Security Basics mailing list archives

Re: RE: Annual Security Awareness program


From: Meenal Mukadam <meenal.mukadam () gmail com>
Date: Sun, 22 Mar 2009 10:56:13 +0530

Hello Nick,

Your main concern was: How do companies with hundred/thousands of
employees perform this (InfoSec awareness and training) to meet
PCI-DSS requirements?

First and foremost, it seems from your statement that you want to do
it just for complying (I may be wrong though). "Information Security
Awareness and training" should not be taken just as a norm, but seen
as a control. A very very important control to secure the weakest
link of the Information security chain of your organization, that
being "people".

Employees have more information than the machines. Controls can be
easily configured on machines/systems, but same cannot be assured and
ensured when it comes to people. To prevent severe risk exposure to
your "Critical Business Information" you need to impart effective
InfoSec awareness. Just to safeguard your "Information" against theft,
accidental/intentional loss and to ensure that:
1) CIA objectives are met
2) Organization's policies and procedures are followed
3) You comply with various legal/mandatory norms
4) InfoSec is aligned to your organization's business objectives
5) Provide assurance to your stakeholders
6) Ensure your organization is prepared to face any risk that it might
be exposed to

Now, for imparting InfoSec training:
1) Ensure it is a continuous program (and not just an annual event)
2) It starts from induction of an employee:
     -making him/her aware of the organization's goals, policies & procedures
     -assigning roles and responsibilities
     -signing various documents like Confidentiality agreement, etc
3) Impart baseline awareness to all initially (In your case it would
be like how to protect the sensitive information, encryption need &
knowhow, etc)
4) Then you have to take into consideration their "work specific"
awareness program, and impart the same (i.e. you can't impart hardcore
technical InfoSec awareness training to a manager, & vice-versa)
5) Measure the effectiveness of the training imparted (by conducting
timely interviews, tests, etc)
6) Measurement will help you know the level of your staff's awareness,
to identify the loopholes and design a new awareness plan or a
safeguard to overcome the weakness
7) You can also have group discussions to discuss various
cases/problems faced by the staff, so that the mistakes/threats are
identified. This way others are made aware to safeguard against
similar mistakes

Ways of imparting awareness:
1) Seminars
2) Group discussions
3) Trainings
4) Online games, tests
5) Wallpapers, posters, flyers
6) Awareness games like cards (having InfoSec awareness message, in
cafeteria or place where staff rests during breaks)
7) Asking employee to come up with their own case-studies (to ensure
full participation)

These are a few ways. The key is to impart the apt level of InfoSec
awareness that will act as a safeguard for your business. So you will
have to first identify how and where the information is at risk from
people (employees & third parties). Design and plan as per your
organization's objectives and risk appetite. And deliver the training
which will ensure CIA of your "Critical Information assets".

Hope this was of help to you :)


Regards,

Meenal A. Mukadam



On Fri, Mar 20, 2009 at 2:09 AM, Jason Hurst <Jason.Hurst () pandarg com> wrote:

Hi everyone,

It's important not to confuse an Awareness Program with a Training Program.

Quote from the NIST Special Publication 800-16:
"Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. 
Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. 
In awareness activities, the learner is the recipient of information, whereas the learner in a training environment 
has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training 
is more formal, having a goal of building knowledge and skills to facilitate the job performance."

An effective awareness program would focus on flyers, posters, brief messages, and other activities where the general 
idea is simply to promote the idea that security is important. It MAY be specific, such as a poster on virus 
protection or not writing down credit card numbers.

The first step to creating such a program would be to download the NIST SP800-50: Building an Information Technology 
Security Awareness and Training Program.

Jason Hurst
Sr. Network Security Administrator
Panda Restaurant Group
jason.hurst () pandarg com
Please consider the environment before printing this email


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of viveksilla () gmail com
Sent: Tuesday, March 17, 2009 10:06 PM
To: security-basics () securityfocus com
Subject: Re: RE: Annual Security Awareness program

User awareness is an essential component of security and all organizations should take steps to reduce the risk from 
the People element.

To my knowledge, security awareness is a part of the induction program in most organizations.

Many organizations do conduct periodic awareness programs, but when it is an essential point for regulatory 
compliance, all organizations have to.

Though classroom kind of sessions could be most effective, the practicality of conducting such sessions at least once 
a year should also be seen considering the headcounts.

Though probably less effective, a more practical method could be the use of Computer Based Trainings, which many 
organizations do adopt to ensure compliance.

Though there might not be any silver bullet, a mix of periodic broadcasts, eye-catching posters at key locations, 
security wallpapers on all machines, periodic floor sessions as well as CBTs might result in effective user 
awareness while ensuring regulatory compliance.



Regards

Vivek Silla a.k.a V1cky 8@8@

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Find the source of cybercrime! Almost every crime today involves a computer or mobile device. Learn how to become a 
Computer Forensics Examiner in InfoSec Institute's hands-on Computer Forensics Course. Up to three industry 
recognized certs available, online computer forensics training available.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------

--
Meenal A. Mukadam

-----------------------------------------------------------------
http://www.linkedin.com/in/meenalmukadam
-----------------------------------------------------------------
Far away there in the sunshine
are my highest aspirations.
I may/maynot reach them,
but I can look up and see their beauty,
believe in them and try to follow
where they lead
-------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------