Tuesday, October 26, 2010

The Body of Knowledge

Having established the functional areas in which the training needs are focused, we now focus on the body of knowledge that must be incorporated within a suitable training course.

Information systems security training content can be organized into three major categories, namely:

• the legal, regulatory, and ethical framework relevant to information systems security. This includes pertinent local, national, and international (e.g. European) legislation, national and international standards and guidelines, legal and liability issues, and ethical issues and relevant codes of conduct;

• information systems security policies. These include the high-level security policy itself, as well as the means for developing it (e.g. risk analysis and management);

• information systems security controls. This includes system-specific security policies, all kinds of controls included in such policies (physical, procedural, technical, personnel), the implementation and operation of such policies, the management of security, and the training and awareness activities required to support the policies.

The above contents constitute the complete body of knowledge that a comprehensive training course in information systems security should cover. However, only a subset of this knowledge is necessary for managers. The association between functional areas of responsibility and training content can be described comprehensively by a matrix whose rows are training contents and whose columns are functional areas of responsibility.