Security Basics mailing list archives
Re: RE: Annual Security Awareness program
From: Meenal Mukadam <meenal.mukadam () gmail com>
Date: Sun, 22 Mar 2009 10:56:13 +0530
Hello Nick,

Your main concern was: How do companies with hundreds/thousands of employees perform this (InfoSec awareness and training) to meet PCI-DSS requirements?

First and foremost, it seems from your statement that you want to do it just for complying (I may be wrong though). "Information Security Awareness and training" should not be taken just as a norm, but seen as a control. A very, very important control to secure the weakest link of the Information Security chain of your organization, that being "people". Employees have more information than the machines. Controls can be easily configured on machines/systems, but the same cannot be assured and ensured when it comes to people. To prevent severe risk exposure to your "Critical Business Information" you need to impart effective InfoSec awareness, just to safeguard your "Information" against theft and accidental/intentional loss, and to ensure that:

1) CIA objectives are met
2) Organization's policies and procedures are followed
3) You comply with various legal/mandatory norms
4) InfoSec is aligned to your organization's business objectives
5) Assurance is provided to your stakeholders
6) Your organization is prepared to face any risk that it might be exposed to

Now, for imparting InfoSec training:

1) Ensure it is a continuous program (and not just an annual event)
2) It starts from induction of an employee:
   - making him/her aware of the organization's goals, policies & procedures
   - assigning roles and responsibilities
   - signing various documents like a confidentiality agreement, etc.
3) Impart baseline awareness to all initially (in your case it would be like how to protect the sensitive information, encryption need & know-how, etc.)
4) Then you have to take into consideration their "work specific" awareness program, and impart the same (i.e. you can't impart hardcore technical InfoSec awareness training to a manager, & vice-versa)
5) Measure the effectiveness of the training imparted (by conducting timely interviews, tests, etc.)
6) Measurement will help you know the level of your staff's awareness, to identify the loopholes and design a new awareness plan or a safeguard to overcome the weakness
7) You can also have group discussions to discuss various cases/problems faced by the staff, so that the mistakes/threats are identified. This way others are made aware to safeguard against similar mistakes

Ways of imparting awareness:

1) Seminars
2) Group discussions
3) Trainings
4) Online games, tests
5) Wallpapers, posters, flyers
6) Awareness games like cards (carrying an InfoSec awareness message, in the cafeteria or wherever staff rest during breaks)
7) Asking employees to come up with their own case studies (to ensure full participation)

These are a few ways. The key is to impart the apt level of InfoSec awareness that will act as a safeguard for your business. So you will have to first identify how and where the information is at risk from people (employees & third parties). Design and plan as per your organization's objectives and risk appetite. And deliver the training which will ensure CIA of your "Critical Information assets".

Hope this was of help to you :)

Regards,
Meenal A. Mukadam

On Fri, Mar 20, 2009 at 2:09 AM, Jason Hurst <Jason.Hurst () pandarg com> wrote:
Hi everyone,

It's important not to confuse an Awareness Program with a Training Program. Quote from the NIST Special Publication 800-16:

"Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities, the learner is the recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate the job performance."

An effective awareness program would focus on flyers, posters, brief messages, and other activities where the general idea is simply to promote the idea that security is important. It MAY be specific, such as a poster on virus protection or not writing down credit card numbers.

The first step to creating such a program would be to download the NIST SP800-50: Building an Information Technology Security Awareness and Training Program.

Jason Hurst
Sr. Network Security Administrator
Panda Restaurant Group
jason.hurst () pandarg com

Please consider the environment before printing this email

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of viveksilla () gmail com
Sent: Tuesday, March 17, 2009 10:06 PM
To: security-basics () securityfocus com
Subject: Re: RE: Annual Security Awareness program

User awareness is an essential component of security and all organizations should take steps to reduce the risk from the People element. To my knowledge, security awareness is a part of the induction program in most organizations. Many organizations do conduct periodic awareness programs, but when it is an essential point for regulatory compliance, all organizations have to.

Though classroom kind of sessions could be most effective, the practicality of conducting such sessions at least once a year should also be seen considering the headcounts. Though probably less effective, a more practical method could be the use of Computer Based Trainings, which many organizations do adopt to ensure compliance. Though there might not be any silver bullet, a mix of periodic broadcasts, eye-catching posters at key locations, security wallpapers on all machines, periodic floor sessions as well as CBTs might result in effective user awareness while ensuring regulatory compliance.

Regards
Vivek Silla a.k.a V1cky 8@8@

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Find the source of cybercrime! Almost every crime today involves a computer or mobile device. Learn how to become a Computer Forensics Examiner in InfoSec Institute's hands-on Computer Forensics Course. Up to three industry recognized certs available, online computer forensics training available.
http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------
--
Meenal A. Mukadam
-----------------------------------------------------------------
http://www.linkedin.com/in/meenalmukadam
-----------------------------------------------------------------
Far away there in the sunshine are my highest aspirations. I may/may not reach them, but I can look up and see their beauty, believe in them and try to follow where they lead
-------------------------------------------------------------
Current thread:
- Annual Security Awareness program Nick Duda (Mar 17)
- RE: Annual Security Awareness program Corey Bobb (Mar 17)
- RE: Annual Security Awareness program G Michael Runnels (Mar 19)
- <Possible follow-ups>
- Re: Annual Security Awareness program vupadhyaya (Mar 19)
- Re: RE: Annual Security Awareness program viveksilla (Mar 19)
- RE: RE: Annual Security Awareness program Jason Hurst (Mar 19)
- Re: RE: Annual Security Awareness program Meenal Mukadam (Mar 24)
- RE: RE: Annual Security Awareness program Jason Hurst (Mar 19)