Security Education, Training, and Awareness Programs

The CISSP candidate should be familiar with the tools and objectives of security awareness, training, and education programs.

Security awareness is an often-overlooked factor in an information security program. Although security is the focus of security practitioners in their day-to-day functions, it's often taken for granted that common users possess this same level of security awareness. As a result, users can unwittingly become the weakest link in an information security program. Several key factors are critical to the success of a security awareness program:

- Senior-level management support: Under ideal circumstances, senior management is seen attending and actively participating in training efforts.

- Clear demonstration of how security supports the organization's business objectives: Employees need to understand why security is important to the organization and how it benefits the organization as a whole.

- Clear demonstration of how security affects all individuals and their job functions: The awareness program needs to be relevant for everyone, so that everyone understands that "security is everyone's responsibility."

- Taking into account the audience's current level of training and understanding of security principles: Training that's too basic will be ignored; training that's too technical will not be understood.

- Action and follow-up: A glitzy presentation that's forgotten as soon as the audience leaves the room is useless. Find ways to incorporate the security information you present into day-to-day activities and follow-up plans.

The three main components of an effective security awareness program are a general awareness program, formal training, and education.

Awareness

A general security awareness program provides basic security information and ensures that everyone understands the importance of security. Awareness programs may include the following elements:

- Indoctrination and orientation: New employees and contractors should receive basic indoctrination and orientation. During the indoctrination, they may receive a copy of the corporate information security policy, be required to acknowledge and sign acceptable-use statements and non-disclosure agreements, and meet immediate supervisors and pertinent members of the security and IT staff.

- Presentations: Lectures, video presentations, and interactive computer-based training (CBTs) are excellent tools for disseminating security training and information. Employee bonuses and performance reviews are sometimes tied to participation in these types of security awareness programs.

- Printed materials: Security posters, corporate newsletters, and periodic bulletins are useful for disseminating basic information such as security tips and promoting awareness of security.

Training

Formal training programs provide more in-depth information than an awareness program and may focus on specific security-related skills or tasks. Such training programs may include:

- Classroom training: Instructor-led or other formally facilitated training, possibly at corporate headquarters or a company training facility

- On-the-job training: May include one-on-one mentoring with a peer or immediate supervisor

- Technical or vendor training: Training on a specific product or technology provided by a third party

- Apprenticeship or qualification programs: Formal probationary status or qualification standards that must be satisfactorily completed within a specified time period

Education

An education program provides the deepest level of security training, focusing on underlying principles, methodologies, and concepts.

An education program may include:

- Continuing education requirements: Continuing Education Units (CEUs) are becoming popular for maintaining high-level technical or professional certifications such as the CISSP or Cisco Certified Internetwork Expert (CCIE).

- Certificate programs: Many colleges and universities offer adult education programs that have classes about current and relevant subjects for working professionals.

- Formal education or degree requirements: Many companies offer tuition assistance or scholarships for employees enrolled in classes that are relevant to their profession.

Prep Test

1. The three elements of the C-I-A triad include
A. Confidentiality, integrity, authentication
B. Confidentiality, integrity, availability
C. Confidentiality, integrity, authorization
D. Confidentiality, integrity, accountability

2. Which of the following government data classification levels describes information that, if compromised, could cause serious damage to national security?
A. Top Secret
B. Secret
C. Confidential
D. Sensitive but Unclassified

3. The practice of regularly transferring personnel into different positions or departments within an organization is known as
A. Separation of duties
B. Reassignment
C. Lateral transfers
D. Job rotations

4. The individual responsible for assigning information classification levels for assigned information assets is
A. Management
B. Owner
C. Custodian
D. User

5. Most security policies are categorized as
A. Informative
B. Regulatory
C. Mandatory
D. Advisory

6. A baseline is a type of
A. Policy
B. Guideline
C. Procedure
D. Standard

7. ALE is calculated by using the following formula:
A. SLE × ARO × EF = ALE
B. SLE × ARO = ALE
C. SLE + ARO = ALE
D. SLE – ARO = ALE

8. Which of the following is not considered a general remedy for risk management?
A. Risk reduction
B. Risk acceptance
C. Risk assignment
D. Risk avoidance

9. Failure to implement a safeguard may result in legal liability if
A. The cost to implement the safeguard is less than the cost of the associated loss.
B. The cost to implement the safeguard is more than the cost of the associated loss.
C. An alternate but equally effective and less expensive safeguard is implemented.
D. An alternate but equally effective and more expensive safeguard is implemented.

10. A cost-benefit analysis is useful in safeguard selection for determining
A. Safeguard effectiveness
B. Technical feasibility
C. Cost-effectiveness
D. Operational impact

Answers

1. B. Confidentiality, integrity, availability. Confidentiality, integrity, and availability are the three elements of the C-I-A triad. Authentication, authorization, and accountability are access control concepts. Review "Information Security Governance Concepts and Principles."

2. B. Secret. Top Secret information leaks could cause grave damage. Confidential information breaches could cause damage. Sensitive but Unclassified information doesn't have a direct impact on national security. Review "Government data classification."

3. D. Job rotations. Separation of duties is related to job rotations, but is distinctly different. Reassignment and lateral transfers are functionally equivalent to job rotations but aren't necessarily done for the same reasons and aren't considered security employment practices. Review "Job rotations."

4. B. Owner. Although an information owner may be in a management position and also considered a user, the information owner role has the responsibility for assigning information classification levels. An information custodian is responsible for day-to-day security tasks. Review "Security roles and responsibilities."

5. D. Advisory. Although not mandatory, advisory policies are highly recommended and may provide penalties for failure to comply. Review "Policies."

6. D. Standard. A baseline takes into account system-specific parameters to help an organization identify appropriate standards. Review "Standards (and baselines)."

7. B. SLE × ARO = ALE. This is the correct formula for calculating ALE, where SLE is the Single Loss Expectancy, ARO is the Annualized Rate of Occurrence, and ALE is the Annualized Loss Expectancy (expressed in dollars). Review "Risk analysis."

8. D. Risk avoidance. Although risk avoidance is a valid concept, it's impossible to achieve and therefore not considered a general remedy for risk management. Review "Risk control."

9. A. The cost to implement the safeguard is less than the cost of the associated loss. This basic legal liability test determines whether the cost of the safeguard is less than the cost of the associated loss if a threat event occurs. Review "Legal liability."

10. C. Cost-effectiveness. A cost-benefit analysis can't help an organization determine the effectiveness of a safeguard, its technical feasibility, or its operational impact. Review "Cost-effectiveness."
