Information Type: Company-Wide Discretionary Practice

INTEK - Security Awareness, Training & Education (SATE)

The following is basic guidance for managing a security awareness, training, and education (SATE) program. Points of contact are provided for more information on this process. Education and training are most important to enable a company-wide SECURE environment.

1. Provide Guidance, Material, Policy on Systems SATE

2. Conduct Quarterly/Annual Training Metric Consolidation

3. Manage Information Protection Seminars

4. Hold Annual INTEK- Information Assurance Workshop/Conference

5. Conduct SATE Review and Provide Department Assistance Visits Based upon Need and Installation Request

The SATE program is a single, integrated communications awareness, training, and education effort covering communications security (COMSEC), computer security (COMPUSEC), and wireless emission security (WEMSEC) disciplines. The program emphasizes information protection precepts and promotes consistent application of security principles in the use of Company information systems.

Company SOP states all personnel will receive four types of SATE training: accession, initial/recurring, awareness, and specialized. An individual trained in information protection principles and concepts will conduct this training.

The SATE program managers customize training to accomplish the SATE program objectives prescribed. They must convey the degree of reliance on information systems, the potential consequences arising from the lack of secure information systems, the organization’s commitment to secure information systems, and the means by which users can protect information systems. Mission sensitivity and the potential for mission degradation from the lack of proper information protection must influence the design of recurring and awareness training. This includes interruption or exploitation of service, exploitation through interception, unauthorized electronic access or related technical threats, and corruption through falsification of information or damage to storage media. Use computer-based training for both initial and recurring information protection training.

a. Corporate Training: Headquarters Education and Training Company (HQ ETC) will:

Conduct information protection accession training during initial company training.

- Train new employees on basic information operations (IO) and information warfare (IW) concepts to establish a foundation of information protection awareness.

-- Make sure they understand that certain vulnerabilities and threats exist in information systems and require protection.

- Define information protection by including the concepts of COMSEC, COMPUSEC and WEMSEC.

- Stress that there is a point of contact for SATE at every Company location and at the information protection Office.

- Administer information protection training through INTEK.

- Coordinate information protection training material with HQ through the department SATE manager.

- The Company Personnel Manager will provide information protection training for career programs.

b. Initial/Recurring Training: Consists of at least one hour annually:

- Company and contract personnel will receive information protection awareness-level training within 60 days of permanent change of station/permanent change of assignment to a new organization.

- Personnel will take appropriate computer-based training (CBT) modules before they are issued user IDs or passwords or otherwise granted network access.

- Personnel will take appropriate CBT module(s) before they are issued a key for any secure voice telephone.

- Personnel who do not use an information system in the performance of duties are exempt from the use of CBT tools in initial, recurring, or specialized information protection awareness-level training.

- Use company-tailored, INTEK-produced, or other educational materials to reemphasize information protection obligations.

c. Awareness Training: The SATE program managers satisfy awareness training requirements by displaying information protection-related awareness aids, using public service announcements, or providing applicable articles from company publications to unit personnel. Managers will encourage the use of information protection screen savers and take advantage of local cable public service channels to advance information protection awareness.

d. Specialized Training (Formal Course Integration): INTEK and the Company will provide students with an understanding of IO and IW and of the threat to, and vulnerabilities of, Company information systems, knowledge of countermeasures available to overcome the threat, and ways to apply the countermeasures.

Points of Contact

Organization: INTEK
Commercial: (314) 596-8750
Service Charge: CUSTOM QUOTE REQUIRED

1. Provide Guidance, Material, Policy on Systems SATE

The department SATE Program Manager provides detailed guidance and policies for implementing a Security Awareness, Training, and Education (SATE) program.

After conducting trend analysis and threat assessment, the department issues awareness material and provides guidance to implement preventive measures to the department SATE Manager. Once at a given base/installation, the department SATE manager determines the validity of the threat information at that site and publishes local "advisories" to all Automated Information Systems (AIS) users at that installation. This is usually done via email, bulletins, papers, or broadcast messages.

2. Conduct Quarterly/Annual Training Metric Consolidation

Company SOP requires that all department SATE program managers report to the department SATE Program Manager the number of personnel receiving SATE training and the total number of hours actually spent providing training. The department will consolidate all the base inputs and submit the report to the Company Communications/Information Protection Division.

Departments are responsible for establishing specific procedures to acquire, compile, and report company training information. An easy way to acquire these figures for refresher training is to have your SATE managers keep track of how many personnel within their organization received specific security training by month.

Inputs: Collection of data from department SATE Managers

Outputs: Annual Metric Report

3. Manage Information Protection Seminars

Information Protection (IP) Seminars are conducted by INTEK on location. The seminar is designed for personnel within all departments (COMPUSEC, SATE, COMSEC & WEMSEC managers); however, any individual working in a related specialty may request attendance. It is an awareness seminar designed for all Company and contractor personnel at the department levels.

The objectives of these seminars are to ensure that all personnel understand current security directives; understand the threats and associated risks to AIS systems and networks; understand individual responsibilities; and understand how to implement Company security procedures.

INTEK- company personnel will be selected to attend each IP seminar. We will be selecting nominees based on their IP background to ensure we have a good mixture of COMPUSEC, COMSEC, and SATE attendees. This is good for cross feed. This includes having one or two department level attendees at each seminar.

INTEK- will accept nominees ONLY from departments. A message will be sent requesting nominees usually no earlier than 2 months prior to the class start date. Selection will be made 1 month prior to the class start date.

All nomination information must be submitted to the INTEK- SATE- Company Program Manager using the following department format:

IP Seminar:

Full Name:

Title:

Name to be referred to in class:

Employee ID:

FAX #:

E-mail:

Responsibilities:

Complete mailing address:

 

4. Hold Annual INTEK Information Assurance Workshop/Conference

The INTEK Information Assurance Office hosts an annual workshop targeted at base-level Information Assurance (IA) (COMPUSEC, COMSEC, and SATE) professionals. However, standing invitations are open to all system administrators and program directors who would like to receive and participate in the exchange of security information and technologies relating to AISs.

This workshop can be held on-site at any company location or hosted by an agreed upon INTEK location. A formal message is sent to the communications department/group CSO and the Information Protection Office at least 3 months in advance of the workshop.

Inputs:

Outputs: Exchange of information

5. Conduct SATE Review and Provide Staff Assistance Visits Based upon Need and Installation Request

The Company will assess the quality of security training provided to individuals responsible for the operation of information systems, systems administrators, personnel responsible for Communications Security material, personnel assigned and department IP personnel.

The INTEK SATE manager will help you educate and help your organization’s personnel to:

 

1. Understand the inherent weaknesses in information systems and the potential harm to national security due to the improper use of information systems.

2. Keep informed of the threats (including human intelligence) to, and vulnerabilities of, information systems.

3. Take necessary measures to protect information generated, stored, processed, transferred, or communicated by information systems.

4. Recognize practices and conditions that create vulnerabilities in information systems, and use established security procedures to address them.

5. Recognize the potential damage to company security if secure material is compromised and understand the security measures required to protect this material.

6. Protect information systems against denial of service and unauthorized (accidental or intentional) disclosure, modification, or destruction of information systems and data.

7. Understand how COMPUSEC and COMSEC relate to the overall protection of information generated, processed, stored, or transferred by information systems.

File Owner: Jim Tracy
Organization: INTEK
Phone: (314) 596-8750
E-mail: jimt@intek.net
Date Last Reviewed: NOV 2002