Tuesday, September 7, 2010

Security Awareness Training

I didn’t spend much time on-line this weekend, but I did run across an interesting Tweet last night. It came from GSNGovtSecNews with a link to their article on a recent DHS information collection request submission (that I discussed here last week) for a security awareness training program. The Tweet added this comment:
“DHS thinks that online training for 47% of all chemical workers makes sense. Critics might disagree. What do YOU [think]…”
The article at GSNMagazine.com provides a very brief description of the ICR renewal notice that was posted in the Federal Register last week. Unfortunately, the author makes two errors of omission; failing to note that the ICR is a renewal for a program that has been running since 2007 and failing to note that the training is ‘security awareness’ training as opposed to ‘security training’.

Those two omissions clearly lead to the silly statement in the tweet. If the authors (I’m assuming different authors for the article and the Tweet) had taken the time to take the on-line training they would have seen that it is a generic-chemical-facility security-awareness interactive training program. While some trainers (myself included) would argue that a facility-specific program would be much more effective, it is simply not cost effective for such training programs to be developed for the vast majority of the chemical facilities in the United States.

As I said in a blog two years ago:
“The scenarios are well crafted and represent some common techniques used in surveillance and information collection activities leading up to a potential attack. This is not an exhaustive coverage of those techniques, but it is well suited to the average employee.”
I certainly recommend that anyone concerned with security training at high-risk facilities review this training program and figure out how to best integrate it into their facilities security training. I would still like to see the Chemical Sector Specific Agency adopt a version of this for group training, but for many facilities an on-line individual-based instruction methodology makes eminent sense.


Don Greenwood said...

As we know, CFATS recommends three levels of training:

Training for the FSO or Site Security Officer (DHS uses both terms in different document sets).

Training for “Others with Security Responsibilities”.

Awareness training for all employees.

Our company has trained over 50 FSOs under both CFATS and the MTSA using online training.  We have learned that we must structure this training in such a way as to guarantee that the attendees really pay attention and participate.  So, we will only do distance learning or online training if the attendees are assembled in the client’s conference room with a supervisor acting as a monitor.  This ensures they are engaged and not doing email, other work, or even leaving their cubes for periods of time.  We will only certify the training and provide the Certificate  to the individual if the online session is monitored.

The real test of training quality will be done by an inspector on site, randomly picking a person and asking a fundamental security plan question.  We have seen this done to test the training during DHS inspections of our clients.  In the maritime context, the Coast Guard will stop an employee and ask them to explain the MARSEC Level definitions.  At CFATS facilities they may ask questions about CVI protections, and escorting in restricted areas.  They may ask an employee to explain how terrorists circumvent security.

Most of the online training we have looked out does not adequately cover the topics recommended in the RBPS Guidance Manual and I believe in the future we will see much more rigorous training requirements coming from DHS, including a process to certify the courses instructors.

I believe the house bill, HR2868, actually would require eight hours of annual training for the first two categories.

PJCoyle said...

See my response to Don Greenwood’s comments at: http://chemical-facility-security-news.blogspot.com/2010/09/reader-comment-09-08-10-security.html

/* Use this with templates/template-twocol.html */