Security Basics mailing list archives

RE: RE: Annual Security Awareness program


From: "Jason Hurst" <Jason.Hurst () PandaRG com>
Date: Thu, 19 Mar 2009 13:39:10 -0700

Hi everyone,

It's important not to confuse an Awareness Program with a Training Program.

Quote from the NIST Special Publication 800-16:
"Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness 
presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness 
activities, the learner is the recipient of information, whereas the learner in a training environment has a more 
active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more 
formal, having a goal of building knowledge and skills to facilitate the job performance."

An effective awareness program would focus on flyers, posters, brief messages, and other activities where the general 
idea is simply to promote the idea that security is important. It MAY be specific, such as a poster on virus protection 
or not writing down credit card numbers.

The first step to creating such a program would be to download the NIST SP800-50: Building an Information Technology 
Security Awareness and Training Program.
 
Jason Hurst
Sr. Network Security Administrator
Panda Restaurant Group
jason.hurst () pandarg com


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of viveksilla () gmail com
Sent: Tuesday, March 17, 2009 10:06 PM
To: security-basics () securityfocus com
Subject: Re: RE: Annual Security Awareness program

User awareness is an essential component of security and all organizations should take steps to reduce the risk from 
the people element.

To my knowledge, security awareness is a part of the induction program in most organizations.

Many organizations do conduct periodic awareness programs, but when it is an essential point for regulatory compliance, 
all organizations have to.

Though classroom kind of sessions could be most effective, the practicality of conducting such sessions at least once a 
year should also be seen considering the headcounts.

Though probably less effective, a more practical method could be the use of Computer Based Trainings, which many 
organizations do adopt to ensure compliance.

Though there might not be any silver bullet, a mix of periodic broadcasts, eye-catching posters at key locations, 
security wallpapers on all machines, periodic floor sessions, as well as CBTs might result in effective user awareness 
while ensuring regulatory compliance.



Regards

Vivek Silla a.k.a V1cky 8@8@

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Find the source of cybercrime! Almost every crime today involves a computer or mobile device. Learn how to become a 
Computer Forensics Examiner in InfoSec Institute's hands-on Computer Forensics Course. Up to three industry recognized 
certs available, online computer forensics training available. 

http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------