Security Basics mailing list archives
Re: Security Training for Company's Employee
From: "Topi Ylinen" <topi.ylinen () hushmail com>
Date: Thu, 22 Sep 2005 01:15:14 -0700
First off, congratulations on your new job!
> But I never had to make something like this before. Have some of you any experience about the topic?
Yes, I do. Quite a lot, actually.
> Any help/ideas/suggestions on information security training is welcome.
Now, here's the deal: _you_ are the professional. _You_ should be the one to determine the answer to your questions. _You_ are the insider who knows how your organisation operates and what your information security needs are. Without this knowledge, any one of us could list a number of "hot issues" -- some or all of which could turn out to be already well known by the employees of your company or irrelevant to your operations model.

The key question is: *What* do you want to train the staff in? What do they need to know? You have already recognised that the different personnel groups are likely to have different needs - that is an astute (and often true) observation.

However, training is generally not where you start an information security project. Training greatly depends on other parts of the infosec project. Let's have a look at some examples:

- Classification and handling of business information? You would need a classification system first. Does your company have guidelines for information classification already? If they do, do these guidelines need to be updated?
- Information Security Policy - does your company have one already?
- Visitor policy - does your company have one already?
- Major infosec risks and how to avoid them? First you will need an inventory of critical assets and a risk analysis.

Training *is* a crucial part of information security development. After all, technology can take you only so far; in the end, it is always people who either make it (information security) work or not. Which is why training should not be taken lightly -- you will need a clear idea of what your employees need to know, and, to get to that point, you will need to develop the other areas first.

I would recommend using a standard such as BS7799 as a reference, see how it can be applied to your business model & working environment.

Good luck!