
Meaningful Training? Federal or a Private Sector approach? Dr. Luis - PowerPoint PPT Presentation

  1. Meaningful Training? Federal or a Private Sector approach?
     Dr. Luis O. Noguerol, President & CEO, Advanced Division of Informatics & Technology, Inc.; ISSO, NOAA Fisheries, USA DC South-East Region

  2. Why Cybersecurity training is relevant in Federal Government?
     “Federal information is an asset of the Nation, not of a particular federal agency or its subordinate organizations” (NIST 800-37, Rev. 1, Page D-3)
     Why Cybersecurity training is relevant in the Private Sector?
     • New business opportunities and market trends – “Users on mind” approach.
     • Multiple regulations in place (PCI, HIPAA, SOX) and flexibility to adopt the most convenient framework
     • Strong competition
     • Sense of ownership
     • Flexibility to allocate funds for cybersecurity training
     • Willing to pay more for a better qualified workforce

  3. Revision of Existing Controls: SP 800s - Computer Security (NIST 800-53, Rev. 4) - 1
     Control Family: Awareness and Training (4 Controls and 6 Control Enhancements)
     AT-01 - Security Awareness and Training Policy and Procedures
     • The organization develops and formally documents a security awareness and training policy (SATP); the SATP considers purpose, scope, and roles and responsibilities; the organization disseminates the formal documented SATP, including to contractors/sub-contractors, and defines the frequency of the SATP.
     AT-02 - Security Awareness
     • All new employees are required to attend the New Employee Orientation Briefing on IT Security. In addition, they are required to complete the web-based security training course within 3 days of entrance on duty.
     • IT security training above the awareness level shall be provided to personnel who manage, design, implement or maintain systems.
     • Management shall ensure that all network and system administrators having responsibility for performing installation, configuration and maintenance of systems and networks are identified and receive appropriate training in systems security.
     • Because of time and resources, levels and type of training in systems security will be determined by each System Owner.

  4. Revision of Existing Controls (NIST 800-53, Rev. 4) - 2
     AT-02(1) - Security Awareness
     • Practical exercises in security awareness training that simulate actual cyber attacks.
     AT-02(2) - Insider Threat
     • The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
     AT-03 - Security Training
     • The organization provides role-based security-related training before authorizing access to the system or performing assigned duties, and when required by system changes.
     • The organization defines the frequency of refresher role-based security-related training.
     • The organization provides refresher role-based security-related training in accordance with the organization-defined frequency.

  5. Revision of Existing Controls (NIST 800-53, Rev. 4) - 3
     AT-03(1) - Security Training (Environmental Controls)
     • The organization provides employees with initial training in the employment and operation of environmental controls.
     • The organization defines the frequency of refresher training in the employment and operation of environmental controls.
     • The organization provides refresher training in the employment and operation of environmental controls in accordance with the organization-defined frequency.
     AT-03(2) - Security Training (Physical Security Controls)
     • The organization provides employees with initial training in the employment and operation of physical security controls.
     • The organization defines the frequency of refresher training in the employment and operation of physical security controls.
     • The organization provides refresher training in the employment and operation of physical security controls in accordance with the organization-defined frequency.

  6. Revision of Existing Controls (NIST 800-53, Rev. 4) - 4
     AT-03(3) - Practical Exercises (Scenario-Based)
     • The organization includes practical exercises in security training that reinforce training objectives.
     AT-03(4) - Suspicious Communications and Anomalous System Behavior
     • The organization defines indicators of malicious code.
     • The organization provides training to its personnel on organization-defined indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems.
     AT-04 - Security Training Records (a)
     • The organization documents and monitors individual information system security training activities, including basic security awareness training and specific information system security training.

  7. Revision of Existing Controls (NIST 800-53, Rev. 4) - 5
     AT-04 - Security Training Records (b)
     • The organization defines the time period for retaining individual training records.
     • The organization retains individual training records in accordance with the organization-defined time period.
     AT-05 - Contacts with Security Groups and Associations (withdrawn from AT)
     The organization establishes and institutionalizes contact with selected groups and associations within the security community to:
     a) facilitate ongoing security education and training for organizational personnel
     b) stay up to date with the latest recommended security practices, techniques, and technologies
     c) share current security-related information including threats, vulnerabilities, and incidents.

  8. Disputable considerations in Federal approach - 1
     • Redundant Controls – AT-02(1); AT-02(2)...
     • Reactive approach – “... within 3 days of entrance on duty”
     • Confusing language – “... above the awareness level shall be provided to personnel who manage...”
     • Unclear definitions – “... system administrators ... receive appropriate training in systems security...”
     • Subliminal suggestions – “Because of time and resources, levels and type of training in systems security will be determined by each System Owner”
     • “Unique,” complex, and impractical security framework
     • Minimum consequences – personnel “pampering”
     • Lack of incentives and professional growth
     • Budget – never used in this control

  9. Disputable considerations in Federal approach - 2
     SA - System and Services Acquisition – Budget

  10. Disputable considerations in Federal approach - 3
     Differentiated training, depending on Information System Classification – cost factor/administrative burden?
     From: NIST SP 800-53 Revision 4, Page D-3

  11. Disputable considerations in Federal approach - 4
     Lack of enforcement – only 3 other controls are “enforced”:
     a) Contingency Planning (CP-3): Contingency Training
     b) Incident Response (IR-2): Incident Response Training
     c) System and Services Acquisition (SA-16): Developer-Provided Training

  12. Disputable considerations in Federal approach - 5
     From: NIST SP 800-53 Revision 4, Page D-14
     PM Family – Program Management “hanging”

  13. Electronic “Pearl Harbor”
     • OMB Circular A-76 (Revised on May 29, 2003) recognized that federal agencies may be as efficient and effective as private sector organizations, or more so.
     • From 2009 to 2013, the number of data breaches in the Federal Government went from 26,942 to 46,605 (published cases only).
     • 21% of all federal information security breaches in 2013 were traced to government workers who lacked appropriate training.
     • $10 billion was spent by the Federal Government in 2014 in an effort to protect “privileged” information, but the Associated Press published a report asserting that at least 50% of federal data breaches that year were caused by federal personnel.
     • The Global Information Security Workforce estimated an increase of 13% each year (after 2017) in demand for highly qualified personnel in Cybersecurity.
     • McKinsey forecasts over 150,000 unfilled positions in Cybersecurity by 2018 because of lack of preparation and specialization.
     • TrendMicro considers that Cybersecurity professions will be growing 12 times faster than the whole job market by 2018.
     • 70 percent of the professional workforce will conduct their work on personal smart devices by 2018.
     • The cybercriminal underworld is becoming well-organized; the reasons are multiple and the details unknown.
     • The USA Federal Government is projected to spend $65 billion on cybersecurity contracts between 2015 and 2020, but the specific amount dedicated to training is still under calculation.

  14. Considerations
     • IT Certs, a college degree, diploma?
     • Simplification of existing controls
     • Practicality of existing framework (over 110 Controls as part of SP-800).
     • NIST 800-53, Rev. 4 = 462 pages > PCI = 112 pages
