Security Awareness and Training Program
Objectives of the security awareness program
• Employees recognize their responsibility for protecting the enterprise’s information assets
• Employees understand the value of information security
• Employees recognize potential violations and know who to contact
• The level of security awareness among existing employees remains high
Protecting Enterprise’s Information Assets
• Employees are told the who, what, where, when, why, and how of information security, but they see themselves as being there only to do their job.
• Information security must therefore be presented to them as a function of their job.
Employees Understand the Value of Information Security
• The next step is making the employee understand how information has value and that personal, legal, and financial losses as well as damage to reputation can occur if the information is not properly protected.
• The value of information is best conveyed through real-life examples that relate to how most employees operate.
• Instead of complaining about necessary security functions whose ultimate purpose is to protect the employee, the employee’s work, and the organization’s information and processing assets, it makes sense to find more efficient processes that will allow the employee both the opportunity to perform security functions as well as the time to perform the job.
Employees Recognize Potential Violations and Know Who to Contact
• Key to educating a user is making that user aware of the warning signs to look for that indicate a potential security breach.
• Human nature makes most of us trusting.
• When someone unfamiliar is walking alone around the office, it is not typical that anyone would walk up to him, ask him who he is, and ask if he needs help.
Training must include:
• Security policy (e-mail, Internet)
• Confidentiality, integrity, and availability
• User ID and password requirements
• Appropriate use of resources
• Virus scanning and reporting
• Social engineering
• Use of encryption
• Individual responsibility
• Information classification and handling
• Threat by industry
• Incident reporting
• The information security organization
• Internet access
• Physical security
• Chain mail
• Information transmission, storage, and processing
• Information security programs
• Security monitoring programs
• Verbal communication in public
• Use of cellular phones
The Level of Security Awareness among Existing Employees Remains High
• Training is more formalized, typically in a classroom or conference setting where the objective is to gain knowledge about a particular subject.
• Awareness is a passive mechanism that occurs through less formal methods such as posters, themes, and objects such as key rings and cups.
PROGRAM CONSIDERATIONS
• Effectiveness is based on long-term commitment of resources and funding
• Benefits are difficult to measure in the short term
• Scoping the target audience, both new and existing employees
• How to effectively reach them