Presentation is loading. Please wait.

Presentation is loading. Please wait.

MANAGEMENT of INFORMATION SECURITY, Fifth Edition.

Published byLuke Preston Modified over 7 years ago

Similar presentations

Presentation on theme: "MANAGEMENT of INFORMATION SECURITY, Fifth Edition."— Presentation transcript:

1 MANAGEMENT of INFORMATION SECURITY, Fifth Edition

2 Security Education, Training, and Awareness Programs 2 Management of Information Security, 5th Edition © Cengage Learning

3 Implementing Security Education, Training, and Awareness Programs The SETA program is designed to reduce accidental security breaches by members of the organization SETA programs offer three major benefits: – They can improve employee behavior – They can inform members of the organization about where to report violations of policy – They enable the organization to hold employees accountable for their actions The purpose of SETA is to enhance security: – By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems – By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely – By improving awareness of the need to protect system resources 3 Management of Information Security, 5th Edition © Cengage Learning

4 Framework of SETA 4 Management of Information Security, 5th Edition © Cengage Learning Source: NIST SP 800-12

5 Security Education Some organizations may have employees within the InfoSec department who are not prepared by their background or experience for the InfoSec roles they are supposed to perform When tactical circumstances allow and/or strategic imperatives dictate, these employees may be encouraged to use a formal education method Local and regional resources might also provide information and services in educational areas 5 Management of Information Security, 5th Edition © Cengage Learning

6 Security Training Security training involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely Management can either develop customized training or outsource all or part of the training program There are two methods for customizing training for users by functional background or skill level – Functional background: General user Managerial user Technical user – Skill level: Novice Intermediate Advanced 6 Management of Information Security, 5th Edition © Cengage Learning

7 Training Techniques According to Trepper: – Using the wrong method can hinder training and lead to unnecessary expense and frustrated, poorly trained employees – Good training programs take advantage of the latest learning technologies and best practices – Recent developments include less use of centralized public courses and more on-site training – Training is often for one or a few individuals, rather than waiting for large groups, which can cost companies lost productivity – Other best practices include the increased use of short, task-oriented modules and training sessions, available during the normal work week, that are immediate and consistent 7 Management of Information Security, 5th Edition © Cengage Learning

8 Delivery Methods Selection of the training delivery method is not always based on the best outcome for the trainee Often other factors — budget, scheduling, and needs of the organization — come first – One-on-One – Formal Class – Computer-Based Training (CBT) – Distance Learning/Web Seminars – User Support Group – On-the-Job Training – Self-Study (Noncomputerized) 8 Management of Information Security, 5th Edition © Cengage Learning

9 Selecting the Training Staff To provide employee training, an organization can use a local training program, a continuing education department, or another external training agency Alternatively, it can hire a professional trainer, a consultant, or someone from an accredited institution to conduct on-site training It can also organize and conduct training in- house using its own employees 9 Management of Information Security, 5th Edition © Cengage Learning

10 Implementing Training While each organization develops its own strategy based on the techniques discussed above, the following seven-step methodology generally applies: Step 1: Identify program scope, goals, and objectives Step 2: Identify training staff Step 3: Identify target audiences Step 4: Motivate management and employees Step 5: Administer the program Step 6: Maintain the program Step 7: Evaluate the program 10 Management of Information Security, 5th Edition © Cengage Learning

11 Security Awareness One of the least frequently implemented, but most effective security methods is the security awareness program Security awareness programs: – set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure – remind users of the procedures to be followed 11 Management of Information Security, 5th Edition © Cengage Learning

12 Security Awareness When developing an awareness program: – Focus on people – Refrain from using technical jargon – Use every available venue – Define learning objectives, state them clearly, and provide sufficient detail and coverage – Keep things light – Don’t overload the users – Help users understand their roles in InfoSec – Take advantage of in-house communications media – Make the awareness program formal; plan and document all actions. – Provide good information early, rather than perfect information late. 12 Management of Information Security, 5th Edition © Cengage Learning

13 Advice for InfoSec Awareness Training Programs Information security is about people and only incidentally related to technology If you want others to understand, learn how to speak a language they can understand If they don’t understand what they are being told, they will not be able to learn it Make your points so that you can identify them clearly and so can they Keep a sense of humor with your students at all times First tell students what you plan to tell them, then tell it to them, then remind them what you told them Unambiguously tell students how the behavior you request will affect them as well as how failure to conform to that behavior will affect them Ride the tame horses—that is, continue to train with information about problems and solutions for those issues that have already been resolved, to keep them fresh in peoples’ minds Formalize your training methodology until it is a repeatable process Always be timely, even if it means slipping schedules to include urgent information 13 Management of Information Security, 5th Edition © Cengage Learning

14 Employee Behavior and Awareness Security awareness and security training are designed to modify any employee behavior that endangers the security of the organization’s information Security training and awareness activities can be undermined, however, if management does not set a good example 14 Management of Information Security, 5th Edition © Cengage Learning

15 Employee Accountability Effective training and awareness programs make employees accountable for their actions Dissemination and enforcement of policy become easier when training and awareness programs are in place Demonstrating due care and due diligence can help indemnify the institution against lawsuits 15 Management of Information Security, 5th Edition © Cengage Learning

16 Awareness Techniques Awareness can take on different forms for particular audiences A security awareness program can use many methods to deliver its message Effective security awareness programs need to be designed with the recognition that people tend to practice a tuning out process (acclimation) and for this reason, awareness techniques should be creative and frequently changed 16 Management of Information Security, 5th Edition © Cengage Learning

17 Developing Security Awareness Components Many security awareness components are available at little or no cost - others can be very expensive if purchased externally Security awareness components include the following items: – Videos – Posters and banners – Lectures and conferences – Computer-based training – Newsletters – Brochures and flyers – Trinkets (coffee cups, pens, pencils, T-shirts) – Bulletin boards 17 Management of Information Security, 5th Edition © Cengage Learning

18 The Security Newsletter A security newsletter is a cost-effective way to disseminate security information Newsletters can be in the form of hard copy, e-mail, or intranet Topics can include threats to the organization’s information assets, schedules for upcoming security classes, and the addition of new security personnel The goal is to keep the idea of information security uppermost in users’ minds and to stimulate them to care about security Newsletters might include: – Summaries of key policies – Summaries of key news articles – A calendar of security events, including training sessions, presentations, and other activities – Announcements relevant to information security – How-to’s 18 Management of Information Security, 5th Edition © Cengage Learning

19 The Security Poster A security poster series can be a simple and inexpensive way to keep security on people’s minds Professional posters can be quite expensive, so in-house development may be the best solution Keys to a good poster series: – Varying the content and keeping posters updated – Keeping them simple, but visually interesting – Making the message clear – Providing information on reporting violations 19 Management of Information Security, 5th Edition © Cengage Learning

20 The Trinket Program Trinkets may not cost much on a per-unit basis, but they can be expensive to distribute throughout an organization Several types of trinkets are commonly used: – Pens and pencils – Mouse pads – Coffee mugs – Plastic cups – Hats – T-shirts The messages trinket programs impart will be lost unless reinforced by other means 20 Management of Information Security, 5th Edition © Cengage Learning

21 Information Security Awareness Web Site Organizations can establish Web pages or sites dedicated to promoting information security awareness As with other SETA awareness methods, the challenge lies in updating the messages frequently enough to keep them fresh Some tips on creating and maintaining an educational Web site are provided here: – See what’s already out there – Plan ahead – Keep page loading time to a minimum – Seek feedback – Assume nothing and check everything – Spend time promoting your site 21 Management of Information Security, 5th Edition © Cengage Learning

22 Security Awareness Conference/Presentations Another means of renewing the information security message is to have a guest speaker or even a mini-conference dedicated to the topic—perhaps in association with the formal computer security days: – International Computer Security Day – November 30 – National Computer Security Days – October 31 and April 4 22 Management of Information Security, 5th Edition © Cengage Learning

Download ppt "MANAGEMENT of INFORMATION SECURITY, Fifth Edition."

Similar presentations

Chapter 11 Training. Learning Objectives Describe the need for training Discuss how to assess training needs Demonstrate how to provide training Explain.

Chapter 11 Training. Learning Objectives Describe the need for training Discuss how to assess training needs Demonstrate how to provide training Explain.
Orientation and Training

Orientation and Training
Management of Information Security, 4th Edition

Management of Information Security, 4th Edition
Developing the Security Program

Developing the Security Program
3 Chapter Needs Assessment.

3 Chapter Needs Assessment.
Chapter 5 Developing the Security Program

Chapter 5 Developing the Security Program
TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management
Developing the Security Program

Developing the Security Program
Developing the Security Program

Developing the Security Program
Management of Information Security Chapter 5 Developing the Security Program We trained hard ... but every time we formed up teams we would be reorganized.

Management of Information Security Chapter 5 Developing the Security Program We trained hard ... but every time we formed up teams we would be reorganized.
Training of Adults Useful tips to know to conduct a good training Presentation 22.

Training of Adults Useful tips to know to conduct a good training Presentation 22.
CSE 4482: Computer Security Management: Assessment and Forensics

CSE 4482: Computer Security Management: Assessment and Forensics
Matt Maher & Sreeja Nomula 1.  Define ◦ Education ◦ Training ◦ Learning 2.

Matt Maher & Sreeja Nomula 1.  Define ◦ Education ◦ Training ◦ Learning 2.
Implementing Security Education, Training, and Awareness Programs

Implementing Security Education, Training, and Awareness Programs
Developing the Security Program. Objectives Upon completion of this material you should be able to: –Explain the organizational approaches to information.

Developing the Security Program. Objectives Upon completion of this material you should be able to: –Explain the organizational approaches to information.
Actions Set a clear aim for the performance of your eligibility system Define why your key audiences (governor, legislature, public) should support it.

Actions Set a clear aim for the performance of your eligibility system Define why your key audiences (governor, legislature, public) should support it.
1 © 2004 Cisco Systems, Inc. All rights reserved. Case Study Cisco Unity Voice Messaging Deployment: Communications Strategy November.

1 © 2004 Cisco Systems, Inc. All rights reserved. Case Study Cisco Unity Voice Messaging Deployment: Communications Strategy November.
TRAINING FOR RESULTS EFFECTIVE TRAINING AS A PROFIT CENTER.

TRAINING FOR RESULTS EFFECTIVE TRAINING AS A PROFIT CENTER.
Orientation,Training & Development

Orientation,Training & Development
1 Communication in Administration Higher Administration 2015-2016.

1 Communication in Administration Higher Administration

Similar presentations

Ads by Google