Environmental Protection Agency Design Document

Business Purpose

Cybersecurity is a critical concern for any organization or individual using digital technology. Cyber threats are increasing in sophistication and frequency, and it's crucial to adopt basic cybersecurity protocols to mitigate potential risks. There has been a 30% increase in employees clicking on malicious links. Additionally, there has been an observed number of unattended computers that have not been locked down while the employee is away from his or her desk. Over time, employees have been negligent of cybersecurity which caused loss of data (PII, SPII, CUI). This training will provide a mid-year refresher course on basic cybersecurity protocols and the importance of being vigilant. The goal would be to identify, respond to, and report security incidents within the Computer Security Incident Response Capability (CSIRC).

Target Audience

The audience is all EPA employees, contractors, and all other users of EPA information and information systems that support the operations and assets of the EPA.

Training Time

45 Minutes

Training Recommendation

Based on federal requirements and mandates, the EPA is responsible for ensuring all offices within the Agency meet the minimum-security requirements. Overall, e-learning provides an effective and efficient way to deliver cybersecurity training that is accessible, cost-effective, and scalable. It allows users to learn at their own pace and provides a consistent, interactive, and measurable training experience.

Deliverables

  • 1 storyboard outlining Incident Response & Reporting training course.
  • 1 eLearning module, developed in Articulate Storyline with voiceover narration

Learning Objectives

By the end of the training, the learners will be able to…

  • Recognize Controlled Unclassified Information (CUI), PII, and Sensitive Personally Identifiable Information (SPII).
  • Recognize types of security incidents,
  • Identify the process to report and respond to security incidents, and
  • Identify your security contacts.

Training Outline

Introduction

  • Welcome
  • Navigation
  • Objectives

Topic: Privacy Basics

  • Security acronyms and abbreviations
  • PII- Personally Identifiable Information
  • Name, Social Security, ID, Citizenship, Gender, Birth date, Place of Birth
  • SPII- Sensitive Personally Identifiable Information
  • 3 categories of SPII
  • CUI- Controlled Unclassified Information
  • We provide protection by safeguarding information and information systems from unauthorized access, use, disclosure, modification, or destruction.
  • These safeguards are partly defined by privacy practices that govern how information about individuals must be handled by the federal government.
  • This is particularly important for CUI since misuse or unauthorized change or access can compromise national interests.
  • List examples
  • CSIRC- Computer Security Incident Response Capability
  • Government agencies and other organizations have begun to augment their computer security efforts because of increased threats to computer security.
  • These increased computer security efforts, described here as Computer Security Incident Response Capabilities (CSIRCs), have as a primary focus the goal of reacting quickly and efficiently to computer security incidents.
  • CSIRC efforts provide agencies with a centralized and cost-effective approach to handling computer security incidents so that future problems can be efficiently resolved and prevented.
  • ISO- Information Security Officer
  • Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. 
  • Knowledge Check
  • Types of Security Incidents

  • Confidential/Unencrypted
  • Accidentally sending a report containing confidential PII, SPII, and other CUI to a person not authorized to view the report, or sending it unencrypted.
  • Virus, Phishing & Attacks

Any security situation that could compromise X information or information systems (e.g., virus, phishing emails, social engineering attack).

  • Loss, Damage & Theft
  • Loss, damage, or theft, of equipment, media, or documents containing PII, SPII, and other CUI.
  • Unauthorized Person Use
  • Allowing an unauthorized person to use your computer or credentials to access CUI.

Topic: Response & Reporting

  • 5 steps to respond and report a security incident.
  • Stop
  • Call (Security contacts will be shown here)
  • Email
  • Document
  • Follow-Up
  • Scenario: Responding to a Security Incident

The scene will show an employee panicking due to a computer being hacked. A coworker comes in to guide her through the appropriate steps to responding and reporting the system hack.

Summary

  • Recognize Controlled Unclassified Information (CUI), PII, and Sensitive Personally Identifiable Information (SPII).
  • Recognize types of security incidents,
  • Identify the process to report and respond to security incidents, and
  • Identify your security contacts.

Assessment

The assessment may include a variety of question types, such as multiple-choice, true/false, and scenario-based questions. The questions will cover a range of topics referencing the learning objectives.

The eLearning cybersecurity assessment may also provide feedback on areas where the individual may need to improve their cybersecurity knowledge. This can help organizations identify knowledge gaps and develop targeted training programs to improve the cybersecurity awareness of their employees.

Congratulations

Assessment Plan

80% passing on e-learning module assessment of Incident Response & Reporting via 5 multiple-choice questions.

        Information Security —Design Document - Page  of