NIST SP 800-50 Implementation Plan
Alyssa Evans

TABLE OF CONTENTS
ABSTRACT
INTRODUCTION
PURPOSE
PROBLEM
SOLUTION
TIMELINE
BUDGET
EVALUATING THE PROGRAM
BENEFITS
CONCLUSION
REFERENCES
Abstract
This document was created to inform the reader of viable ways to build an adequate
information technology security awareness and training program. There are several areas that can
be focused on heavily to best fit the organization's needs and concerns. The topics covered are
some of the most common issues found in organizations, and it is encouraged that they be
considered seriously. This document will also discuss several formats in which the awareness and
training program can be presented to best meet the needs of the organization. The final portions of
this document will review a tentative timeline, budget, and ways to determine future courses of
Introduction
Information technology security awareness and training is crucial for an organization to better
prepare its personnel and be less prone to issues caused by the user. No matter what technical
controls are in place, the user remains the weakest link in an organization. These programs
attempt to minimize the damage caused by the user and the data breaches that could occur due to
an unknowing mistake. One of the things the awareness and training program can address is
regulatory requirements. This protects not only the company, but the employee as well. If the
employee is unaware of any required practices, they would be made aware during the program,
and if a requirement changes, they would be informed of the change as well. Staying constantly
aware of new threats and of ways to avoid or deal with possible issues is another reason to
implement an awareness and training program: it is more difficult to trick someone who knows
what to look for. The final reason to implement this plan is to help users recognize the danger of
adding their personal devices to the company's network. It is difficult to defend the network when
there are devices connected that do not abide by the security policies put in place. Explaining in
detail the potential danger they are causing would eliminate some of the strain and allow for
proper cyber hygiene.
Purpose
This plan is meant to address the weakest link in information technology security by providing
the means to build an awareness and training program. A person who is aware and knows what to
do is less likely to cause preventable issues in the future. Keeping the program up to date keeps
the user properly informed and current with the tactics they may be faced with if a person with
Problem
The problem is that no matter what technology is in place or how many measures are taken to
keep those with malicious intent out, it is difficult to protect the network when those who are
supposed to stay out are willingly brought in by the very people the network is meant to protect.
Generally it is not even the user's intention to let these unwanted guests in; the employees simply
do not know any better. The lack of knowledge is similar to that of an infant. The child does not
know what is wrong until told and
Solution
There are several areas that can be addressed in the awareness and training program. Some of the
common issues include how to identify phishing emails, how to store login information, when not
to give out sensitive information, and how to avoid websites infected with malware. These things
can be brought to the attention of the user through posters, presentations, newsletters, classes,
helpful websites, or tips at the bottom of emails. It is also good to review security policies, best
practices for handling data, how to keep the workstation secure, the dangers of wireless, password
security, hoaxes,
Security policies should be the first thing reviewed. They should describe the dos and don'ts for
the network. They should also explain the practices expected of an employee allowed access to the
network and the consequences if these policies are not followed. Reviewing them in the program
not only ensures that the user reads them as they should, but gives them the chance to ask
questions and have things explained if necessary. Policies should also be addressed first because
many of the other issues covered in the program will hopefully already be in these documents, so
when they come up later the user will have a better idea of what is being discussed. Understanding
is the main focus, and that is difficult to achieve if the employee has no idea what is being
discussed and it is assumed that they know more than they do.
When allowed to handle sensitive data, the user should remember that only those who were given
permission should have access to it. This means that no one will legitimately need personal
information such as a username and password from another person in order to gain access. It also
means that they should not leave information lying out in the open. It should be stressed that they
should not tell others what they have access to, especially strangers or when it is classified. They
should be made aware that
Though it may be in the security policies, it cannot be stressed enough how much power an
attacker could have if a workstation is not properly secured. This means locking systems when
away, keeping sensitive information locked away from wandering eyes, and reminding the user to
do these simple actions. It is the little things that go a long way and make the environment less
difficult to protect.
Wireless should be treated with care when it is utilized. While convenient, it also enables a large
number of attacks. Employees should be told that strange behavior caused by their wireless devices
is common, and the signs of such behavior should be listed beforehand to give the employee the
best chance of spotting anything. Wireless networks also mean that an attacker can pretend to be
someone, or something, they are not. The user should be made aware that they should not connect
to unknown devices or visit unknown websites.
Passwords should be kept hidden and never shared. They should be as unique as possible,
including upper and lower case letters, numbers, and special characters if allowed. The longer the
password is, the more secure it will be. It is also important not to build a password from personal
information, or from the personal information of someone close to the user. Such passwords are
easily guessed and will not take long to figure out.
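As an added illustration that is not part of the original plan, the following Python check applies the
password rules above to a candidate password, undoing common character substitutions (such as
@ for a or 3 for e) before looking for personal details. The personal terms, the 12-character
minimum and the three-character-class requirement are assumptions chosen for the example.

```python
"""Checks a candidate password against the rules in the training plan.

Added example, not code from the original plan. PERSONAL_TERMS is a
constructed list of details an attacker could find about an employee
(names, birth year, pet name). MIN_LENGTH and MIN_CLASSES are assumed
policy values.
"""
import re
import string

MIN_LENGTH = 12   # assumed policy minimum
MIN_CLASSES = 3   # assumed: at least three of lower/upper/digit/special

# Common "leet" substitutions users rely on to disguise a word (illustrative map).
_LEET = str.maketrans("@$0134!57", "asoleaist")

# Constructed personal details for the worked example.
PERSONAL_TERMS = ("Alyssa", "Evans", "1990", "Rex")


def normalize(text: str) -> str:
    """Lower-case and undo leet substitutions so '@ly$$a' compares equal to 'alyssa'."""
    return text.lower().translate(_LEET)


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def password_issues(password: str, personal_terms=()) -> list:
    """Return human-readable reasons the password is weak; an empty list means it passes."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        issues.append(f"uses fewer than {MIN_CLASSES} character classes")
    folded = normalize(password)
    for term in personal_terms:
        # Terms shorter than three characters would match almost anything.
        if len(term) >= 3 and normalize(term) in folded:
            issues.append(f"contains personal term '{term}'")
    # A four-digit year is personal information even when no terms are supplied.
    if re.search(r"(?:19|20)\d{2}", password):
        issues.append("contains a 4-digit year")
    return issues


if __name__ == "__main__":
    for candidate in ("Alyssa1990!", "R3x&@ly$$a2019", "Tq7!vLp2#mZr9Wd"):
        print(candidate, "->", password_issues(candidate, PERSONAL_TERMS) or "no issues found")
```

The substitution folding is what makes the check useful in practice: a user who turns "Alyssa" into
"@ly$$a" has satisfied the character-class rule while still using a term an attacker would try first.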
Hoaxes and phishing are among the most common ways a user is targeted. It is very easy to fall
prey to these attacks, and users should be given multiple examples and tested consistently to be
sure they can recognize these threats. Employees should make it common practice to verify that
what they are receiving is legitimate and not from an attacker pretending to be someone within
the company.
The last things to be discussed are malware and sharing information. Malware is very dangerous
and is the doorway to further malicious attacks that are increasingly difficult to get rid of.
Avoiding unknown websites and not downloading from unknown places and people will help
minimize this. It is important to remind the user not to click on any link if they do not recognize
where it goes or if the email seems to be spam. Sharing information may seem harmless, but given
the right thing, an individual with malicious intent will know exactly where to look to have access to
Timeline
Developing the program will most likely take the most time. It will require coordinating with
employees to find the best time to teach them without taking away from the average work day.
This could take anywhere from 6 months to a year, depending on whether there will be classes
and how prepared those developing the program are. They will not only need to create materials,
but also research the common issues users have within the company. Some topics will require
more detail and others will only need to be touched on so that they are not forgotten.
Budget
The budget for this program should be based on the materials needed to provide awareness and
on possibly paying an outside trainer to train the employees. This could range anywhere from
$10,000 to $100,000 based on what is required and how large the company is. It is always good
to remember that overspending is a possibility and the price should be seriously considered
Evaluating the Program
are doing in terms of awareness in conjunction with a test to verify the information they should
know. This is also a good way to determine what needs to be focused on in the future. There is
Benefits
With this program in place, the user becomes less of an issue. Those with malicious intent will
have a more arduous time trying to gain entry to the network than if the user had no idea about
anything. It also encourages the company to stay current with the possible threats it may face.
Conclusion
Developing an information technology security awareness and training program is potentially
costly and time consuming, but it also addresses the weakest link in a network's security. It is
able to address any of the needs a company may have in terms of what could be breached because
of the user. It also allows everyone to be made aware of how best to follow the regulatory
requirements the organization must follow. Time is the most likely issue and is worth the
challenge of working around. The overall gain of avoiding a large number of breaches outweighs
the loss of time and money to put the program into action.
References
Brodie, C. (2008, June 30). The Importance of Security Awareness Training. Retrieved August security-awareness-training-33013
Goicochea, T. (2015, October 8). Top 3 Reasons You Need Cyber Security Awareness Training. security-awareness-training/
Gupta, M. (n.d.). Designing and developing an effective Security Awareness and Training conference/presentations/fissea09-mgupta-day3-panel_process-program-build-effective-training.pdf
Information Supplement: Best Practices for Implementing a Security Awareness Program. (2014, https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf
room/whitepapers/awareness/security-awareness-implementing-effective-strategy-418
Security Awareness: A Sound Business Strategy. (n.d.). Retrieved August 17, 2016, from http://www.nativeintelligence.com/ni-programs/whyaware.asp
Shinder, D. (2013, June 12). Security Awareness Training: Your First Line of Defense (Part 1). tutorials/misc_network_security/security-awareness-training-your-first-line-defense-part1.html
Wilson, M., & Hash, J. (2003, October). Building an Information Technology Security http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
Winkler, I., & Wankem, S. (2013, May 01). The 7 elements of a successful security awareness http://www.csoonline.com/article/2133408/network-security/network-security-the-7-elements-of-a-successful-security-awareness-program.html