Security Education, Training, and Awareness Programs


The CISSP candidate should be familiar with the tools and objectives of awareness, training, and education programs that compose security awareness.

Remember: Security awareness is an often-overlooked factor in an information security program. Although security is the focus of security practitioners in their day-to-day functions, it is often taken for granted that ordinary users possess this same level of security awareness. As a result, users can unwittingly become the weakest link in an information security program. Several key factors are critical to the success of a security awareness program:

  • Senior-level management support. Under ideal circumstances, senior management is seen attending and actively participating in training efforts.

  • Clear demonstration of how security supports the organization’s business objectives.

  • Clear demonstration of how security is important to all individuals and their job functions.

  • Current levels of training and understanding of the intended audience taken into account. Training that’s too basic will be ignored; training that’s too technical will not be understood.

  • Action and follow-up. A glitzy presentation that’s forgotten as soon as the audience leaves the room is useless. Find ways to incorporate the lessons with day-to-day activities and follow-up plans.

Instant Answer: The three main components of an effective security awareness program are a general awareness program, formal training, and education.

Awareness

A general awareness program provides basic security information and ensures that everyone understands the importance of security. Awareness programs may include the following elements:

  • Indoctrination and orientation: New employees and contractors should receive a basic indoctrination and orientation. During the indoctrination, they may receive a copy of the corporate information security policy, be required to acknowledge and sign acceptable use statements and non-disclosure agreements, and meet immediate supervisors and pertinent members of the security and IT staff.

  • Presentations: Lectures, video presentations, and interactive computer-based training (CBTs) are excellent tools for disseminating security training and information. Employee bonuses and performance reviews are sometimes tied to participation in these types of security awareness programs.

  • Printed materials: Security posters, corporate newsletters, and periodic bulletins are useful for disseminating basic information such as security tips and promoting awareness of security.

Training

Formal training programs provide more in-depth information than an awareness program and may focus on specific security-related skills or tasks. Such training programs may include:

  • Classroom training: Instructor-led or other formally facilitated training, possibly at corporate headquarters or a company training facility.

  • On-the-job training: May include one-on-one mentoring with a peer or immediate supervisor.

  • Technical or vendor training: Training on a specific product or technology provided by a third party.

  • Apprenticeship or qualification programs: Formal probationary status or qualification standards that must be satisfactorily completed within a specified time period.

Education

An education program provides the deepest level of security training focusing on underlying principles, methodologies, and concepts.

An education program may include:

  • Continuing education requirements: Continuing Education Units (CEUs) are becoming popular for maintaining high-level technical or professional certifications such as the CISSP or Cisco Certified Internetwork Expert (CCIE).

  • Certificate programs: Many colleges and universities offer adult education programs with classes on current and relevant subjects for working professionals.

  • Formal education or degree requirements: Many companies offer tuition assistance or scholarships for employees enrolled in classes that are relevant to their profession.


CISSP For Dummies
ISBN: 0470537914
Year: 2004
Pages: 242