FIPS PUB 191
Appendix D - Training and Awareness
The Computer Security Act of 1987 (P.L. 100-235) states that "Each agency shall provide for the
mandatory periodic training in computer security awareness and accepted computer practices of
all employees who are involved with the management, use, or operation of each Federal computer
system within or under the supervision of that agency."
[TODD89] provides a framework for identifying computer security training requirements for a
diversity of audiences who should receive some form of computer security training. It focuses
on learning objectives based upon the extent to which computer security knowledge is required
by an individual as it applies to his or her job function. For detailed discussion and guidance
for general computer security training the reader is directed to [TODD89].
To maintain security in a LAN environment, LAN users should receive training in certain areas of LAN
operation and use. Security mechanisms, procedures, etc. may not be effective if they are used
improperly. Training areas that should be considered are listed below for functional managers, LAN
managers and general users. The training area for functional managers focuses on (1) the need to
understand the importance of the security policy and (2) how that policy needs to be implemented on
the LAN for it to be effective. The training area for LAN managers focuses on the need to understand
how security is provided operationally on the LAN. It also directs attention to the need for effective
incident response. The training area for all users focuses on (1) recognizing the user role in the
security policy and the responsibilities assigned there, (2) using the security services and
mechanisms effectively to maintain security, and (3) understanding how to use the incident response
procedures. These areas are discussed specifically below.
Functional Managers
1. Recognize the importance of the LAN security policy and how this policy drives the decisions
made regarding LAN security. Recognize the importance of determining adequate security for
different types of information that the functional manager owns (or has responsibility for).
2. Recognize the LAN as a valuable resource to the organization and the need for protecting
that resource. Recognize the importance of providing for adequate protection (through funding,
personnel, etc.).
LAN Management
1. Understand how the LAN operates in all aspects. Be able to recognize normal operating
behavior versus abnormal operating behavior.