||Security Training at USAID
||January 23, 2001
||CIO Council Security Practices Subcommittee (SPS)
States Agency for International Development (USAID), Bureau for Management,
Information Resources Management (M/IRM), Information Systems Security Team
||Level of BSP
||Security Processes or other
||Security Training (SPF 1.3; SSE CMM PA-21; OMB
A-130 Appendix III, Section A: 3.a.3 and 3.a.2.b)
||Points of Contact
||Government BSP Owner:
- James P. Craft, CISSP
USAID Information Systems Security Officer
1300 Pennsylvania Ave., Suite 2.12-032
Washington, DC 20523-2120
||What This BSP Does
||This BSP describes how USAIDs Information
System Security Team conducts basic computer security training during cyber-assistance
visits to USAID missions around the globe. This training is provided to the end users that
have access to Agency unclassified computer systems including those that process sensitive
but unclassified (SBU) information. This training is also provided to Information System
Security professionals responsible for training both the general user population and the
Information technologists who operate and maintain Agency equipment
||Requirements for this BSP
||OMB A-130 Appendix III:
- Section A.3.a.3 states: "Review of Security Controls. Review the
security controls in each system when significant modifications are made to the system,
but at least every three years. The scope and frequency of the review should be
commensurate with the acceptable level of risk for the system. Depending on the potential
risk and magnitude of harm that could occur, consider identifying a
deficiency pursuant to OMB Circular No. A-123, "Management Accountability and
Control" and the Federal Managers' Financial Integrity Act (FMFIA), if there is no
assignment of security responsibility, no security plan, or no authorization to process
for a system."
- Section A.3.a.2.b states: "Training: Ensure that all individuals are
appropriately trained in how to fulfill their security responsibilities before allowing
them access to the system. Such training shall assure that employees are versed in the
rules of the system, be consistent with guidance issued by NIST and OPM, and apprise them
about available assistance and technical security products and techniques. Behavior
consistent with the rules of the system and periodic refresher training shall be required for continued access to the system."
||Basic computer security training is integral to
cyber-assistance visits. The training was most recently provided to the USAID missions in
Phnom Penh, Cambodia and Manila, Philippines during November and December of 2000. The
correspondence below is from another customer organization expressing their appreciation
for raising their security posture through the use of this Training Process.
Subject: COMPUTER SECURITY TEAM VISIT
Source: David Bayer, USAID Peru Executive Office
If you have the opportunity to have the Information Systems Security
Officer (ISSO) Jim Craft and his Risk Assessment Program Area Manager, Rodney Murphy,
visit your Mission with their team of computer security experts, then take advantage of
it. They did one hell of a job during their February  visit with us at USAID/Peru in
getting us up to speed and raising our level of consciousness about
security issues. This is not to say that our dedicated IRM staff, led by Systems Manager,
Lucho Figueroa, have not been working their hearts out to get us into shape, but it is a
real injection of energy to have professional people like Jim, Rodney, John Zoble, Mike
Reiter and Steve Bui come in and sit down to review your Computer Security Program and
Computer Contingency Plan with you.
In addition, they trained some 80 employees to become aware of computer
And last but not least, they have given us some key advice and methods
for closing out some computer security audit issues which are not only USAID/Peru
exposures but endemic to all Missions worldwide.
Computer security is becoming an important issue in for USAID and all
organizations. In this environment, new security standards and having a formal security
program in each overseas Mission is very important.
USAID/Peru was selected as a Beta site to define the model/templates for
the Computer Security Program to be applied in all overseas
Starting February 19 to February 25 , during five workdays, a
Computer Security Team belonging to the IRM/ Security Group was in Lima. The team had five
members. Jim Craft acted as the team Leader.
Computer Security is a dynamic activity and demands coordination and
permanent follow-up. The Computer Security Team's role in the implementation of the
Computer Security Program in each Mission is critical. Computer Security activity involves the entire USAID organization, starting from Washington and
reaching out worldwide to all Missions. If one Mission security system fails, it endangers
the entire USAID organization.
||What This BSP Is
||Description of BSP
||This training introduces
the basic concepts behind computer security practices and underlines the need to protect
the information at a USAID Mission location from vulnerabilities to known threats.
- General Curriculum
for Computer Security Basics.
- Skilled instructor
- Selected resources of Computer Security Courseware (based on target
- Logistic requirements (space, equipment, time)
Determine Target Audience: general population and users; IT professionals who train end users and Information Technologists who operate and maintain the system.
Survey: identify requirements of the general user population,
system operators and IT professionals.
Evaluation: analyze mission requirements; design program to meet
the mission requirements.
Scheduling: involves arranging for classroom spaces, time slots,
sending e-mail announcements, acquiring and setting up audio-visual equipment, and
focusing content for the required training.
Delivery: present the material to selected audiences or arrange
that the required expertise is available and scheduled to present the security materials.
- Setup equipment (laptop, video player, sound system, projector, and/or
- Pass out prepared material (developed for Mission needs).
- Make sure everyone signs the attendance roster (Make sure ISS trainer
gets and records attendee compliance with annual or new hire briefing requirements).
- Have attendees sign user agreement (Rules of Behavior).
- Be open for discussion with class (Answer their questions).
Feedback: solicit responses from audiences using a Class Evaluation Survey
form, and personally from system administrator and EXO, and adjust training as required.
Save copies of the Evaluation Surveys at the training location and at USAID Headquarters,
to help future trainers prepare materials.
Follow-up: two weeks after return from a cyber-assistance visit,
send e-mail to inquire as to any follow on assistance required.
Course completion certificates, test
scores, list of trained personnel; training records.
||Relationship to Other BSPs
||The Cyber-Assistance Review process comprises
several subprocesses, one of which is the training process. Additional relationships will
be added as additional BSPs are documented.
||How To Use This BSP
- Successful USAID Computer Security training sessions were conducted at
various missions around the world. These successes were achieved in the most part by
having great support from each of the mission's management. This is critical for the
implementation of a security training program. A second point: the mission senior
management should identify an individual Information Systems Security Training Manager.
This allows that individual to receive training from the visiting team, develop a network
of INFOSEC trainers, and helps that individual develop a program
tailored to specific mission requirements.
- Training must be an on-going process; training on the heels of a
cyber-assistance review has been well received and is seen as very useful; training on how
to conduct a RA helps promote regularly scheduled reviews by local personnel to conduct
the required reviews.
- These routine curriculum reviews help keep course content current and
relevant to current requirements.
- Training completion records may contain personal information and
therefore may be subject to appropriate protection under the Personal Privacy Act.
||Implementation Resource Estimates
||Personnel: 1 per classroom session
Time per Training Session: 45-60 minutes
Preparation Time up-front: 3-5 days
On-Site Time: 5 days per mission (dependent upon results of
Cost: Contractor-provided labor charges approximate $800 per day.
Travel and Per Diem charges are accounted separately.
||Performance Goals and
||General Goal: The goal of cyber-assistance
training is to provide initial and refresher information systems security training for all
mission personnel. Secondly, provide the on-site information systems manager with hands-on
training for information systems security, up-to-date security training materials, points
of contact, and access to an agency-wide network of security professionals. Finally, the
third goal is to build upon the network of knowledgeable personnel needed to implement an
OMB-A130 compliant program.
Performance Goal: Provide
training to 80% of each mission's employees.
Outcome Goal: To have an OMB-A130 compliant agency as it pertains
to information systems security training requirements.
Output goal: To make all agency personnel aware of their
federally mandated responsibilities as they pertain to information systems security.
General Objective: To build and maintain an OMB-A130 compliant
information systems security training program.
- Eliminate and resolve all identified OIG material weaknesses in the ISS
- Maintain and document a periodic visit to each mission to perform
information systems security training as part of a Cyber-Assistance Review.
||The tools used to perform the Cyber-Assistance
- A variety of instructional techniques
- Courses (locally or professionally developed)
- Pamphlets (To receive a sample of the following pamphlets, contact Bill
- Why Do We Need Computer Security
- Network Security Guidelines
- Workstation Security Guidelines
- Passwords and You
- Internet Usage Guidelines
- Malicious Software
- What Should You Do If You Have a Virus?
- Junk E-Mail
- Incident Response
- USAID Information System Security General Guidelines
- CDs (available from: www.disa.mil/infosec):
- Federal INFOSEC Awareness
- Information Age Technology
- Information Technology Security Awareness
- Operational Information Systems Security Vol. 1
- Operational Information Systems Security Vol. 2
- Videos (available from: www.disa.mil/infosec):
- Understanding Public Key Infrastructure
- Computer Security 101: For Sensitive Eyes Only
- Computer Security: The Executive Role
- Networks At Risk
- Protect Your AIS
- Information Frontline
- Bringing Down Your House
- The Scarlet V
- PowerPoint Presentations:
- Sample USAID Security
Training On-line (Screen Capture of USAID's Intranetsecurity training
||Training local IS professionals to maintain a
local security training program was conducted with the foundations provided in the basic
courseware. No uniquely developed tools were used.
||Executive Overview and
||The United States Agency for International
Development (USAID) has contracted for general IRM support with Computer
Sciences Corporation (CSC) under the Agency's Principle Resource for Information
Management Enterprisewide (PRIME) contract (GS00K96AJD0012) with FEDSIM.
USAID obtains its information system security support from CSC under the
PRIME contract using the Performance Work Statement (PWS) at Appendix C.
||Not yet evaluated
||Version 1.0 of the BSP was reviewed after
conducting cyber-assistance visits to Phnom Penh, Cambodia and Manila, Philippines during
November and December, 2000. The review has determined the original BSP remains valid and
has incorporated minor editorial revisions.