• James P. Craft, CISSP
  USAID Information Systems Security Officer
  1300 Pennsylvania Ave., Suite 2.12-032
  Washington, DC 20523-2120
  Telephone: 202-712-5460
  Fax: 202-216-3053
  E-mail: jcraft@usaid.gov

Vendor Partner:

• William R. Cleveland
  USAID PRIME Security Program Manager
  Computer Sciences Corporation
  1100 Wilson Blvd., Suite 1100
  Rosslyn, VA 22209
  Telephone: 703-465-7054
  Fax: 703-465-7193
  E-mail: wclevela@csc.com or cassistance@usaid.gov

• Section A.3.a.3 states: "Review of Security Controls. Review the security controls in each system when significant modifications are made to the system, but at least every three years. The scope and frequency of the review should be commensurate with the acceptable level of risk for the system. Depending on the potential risk and magnitude of harm that could occur, consider identifying a deficiency pursuant to OMB Circular No. A-123, "Management Accountability and Control" and the Federal Managers' Financial Integrity Act (FMFIA), if there is no assignment of security responsibility, no security plan, or no authorization to process for a system."
• Section A.3.a.2.b states: "Training: Ensure that all individuals are appropriately trained in how to fulfill their security responsibilities before allowing them access to the system. Such training shall assure that employees are versed in the rules of the system, be consistent with guidance issued by NIST and OPM, and apprise them about available assistance and technical security products and techniques. Behavior consistent with the rules of the system and periodic refresher training shall be required for continued access to the system."

Subject: COMPUTER SECURITY TEAM VISIT

Source: David Bayer, USAID Peru Executive Office

If you have the opportunity to have the Information Systems Security Officer (ISSO) Jim Craft and his Risk Assessment Program Area Manager, Rodney Murphy, visit your Mission with their team of computer security experts, then take advantage of it. They did one hell of a job during their February [1999] visit with us at USAID/Peru in getting us up to speed and raising our level of consciousness about security issues. This is not to say that our dedicated IRM staff, led by Systems Manager, Lucho Figueroa, have not been working their hearts out to get us into shape, but it is a real injection of energy to have professional people like Jim, Rodney, John Zoble, Mike Reiter and Steve Bui come in and sit down to review your Computer Security Program and Computer Contingency Plan with you.

In addition, they trained some 80 employees to become aware of computer security pitfalls.

And last but not least, they have given us some key advice and methods for closing out some computer security audit issues which are not only USAID/Peru exposures but endemic to all Missions worldwide.

Computer security is becoming an important issue in for USAID and all organizations. In this environment, new security standards and having a formal security program in each overseas Mission is very important.

USAID/Peru was selected as a Beta site to define the model/templates for the Computer Security Program to be applied in all overseas Missions.

Starting February 19 to February 25 [1999], during five workdays, a Computer Security Team belonging to the IRM/ Security Group was in Lima. The team had five members. Jim Craft acted as the team Leader.

Computer Security is a dynamic activity and demands coordination and permanent follow-up. The Computer Security Team's role in the implementation of the Computer Security Program in each Mission is critical. Computer Security activity involves the entire USAID organization, starting from Washington and reaching out worldwide to all Missions. If one Mission security system fails, it endangers the entire USAID organization.

• General Curriculum for Computer Security Basics.
• Skilled instructor
• Selected resources of Computer Security Courseware (based on target audience analysis)
• Logistic requirements (space, equipment, time)

Determine Target Audience: general population and users; IT professionals who train end users and Information Technologists who operate and maintain the system.

Survey: identify requirements of the general user population, system operators and IT professionals.

Evaluation: analyze mission requirements; design program to meet the mission requirements.

Scheduling: involves arranging for classroom spaces, time slots, sending e-mail announcements, acquiring and setting up audio-visual equipment, and focusing content for the required training.

Delivery: present the material to selected audiences or arrange that the required expertise is available and scheduled to present the security materials.

• Setup equipment (laptop, video player, sound system, projector, and/or overhead)
• Pass out prepared material (developed for Mission needs).
• Make sure everyone signs the attendance roster (Make sure ISS trainer gets and records attendee compliance with annual or new hire briefing requirements).
• Have attendees sign user agreement (Rules of Behavior).
• Be open for discussion with class (Answer their questions).

Feedback: solicit responses from audiences using a Class Evaluation Survey form, and personally from system administrator and EXO, and adjust training as required. Save copies of the Evaluation Surveys at the training location and at USAID Headquarters, to help future trainers prepare materials.

Follow-up: two weeks after return from a cyber-assistance visit, send e-mail to inquire as to any follow on assistance required.

• Course completion certificates, test scores, list of trained personnel; training records.

• Successful USAID Computer Security training sessions were conducted at various missions around the world. These successes were achieved in the most part by having great support from each of the mission's management. This is critical for the implementation of a security training program. A second point: the mission senior management should identify an individual Information Systems Security Training Manager. This allows that individual to receive training from the visiting team, develop a network of INFOSEC trainers, and helps that individual develop a program tailored to specific mission requirements.
• Training must be an on-going process; training on the heels of a cyber-assistance review has been well received and is seen as very useful; training on how to conduct a RA helps promote regularly scheduled reviews by local personnel to conduct the required reviews.
• These routine curriculum reviews help keep course content current and relevant to current requirements.
• Training completion records may contain personal information and therefore may be subject to appropriate protection under the Personal Privacy Act.

Time per Training Session: 45-60 minutes

Preparation Time up-front: 3-5 days

On-Site Time: 5 days per mission (dependent upon results of assessment conducted)

Cost: Contractor-provided labor charges approximate $800 per day. Travel and Per Diem charges are accounted separately.

Performance Goal: Provide training to 80% of each mission's employees.

Outcome Goal: To have an OMB-A130 compliant agency as it pertains to information systems security training requirements.

Output goal: To make all agency personnel aware of their federally mandated responsibilities as they pertain to information systems security.

General Objective: To build and maintain an OMB-A130 compliant information systems security training program.

Performance Indicator:

• Eliminate and resolve all identified OIG material weaknesses in the ISS training area.
• Maintain and document a periodic visit to each mission to perform information systems security training as part of a Cyber-Assistance Review.

• Classrooms
  
• Trainers
  
• A variety of instructional techniques
  
• Courses (locally or professionally developed)
  
• Pamphlets (To receive a sample of the following pamphlets, contact Bill Cleveland wclevela@csc.com)
• Why Do We Need Computer Security
• Network Security Guidelines
• Workstation Security Guidelines
• Passwords and You
• Internet Usage Guidelines
• Malicious Software
• What Should You Do If You Have a Virus?
• Junk E-Mail
• Incident Response
• USAID Information System Security General Guidelines
• CDs (available from: www.disa.mil/infosec):
  • Federal INFOSEC Awareness
  • Information Age Technology
  • Information Technology Security Awareness
  • Operational Information Systems Security Vol. 1
  • Operational Information Systems Security Vol. 2
    
• Videos (available from: www.disa.mil/infosec):
• Understanding Public Key Infrastructure
• Computer Security 101: For Sensitive Eyes Only
• Computer Security: The Executive Role
• Networks At Risk
• Protect Your AIS
• Information Frontline
• Bringing Down Your House
• The Scarlet V
• PowerPoint Presentations:
• New Hire Brief
• Mission Awareness Brief
• System Administration for NT (Intro, Modules 1, 3, 4, 6, 7, 8, and 9)
• Sample USAID Security Training On-line (Screen Capture of USAID's Intranetsecurity training homepage)