
NIST SP 800-50 IMPLEMENTATION PLAN 1

NIST SP 800-50 Implementation Plan

Alyssa Evans

University of Advancing Technology



TABLE OF CONTENTS

ABSTRACT ... 3
INTRODUCTION ... 3
PURPOSE ... 4
PROBLEM ... 4
SOLUTION ... 4
TIMELINE ... 7
BUDGET ... 7
EVALUATING THE PROGRAM ... 8
BENEFITS ... 8
CONCLUSION ... 8
REFERENCES ... 9

NIST SP 800-50 Implementation Plan

Abstract

This document was created to inform the reader of viable ways to build an adequate information technology security awareness and training program. There are several areas that can be heavily focused on to best fit the organization's needs and concerns. The topics covered are some of the most common issues found in organizations, and it is encouraged that they be considered seriously. This document will also discuss several formats in which the awareness and training program can be presented to best meet the needs of the organization. The final portions of this document will review a tentative timeline, a budget, and ways to determine future courses of action based on the receptiveness of the program once implemented.

Introduction

Information technology security awareness and training is crucial for an organization to better prepare its personnel and become less prone to issues caused by the user. No matter what is done, the user is the weakest link in an organization. These programs attempt to minimize the damage caused by the user and the data breaches that could occur due to an unknowing mistake. One of the things the awareness and training program can address is regulatory requirements. This protects not only the company but the employee as well. If the employee is unaware of any required practices, they would be made aware during the program. This also means that if a change were made, they would be informed as well. Keeping constantly aware of new threats, and of ways to avoid or deal with possible issues, is another reason to implement an awareness and training program. It's more difficult to trick someone if they know what to look for. The final reason to implement this plan is to help users recognize the danger of adding their personal devices to the company's network. It is difficult to defend the network when there are devices connected that do not abide by the security policies put into place. Explaining in detail the potential danger they are causing would eliminate some of the strain and allow for proper cyber hygiene.

Purpose
This plan is meant to address the weakest link in information technology security by providing the means to build an awareness and training program. A person who is aware and knows what to do is less likely to cause preventable issues in the future. Keeping the program up to date keeps the user properly informed and current with the tactics they may face if a person with malicious intent targeted them.

Problem
The problem is that no matter what technology is in place, or how many measures are taken to keep those with malicious intent out, it's difficult to protect the network if those who are meant to stay out are willingly brought in by those who are meant to be protected. Generally it's not even the user's intention to let these unwanted guests in; the employees just do not know any better. The lack of knowing is similar to an infant: the child does not know what is wrong until told, and until learning the consequences of disobeying. An information technology security awareness and training program would have a similar effect.

Solution
There are several areas that can be addressed in the awareness and training program. Some of the common issues include how to identify phishing emails, storing login information, giving out sensitive information, and visiting websites infected with malware. These things can be brought to the attention of the user through posters, presentations, newsletters, classes, helpful websites, or tips at the bottom of emails. It's also good to review security policies, best practices for handling data, how to keep the workstation secure, the dangers of wireless, password security, hoaxes, malware, and sharing information.

Security policies should be the first thing reviewed. They should describe the dos and don'ts for the network. They should also explain some of the practices expected of an employee allowed access to the network and the consequences if these policies are not followed. Not only would this ensure that the user reads them as they should, but it gives them the chance to ask questions and have things explained to them if necessary. Policies should also be addressed first since many of the other issues that would be addressed in the program will hopefully be in these documents. This means that when those issues come up later, users will have a better idea of what is being discussed. Understanding is a main focus, and that's difficult to achieve if the employee has no idea what is being discussed whatsoever and it's assumed that they know more than they do.

When allowed to handle data, the user should remember that only those who were given permission should have access to it. This means that they will not need any personal information, such as a username and password, from another person to gain access. It also means that they should not leave information lying out in the open. It should be stressed that they should not tell others what they have access to, especially strangers or when it's classified. They should be made aware that sometimes just knowing who to target is all an attacker needs.

Though it may be in the security policies, it cannot be stressed enough how much power an attacker could have if a workstation is not properly secured. This means locking systems when away, keeping sensitive information locked away from wandering eyes, and reminding the user to do these simple actions. It's the little things that go a long way and make things less difficult to protect.

Wireless should be treated with care when it is utilized. While convenient, it also enables a large number of attacks. Employees should be notified that strange behavior caused by their wireless devices is common, and the signs of this behavior should be listed beforehand to give the employee the best chance to spot anything. Wireless networks also mean there is the potential for an attacker to pretend to be someone they're not. The user should be made aware that they should not connect to unknown devices or visit unknown websites.

Passwords should be kept hidden and never shared. They should be as unique as possible, including upper- and lower-case letters, numbers, and special characters if allowed. The longer the password is, the more secure it will be. It is also important not to generate a password based on one's own personal information or the personal information of someone close. Such passwords are easily guessed and will not take long to figure out.
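As an added example (not part of the original paper), the following Python script turns the guidance above into a check a security team could run while reviewing a password policy. It estimates the brute-force search space from length and the character classes used, which shows why length counts for more than complexity, and it flags passwords built from personal details an attacker could learn about the user. The minimum length of 12, the alphabet sizes, the substitution table and the sample terms are assumptions chosen for the illustration.

```python
import math
import re

# Character classes as the paper describes them (upper, lower, numbers, special).
# Alphabet sizes are assumptions for the estimate; 32 covers printable ASCII punctuation.
CLASSES = {
    "upper": (re.compile(r"[A-Z]"), 26),
    "lower": (re.compile(r"[a-z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "special": (re.compile(r"[^A-Za-z0-9]"), 32),
}

# Common look-alike substitutions (assumed list); undoing them lets the check see "J0rd@n" as "jordan".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def classes_used(password):
    """Names of the character classes that actually occur in the password."""
    return {name for name, (pattern, _) in CLASSES.items() if pattern.search(password)}


def search_space_bits(password):
    """log2 of the number of strings an attacker must try to exhaust passwords of this
    length drawn from the classes used: length multiplies the work, complexity only adds to it."""
    alphabet = sum(size for name, (_, size) in CLASSES.items() if name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def normalize(text):
    """Lower-case and undo the common substitutions so disguised words still match."""
    return text.lower().translate(LEET_MAP)


def personal_info_hits(password, personal_terms):
    """Personal-information terms (name, pet, birth year, ...) found inside the password,
    compared after normalizing both sides. Terms shorter than 3 characters are ignored."""
    normalized = normalize(password)
    return [term for term in personal_terms if len(term) >= 3 and normalize(term) in normalized]


def evaluate_password(password, personal_terms=(), min_length=12):
    """Check a candidate against the paper's guidance. min_length is an assumed policy value."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    missing = sorted(set(CLASSES) - classes_used(password))
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    hits = personal_info_hits(password, personal_terms)
    if hits:
        findings.append("built from personal information: " + ", ".join(hits))
    return {"length": len(password), "bits": round(search_space_bits(password), 1), "findings": findings}


if __name__ == "__main__":
    # Constructed sample: a pet name, a birth year and a first name as an attacker could learn them.
    known_about_user = ["Fluffy", "1985", "Jordan"]
    for candidate in ["Fluffy1985!", "P@ss1", "correcthorsebatterystaple", "Xq7#mLz2!vBw"]:
        print(candidate, evaluate_password(candidate, known_about_user))
```

Running it shows the point the paragraph makes numerically: a 12-character lower-case-only password (about 56 bits) has a larger search space than an 8-character password using all four classes (about 52 bits), and "Fluffy1985!" is flagged even though it satisfies every character-class rule, because the attacker only has to guess the pet's name and a year.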

Hoaxes and phishing are among the most common ways a user is targeted. It is very easy to fall prey to these attacks, and users should be given multiple examples and consistently tested to be sure they can recognize these threats. Employees should make it common practice to verify that what they are receiving is legitimate and not from an attacker pretending to be someone within the company.
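To make that verification habit concrete, here is an added Python example (not from the original paper) of the checks a mail gateway or help desk could apply to a message that claims to come from a colleague: a display name that matches the internal directory but arrives from a different address, a sender domain that is one or two characters away from the company's, and a Reply-To that routes answers to a third domain. The company domain, the directory entries and the three messages are constructed for the example; the script uses only the standard library's email parser.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed company domain and a constructed fragment of the internal directory.
COMPANY_DOMAIN = "example.com"
DIRECTORY = {
    "Jordan Lee": "jordan.lee@example.com",
    "Pat Ruiz": "pat.ruiz@example.com",
}


def domain_of(address):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_flags(raw_message):
    """Reasons a message should be verified out of band (a phone call, a walk to the desk)
    before anyone acts on it. An empty list means none of these checks fired, not that it is safe."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    reasons = []
    # 1. A colleague's name on an address that is not the one in the directory.
    expected = DIRECTORY.get(display_name)
    if expected and address.lower() != expected:
        reasons.append(f"display name '{display_name}' belongs to {expected}, message came from {address}")
    # 2. A sender domain that differs from ours by only a character or two.
    if from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"sender domain {from_domain} looks like {COMPANY_DOMAIN}")
    # 3. Replies silently routed to a different domain than the one the mail came from.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"replies go to {domain_of(reply_to)}, not {from_domain}")
    return reasons


# Constructed messages for a training example; the senders and domains are not real.
LEGITIMATE = """From: "Pat Ruiz" <pat.ruiz@example.com>
To: staff@example.com
Subject: Policy review on Friday

The updated acceptable-use policy is on the intranet.
"""

SPOOFED = """From: "Jordan Lee" <jordan.lee@examp1e.com>
Reply-To: <payments-desk@mail-relay.invalid>
To: staff@example.com
Subject: Urgent wire transfer

Please send the vendor payment details to me today.
"""

WEBMAIL = """From: "Jordan Lee" <jordanlee.ceo@freemail.invalid>
To: staff@example.com
Subject: Are you at your desk?

I need a quick favour, reply here.
"""

if __name__ == "__main__":
    for label, raw in [("legitimate", LEGITIMATE), ("spoofed", SPOOFED), ("webmail", WEBMAIL)]:
        print(label, impersonation_flags(raw))
```

The three checks are the same ones employees are taught to do by eye, so the flagged messages double as training material: the "webmail" case trips only the directory check, which is exactly the situation where a user who looks at the display name alone would be fooled.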

The last things to be discussed are malware and sharing information. Malware is very dangerous and is the doorway to more malicious attacks that are increasingly difficult to get rid of. Avoiding unknown websites, and not downloading from unknown places and people, will help minimize this. It is important to remind the user not to click on any links if they do not recognize where they go, or if the email seems to be spam. Sharing information may seem harmless, but given the right detail, an individual with malicious intent will know exactly where to look to gain access to the network without permission.

Timeline
Developing the program will most likely take the most time. It will require coordinating with employees to find the best time to teach them without taking away from the average work day. This could take anywhere from 6 months to a year, depending on whether there will be classes and how prepared those developing the program are. They will not only need to create materials, but also research what the common issues are for the users within their company. Some topics will require more detail, and others will only need to be glossed over so as not to be forgotten.

Budget
The budget for this program should be based on the materials needed to provide awareness and on possibly paying an outside party to train the employees. This could range anywhere from $10,000 to $100,000, based on what's required and how large the company is. It is always good to remember that overspending is a possibility, and the price should be seriously considered before making any final decisions.



Evaluating the Program


To determine whether the program is effective, surveys should be given to see how the users think they are doing in terms of awareness, in conjunction with a test to verify the information they should know. Comparing the two is also a good way to determine what needs to be focused on in the future. There is always room for improvement.

Benefits
With this program in place, the user becomes less of an issue. Those with malicious intent will have a more arduous time trying to gain entry to the network than if the user had no idea about anything. It also encourages the company to stay current with the possible threats it may face. Technology is constantly changing, as are the ways to gain entry to it.

Conclusion
Developing an information technology security awareness and training program is possibly costly and time consuming, but it also addresses the weakest link of a network's security. It is able to address any of the needs a company may have in terms of what could be breached because of the user. It also allows everyone to be made aware of how best to follow the regulatory requirements the organization must follow. Time is the most likely issue and is worth the challenge of working around. The overall gain of avoiding a large number of breaches outweighs the loss of time and money to put the program into action.

References
Brodie, C. (2008, June 30). The Importance of Security Awareness Training. Retrieved August 17, 2016, from https://www.sans.org/reading-room/whitepapers/awareness/importance-security-awareness-training-33013

Goicochea, T. (2015, October 8). Top 3 Reasons You Need Cyber Security Awareness Training. Retrieved August 17, 2016, from https://trushieldinc.com/top-3-reasons-you-need-cyber-security-awareness-training/

Gupta, M. (n.d.). Designing and developing an effective Security Awareness and Training program. Retrieved August 17, 2016, from http://csrc.nist.gov/organizations/fissea/2009-conference/presentations/fissea09-mgupta-day3-panel_process-program-build-effective-training.pdf

Information Supplement: Best Practices for Implementing a Security Awareness Program. (2014, October). Retrieved August 17, 2016, from https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf

Russell, C. (2002, October 25). Security Awareness - Implementing an Effective Strategy. Retrieved August 17, 2016, from https://www.sans.org/reading-room/whitepapers/awareness/security-awareness-implementing-effective-strategy-418

Security Awareness: A Sound Business Strategy. (n.d.). Retrieved August 17, 2016, from http://www.nativeintelligence.com/ni-programs/whyaware.asp

Shinder, D. (2013, June 12). Security Awareness Training: Your First Line of Defense (Part 1). Retrieved August 17, 2016, from http://www.windowsecurity.com/articles-tutorials/misc_network_security/security-awareness-training-your-first-line-defense-part1.html

Wilson, M., & Hash, J. (2003, October). Building an Information Technology Security Awareness and Training Program. Retrieved August 17, 2016, from http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

Winkler, I., & Wankem, S. (2013, May 01). The 7 elements of a successful security awareness program. Retrieved August 17, 2016, from http://www.csoonline.com/article/2133408/network-security/network-security-the-7-elements-of-a-successful-security-awareness-program.html
