Having established the functional areas on which training needs are concentrated, we now turn to the body of knowledge that a suitable training course must incorporate.
Information systems security training content can be organized into three major categories, namely:
• legal, regulatory, and ethical framework relevant to information systems security. This includes local, national, and international (e.g. European) pertinent legislation, national and international standards and guidelines, legal and liability issues, ethical issues and relevant codes of conduct;
• information systems security policies. These include the high-level security policy itself, as well as the means for developing it (e.g. risk analysis and management);
• information systems security controls. This includes system-specific security policies, all kinds of controls included in such policies (physical, procedural, technical, personnel), the implementation and operation of such policies, the management of security and the training and awareness activities required to support the policies.
The above contents constitute the complete body of knowledge that a comprehensive training course in information systems security should cover. However, only a subset of this knowledge is necessary for managers. The association between functional areas of responsibility and training content can be described compactly by a matrix whose rows are training contents and whose columns are functional areas of responsibility.
Tuesday, October 26, 2010
Saturday, October 16, 2010
Security Awareness Program Content Database
A robust content list delivered to end users on a monthly or quarterly basis avoids information overload and gives the program the flexibility to respond immediately to current information security risks. A monthly or quarterly cadence also prevents the repetition and boredom that often accompany learning sessions that are not delivered in small, manageable chunks.
Topics can be prioritized using a baseline examination, which is recommended in order to identify gaps in the existing end-user knowledge base and to begin immediately with the areas the organization considers most important. Baseline examinations can be derived from existing organizational materials or resources, or purchased from a security awareness vendor, and delivered through a learning management system that either already exists within the organization or is purchased or hosted.
Suggested topics for end user awareness training:
Information Security
• Introduction to Information Security
• Information Classification
• Information Management
• Managing Sensitive Information
• Marking and Labeling
• Intellectual Property
• Physical Security
Information Protection
• Electronic Mail Message (Email)
• Unsolicited Mail Message (SPAM)
• Confidentiality on the Web
• External Communications
• Clean Desk Policy
• Privacy
• Using Passwords
IT Security
• Main Concepts of IT Security
• Threat and Risk Management
• Internet Usage
• Mobile Devices and Removable Media
• Secure Mobile Workplace - Mobile Users
Physical Security
• Access Control
• Transport and Transmittal of Sensitive Information
• Destruction of Sensitive Information or Assets
• Storage
Awareness of External Threats
• Malicious code – Myths and Reality
• Malicious code – Protection Measures
• Spyware
• Identity Theft
• Social Engineering
Communicating the Message
Delivering key messages that relate to the organization’s policies or rules, tied to the monthly or quarterly learning topics, helps to solidify and reinforce those policies. Any regulations or fundamental security issues or concepts that need to be communicated should be planned alongside the delivery of the online training component.
Sources of Information
Relevant materials can be found within the organization: previously taught security awareness courses, security standards, directives or policies. External sources are abundant; SANS has a large library of materials that is free to use, as does Microsoft. Awareness communication messages can be derived from these sources and delivered via posters, newsletters, reminder stickers, games, etc. Alternatively, many security awareness vendors offer these types of resources either free or for a small fee. Where necessary, new materials may need to be created internally.