Security Awareness and Education

Security awareness and education are critical to the success of a security effort. Security awareness and education include explaining policies, standards, procedures, and guidelines to both users and management. A security awareness effort is usually performed as a continuous program.

A security awareness and education program can do much to assist in your efforts to improve and maintain security. Security awareness includes informing users and management of current threats, Security awareness efforts need to be ongoing, and they need to be part of the normal communications of the organization to be effective.

The following sections discuss some of the things that you can do as a security professional to address the business issues associated with training the people in your organization to operate in a manner that is consistent with organizational security goals.

Communications and Awareness

Communications and awareness help ensure that information is conveyed to the appropriate people in a timely manner. Most users are not following current security threats. If you set a process in place to concisely and clearly explain what is happening and what is being done to correct problems, you will probably find acceptance of your efforts to be much higher. Communication methods that have proven to be effective for disseminating information include an internal security website, news servers, and e-mails. You might want to consider a regular notification process to convey information about security issues and changes. In general, the more you communicate about this in a routine manner, the more likely people will be to internalize the fact that security is everybody's responsibility.

Education

Your efforts in education must help users clearly understand prevention, enforcement, and threats. The security department will also probably be responsible for a security awareness program. Your training and educational programs need to be tailored for at least three different audiences:

• Organization-wide

• Management

• Technical staff

These three organizational roles have different considerations and concerns. Organization-wide training will make sure that everyone understands the policies, procedures, and resources available to deal with security problems. It helps make sure that everyone is on the same page. The following points identify the types of exposure that members of the organization should know and understand:

Everyone Ideally, a security awareness program would cover the following areas:

• Importance of security

• Responsibilities of people in the organization

• Policies and procedures

• Usage policies

• Account and password-selection criteria

• Social engineering prevention

This training can be accomplished either by using internal staff or by hiring outside trainers. Much of this training can be done during new employee orientation and during staff meetings.

Management Managers are concerned with larger issues in the organization, including enforcing security policies and procedures. Managers will want to know the whys of a security program, as well as how it works. Managers should receive additional training or exposure that explains the issues, threats, and methods of dealing with threats. Management will also be very concerned about productivity impacts, enforcement, and how the various departments are affected by the security policies.

Technical Staff The technical staff needs special knowledge on the methods, implementations, and capabilities of the systems that are used to manage security. Network administrators will want to evaluate how to manage the network, best practices, and configuration issues associated with the technologies they support. Developers and implementers will want to evaluate the impact these measures have on existing systems and new development projects. The training that both administrators and developers need will be very vendor specific. Vendors have their own methods of implementing security.