Week6 Blog
Blogging is fun, right?! This week you can talk about Security
Education, Training, and Awareness if you'd like
Security training involves providing members of the organization with detailed information and hands-on instruction that enable them to perform their duties securely.
Information security management can develop customized in-house training or outsource all or part of the training program.
Alternatively, organizations can subsidize or underwrite industry training conferences and programs offered through professional agencies such as SANS (www.sans.org), ISC2(www.isc2.org), ISSA (www.issa.org), and CSI (www.gocsi.com). Many of these programs are too technical for the average employee, but they may be ideal for the continuing education requirements of information security professionals.
A number of resources can help organizations put together SETA programs. The Computer Security Resource Center at NIST, for example, provides several very useful documents free of charge in its special publications area (http://csrc.nist.gov).
Training for General Users: General users require training on the technical details of how to do their jobs securely, including good security practices, password management, specialized access controls, and violation reporting.
Training for Managerial Users: This is another area in which a champion can exert influence. Support at the executive level can convince managers to attend training events, which in turn reinforces the entire training program.
Training for Technical Users: This training often relies on consultants or outside training organizations. There are three methods for selecting or developing advanced technical training:
* By job category: for example, technical users versus managers.
* By job function: for example, accounting versus marketing versus operations functional areas.
* By technology product: for example, e-mail client, database.
Implementing Training.
Step 1: Identify program scope, goals, and objectives.
Step 2: Identify training staff.
Step 3: Identify target audiences.
Step 4: Motivate management and employees.
Step 5: Administer the program.
Step 6: Maintain the program.
Step 7: Evaluate the program.
Identify Target Audiences.
* By level of awareness: Separating individuals into groups according to level of awareness may require research to determine how well employees follow computer security procedures or understand how computer security fits into their jobs.
* By general job task or function: Individuals may be grouped as data providers, data processors, or data users.
* By specific job category: Many organizations assign individuals to job categories.
* By level of computer knowledge: Computer experts may find a program containing highly technical information more valuable than one covering management, technology management, applications development, and security.
* By types of technology or systems used: Security techniques used for each off-the-shelf product or application system usually vary.
Reference.
Michael E. Whitman and Herbert J. Mattord, "Management of Information Security", Third Edition (2010), Boston: Course Technology, Cengage Learning.