Appropriate levels of awareness, training and education required within an organization
Security awareness is an often-overlooked factor in an information security program. Although security is the focus of security practitioners in their day-to-day functions, it's often taken for granted that common users possess this same level of security awareness. As a result, users can unwittingly become the weakest link in an information security program. Several key factors are critical to the success of a security awareness program:
- Senior-level management support: Under ideal circumstances, senior management is seen attending and actively participating in training efforts.
- Clear demonstration of how security supports the organization's business objectives: Employees need to understand why security is important to the organization and how it benefits the organization as a whole.
- Clear demonstration of how security affects all individuals and their job functions: The awareness program needs to be relevant for everyone, so that everyone understands that "security is everyone's responsibility."
- Taking into account the audience's current level of training and understanding of security principles: Training that's too basic will be ignored; training that's too technical will not be understood.
- Action and follow-up: A glitzy presentation that's forgotten as soon as the audience leaves the room is useless. Find ways to incorporate the security information you present with day-to-day activities and follow-up plans.
Awareness
A general security awareness program provides basic security information and ensures that everyone understands the importance of security. Awareness programs may include the following elements:
- Indoctrination and orientation: New employees and contractors should receive basic indoctrination and orientation. During the indoctrination, they may receive a copy of the corporate information security policy, be required to acknowledge and sign acceptable-use statements and non-disclosure agreements, and meet immediate supervisors and pertinent members of the security and IT staff.
- Presentations: Lectures, video presentations, and interactive computer-based training (CBT) courses are excellent tools for disseminating security training and information. Employee bonuses and performance reviews are sometimes tied to participation in these types of security awareness programs.
- Printed materials: Security posters, corporate newsletters, and periodic bulletins are useful for disseminating basic information such as security tips and promoting awareness of security.
Training
Formal training programs provide more in-depth information than an awareness program and may focus on specific security-related skills or tasks. Such training programs may include:
- Classroom training: Instructor-led or other formally facilitated training, possibly at corporate headquarters or a company training facility
- Self-paced training: Usually web-based training where students can proceed at their own pace
- On-the-job training: May include one-on-one mentoring with a peer or immediate supervisor
- Technical or vendor training: Training on a specific product or technology provided by a third party
- Apprenticeship or qualification programs: Formal probationary status or qualification standards that must be satisfactorily completed within a specified time period
Education
An education program provides the deepest level of security training, focusing on underlying principles, methodologies, and concepts. An education program may include:
- Continuing education requirements: Continuing Education Units (CEUs) are becoming popular for maintaining high-level technical or professional certifications such as the CISSP or Cisco Certified Internetwork Expert (CCIE).
- Certificate programs: Many colleges and universities offer adult education programs that have classes about current and relevant subjects for working professionals.
- Formal education or degree requirements: Many companies offer tuition assistance or scholarships for employees enrolled in classes that are relevant to their profession.