Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing Security Education, Training, and Awareness Programs By: Joseph Flynn.

Published byClinton Gregory Modified over 7 years ago

Similar presentations

Presentation on theme: "Implementing Security Education, Training, and Awareness Programs By: Joseph Flynn."— Presentation transcript:

1 Implementing Security Education, Training, and Awareness Programs By: Joseph Flynn

2 Contents Learning Objectives What is SETA? What are its purposes? Security Education Security Training Security Awareness

3 Learning Objectives Define security education, training and awareness List situations where each strategy is appropriate Identify how organizations can use each strategy to mitigate threats to information security

4 SETA SETA is an acronym, for Security Education, Training, and Awareness It targets all users in an organization with specific programs for their jobs and level of technical expertise The SETA program is generally the responsibility of the Chief Information Security Officer

5 Purposes of SETA SETA holds employees accountable for their actions by communicating policy to all users Builds an in-depth knowledge base to design, implement, or operate security programs for organizations and systems Develops skills and knowledge so that users can perform their jobs using IT systems more securely Improves awareness of the need to protect system resources

6 Security Awareness Most basic level of SETA Used for employees who are new or unskilled Gets employees to focus on security Least common, but extremely effective

7 Security Awareness Programs Get the word out with mugs, t-shirts, posters, banners, conferences, newsletters, and bulletin boards to reach employees An example of a Security Awareness Topic: ‘Virus Protection’ What would the session cover? How does this benefit all users?

8 Things to keep in mind… Focus on people both as a part of the problem and as part of the solution. Refrain from using technical jargon; speak the language the users understand. Use every available venue to access all users. Define at least one key learning objective, state it clearly, and provide sufficient detail and coverage to reinforce the learning of it. Keep things light; refrain from "preaching" to users.

9 In addition… Don't overload the users with too much detail or too great a volume of information. Help users understand their roles in information security and how a breach in that security can affect their jobs. Take advantage of in-house communications media to deliver messages. Make the awareness program formal; plan and document all actions. Provide good information early, rather than perfect information late.

10 Security Training Intermediate level of SETA According to the NIST SP 800-16: Federal agencies and organizations cannot protect the integrity, confidentiality, and availability of information in today's highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them.

11 Security Training Programs Provides detailed information and hands-on instruction Teach users what to do and how to do it Employees are divided into general users, technical users, and managerial users at beginner, intermediate, and advanced levels

12 Things to keep in mind… General users are trained in the policies of the organization such as security practices, password management, violation reporting, and access controls. It is best to do this when they are first hired. Managerial users should be trained in smaller groups to facilitate discussion. Technical users are trained more in-depth than general and managerial users. This is often outsourced because of the high level of expertise required. Technical users are often separated according to job category, job function, and technology product.

13 Training Techniques Effective training programs are crucial to the success of an organization Wrong training methods can lead to unnecessary expense and frustrated and poorly trained employee’s Good training methods, regardless of delivery method, take advantage of the latest learning technologies and best practices.

14 Delivery Methods One-on-One Method Formal Class Computer-Based Training Distance learning / Web Seminars User Support Groups On The Job Training Self-Study

15 Dedicated Training Staff Depending on the training deliver method chosen, A dedicated training staff may be required. They should continually provide specific, effective training programs for an organization’s employee’s. Staff must assess organizational needs, plan effective programs, implement these programs, and evaluate their effectiveness.

16 Seven Step Methodology For Implementing Security Training Step One: Identify the Programs Scope, Goals, and Objectives Step Two: Identify the training staff Step Three: Identify the Audience Step Four: Motivation Step Five: Administer The Security Training Step Six and Seven: Listen to Employee feedback, evolve the program to increase its effectiveness.

17 Security Education Highest level of SETA Used for employees in highly technical or skilled positions that demand greater information security

18 Conclusion Having a good Information Security Program is not enough. SETA is crucial to a successful information security program in an organization. Helps minimize loss of information assets and hold employee’s accountable for breaking policies.

19 Questions?

Download ppt "Implementing Security Education, Training, and Awareness Programs By: Joseph Flynn."

Similar presentations

Effective Supervision

Effective Supervision
A GUIDE TO CREATING QUALITY ONLINE LEARNING DOING DISTANCE EDUCATION WELL.

A GUIDE TO CREATING QUALITY ONLINE LEARNING DOING DISTANCE EDUCATION WELL.
Chapter 5. Analyzing Your Audience and Purpose © 2004 by Bedford/St. Martin's1 Categories of Readers by Function A primary audience of people who have.

Chapter 5. Analyzing Your Audience and Purpose © 2004 by Bedford/St. Martin's1 Categories of Readers by Function A primary audience of people who have.
MANAGEMENT BY OBJECTIVES MBO. What is MBO? Management by objectives (MBO) is a systematic and organized approach that allows management to focus on achievable.

MANAGEMENT BY OBJECTIVES MBO. What is MBO? Management by objectives (MBO) is a systematic and organized approach that allows management to focus on achievable.
NARA – Records Management Training Program October 5, 2004 1 NARA’s Records Management Training and Certification Program.

NARA – Records Management Training Program October 5, NARA’s Records Management Training and Certification Program.
Information Security Policies and Standards

Information Security Policies and Standards
Developing the Security Program

Developing the Security Program
3 Chapter Needs Assessment.

3 Chapter Needs Assessment.
Chapter 5 Developing the Security Program

Chapter 5 Developing the Security Program
Lecture 11 Information Systems Training (Chapter 11)

Lecture 11 Information Systems Training (Chapter 11)
CHAPTER 9: LEARNING OUTCOMES

CHAPTER 9: LEARNING OUTCOMES
Human Resource Management: Gaining a Competitive Advantage

Human Resource Management: Gaining a Competitive Advantage
TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management
Developing the Security Program

Developing the Security Program
Developing the Security Program

Developing the Security Program
Management of Information Security Chapter 5 Developing the Security Program We trained hard ... but every time we formed up teams we would be reorganized.

Management of Information Security Chapter 5 Developing the Security Program We trained hard ... but every time we formed up teams we would be reorganized.
Chapter 8 communication skills Section 8.1 Defining Communication

Chapter 8 communication skills Section 8.1 Defining Communication
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Information Security Governance 25 th June 2007 Gordon Micallef Vice President – ISACA MALTA CHAPTER.

Information Security Governance 25 th June 2007 Gordon Micallef Vice President – ISACA MALTA CHAPTER.

Similar presentations

Ads by Google