9.3. Understanding Security Awareness and Education

Security awareness and education are critical to the success of a security effort. They include explaining policies, procedures, and current threats to both users and management.

A security-awareness and education program can do much to assist in your efforts to improve and maintain security. Such efforts need to be ongoing, and they should be part of the organization's normal communications to be effective. The following sections discuss some of the things you can do as a security professional to address the business issues associated with training the people in your organization to operate in a manner that is consistent with organizational security goals.

9.3.1. Using Communication and Awareness

Communication and awareness help ensure that information reaches the appropriate people in a timely manner. Most users aren't aware of current security threats. If you put a process in place to concisely and clearly explain what is happening and what is being done to mitigate current threats, you'll probably find acceptance of your efforts to be much higher.

Communication methods that have proven to be effective for disseminating information include internal security websites, news servers, and e-mails. You might want to consider a regular notification process to convey information about security issues and changes. In general, the more you communicate about this in a routine manner, the more likely people will internalize the fact that security is everybody's responsibility.

9.3.2. Providing Education

Your efforts in education must help users clearly understand prevention, enforcement, and threats. The security department will also probably be responsible for a security-awareness program. Your training and educational programs need to be tailored for at least three different audiences:

  • The organization as a whole

  • Management

  • Technical staff

These three audiences have different considerations and concerns. For example, organization-wide training ensures that everyone understands the policies, procedures, and resources available for dealing with security problems; it helps ensure that all employees are on the same page. The following list identifies the types of issues that members of an organization should be aware of and understand.


Organization

Ideally, a security-awareness training program should cover the following areas:

  • Importance of security

  • Responsibilities of people in the organization

  • Policies and procedures

  • Usage policies

  • Account and password-selection criteria

  • Social engineering prevention

You can accomplish this training either by using internal staff or by hiring outside trainers. I recommend doing much of this training during new-employee orientation and staff meetings.


Management

Managers are concerned with larger issues in the organization, including enforcing security policies and procedures. Managers will want to know the whys of a security program, as well as how it works. They should receive additional training or exposure that explains the issues, threats, and methods of dealing with threats. Management will also be concerned about productivity impacts, enforcement, and how the various departments are affected by security policies.


Technical staff

The technical staff needs special knowledge about the methods, implementations, and capabilities of the systems used to manage security. Network administrators will want to evaluate how to manage the network, best practices, and configuration issues associated with the technologies they support. Developers and implementers will want to evaluate the impact these measures have on existing systems and new development projects. Much of the training that both administrators and developers need will be vendor-specific, because vendors have their own methods of implementing security.

NOTE

Microsoft, Novell, and Cisco each offer certification programs to train administrators on their environments. All of these vendors have specific courseware on security implementations, and some offer security certifications. You should implement security systems consistently with the vendor's guidance. Implementing security in a nonstandard way may leave your systems insecure and unsupported.

One of the most important aspects of education is that it needs to reach an appropriate audience. Spending an hour preaching on back-end database security will likely be an hour wasted if the only members of the audience are data-entry personnel who get paid by the keystroke to make weekly changes as quickly as possible.

Applying Education Appropriately

As a security administrator, you need to know the level of knowledge that is appropriate for the audience you're addressing and be able to understand the importance of speaking to them at that level. Imagine that you find yourself in each of the following situations, and think through your response.


Scenario 1

You've been assigned the task of giving a one-hour briefing on the topic of security to management during their weekly luncheon (no other subtopics or specifics were given). Most of those in attendance will be upper management who know little about computers and tend to focus on financial sheets. What topics will you discuss and at what depth?


Scenario 2

You've been told to meet with the developers of a new application that will soon be rolled out to all branch offices. The application will hold all human resource records as well as a small amount of patient information. Your boss tells you that after the meeting, you're to sign off on the application as being okay to deploy. What type of security questions will you focus on?


Scenario 3

The annual company meeting is next month. Representatives, including those in IT, from all remote offices will arrive at headquarters for a three-day visit. You've been asked to speak about the importance of strong passwords throughout the organization. What will you say, and how will you make your one-hour presentation stay with them after they return to their offices?

It's important to give the right message to the right people. When giving any presentation, you should always tailor it for the audience and be able to make your discussion relevant to them.

A recommendation for scenario 1 would be to keep the talk at the overview level and focus only on the basics of security: why it's needed, how valuable data is, how to use good passwords, and so on.

For scenario 2, you should push to test the application in a nonproduction test environment first. You want to make certain that no back doors have been left in by the developers and that no negative interactions will occur between the new application and what is already running on your systems. Because the application will hold human resource records and patient information, your questions should also cover who can access that data and how that access is authenticated and authorized, how the data is protected in storage and in transit, and what is logged so that access can be reviewed later. Don't sign off until you have seen those answers demonstrated, not just described.

In scenario 3, you must bear in mind that you're talking to an IT audience: The level of the presentation should be appropriate for them. To make the presentation stay with them, make it relevant. Talk about why this subject is important, how it affects their job, and what they should take back to their own offices to enforce it.
