9.3 Launching an in-house training program on cybersecurity




One of the most important steps in implementing homeland security initiatives is the training of all employees on computer security policies and procedures. Simply stated: What good are great policies and procedures when no one knows what they are? Training of new employees should be done as appropriate for their level and area of responsibility.

There should be a generalized training session that addresses computer security policies and procedures in general, as well as how they apply to the specific technology architecture in the organization. This training should address at least the following areas:

  • Password administration, protection, and usage

  • Antivirus measures and how to report suspicious e-mail

  • How to report a suspected intrusion

  • How to work with IT security staff during a computer incident

  • Physical security of workstations and computer and telecommunications facilities

In addition to technology-related training, the training of current employees should start at the executive level, and all executive staff should be required to attend. The computer security issues on which executive-level staff should be trained include the following:

  • The work of IT staff to develop the policies and procedures

  • An explanation of the major laws impacting the security requirements of the organization

  • How policies and procedures are being implemented to protect the organization

Recognize that executive-level staff often have short attention spans because they are busy with such a wide variety of tasks and responsibilities; they will always feel that they should be doing something other than attending a briefing on the computer security policies and procedures. This briefing should be limited to no more than two hours.

A second training effort should be directed at middle-level managers and supervisors, who need to understand the computer security policies and procedures thoroughly to ensure that the decisions they make during business negotiations and operations management are consistent with those policies and procedures. The range of computer security policy and procedure issues in which management- and supervisory-level staff should be trained is broader than that for the executive-level staff. Middle managers and supervisors have more hands-on responsibility for the day-to-day operation of the enterprise and need a far more detailed understanding of the computer security policies and procedures than executive-level staff. This training will require eight hours to accomplish, allowing time for discussion and questions and answers. Training topics include the following:

  • The work that the IT staff has done to develop the policies and procedures

  • An explanation of the major laws impacting the security requirements of the organization

  • How policies and procedures are being implemented to protect the organization

  • Specific data for which the organization must maintain security

  • The roles each department plays in maintaining enterprise information and protecting that information

  • What policies will be communicated to all employees in the organization

  • Any consequence employees will face for violating computer security policies and procedures

  • How to contact the IT department if there is a computer security incident

  • How to work with the IT department if there is a computer security incident

A third type of training should be directed toward employees who manage workgroups or projects that specifically involve data for which information security must be maintained. It is important that they have a good understanding of the computer security policies and procedures, as well as a detailed understanding of the specific data, applications, or business processes in which they are involved. This training will take as many as four hours to accomplish, with time allowed for discussion and questions and answers.

Training topics include the following:

  • The work that the IT staff has done to develop the policies and procedures

  • An explanation of the major laws impacting the security requirements of the organization

  • How policies and procedures are being implemented to protect the organization

  • Specific data for which the organization must maintain security

  • The roles each department plays in protecting security

  • Project-specific computer security policy and procedure requirements for the areas in which they are involved

In addition, employees who do not fit into these categories should be given at least some level of training so that they understand the overall enterprise policies and philosophy toward computer security. A generalized privacy training program should be developed that covers the importance of security, the laws governing the security of information in the organization, and what employees should do to help maintain security. This training should be brief and can be accomplished in about one hour.

Each employee who attends training should be required to sign a statement that he or she has received the training, and that signed statement should be kept on file. As employees move into different task-specific jobs or are promoted to a supervisory or management position, they should go through the training that has been designated as appropriate for that position. The signed statement should be dated and include a description of the training and the course outline for the training session the employee attended.






Implementing Homeland Security for Enterprise IT
ISBN: 1555583121
Year: 2003
Pages: 248
