Task 1.3: Establishing a User-Awareness Program

Policies alone are not enough to protect an organization. An organization must also develop a user-awareness program so that employees know the specific policies exist and are trained to carry out the actions those policies require. The overall process for accomplishing this is usually referred to as security education, training, and awareness (SETA).

Take, for example, a policy dictating that employees should access the Internet for business use only. Management can dictate this as a policy, but how are end users going to know? That’s where employee awareness comes in. Employee awareness could include asking employees to sign an acceptable-use statement when they are hired; it might also include periodic training and could even include warning banners that are displayed each time an employee accesses the Internet. Awareness is about making sure that employees know security policies exist, what they are, and what their purpose is.

Scenario

Your company has established basic security policies based on BS 7799 standards. Management has now turned to you for help in developing an awareness program.

Scope of Task

Duration

This task should take about 10 minutes.

Setup

For this task you will need to have performed a risk assessment and developed policies. Once policies are in place, you can start the training process.

Caveat

A study conducted by Ernst & Young found that more than 70 percent of companies polled failed to list security awareness and training as top company initiatives. These same companies reported that 72 percent of them had been affected by infected emails and computer viruses. Good training and awareness would have reduced these numbers.

Procedure

In this task, you will be required to categorize and design a basic user-awareness program.

Equipment Used

For this task, you must have:

  • A pen or pencil

Details

This task will provide you with details on how a security awareness program is developed and give you the opportunity to develop key portions of the procedure.

User Awareness

It is sad but true that one of the least implemented and yet most useful parts of a security policy is user awareness. Security must be kept at the forefront of employees’ minds for a security program to work. This overall program is typically referred to as SETA.

SETA is the responsibility of the chief security officer and consists of three elements: education, training, and awareness. While these items can be categorized in many ways, the National Institute of Standards and Technology (NIST) has published benchmark guidance for building such a program. One such document is NIST Special Publication 800-12; Chapter 13 of that document covers awareness, training, and education. Table 1.8 summarizes information found in that chapter.

TABLE 1.8 Security-Awareness Framework

[Table 1.8 was an image in the original and is not reproduced here.]

Based on the information provided in Table 1.8, choose the correct category—education, training, or awareness—for each item in Table 1.9.

TABLE 1.9 Security Awareness, Training, and Education

[Table 1.9 was an image in the original and is not reproduced here.]

Which of the items in Table 1.9 do you feel would be most useful to keep security awareness at the forefront of users’ minds as they work day to day?

[Answer space was an image in the original and is not reproduced here.]

Answers to Table 1.9 can be found in Table 1.10. Answers to the follow-up question may vary but can include anything that keeps people focused on security, such as mouse pads, coffee cups, T-shirts, pens, or other objects that are used during the workday and printed with security slogans.

TABLE 1.10 Security Awareness, Training, and Education—Answers

[Table 1.10 was an image in the original and is not reproduced here.]

Criteria for Completion

You have completed this task when you have analyzed the items needed for a SETA program and determined which are most useful for a user-awareness program.
