Program Area Manager, Rodney Murphy, visit your Mission with their team of computer security experts, then take advantage of it. They did one hell of a job during their February [1999] visit with us at USAID/Peru in getting us up to speed and raising our level of consciousness about security issues. This is not to say that our dedicated IRM staff, led by Systems Manager, Lucho Figueroa, have not been working their hearts out to get us into shape, but it is a real injection of energy to have professional people like Jim, Rodney, John Zoble, Mike Reiter and Steve Bui come in and sit down to review your Computer Security Program and Computer Contingency Plan with you.

In addition, they trained some 80 employees to become aware of computer security pitfalls.

And last but not least, they have given us some key advice and methods for closing out some computer security audit issues which are not only USAID/Peru exposures but endemic to all Missions worldwide.

Computer security is becoming an important issue for USAID and all organizations. In this environment, new security standards and having a formal security program in each overseas Mission are very important.

USAID/Peru was selected as a Beta site to define the model/templates for the Computer Security Program to be applied in all overseas Missions.

Starting February 19 to February 25 [1999], during five workdays, a Computer Security Team belonging to the IRM/Security Group was in Lima. The team had five members. Jim Craft acted as the team leader.

Computer Security is a dynamic activity and demands coordination and permanent follow-up. The Computer Security Team's role in the implementation of the Computer Security Program in each Mission is critical. Computer Security activity involves the entire USAID organization, starting from Washington and reaching out worldwide to all Missions. If one Mission security system fails, it endangers the entire USAID organization.

3.0 What This BSP Is
3.1 Description of BSP
This training introduces the basic concepts behind computer security practices and underlines the need to protect the information at a USAID Mission location from vulnerabilities to known threats.
3.1.1 Inputs
  • General Curriculum for Computer Security Basics.
  • Skilled instructor
  • Selected resources of Computer Security Courseware (based on target audience analysis)
  • Logistic requirements (space, equipment, time)
3.1.2 Process

Determine Target Audience: the general user population; the IT professionals who train end users; and the information technologists who operate and maintain the system.

Survey: identify requirements of the general user population, system operators and IT professionals.

Evaluation: analyze mission requirements; design program to meet the mission requirements.

Scheduling: involves arranging for classroom spaces, time slots, sending e-mail announcements, acquiring and setting up audio-visual equipment, and focusing content for the required training.

Delivery: present the material to selected audiences or arrange that the required expertise is available and scheduled to present the security materials.

  • Setup equipment (laptop, video player, sound system, projector, and/or overhead)
  • Pass out prepared material (developed for Mission needs).
  • Make sure everyone signs the attendance roster (the ISS trainer obtains the roster and records each attendee's compliance with the annual or new-hire briefing requirement).
  • Have attendees sign user agreement (Rules of Behavior).
  • Be open for discussion with class (Answer their questions).

Feedback: solicit responses from audiences using a Class Evaluation Survey form, and in person from the system administrator and the Executive Officer (EXO), and adjust training as required. Save copies of the Evaluation Surveys at the training location and at USAID Headquarters, to help future trainers prepare materials.

Follow-up: two weeks after return from a cyber-assistance visit, send an e-mail to inquire whether any follow-on assistance is required.

3.1.3 Outputs
  • Course completion certificates, test scores, list of trained personnel; training records.
3.2 Relationship to Other BSPs
The Cyber-Assistance Review process comprises several subprocesses, one of which is the training process. Additional relationships will be added as additional BSPs are documented.
4.0 How To Use This BSP
4.1 Implementation Guidance
  • Successful USAID Computer Security training sessions were conducted at various missions around the world. These successes were achieved for the most part by having strong support from each mission's management, which is critical for the implementation of a security training program. A second point: mission senior management should designate an individual as Information Systems Security Training Manager. This allows that individual to receive training from the visiting team, to develop a network of INFOSEC trainers, and to develop a program tailored to specific mission requirements.
  • Training must be an on-going process. Training delivered on the heels of a cyber-assistance review has been well received and is seen as very useful, and training local personnel on how to conduct a risk assessment (RA) helps them perform the required reviews on a regular schedule.
  • Routine curriculum reviews keep course content current and relevant to current requirements.
  • Training completion records may contain personal information and therefore may be subject to appropriate protection under the Privacy Act.
4.2 Implementation Resource Estimates
Personnel: 1 instructor per classroom session

Time per Training Session: 45-60 minutes

Preparation Time up-front: 3-5 days

On-Site Time: 5 days per mission (dependent upon results of assessment conducted)

Cost: Contractor-provided labor charges are approximately $800 per day. Travel and per diem charges are accounted for separately.

4.3 Performance Goals and Indicators (Metrics)
General Goal: The first goal of cyber-assistance training is to provide initial and refresher information systems security training for all mission personnel. The second is to provide the on-site information systems manager with hands-on information systems security training, up-to-date security training materials, points of contact, and access to an agency-wide network of security professionals. The third is to build upon the network of knowledgeable personnel needed to implement an OMB A-130 compliant program.

Performance Goal: Provide training to 80% of each mission's employees.

Outcome Goal: To have an OMB-A130 compliant agency as it pertains to information systems security training requirements.

Output goal: To make all agency personnel aware of their federally mandated responsibilities as they pertain to information systems security.

General Objective: To build and maintain an OMB-A130 compliant information systems security training program.

Performance Indicator:

  • Resolve all identified OIG material weaknesses in the ISS training area.
  • Maintain and document a periodic visit to each mission to perform information systems security training as part of a Cyber-Assistance Review.
4.4 Tools
The tools used to perform the Cyber-Assistance Training Program:
  • Classrooms
  • Trainers
  • A variety of instructional techniques
  • Courses (locally or professionally developed)
  • Pamphlets (To receive a sample of the following pamphlets, contact Bill Cleveland wclevela@csc.com)
    • Why Do We Need Computer Security
    • Network Security Guidelines
    • Workstation Security Guidelines
    • Passwords and You
    • Internet Usage Guidelines
    • Malicious Software
    • What Should You Do If You Have a Virus?
    • Junk E-Mail
    • Incident Response
    • USAID Information System Security General Guidelines
  • CDs (available from: www.disa.mil/infosec):
    • Federal INFOSEC Awareness
    • Information Age Technology
    • Information Technology Security Awareness
    • Operational Information Systems Security Vol. 1
    • Operational Information Systems Security Vol. 2
  • Videos (available from: www.disa.mil/infosec):
    • Understanding Public Key Infrastructure
    • Computer Security 101: For Sensitive Eyes Only
    • Computer Security: The Executive Role
    • Networks At Risk
    • Protect Your AIS
    • Information Frontline
    • Bringing Down Your House
    • The Scarlet V
  • PowerPoint Presentations:
  • Sample USAID Security Training On-line (screen capture of USAID's Intranet security training homepage)
4.5 Training Materials
Local IS professionals were trained to maintain a local security training program using the basic courseware as the foundation. No uniquely developed tools were used.
Appendices
A Executive Overview and Briefing
Appendix A
B Reference List
None specific
C Procurement Information
The United States Agency for International Development (USAID) has contracted for general IRM support with Computer Sciences Corporation (CSC) under the Agency's Principal Resource for Information Management Enterprisewide (PRIME) contract (GS00K96AJD0012) with FEDSIM. USAID obtains its information systems security support from CSC under the PRIME contract using the Performance Work Statement (PWS) at Appendix C.
D Evaluation Information
Not yet evaluated
E Recommended Changes
Version 1.0 of the BSP was reviewed after cyber-assistance visits to Phnom Penh, Cambodia and Manila, Philippines during November and December 2000. The review determined that the original BSP remains valid and incorporated minor editorial revisions.
F Glossary
Not available.