[ISN] OPM outlines four steps for IT security training

InfoSec News isn at c4i.org
Tue Jun 15 01:53:03 EDT 2004


http://www.gcn.com/vol1_no1/daily-updates/26205-1.html

By Jason Miller 
GCN Staff
06/14/04 

The Office of Personnel Management today outlined a four-step process
for agencies to follow to ensure employees, contractors and others who
access federal systems are adequately trained in IT security.

The final rule, effective today, requires agencies to develop an IT
security training plan.

The plan should identify employees with significant cybersecurity
responsibilities and provide role-specific training as detailed by the
National Institute of Standards and Technology guidance. The rule
said:

* All users of agency systems must be exposed to security awareness 
  materials at least annually. 

* Executives must receive training in IT security basics and policy 
  level training in security and planning management. 

* Program managers, functional managers and IT functional and 
  operations personnel must receive training in IT security basics, 
  management and implementation level training in security planning and 
  system security management, application lifecycle management, 
  risk management and contingency planning. 

* CIOs, IT security program managers, auditors and other security 
  personnel, such as system and network administrators, must receive 
  training in security basics and broad training in security planning, 
  system and application security management, and system lifecycle, 
  risk and contingency planning management. 

Agencies also must provide all new employees training before granting
them access to federal systems. Employees must be given refresher
training as determined necessary by the agency based on the
sensitivity of the information that the worker uses.

Departments also must provide new training whenever there is a
significant change in the IT environment or procedures.




