[ISN] OPM outlines four steps for IT security training

[InfoSec News]

http://www.gcn.com/vol1_no1/daily-updates/26205-1.html

By Jason Miller 
GCN Staff
06/14/04 

The Office of Personnel Management today outlined a four-step process
for agencies to follow to ensure employees, contractors and others who
access federal systems are adequately trained in IT security.

The final rule, effective today, requires agencies to develop an IT
security training plan.

The plan should identify employees with significant cybersecurity
responsibilities and provide role-specific training as detailed by the
National Institute of Standards and Technology guidance. The rule
said:

* All users of agency systems must be exposed to security awareness 
  materials at least annually. 

* Executives must receive training in IT security basics and policy 
  level training in security and planning management. 

* Program managers, functional managers and IT functional and 
  operations personnel must received training in IT security basics, 
  management and implementation level training in security planning and 
  system security management, application lifecycle management, 
  risk management and contingency planning. 

* CIOs, IT security program managers, auditors and other security 
  personnel, such as system and network administrators, must receive 
  training in security basics and broad training in security planning, 
  system and application security management, and system lifecycle, 
  risk and contingency planning management. 

Agencies also must provide all new employees training before granting
them access to federal systems. Employees must be given refresher
training as determined necessary by the agency based on the
sensitivity of the information that the worker uses.

Departments also must provide new training whenever there is a
significant change in the IT environment or procedures.