Department Critical Infrastructure Protection Implementing Plans to Protect Cyber-Based Infrastructure
Report No. 04-05
Office of the Inspector General
5. ESTABLISHING EFFECTIVE RECRUITING, EDUCATING, AND AWARENESS PROGRAMS
The Department's 1999 CIP Plan recognized the need to recruit, retain, and educate both Department and contractor personnel in the areas of physical and information security. The Plan called for the completion of various programs to ensure that these needs were met. The Department has completed some of its efforts in the areas of recruitment, education, and awareness. For example, the Department recently implemented a departmentwide initiative to provide computer security awareness training. However, we found that the recruitment and retention program called for in the Plan was not fully implemented.
The April 1999 CIP Plan stated that the Department would establish a program to address the recruitment and retention requirements necessary for a successful critical infrastructure protection program. The requirements in this area were to include creating new job series/position descriptions, or modifying existing ones, to ensure that individuals charged with oversight and protection of the identified critical infrastructure assets are competent and trained. This effort was also to address the retention of trained personnel in order to ensure the continuity of program execution. Training and capability requirements for individuals were to be based on national standards and criteria.
The CIP Plan also stated that the Department would establish an education, training, and awareness program specifically targeted at critical infrastructure protection. This program was to ensure that all personnel within the Department recognize their individual responsibilities for infrastructure protection and the potential outcomes of negligent actions on their part.
To accomplish the requirements of the CIP Plan, the CIP Task Force was to work with JMD Personnel Staff to develop criteria for modifying or creating a new job series in support of critical infrastructure protection. The CIP Task Force was also to work with the Department's CIO and Security Officer to develop and promulgate training criteria and standards to ensure that individuals in key positions with the Department were proficient in their jobs, as related to critical infrastructure protection.
We found that the IMSS failed to address requirements for recruitment, education, and awareness in the April 2003 draft revision of the CIP Plan. The IMSS staff indicated that there was no reason for the omission, but they expect to include these areas in the next CIP Plan. The CIP Plan is expected to be revised again after the Department completes its Project Matrix review.
We requested documentation for the recruitment and retention program that was to be established under the requirements of the CIP Plan. We were told that JMD had not established the recruitment program identified as necessary to implement a successful CIP program. We requested an explanation from IMSS staff as to why no formal recruitment program was established, but we received no response. We discussed with IMSS staff the process by which IT security personnel are recruited. We were told that the IMSS recruits IT personnel through the Office of Personnel Management via job series GS-2210, Information Technology Specialist. Although we were told that the generic IT Specialist announcement is modified to reflect the CIP role fulfilled by the IMSS, the IMSS was unable to provide copies of the modified announcements for our review.
The CIP Plan recognizes that education and training are necessary for the successful implementation of any information security program. The two are related, but they involve distinctly different levels of learning. According to the CIAO's Practices for Securing Critical Information Assets guidance:
Training is geared to understanding the security aspects of the particular IT systems and applications that the individual uses. For example, all users need to learn the security features of the office automation software resident on their respective systems. Users also need to understand the security features of the local area network to which they are connected, as well as security issues related to connectivity to the Internet, intranet, and/or extranet. Education differs from training in both breadth and depth of knowledge and skills acquired. Security education, including formal courses and certification programs, is most appropriate for an organization's designated security specialists.
The Department's July 2001 document titled "The Information Technology Security Awareness, Training, and Education Standard and Implementation Guidelines" (Guidelines) contained minimum training requirements and implementation guidelines applying to all individuals, organizations, and entities that control, operate, maintain, and access Department of Justice systems containing SBU (sensitive but unclassified) information.
The Guidelines generally met the requirements of the CIP Plan for training and established that full-time security professionals (regardless of job title, series, or current level of expertise) must receive 40 hours of formal security training per year and all part-time security professionals must receive 24 hours of formal security training per year. This training may include, but is not limited to, workshops, free seminars, security conferences, computer-based training, and product-specific training, as long as the total number of hours in attendance is equal to or greater than the applicable annual requirement (40 hours for full-time and 24 hours for part-time security professionals). However, attendance at vendor marketing briefings cannot be used to meet this requirement.
We sought to test the extent to which IMSS staff met the annual training requirement. We were told that each IT security staff member was required to have the necessary 40 hours of security training and had met that requirement annually. However, we were unable to verify this assertion because the IMSS retained documentation only for course registration and not for course completion; registration alone does not establish that the hours were actually attended.
Security awareness can create sensitivity to the threats and vulnerabilities of computer systems and the recognition of the need to protect data, information, and the means of processing them. The fundamental value of IT security awareness programs is that the programs set the stage for further training by bringing about a change in attitudes, which in turn can change the organizational culture.
The IMSS has implemented an IT Security Awareness Training Initiative for the Department. As part of this effort, the Department uses a commercial off-the-shelf product, known as Computer Security Awareness Training (CSAT), to provide awareness training. The CSAT is a web-based training tool that delivers general IT security training to all Department government and contractor system users. The CSAT fulfills awareness training requirements by providing instruction on a number of security topics such as the proper selection and protection of passwords, physical security, e-mail and Internet security, and virus protection. The Department's efforts appear sufficient to satisfy the CIP Plan's requirements for computer security awareness.
We recommend that the Assistant Attorney General for Administration: