FIPS PUB 191

Appendix D - Training and Awareness

The Computer Security Act of 1987 (P.L. 100-235) states that "Each agency shall provide for the mandatory periodic training in computer security awareness and accepted computer practices of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency."

[TODD89] provides a framework for identifying computer security training requirements for a diversity of audiences who should receive some form of computer security training. It focuses on learning objectives based upon the extent to which computer security knowledge is required by an individual as it applies to his or her job function. For detailed discussion and guidance for general computer security training the reader is directed to [TODD89].

To maintain security in a LAN environment, training in certain areas of LAN operation and use should be received by LAN users. Security mechanisms, procedures, etc. may not be effective if they are used improperly. Training areas that should be considered are listed below for functional managers, LAN managers and general users.

The training area for functional managers focuses on (1) the need to understand the importance of the security policy and (2) how that policy needs to be implemented into the LAN for it to be effective. The training area for LAN managers focuses on the need to understand how security is provided for operationally on the LAN. It also directs attention to the need for effective incident response. The training area for all users focuses on (1) recognizing the user role in the security policy and the responsibilities assigned there, (2) using the security services and mechanisms effectively to maintain security, and (3) understanding how to use the incident response procedures. Specifically these areas are discussed below.

Functional Managers

1. Recognize the importance of the LAN security policy and how this policy drives the decisions made regarding LAN security. Recognize the importance of determining adequate security for different types of information that the functional manager owns (or has responsibility for).

2. Recognize the LAN as a valuable resource to the organization and the need for protecting that resource. Recognize the importance of providing for adequate protection (through funding, personnel, etc.).

LAN Management

1. Understand how the LAN operates in all aspects. Ability to recognize normal operating behavior versus abnormal operating behavior.