IA Awareness Program development simulation based on NIST SP 800-50
Assume you have just been hired as the Chief Information Security Officer (CISO) for a major financial institution. (Congratulations.) This financial giant has offices all over the globe and is involved in multiple lines of business. Your first order of business is to develop an IA awareness and training program. (The human factor is the weakest link in a security program, so you have decided to address it first.)
How are you going to do it? What is the best way to manage budget, coverage, and integrity (i.e., not get fired for making horrible decisions)?
NIST has developed guidance on approaching this very problem.
The three models outlined in NIST SP 800-50 are:
–Centralized – This model gives all responsibility for program development and budget to a central authority. The program's needs assessment, content, and dissemination are all decided by that authority. Organizational units may be responsible for executing the plan at the business unit level, but the direction comes down from the central authority.
This model works well for smaller organizations and/or organizations whose missions are tightly aligned. Because so much responsibility rests with the central authority, that office must have in-depth expertise to succeed in the role.
–Partially Decentralized – This model still has a central authority, but its responsibilities differ from the centralized model. Under this model the central authority sets strategy, policy, and budget for the business units. Each business unit is responsible for deciding how its budget is allocated, for all aspects of its training materials, and for deployment. Typically the central authority requires metrics from the business units to judge effectiveness and compliance with the program.
This model works best for larger organizations spread over a wide geographic area. It is also well suited to organizations with multiple business units that have disparate missions. By allowing each organizational unit to develop its own training materials and deployment strategy, the program can be tailored to each unit's unique situation.
–Decentralized – In this model the central authority is responsible only for issuing broad policy setting out the expectations of the security program. Each organizational unit is responsible for running its own information security awareness program. A major benefit of this model is that the needs assessment is conducted by the organizational unit that fully understands the needs and situation of its particular "world".
This model is best for organizations that are highly decentralized, with only general responsibilities assigned by headquarters. The Department of Defense comes to mind as an excellent example of an organization that leverages this approach.
As the CISO for U.S. Bank, I would move forward with the partially decentralized model for my information security awareness program. U.S. Bank is a large, geographically dispersed organization whose business units have unique missions. These conditions are ideal for the partially decentralized model. Strategy and overarching policy would come from the CISO's office, but each business unit would be responsible for developing its own training materials and deployment plans.
This approach affords the flexibility required to deliver information security awareness that adds real value. Different regions have unique cultures, customs, and risks. Business unit leaders are better positioned to develop materials that address the needs of their own organizations and so improve the security posture overall. Conversely, the CISO's office is not positioned to effectively determine the training needs and delivery approach for every unit. That is another convincing reason why the partially decentralized approach, which leverages the organizational units' leaders, is the optimal model to select.
Depending on the feedback, metrics, and quality of the information security program, I would suggest migrating to a decentralized model within 5-7 years. By that point the program should have matured and entered a sustainability phase. Organizational leaders would understand the 'tone at the top' from the program's history and would be enabled and equipped to run their own programs successfully. They would remain responsible for providing metrics to senior management so that visibility and oversight are maintained.
NIST SP 800-50, Building an Information Technology Security Awareness and Training Program.
http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf