1 Pertemuan 19 Organisational Back Up Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1

2 Learning Outcomes Pada akhir pertemuan ini, diharapkan mahasiswa akan mampu : Mahasiswa dapat menunjukkan Organisational back up

3 Outline Materi Information Security Training –Why Is Security Training Important? –Security Training and Security Awareness – What Is The Difference? –Who Should Be Trained, How, and What Should They Be Trained In? Who Needs To Be Trained? How Should The Training Be Conducted? What Training Is Required?

4 –What Training Structure Would Be The Most Effective in The Long Term? Principle 1 – Awareness Principle 2 – Responsibility Principle 3 – Response Principle 4 – Ethics Principle 5 – Democracy Principle 6 – Risk Assessment Principle 7 –Security Design and Implementation Principle 8 – Security Management Principle 9 – Reassessment –Conclusion

5 Information Security Training Why Is Security Training Important? Security Training and Security Awareness – What Is The Difference? –Who Should Be Trained, How, and What Should They Be Trained In? –Who Needs To Be Trained? –How Should The Training Be Conducted? –What Training Is Required?

6 What Training Structure Would Be The Most Effective in The Long Term? –Principle 1 – Awareness –Principle 2 – Responsibility –Principle 3 – Response –Principle 4 – Ethics –Principle 5 – Democracy –Principle 6 – Risk Assessment –Principle 7 –Security Design and Implementation –Principle 8 – Security Management –Principle 9 – Reassessment Conclusion

7 Why Is Security training Important? This may sound like an obvious question, but it is important to look at what problems security training is likely to address effectively. Training is a ‘people’ issue – again, an obvious statement, but so often we overlook the obvious.

8 Security Training and security Awareness – What Is The Difference? Information security is, above all, a business issue, which involves people, processes and technology. Security awareness can be thought of as creating the aspiration, whilst security training can be seen as one important means of achieving this aspiration. They are complementary and both are necessary for creating a security-aware culture by helping people move round the security learning cycle.

9 Who Should Be Trained, How, and What Should They Be Trained In? The answer to the ‘who’, ‘how’ and ‘what’ question will depend on the individual and on the needs of your business, but the following points are relevant.

10 Who Needs To Be Trained? It is glib to say that everyone in an organisation at some time or another should receive some sort of information security training. In some organisations it is not unusual for every employee to have a security-related item in their job description and, where appropriate, to have specific relevant personal objectives.

11 How Should The Training Be Conducted? One example of how to conduct the training has already been given where distance learning was used effectively. Training courses are also very effective, both external and in-house, and on some of the more technical training it is important to provide hands-on training facilities. There are many vendor-specific technical training courses, and counsulting firms can be employed to run courses on almost any aspect of information securities.

12 What Training Is Required? This question is perhaps the most complex to deal with, as what training is required depends on the individual, their role within an organisation and the aspirations of both the individual and the organisation. A good starting point, however, is to look at possible structures for determining what training is needed. A logical place to start would be to organise training around the ‘information security policy’ of the organisation, where, for example, all desktop users could be trained on the Internet usage policy.

13 What Training Structure Whould Be The Most Effective in The Long Term? This section proposes that an effective structure for security training should be one that is bases on the nine principles described in the OECD guidelines. The guidelines state that: ‘All participants will be aided by awareness, education, information sharing and training that can lead to adoption of better security understanding and practices.’

14 Principle 1 - Awareness The guidelines expand on the importance of risk awareness as the first line of defence and of people understanding the consequences arising from the abuse of information systems and networks. Training should therefore ensure that people in all roles clearly understand these risks, and what they need to do to mitigate them.

15 Principle 2 - Responsibility The guidelines promote good management practices in terms of ensuring that individuals are aware of their responsibility and are accountable. Training should therefore be provided to help ensure people have the necessary skills and knowledge for themto discharge this responsibility.

16 Principle 3 - Response This recognises that security incidents will occur and that it is important to respond to them in a co-operative and timely manner. This raises an important point in terms of co-operation, because ideally training would need to inform on other people’s misfortunes – that is, learning from other people’s mistakes. However, information sharing is recognised as being difficult due to the potential loss of reputation arising from the risk of unsympathetic media reporting.

17 Training should therefore attempt to include content from shared information on sensitive issues such as incidents.

18 Principle 4 - Ethics This is fundamental to changing the culture in terms of making people recognise that their action or inaction may harm others. Training should therefore be provided on codes such as these and delivered to all people in an organisation. A good place to start is induction training.

19 Principle 5 - Democracy This can often be taken for granted in the UK, but it addresses the need for information security to be compatible with the essential value of a democratic society. Training should therefore be provided to help people understand the relevant legislation, both in terms of their rights and what is illegal.

20 Principle 6 – Risk Assessment Participants are encourage to conduct risk assessments in this section of the guidelines. Risk is a term used by many but, arguably, understood by few. Training should be given on risk and how it relates to the individual’s role within the organisation.

21 Principle 7 – Security Design and Implementation I would argue that this is one of the most fundamental principles of the OECD guidelines where it states that systems, networks and policies need to be properly designed, implemented and co-ordinated to optimise security. Training should be provided on how security can be designed into IT systems and networks, as well as on implementing and maintaining them in a secure manner. Suppliers and users should teach their staff how to do it, and clients should teach their staff how to procure systems and services that will be secure.

22 Principle 8 – Security Management The guidelines state that participants should adopt a comprehensive approach to security management.

23 Principle 9 - Reassessment Security training should, therefore, not be a single event for any individual, but should be provided continuously to meet to needs of the changing environment. This also applies to security awareness, as important to continuously re-enforce the need for good security practice. Otherwise there is a risk of complacency, especially if no significant incidents occur.

24 Conclusion It is recognised that not all the points of advice provided above will apply to everyone,b ut it is hoped that with the right prioritisation the reader can go away and act on at least one price of advice or comment in this chapter.

25 The End