NB & US federal security awareness

Introduction

A draft of NIST Special Publication 800-16 Revision 1, “Information Security Training Requirements: A Role- and Performance-Based Model”, has been released by NIST for public comment.  NoticeBored easily satisfies many of the requirements detailed in SP800-16, providing elements that cover all levels of security awareness, training and education identified by NIST:

  • Our induction/new employee orientation module, supplied at no extra charge to all NoticeBored subscribers, largely satisfies the requirement for “Basic Security Awareness”.  Simpler materials in every module supplement and reinforce the basics where relevant.
  • We believe the NoticeBored materials fulfill all of the requirements of “Awareness Training (Basics and Literacy)”, described as “a transitional stage between ‘Basic Awareness’ and ‘Role-based Training’”, as demonstrated by the awareness topics listed in the table below.
  • “Role-based Training” is covered by NoticeBored to some extent in that more detailed and technical materials are provided in the IT professionals stream in every module.
  • NoticeBored supports the broader needs for “Education” by frequently highlighting the recent incidents, risks and controls, helping to ensure that subscribers’ employees (i.e. staff, managers and IT professionals) are kept up to date with the latest developments in the field of information security.
  • While we do not claim to offer “Professional Development” to the extent of undergraduate and postgraduate degrees in information security, the depth and breadth of NoticeBored coverage mirrors courses for CISSP, CISM and similar professional qualifications, providing a solid basis for more in-depth personal study.

The topics

According to SP800-16 Rev 1, “The curriculum framework was developed by the Information Systems Security Line of Business (ISS LOB) Tier 1 Awareness Training Working Group, and was adopted by the Office of Management and Budget (OMB).  The topics below represent the minimum topics that the ISS LOB Tier 1 Awareness Training Shared Service Centers (SSCs) have been instructed to incorporate into their awareness training products being developed for departments and agencies.”  The federally-required awareness topics are listed in the left-hand column of the table.  On the right, we have indicated how NoticeBored meets these requirements.  Please refer to our descriptions of the induction and monthly modules elsewhere on this website for further information on the nature of our coverage.

| US Federal requirements | NoticeBored coverage |
|---|---|
| Roles and responsibilities in information security | Information security responsibilities and accountabilities associated with ownership of valuable information assets are covered in depth in the responsibility and accountability module.  Relevant security-related roles and responsibilities are highlighted in every module (e.g. in the model policies we supply). |
| Ways to protect shared data (e.g., encryption, backups) | Security controls such as these are covered in every module.  Encryption is covered specifically in the keeping secrets/confidentiality module.  Backups are covered specifically in the availability module. |
| Examples of internal and external threats (e.g., social engineering, hackers) | Security threats such as these are covered in every module.  Social engineering is covered in depth in the social engineering module.  Hackers are covered in depth in the hacking module. |
| Malicious code (e.g., viruses, worms) | Covered in depth in the malware module. |
| Security controls | Information security risks and controls are covered in every NoticeBored module, particularly in the newsletters, seminar presentations and briefings. |
| Ways to recognize an information security incident | Security incidents relating to the topic at hand are covered in every module.  Incident responses are covered in depth in the incident management module. |
| Principles of information security | General security principles are outlined in the induction/new employee orientation module, with relevant aspects reiterated in each monthly module.  Key principles and security objectives are covered in detail in the policy manual based on ISO/IEC 27002. |
| Passwords | Passwords are covered in depth in the passwords/biometrics module.  They are also covered by the induction/new employee orientation, network security and authentication/identity management modules. |
| Social engineering | Covered in depth in the social engineering module. |
| Data backup and storage | Covered in the availability module. |
| Computer viruses and worms | Covered in depth in the malware module. |
| Incident response | Covered in depth in the incident management module. |
| Personal use and gain | Covered in the induction and office security modules. |
| Privacy | Covered in depth in the privacy and data protection module. |
| Personally identifiable information (PII) | Covered in the privacy and data protection module. |
| Identity theft | Covered in the network security, authentication and IT fraud modules. |
| Internet surfing | Covered in the network security module. |
| Inventory control | Covered in the change and configuration management plus physical security modules. |
| Physical security | Covered in depth in the physical security module. |
| Spyware | Covered in the malware and IT fraud modules. |
| Phishing | Covered in depth in the identity theft module, plus in the fraud and authentication modules. |
| Scams and spam | Covered primarily in the IT fraud and email security modules. |
| Mobile devices (e.g., laptops, PDAs) | Covered in depth in the mobile IT/gizmos module. |
| Portable storage devices (e.g., CDs, USB drives) | Covered in depth in the mobile IT/gizmos module. |
| Remote access | Covered by the authentication and identity management module. |
| Copyright infringement and software piracy | Covered by the compliance module. |
| Use and abuse of e-mail | Covered in depth in the email security module. |
| E-mail do’s and don’ts | Covered in depth in the email security module. |
| Peer-to-peer file sharing threats | Covered in the network security module. |
| National security information/systems, where applicable | Not entirely applicable, but classification is covered in the access control module. |
| Consequences of user actions | Covered to some extent in every module. |
| Use and abuse of all/any systems and/or applications, not just e-mail | Covered in practically every NoticeBored module. |
| Prohibited use (e.g., downloading/viewing pornography, gambling) | Covered in the network, office security and mobile/home working modules. |
| Help desk reference | Incorporated into almost every awareness item.  Covered in more depth in the incident management module. |
| Links to policies (e.g., federal, department, agency, local) | Not directly applicable (although we do supply model policies, procedures, guidelines etc. on a wide range of topics). |

Other topics and added value

In addition to the topics noted above, NoticeBored also covers a number of other important information security considerations through its modules on information security risk management, contingency planning, third party security, computer auditing, IT and security governance, ethics, bugs, SCADA/industrial control systems security, trade secrets, database security, security aspects of software development and more - please see the topics page or contact us for more information.  We are always open to suggestions for additional topics and create new awareness modules from time to time as the need arises (e.g. the forthcoming module on IT forensics, due out later in 2009).

By providing well-written general-purpose awareness content off-the-shelf, NoticeBored forms an excellent basis for cutting-edge security awareness programs for all organizations including government departments and agencies, government contractors, commercial companies, utilities, banks, insurance companies, SMEs, charities ... in fact we struggle to think of any organization for which our product would be unsuitable.  The key advantages for subscribers of our approach include the sharing of good practices between industries and organizations, and very low costs (we charge a small fraction of the price normally incurred to design and develop bespoke security awareness content from scratch, whether this is done in-house or outsourced to awareness and training specialists).



Copyright © 2013  IsecT Ltd.