Security awareness and education are critical to the success of a security effort. They include explaining policies, procedures, and current threats to both users and management.
A security-awareness and education program can do much to assist in your efforts to improve and maintain security. Such efforts need to be ongoing, and they should be part of the organization's normal communications to be effective. The following sections discuss some of the things you can do as a security professional to address the business issues associated with training the people in your organization to operate in a manner that is consistent with organizational security goals.
Communication and awareness help ensure that information is conveyed to the appropriate people in a timely manner. Most users aren't aware of current security threats. If you set a process in place to concisely and clearly explain what is happening and what is being done to correct current threats, you'll probably find acceptance of your efforts to be much higher.
Communication methods that have proven to be effective for disseminating information include internal security websites, news servers, and e-mails. You might want to consider a regular notification process to convey information about security issues and changes. In general, the more you communicate about this in a routine manner, the more likely people will internalize the fact that security is everybody's responsibility.
Your efforts in education must help users clearly understand prevention, enforcement, and threats. The security department will also probably be responsible for a security-awareness program. Your training and educational programs need to be tailored for at least three different audiences:
The organization as a whole
Management
Technical staff
These three organizational roles have different considerations and concerns. For example, organization-wide training ensures that everyone understands the policies, procedures, and resources available to deal with security problems, so that all employees are on the same page. The following list identifies the types of issues that members of an organization should be aware of and understand.
Organization
Ideally, a security-awareness training program should cover the following areas:
Importance of security
Responsibilities of people in the organization
Policies and procedures
Usage policies
Account and password-selection criteria
Social engineering prevention
You can accomplish this training either by using internal staff or by hiring outside trainers. I recommend doing much of this training during new-employee orientation and staff meetings.
Management
Managers are concerned with larger issues in the organization, including enforcing security policies and procedures. Managers will want to know the whys of a security program, as well as how it works. They should receive additional training or exposure that explains the issues, threats, and methods of dealing with threats. Management will also be concerned about productivity impacts, enforcement, and how the various departments are affected by security policies.
Technical staff
The technical staff needs special knowledge about the methods, implementations, and capabilities of the systems used to manage security. Network administrators will want to evaluate how to manage the network, best practices, and configuration issues associated with the technologies they support. Developers and implementers will want to evaluate the impact these measures have on existing systems and new development projects. The training that both administrators and developers need will be vendor specific; vendors have their own methods of implementing security.
NOTE
Microsoft, Novell, and Cisco each offer certification programs to train administrators on their environments. All of these vendors have specific courseware on security implementations, and some offer security certification. You should implement security systems consistent with the vendor's suggestions and guidance. Implementing security in a nonstandard way may leave your system insecure.
One of the most important aspects of education is that it needs to reach an appropriate audience. Spending an hour preaching on back-end database security will likely be an hour wasted if the only members of the audience are data-entry personnel who get paid by the keystroke to make weekly changes as quickly as possible.