Penetration Testing mailing list archives
Re: Enterprise Training Programs
From: "Martin W. Freiss" <martin () atsec com>
Date: Wed, 7 Jun 2006 09:40:31 +0200
> I'm the Security Director for a large bank. After having several pen-tests and audits performed for me I see that I need to do more training for my users. This is really apparent for phishing security knowledge...
You need a more holistic approach to security. Pentests are just one piece; awareness trainings for users are another.
> My questions: What are other large companies doing for training of the user base?
Different things, naturally. Everything from CBTs, large-scale awareness programs underpinned by internal media / intranet, mandatory courses, or nothing at all. Depends on your audience, really. If you have a technically savvy target audience, like IT staff, this will need a different approach than a factory or a merchant bank.
> How often should this training take place? (Refresher courses??? New hire training??)
New hire, definitely (if you have a QMS, this should happen anyway, so throw in security training there). Refreshers annually; ideally, more often, realistically, less :-).
> How effective is CBT training of the user population using a LMS package?
About zero, in my experience. This is not always the CBT's fault, but rather management expectation that staff can do CBTs "in between" their usual work, and this seldom leads to good quality learning.
> Basically, I'm trying to figure out the best method for training my user population and enforcing the security policies I have created... I think an LMS system might be the way to do it but it looks like LMS may be used mostly by colleges and NOT corporations???
Some do, some don't. You are approaching this too much from a tool-based view; instead, think about your policies, your people, and how you can best make people understand them. They will understand and follow the policies if they understand the relevance to their work. The successful awareness programs I have seen at large corporations so far were designed together with PR people, and the main difficulties were not the LMS, but actually reaching the audience and making them use the tools (LMS, CBT, guides, whatever). The tools you need to use follow from that.

Just my 2 cents,
-Martin