Right or wrong, employees believe that it is up to employers to provide training. Without proper training, employees are generally unaware of how their actions or activities can affect the security of the organization. One of the weakest links in security is the people who work for the company. Social-engineering attacks prey on the fact that users are uneducated in good security practices; therefore, the greatest defense against these types of attacks is training, education, and security awareness (see Figure 3.5).
Figure 3.5. Training and education triad.
Besides security awareness, you might find that your employees need more in-depth training in matters of organizational security. This might consist of in-house training programs that teach new employees needed security skills or the decision to send the security staff offsite for a CISSP education program. Regardless of which program your company decides it needs, you can use seven steps to help determine what type of security training to sponsor:
1. Establish organizational technology objectives.
2. Conduct a needs assessment.
3. Find a training program that meets these needs.
4. Select the training methods and mode.
5. Choose a means of evaluating.
6. Administer training.
7. Evaluate the training.
Types of training include the following:
Training and education are not the same. Training programs are of short duration and usually teach individuals a specific skill. Education is broader based and longer term. Degree programs are examples of education.
Security Awareness
Awareness programs can be effective in increasing employee understanding of security. Security awareness training must be developed differently for the various groups of employees that make up the organization. Not only will the training vary, but the topics and types of questions you'll receive from the participants will also vary. Successful employee awareness programs tailor the message to fit the audience. These are three of the primary groups that security awareness training should be targeted to
Employee-awareness programs work best when they are run for short periods and changed frequently.
The goal of security awareness is to increase management's ability to hold employees accountable for their actions and to modify employee behavior toward security.