User Security Training and Awareness

One of the most important aspects of hardening any computer is how it is used. Although malicious attackers are a threat to computer security, so are authorized users. Many security incidents result from poorly trained, forgetful, or stubborn authorized users. In some environments, users view security as a barrier and stubbornly refuse to abide by the security policy. Security awareness training is crucial from a person’s first exposure to your environment.

Each new employee, contractor, or visitor should go through security awareness training that corresponds to his or her level of system access. Employees generally have the greatest privileges in any organization’s information systems and should be required to undergo the most comprehensive security training. Contractors or other temporary personnel have less access than employees, and visitors often have less still. You should design security training for each group of users, based on their access and responsibilities. Part of internal personnel training should include procedures for granting access to visitors. Security awareness programs are always a good idea, and in some cases they are mandatory. If your organization must comply with the European Union’s General Data Protection Regulation (GDPR), Sarbanes-Oxley, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), or the Federal Information Security Management Act (FISMA), you must implement a security awareness program. TABLE 11-5 lists different groups of users and suggested security training requirements.

TABLE 11-5 User Types and Suggested Security Training

User type: Employee
  Description: Person employed by an organization with permanent responsibilities and access to certain information system resources.
  Security training: Employees receive mandatory security policy training with signed acceptance of acceptable use policies (AUPs), completion of information system access security training prior to receipt of access credentials, and mandatory recurrent security awareness and policy update training. Properly trained employees should be able to recognize security breaches and know what to do about them.

User type: Contractor
  Description: Temporary worker with limited temporary access to information resources related to assigned responsibilities.
  Security training: Contractors receive mandatory pre-engagement security policy training with signed acceptance of AUPs, completion of information system access security training that relates to assigned responsibilities prior to receipt of access credentials, and mandatory recurrent security awareness and policy update training. Properly trained contractors should be able to recognize security breaches and know whom to notify if a breach occurs.

User type: Visitor/guest
  Description: Transient user with very limited access to information system resources.
  Security training: Visitors/guests agree to comply with AUPs.

© Jones & Bartlett Learning.

Regardless of the type of user, anyone who connects to your computer systems should encounter frequent reminders of the importance of security. Use any of these formats to remind users of the importance of security:

  • Physical posters and banners in conspicuous locations, such as in break rooms and cafeterias, and around printers, fax machines, or shredders

  • Email newsletters, social media contact, and security policy updates

  • Periodic website reminders

  • Social media messages

  • Daily or weekly tip programs

  • Contests with security themes

  • Security events on specific dates, such as November 30, International Computer Security Awareness Day

  • Lunch-and-learn meetings about topics of interest to employees personally—such as identity theft or cyberbullying—as well as topics of interest to your organization

  • Visible modeling of good security behaviors by your organization’s leaders
