Implementing Security Education, Training, and Awareness Programs By: Joseph Flynn
Contents
Learning Objectives
What is SETA? What are its purposes?
Security Education
Security Training
Security Awareness
Learning Objectives
Define security education, training and awareness
List situations where each strategy is appropriate
Identify how organizations can use each strategy to mitigate threats to information security
SETA
SETA is an acronym for Security Education, Training, and Awareness.
It targets all users in an organization with specific programs for their jobs and level of technical expertise.
The SETA program is generally the responsibility of the Chief Information Security Officer.
Purposes of SETA
SETA holds employees accountable for their actions by communicating policy to all users.
Builds an in-depth knowledge base to design, implement, or operate security programs for organizations and systems.
Develops skills and knowledge so that users can perform their jobs using IT systems more securely.
Improves awareness of the need to protect system resources.
Security Awareness
Most basic level of SETA
Used for employees who are new or unskilled
Gets employees to focus on security
Least common, but extremely effective
Security Awareness Programs
Get the word out with mugs, t-shirts, posters, banners, conferences, newsletters, and bulletin boards to reach employees.
An example of a Security Awareness Topic: ‘Virus Protection’
What would the session cover?
How does this benefit all users?
Things to keep in mind…
Focus on people both as a part of the problem and as part of the solution.
Refrain from using technical jargon; speak the language the users understand.
Use every available venue to access all users.
Define at least one key learning objective, state it clearly, and provide sufficient detail and coverage to reinforce the learning of it.
Keep things light; refrain from "preaching" to users.
In addition…
Don't overload the users with too much detail or too great a volume of information.
Help users understand their roles in information security and how a breach in that security can affect their jobs.
Take advantage of in-house communications media to deliver messages.
Make the awareness program formal; plan and document all actions.
Provide good information early, rather than perfect information late.
Security Training
Intermediate level of SETA
According to the NIST SP : "Federal agencies and organizations cannot protect the integrity, confidentiality, and availability of information in today's highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them."
Security Training Programs
Provide detailed information and hands-on instruction.
Teach users what to do and how to do it.
Employees are divided into general users, technical users, and managerial users at beginner, intermediate, and advanced levels.
Things to keep in mind…
General users are trained in the policies of the organization such as security practices, password management, violation reporting, and access controls. It is best to do this when they are first hired.
Managerial users should be trained in smaller groups to facilitate discussion.
Technical users are trained more in-depth than general and managerial users. This is often outsourced because of the high level of expertise required. Technical users are often separated according to job category, job function, and technology product.
Training Techniques
Effective training programs are crucial to the success of an organization.
The wrong training methods can lead to unnecessary expense and frustrated, poorly trained employees.
Good training methods, regardless of delivery method, take advantage of the latest learning technologies and best practices.
Delivery Methods
One-on-One Method
Formal Class
Computer-Based Training
Distance Learning / Web Seminars
User Support Groups
On-the-Job Training
Self-Study
Dedicated Training Staff
Depending on the training delivery method chosen, a dedicated training staff may be required.
They should continually provide specific, effective training programs for an organization's employees.
Staff must assess organizational needs, plan effective programs, implement these programs, and evaluate their effectiveness.
Seven-Step Methodology for Implementing Security Training
Step One: Identify the program's scope, goals, and objectives
Step Two: Identify the training staff
Step Three: Identify the audience
Step Four: Motivation
Step Five: Administer the security training
Steps Six and Seven: Listen to employee feedback and evolve the program to increase its effectiveness
Security Education
Highest level of SETA
Used for employees in highly technical or skilled positions that demand greater information security
Conclusion
Having a good Information Security Program is not enough.
SETA is crucial to a successful information security program in an organization.
It helps minimize loss of information assets and holds employees accountable for breaking policies.
Questions?