Published by Katherine Moore. Modified over 7 years ago.
Build an Enterprise IT Security Training Program
IT Security Training

Over 50% of security breaches are caused by end-user error and ignorance, and these breaches can be costly and embarrassing. Most end-user breaches are preventable with proper IT security training, yet companies tend to neglect the constant reinforcement that training needs. Annual training supplemented by "microtraining", short training delivered on a regular basis, is far more effective than annual training alone.

Those who should read this:
- Clients looking to put an IT security training program in place.
- Clients that want to improve their current IT security training program.
- Clients that want to learn how other companies perform their IT security training.
- Clients who have experienced security breaches caused by end-user negligence or ignorance.

At the end, you will have:
- A better understanding of end users and their IT security training needs.
- An outline of the organization's IT security training goals.
- Specific IT security topics to cover and the delivery method(s) to use.
- End-user testing best practices.
Executive Summary

- IT security training is necessary in all organizations, regardless of size, industry or complexity.
- Evaluating the organization and its end users is a key step in determining what training the organization needs.
- There are four main classes of end users; determine which classes are present in your organization in order to tailor the training to their needs.
- Keep IT security training simple. Adjust training to the level of the end users, and gear the program toward the least knowledgeable end users in your organization.
- Informal and computer-based training are the most successful at improving end-user security performance. Build these methods into your training program.
- Formal training coupled with microtraining and testing is the best way to keep security training fresh in the minds of end users.
- Testing end users results in significant improvements in training retention. 45% of companies that performed some degree of IT security training saw significant improvements in their end users' IT security knowledge.
Outline

Establish Needs
- Assess, Interview and Analyze
- Classify End Users
- Set Goals and Needs
Create an Employee Training Program
Delivering and Maintaining Training
Case Study
Appendix
Most security breaches are a result of end-user error: IT security training programs can help

Over 50% of all security breaches are a direct result of end-user error, so providing adequate IT security training to employees improves organizational security. Companies that perform end-user security training see significant improvements in their end users' knowledge. Regardless of size and industry, every company requires some degree of IT security training and can benefit from improving its current methods. Companies with no training practices should follow the guidelines in this report to create a program. If a program is already in place, adopt microtraining and testing practices to improve it.
When developing training, be sure to assess needs before creating the program

PHASE 1: Establish Training Parameters
- Determine needs and training goals: find the problem areas in your organization, then bring all of the groups in the organization together to create a list of desired training goals.

PHASE 2: Create the Program
- Assign a champion to the initiative: get a C-level executive on board with the training program; a high-level champion makes it easier to obtain the needed resources. Determine which department will lead the training program.
- Determine what topics to address: choose the topics on which the organization will train. Topics differ for each organization depending on a number of variables.
- Choose a training delivery method: pick delivery methods that suit the topics to be covered, and consider how end-user IT security knowledge affects the effectiveness of each delivery method.
Assess, interview and analyze to determine security problems and needs

ASSESS
Perform an assessment to determine users' level of security knowledge and experience:
- Online quizzes: a comprehensive test or a series of mini-tests.
- Guerilla testing: tests performed without end users' knowledge in order to see how employees actually respond to threats and attacks. This includes e-mails that look like phishing attempts or other e-mail attacks, and suspicious phone calls requesting confidential information. Get management and HR approval before running such tests, record only whether a user clicked, replied or reported (never any credentials they entered), and use the results to target training rather than to discipline individuals.

INTERVIEW
Collect anecdotal and qualitative evidence from managers and staff; what people know is often quite different from what they actually do, and a quiz or test does not capture that gap. Interviews also show how employees feel about the known rules: if they consider the rules impractical or of no value, the organization first needs to gain employee acceptance.

ANALYZE
Review recent changes in the organization by performing a PEST (Political, Economic, Social and Technological) analysis, which provides a snapshot of the organization's current environment. Ensure the analysis also covers:
- Recent threats against the organization and attempted security breaches.
- The impact of recent mergers and acquisitions.
- The security impact of any recent downsizing.
- The security impact of any recent hiring.
Classify end users to provide training that best meets their needs

Determine into which class your end users fall; this will help set training goals and requirements. Classify users by analyzing the information gathered in the needs and goal-setting step. Users are placed on a 2x2 matrix of knowledge base (low or high) against acceptance of the security policy (low or high), which gives four classes. More than one type of end user is usually present in an organization.

- Laggards (high acceptance, low knowledge base): focus on educating them. Since their acceptance level is already high, little effort is needed to encourage them to participate.
- Champions (high acceptance, high knowledge base): focus on aligning their current IT security knowledge with the needs of the organization's IT security policy.
- NIMBYs, "Not In My Back Yard" (low acceptance, low knowledge base): create a training program that focuses on education and on the importance of abiding by the organization's security policy.
- Objectors (low acceptance, high knowledge base): focus on increasing their acceptance of the organization's security policy.
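The assessment results described above (quiz scores, rule-acceptance interviews and simulated-phishing rounds) have to be turned into the four classes before training can be targeted. The following script is an added example and is not from the Info-Tech deck: it assumes one record per user holding a quiz percentage (knowledge), a policy-acceptance survey percentage (acceptance) and the user's action in a simulated-phishing e-mail; the 60% cut-offs, the field layout and every sample record are constructed here for illustration.

```python
"""Added example: map assessment results onto the knowledge/acceptance
matrix and compute per-department phishing metrics.

Assumptions (not from the deck): each user has a quiz score, an
acceptance-survey score and one recorded phishing-simulation action;
the 60% cut-offs and the records in SAMPLE_RESULTS are constructed.
"""
from collections import Counter

# Constructed sample results: (user, department, quiz %, acceptance %, phishing action).
SAMPLE_RESULTS = [
    ("alice", "finance", 90, 85, "reported"),
    ("bob",   "finance", 40, 80, "clicked"),
    ("carol", "sales",   85, 30, "clicked"),
    ("dave",  "sales",   35, 25, "clicked"),
    ("erin",  "hr",      70, 75, "ignored"),
    ("frank", "hr",      55, 40, "clicked"),
]

KNOWLEDGE_THRESHOLD = 60   # assumed cut-off between low and high knowledge base
ACCEPTANCE_THRESHOLD = 60  # assumed cut-off between low and high acceptance

# Training focus for each quadrant, as described on the slide.
FOCUS = {
    "Champion": "align existing knowledge with the organization's policy",
    "Laggard": "educate; acceptance is already high",
    "Objector": "raise acceptance of the policy",
    "NIMBY": "educate and stress why abiding by the policy matters",
}


def classify(quiz_pct, acceptance_pct):
    """Place one user in a quadrant of the knowledge/acceptance matrix."""
    high_knowledge = quiz_pct >= KNOWLEDGE_THRESHOLD
    high_acceptance = acceptance_pct >= ACCEPTANCE_THRESHOLD
    if high_knowledge and high_acceptance:
        return "Champion"
    if high_acceptance:
        return "Laggard"      # willing but uninformed
    if high_knowledge:
        return "Objector"     # informed but unconvinced
    return "NIMBY"            # neither informed nor convinced


def summarise(results):
    """Per-department phishing click rate, report rate and class counts."""
    per_dept = {}
    for _user, dept, quiz, acceptance, action in results:
        entry = per_dept.setdefault(
            dept, {"users": 0, "clicked": 0, "reported": 0, "classes": Counter()})
        entry["users"] += 1
        entry["clicked"] += int(action == "clicked")
        entry["reported"] += int(action == "reported")
        entry["classes"][classify(quiz, acceptance)] += 1
    for entry in per_dept.values():
        entry["click_rate"] = entry["clicked"] / entry["users"]
        entry["report_rate"] = entry["reported"] / entry["users"]
    return per_dept


def training_focus(results):
    """Class to build the program around: the most common class among the
    low-knowledge users (the executive summary says to gear training to
    the least knowledgeable users), falling back to the most common overall."""
    counts = Counter(classify(q, a) for _, _, q, a, _ in results)
    low_knowledge = {c: n for c, n in counts.items() if c in ("Laggard", "NIMBY")}
    target = max(low_knowledge or counts, key=lambda c: (counts[c], c))
    return target, FOCUS[target]


if __name__ == "__main__":
    for dept, entry in sorted(summarise(SAMPLE_RESULTS).items()):
        classes = ", ".join(f"{c}={n}" for c, n in sorted(entry["classes"].items()))
        print(f"{dept:8s} click {entry['click_rate']:.0%}  "
              f"report {entry['report_rate']:.0%}  {classes}")
    print("Build training around:", *training_focus(SAMPLE_RESULTS))
```

Running it on the constructed data reports the sales department clicking 100% of simulated lures and makes NIMBYs the class the program should be built around. Re-running the same script after each microtraining round against fresh quiz and simulation results gives the retention measurement the deck asks for without any additional tooling.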
Define clear goals to ensure a focused training program

Use the information gathered from the organizational security assessment to set realistic goals and objectives for your training project. Don't be shortsighted: these goals should cover all aspects of the IT security training program. Decide on the following goals and objectives:
- End-user behaviors that should be exhibited after training.
- Expected level of improvement in end-user knowledge.
- Security requirements and expectations for each department.
- Date by which training must be complete.
- Milestones to ensure that training stays on track.
- The results, beyond testing, that the organization will use to track success.
Use Info-Tech's Establishing Training Parameters Template to record information gathered in this section

The Establishing Training Parameters Template consolidates all of the information gathered in this section. Use it when creating and structuring the actual training program; the information it contains will help determine:
- The training topics that should be covered.
- The best method(s) of delivering the training.

The tool walks you through three main areas:
- Identifying security issues in the organization.
- Classifying end users.
- Organizational goals and needs.