Definitions for Awareness, Training and Education

Information Security Awareness Program
An Awareness program mixes Awareness training sessions with periodic reminders and promotional materials to bring the attention of information resource users to information security issues, and to increase their understanding of vulnerabilities and threats affecting the security of USAP information. An Awareness program is typically geared towards the non-technical user community, or technical users outside an organization’s Information Technology group. The Federal Information Security Management Act of 2002 (FISMA) and OMB Circular A-130 require all users of federal information resources to receive periodic Awareness training as part of an Awareness program.

Information Security Training
Information Security training is typically considered technical training, and it focuses on improving the security skills and competencies of personnel managing, designing, developing, acquiring, and administering information resources. Technical training is intended for information security staff, and for information technology staff in positions with security related responsibilities, such as system administrators or network engineers. Technical training typically includes short courses, seminars, professional development workshops, conferences, and certificate programs. Technical training is provided to staff by the parent organization, to ensure the staff member is able to accomplish their duties.

Information Security Education
Information Security education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multi-disciplinary study of concepts, issues, and principles, and strives to produce information security specialists and professionals capable of vision and pro-active response. Typically, education involves a long-term course of study at the university level, and is provided to staff at the discretion of the parent organization.