Native Intelligence offers specific role-based security awareness courses for:
Those who manage, operate, or use an information system need to understand the security responsibilities associated with their roles.
A security responsibility is a duty that, if not performed properly, has negative consequences for the person tasked with the duty -- and often for the organization as well. For example, if your job requires you to log off every time you leave your computer, logging off is a security responsibility. Not logging off could result in someone using your computer to steal or delete critical data, and you would have to answer for it.
An individual's specific security responsibilities determine the training needed.
A role¹ is a job function or position. Roles can represent organization structure, responsibility, span of control, and authority. For example, if Jackie in the IT Department reports to the CIO, supports five different system owners, manages three staff members, and is a member of the peer code review team, Jackie has four different business roles. Jackie has one title, but she performs many roles. Roles are based on job functions, not job titles. While titles vary across organizations, the responsibilities for security do not.
NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, provides a matrix to match security responsibilities with 26 roles.
NIST SP 800-16 defines 26 roles that require some level of security basics and literacy or training:
| IT Security Officer/Manager* | User |
| System Owner | Chief Information Officer |
| Information Resources Manager | Information Resources Management Official, Senior |
| Program Manager | Source Selection Board Member |
| Auditor, Internal | Auditor, External |
| Certification Reviewer | Designated Approving Authority (DAA) |
| System Designer/Developer | Telecommunications Specialist |
| Programmer/Systems Analyst | Systems Operations Personnel |
| Data Center Manager | Technical Support Personnel |
| Network Administrator | System Administrator |
| Database Administrator | Records Management Official |
| Privacy Act Official | Freedom of Information Act Official |
| Contracting Officer | Contracting Officer's Technical Representative (COTR) |

* Includes Information System Security Officer (ISSO), Network Security Officer (NSO), AIS Computer Security Officer (ACSO), Computer Security Officer (CSO), and other similar titles.

The Federal Information Security Management Act of 2002 (FISMA) requires government agencies to have an information security program that provides security awareness and training to inform personnel of three things: security risks, their responsibilities in complying with agency policies, and procedures designed to reduce risks.



¹ Note: While IT organizations use the term "roles" to describe a group of access privileges, the roles referred to in the training area relate to job functions.