The most important post-assessment activity is to train the IT staff on their new information security responsibilities and accountabilities, and to train the end users on the importance of information security. Given the roles, tasks, responsibilities, and accountabilities defined in this chapter, many IT organizations face two training initiatives: training their IT staff and training their end users. Training the IT staff requires a careful examination of the seven areas of information security responsibility. This training should cover information security practices and can be supplemented with professional certifications, such as the CISSP certification offered by the International Information Systems Security Certification Consortium, known as (ISC)2, or those offered through the Global Information Assurance Certification (GIAC) program, which provides in-depth training in all the key areas of security. Training the end users typically takes the form of security awareness training for new employees during their employment orientation. Review of the organization's AUPs and completion of the security awareness training program are usually prerequisites for new employees, contractors, or third parties before they are granted access to the IT infrastructure's resources, systems, and applications.
When conducting a risk and vulnerability assessment, one of the things that should be investigated is the qualifications, experience, and capabilities of the IT staff with regard to information security: specifically, their ability to design, implement, and ensure the confidentiality, integrity, and availability of the IT infrastructure and its assets. Through interviews, examination of current practices, and review of the IT staff's experience in information security, specific recommendations can be made to enhance the knowledge and skill sets of the organization's IT staff. Given the roles, tasks, responsibilities, and accountabilities defined in this chapter, a gap analysis should be conducted that compares the seven areas of information security responsibility against the current human resources, IT, and IT security staff, in order to identify any gaps or voids in roles, responsibilities, and accountabilities for the organization. This gap analysis is critical because without IT staff properly trained in information security practices and techniques, the IT security architecture and framework cannot be implemented with internal resources. The organization is then forced to hire outside information security consultants or to outsource portions of its information security responsibility to managed security service providers.
The methodology and approach for identifying the training needs of current IT staff is as follows:
Developing and delivering an organizational security awareness training program requires a strategy for how best to deploy the knowledge and awareness in concert with the organization's information security policies and standards. In most cases, security awareness training is best delivered via videotape or via an online e-Learning platform if the organization's end user population is large and distributed across many remote locations. The security awareness training program should focus on the AUPs, policies, standards, procedures, and guidelines that the IT organization wants to deploy throughout the organization. In addition, the security awareness training should stress the importance of each employee's, contractor's, or third-party individual's responsibility and accountability for ensuring the confidentiality, integrity, and availability of the organization's IT infrastructure and its assets.
In concert with the organization's security awareness and training policy for all employees, contractors, and third-party individuals, an organization should define consistent goals and objectives throughout the enterprise. The security awareness and training policy goals and objectives should include the following:
Typically, security awareness training for end users is targeted at the systems and applications they access on a day-to-day basis, whereas security awareness training for IT staff is more technical and focused on the information technology goals and objectives. Common topics for information security awareness usually incorporate elements of the information security standards that are part of the organization's IT security architecture and framework definition, so the security awareness training can be derived directly from that architecture and framework. By focusing on the policies and standards, an organization can address the security awareness and information security topics in its security awareness training program and campaign.