Pages 98-117

From page 98...
... 98 Chapter 6 Training: Building a Culture of Cybersecurity What is a Culture of Cybersecurity? In a security culture, security is an integral part of the daily routine.
From page 99...
... 99 • Reduction of the attack surface • Addressing threats, mitigations, software/firmware update process • Addressing monitoring and detection methodologies • Ability to be audited for compliance • Change-management systems (Source: APTA Recommended Practice, Part 2) Existing and planned workforce development initiatives of state DOTs and transit agencies include internship or apprenticeship programs and mentorship programs.
From page 100...
... 100 Training category as a component of the Protect function. (The other four functions are Identify, Detect, Respond, and Recover.)
From page 101...
... 101 developing comprehensive safety programs. Because transit systems around the world have been targets of terrorists, security was a concern for senior management of transit agencies even prior to September 11, 2001.
From page 102...
... 102 It is important to note the differences between Awareness and Training. NCHRP Report 793 states that "security awareness is the cornerstone of a security culture." NIST SP 800-16 notes that "Awareness is not training.
From page 103...
... 103 • Vulnerabilities unique to virtual computing environments; 3. "Role-Based Training" delivers the knowledge and skills required for specific roles and responsibilities with respect to Federal Organization information systems.
From page 104...
... 104 • Model 3 – Centralized policy, distributed strategy and implementation NIST SP 800-50 (2003) also discusses how to structure awareness and training activity; how to conduct a needs assessment; how to develop an awareness and training plan; how to establish priorities; how to establish the level of complexity of the subject matter; and how to fund the program.
From page 105...
... 105 and Recover. Each category of user is responsible for all five functions to varying extents.
From page 106...
... 106 personnel is pertinent in ensuring the security of agency CIKR. Content A Cybersecurity Awareness and Training Program should cover IT security policies and procedures, rules of behavior for IT systems and information use, basic threats employees may encounter and actions that they should employ to counter them.
From page 107...
... 107 While Awareness and Training resides in the "Protect" function, required training should be aligned with each of these elements (categories)
From page 108...
... 108 Figure 22: Sample Training Module
From page 109...
... 109 Table 8: Sample Training Knowledge and Skills Awareness and Training Delivery Existing programs may be useful for the delivery of cybersecurity awareness and training. Agencies that offer a security awareness course may choose to incorporate a cybersecurity awareness module into the course.
From page 110...
... 110 • Senior management can include security awareness in all of their communications to their employees. • Managers and supervisors can talk about security at meetings and events.
From page 111...
... 111 turnover issues by improving workforce commitment to the organization. Interactive training solutions have been identified and discussed in NCHRP Synthesis Report 468 (2015)
From page 112...
... 112 and systems and components tested for their operability. NIST SP 800-84 denotes training as a vehicle for informing and training personnel on their roles and responsibilities within IT plans and preparing them for participation in tests and exercises.
From page 113...
... 113 Performance Indicators Indicators may be used to track and evaluate the performance of the Awareness and Training Program. Indicators may be intermediate indicators that describe the output of the program such as the number of trained personnel or they may be outcome indicators that reflect to what extent the program is meeting its goal(s)
From page 114...
... 114 NICE developed the National Cybersecurity Workforce Framework which defines and categorizes the cybersecurity workforce through common taxonomy and lexicon. Thirty-two specialty areas are grouped into one of seven categories; also, the knowledge, skills, and abilities for each area are provided in the Framework.
From page 115...
... 115 Figure 23: Sample Awareness Posters. Source: NIST SP 800-50, 2003
From page 116...
... 116 Figure 24: Sample Awareness and Training Program Template
From page 117...
... 117 Table 9: Awareness and Training Subcategories and References
Awareness and Training Subcategories | References
All users are informed and trained | CCS CSC 9; COBIT 5 APO07.03, BAI05.07; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.7.2.2; NIST SP 800-53 Rev. 4 AT-2, PM-13
Privileged users understand roles and responsibilities | CCS CSC 9; COBIT 5 APO07.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev.
