National Association of State Chief Information Officers

What did the VASAT enterprise service offer?
What department of government partnered with the Department of Technology Planning to create an electronic training and assessment solution?

Transcription

1 National Association of State Chief Information Officers Nominations for 2002 Recognition Awards for Outstanding Achievement in the Field of Information Technology Nomination Form Title of Nomination: Product/System Manager: Agency: Virginia Security Awareness Training (VASAT) enterprise service Rodney Willett General Manager Virginia Information Providers Network (VIPNet) Department: Address: Bank of America Center 1111 East Main Street, Suite 901 City/State/Zip: Richmond, VA Telephone: Fax: Category for Judging: Person Nominating: Security and Business Continuity The Honorable George Newstrom Secretary of Technology

2 1. EXECUTIVE SUMMARY In 2001, the Commonwealth of Virginia s Department of Technology Planning (DTP), enacted a comprehensive requirement that all state agencies must establish information security awareness programs for their employees so that they are aware of their information security responsibilities and how to fulfill them. In response to that requirement, agencies initially pursued traditional education and training solutions, including the development of information security seminar presentations and printed materials. However, the agencies quickly found that those solutions were too expensive and impractical to reach an affected workforce of more than 100,000 employees spread hundreds of miles across the state. As an alternative to those traditional training approaches, a group of state agencies including DTP, private companies, and the Virginia Information Providers Network (VIPNet), partnered to create an electronic, Web-based training and assessment solution that would be accessible via the convenience of the employees desktop computers and the Internet. That solution, the Virginia Security Awareness Training (VASAT) enterprise service, incorporates the general information security training guidelines and requirements of DTP, as well as the specific policies of each participating agency. Employees review the policies via secure access to VASAT and then complete an online test and certification process. All employees who use information technology resources must obtain such certification at least annually. The enterprise nature of the Web-based VASAT service now means that agencies may provide the required information security awareness training in a timely and affordable manner. State employees enjoy the convenience of being able to access VASAT via their Internet browsers. Further, the entire state and its citizens are benefiting from the improved information and data security that the security awareness requirement and online training service are providing.

3 2. PROJECT DESCRIPTION & LENGTH OF TIME IN OPERATION Virginia enacted the information security-training requirement for all state agencies in Specifically, the standard states: B.1 Standards B.1.a) Each Agency must establish and maintain information technology security awareness programs to ensure that all individuals are aware of their security responsibilities and know how to fulfill them. B.1.b) A security awareness-training program must: be approved by the Agency s Information Systems Security Officer (ISSO); specify timeframes for receiving training (initial, ongoing and/or refresher); provide both general and position appropriate security awareness content; and, be documented on an auditable medium. B.1.c) All new hires who use information resources or who have access to areas where information resources reside, must receive formal security awareness training as designed by their Agency within 30 calendar days of their start date. B.1.d) Receipt of Security Awareness Training must be documented in the employee s personnel file with employee s acknowledgement of receipt and understanding. B.1.e) Security Awareness Refresher Training must be provided to personnel annually at a minimum. The training requirement applies to any employee who uses or is in any way involved with state information technology equipment and data. State agencies must certify that their employees have had assessment training at least annually. The purpose of the requirement is to ensure that employees are familiar with and adequately utilizing appropriate information security policies and practices. Those policies include, for example, requirements for the creation and protection of network passwords. Initially, agencies pursued the development of traditional education and training solutions in response to the information security awareness policy. Those proposed solutions included information security seminar presentations and printed materials. However, the agencies quickly found that those traditional training solutions were too expensive and impractical to reach a workforce of more than 100,000 affected employees spread hundreds of miles across the state.

4 Early in 2002, a group of agencies including the Department of Technology Planning and Department of Transportation, private software and technology firms, and the Virginia Information Providers Network, VIPNet, partnered to explore the creation of an electronic, Web-based training and assessment solution. That partnership then led to the eventual development and launch of the Virginia Security Awareness Training (VASAT) enterprise service. VASAT incorporates the general information security training guidelines of DTP, as well as the specific policies of each participating agency including the Department of Transportation. The technology-consulting firm Keene, Inc. then used those guidelines and policies to modify the online security training software provided by CorpNet Security. VIPNet hosts VASAT on its secure servers and oversees the maintenance and administration of the service. Employees access VASAT via the convenience of their desktop computers and Internet browsers. After accessing the secure service via user name and password, employees may review the policies and are then required to complete an online test and certification process. That assessment process leads the employees through a series of questions related to the security policies. Users may receive different types of questions based on their level of information technology use (i.e., network system administrators must review and pass additional information use requirements specific to their work). Employees must correctly respond to the questions within service s time and accuracy parameters. Upon the employees successful completion of the assessment, VASAT provides each user with an electronic, printable certificate. Participating agency administrators have online access to confirm that their employees have successfully completed the online assessment. Those online logs also provide certification summaries that the administrators may use for confirmation of the agency s compliance with the information security training requirements. Agency administrators may add and modify their information security policies that are included in VASAT via secure access to the agencies policy vaults. Agency administrators and DTP also may request modifications to the training questions and accompanying user screens.

5 3. SIGNIFICANCE TO THE IMPROVEMENT OF THE OPERATION TO GOVERNMENT Even the most secure computer network in the world remains vulnerable to one type of threat: its users. Thus, strong, well implemented information security policies and awareness training programs are essential in order to prevent serious security lapses that could arise simply by a user selecting a network password that is too obvious to lurking hackers. Virginia s Department of Technology Planning addressed that concern when it enacted a comprehensive, statewide information security assessment requirement for affected government entities and their employees. The subsequent creation of the Web-based VASAT enterprise service now means that those government entities may provide their employees with the necessary training and assessment via an affordable and readily available solution. As an enterprise service, VASAT enables any affected state government entity to participate in the online information security training. Further, VASAT is available to any government entity, including local governments, not affected by the state requirement but still desiring to provide such training. Although VASAT has enabled Virginia government entities to quickly comply with the training requirement, the most significant benefit of the service comes from the assurance that state employees are familiar with and using the appropriate and required information security procedures. VASAT also provides agencies an ongoing tool for that assessment process. Agencies may immediately add new employees to the service and then re-test all employees annually or more frequently, if desired.

6 4. BENEFITS REALIZED BY SERVICE RECIPIENTS State employees across the Commonwealth benefit from the convenience of VASAT s Web-based training. Employee users may access VASAT via their Internet browsers and are not constrained by the coordination of training presentation times and locations. Following VASAT s inception earlier this year, the initial participating agencies projected online training for more then 25,000 of their employees. That number is expected to grow substantially in the coming months as more agencies join the service, given that the information security assessment requirement affects more than 100,000 state employees. Further, local governments have expressed interest in adding their employees to VASAT. VASAT also has benefited Virginia as a whole by facilitating the implementation of a statewide information policy with the employees trusted to maintain and protect the integrity of state computer systems and citizen data.

7 5. RETURN ON INVESTMENT, SHORT-TERM/LONG-TERM PAYBACK When Virginia agencies first explored using traditional training solutions in order to meet the information security assessment requirement, the high cost and cumbersome administration of such programs quickly pointed them towards an electronic alternative. Conservatively, agencies were projecting that they would need to spend $45 to $50 per user in developing the necessary training materials and presentations. That per user expense did not include any allowance for travel time and lost work hours if employees were away from their offices for the security training. For a single agency that needs to provide training to 1,000 employees, the traditional solutions would cost a minimum of between $45,000 and $50,000. And those agencies must provide the training annually. Agencies participating in the VASAT enterprise service pay a per user fee of $2.50 annually. That fee covers all software licensing, hosting, and administration fees for the service. Agencies may incur additional expenses if they require development and customization of the online versions of their information security policies. The longer-term return on investment of VASAT is even greater because of its enterprise nature: VASAT can provide 100,000 state employees online training for a total cost of $250,000, versus the at least $4.5 million that traditional training solutions would cost. Any government entity affected by the training requirement may enroll its employees in VASAT and take advantage of the online assessment and administrative tools. Further, because agencies must base their information security policies on the guidelines provided by DTP, new agencies joining VASAT do not need to spend more significant resources on the customization of their online policies.