"It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public."
Clay Shirky

WHERE IS YOUR ORGANIZATION?

Do not be alarmed if your organization sits in the first couple of levels of the diagram below. Together we can take the steps needed for secure, uninterrupted business operations. Awareness is the first step, and you have much to gain simply by educating your personnel, or just yourself.

NEEDED ON YOUR PART

  • Educated awareness
  • Personal/company commitment
  • Engagement
  • Accountability

YOUR GAIN

  • Integration
  • Ownership
  • Expectations
  • Pride

INFORMATION SECURITY IS NOT IMPORTANT FOR US

- Minimal compliance

INFORMATION SECURITY IS IMPORTANT AND WE TAKE MEASURES WHENEVER WE ARE FACED WITH A THREAT

All of the previous level, and:

- Foundation Building
- Development / Deployment of Policies and Systems

WE HAVE SYSTEMS IN PLACE TO MANAGE INFORMATION SECURITY

All of the previous level, and:

- Maturing Information Security Management System
- Active Leadership
- Risk Assessment
- Trained & Competent Employees
- Maturing Risk Assessment Process
- Recovery System aligned to business requirements

WE ADDRESS LEFT-OVER PROBLEMS

All of the previous level, and:

- Continue to refine Management System & Processes
- Personal Leadership at most levels
- Round-the-clock Security Objectives
- Demonstrate continuous improvement
- Certification against all regulations and requirements relevant to your business
- Begin to develop full system integration

SECURITY IS HOW WE DO BUSINESS AROUND HERE - IT IS A PRECONDITION TO OUR WORK

All of the previous level, and:

- Security and performance culture seen as best in class
- Benchmark best practices against leading companies
- Frequent, credible & consistent leadership behavior
- Mature Security Management System
- Challenge improvement targets
- Clear aspiration to reach zero incidents
- Regard all systems as a living integrated environment

WHY IS AWARENESS & TRAINING IMPORTANT?

Enterprises and organizations cannot protect the confidentiality, integrity, and availability of information in today’s highly networked environment without ensuring that all people involved in using and managing IT:

  1. Understand their roles and responsibilities in relation to the organizational mission,
  2. Understand the organization’s IT security policy, procedures, and practices, and
  3. Have at least adequate knowledge of the management, operational, and technical controls required and available to protect the IT resources for which they are responsible.

As audit reports, periodicals, conference presentations, and other media repeatedly note, the IT security community generally holds that people are one of the weakest links in efforts to secure systems and networks.

The “people factor” - not technology - is key to providing an adequate and appropriate level of security. If people are the key, but are also a weak link, more and better attention must be paid to this “asset”.

A robust, enterprise-wide awareness and training program is paramount to ensuring that people understand their IT security responsibilities and organizational policies, and know how to properly use and protect the IT resources entrusted to them.

DETERMINING THE NEEDS

A needs assessment is a process for determining an organization’s awareness and training needs. Its results also provide the justification needed to convince management to allocate adequate resources to meet the identified needs.

In conducting a needs assessment, it is important that key personnel be involved. At a minimum, the following roles should be considered in terms of any special training needs:

EXECUTIVE MANAGEMENT – Organizational leaders need to fully understand directives and laws that form the basis for the security program. They also need to comprehend their leadership roles in ensuring full compliance by users within their units.

SECURITY PERSONNEL (security program managers and security officers) – These individuals act as expert consultants for their organization and therefore must be well educated on security policy and accepted best practices.

SYSTEM OWNERS – Owners must have a broad understanding of security policy and a high degree of understanding regarding security controls and requirements applicable to the systems they manage.

SYSTEM ADMINISTRATORS and IT SUPPORT PERSONNEL – Entrusted with a high degree of authority over support operations critical to a successful security program, these individuals need a higher degree of technical knowledge of effective security practices and their implementation.

OPERATIONAL MANAGERS and SYSTEM USERS – These individuals need a high degree of security awareness and training on security controls and rules of behavior for systems they use to conduct business operations.

A variety of information sources within an organization can be used to determine IT security awareness and training needs, and there are different ways to collect that information. The following list suggests techniques for gathering information as part of a needs assessment.

  • Interviews with all key groups and organizations identified
  • Organizational surveys
  • Review and assessment of available resource material, such as current awareness and training material, training schedules, and lists of attendees
  • Analysis of metrics related to awareness and training (e.g., percentage of users completing required awareness session or exposure, percentage of users with significant security responsibilities who have been trained in role-specific material)
  • Review of security plans for general support systems and major applications to identify system and application owners and appointed security representatives
  • Review of system inventory and application user ID databases to determine all who have access
  • Review of any findings and/or recommendations from oversight bodies (e.g., Congressional inquiry, inspector general, internal review/audit, and internal controls program) or program reviews regarding the IT security program
  • Conversations and interviews with management, owners of general support systems and major applications, and other organization staff whose business functions rely on IT
  • Analysis of security events (such as denial-of-service attacks, website defacements, hijacking of systems for use in subsequent attacks, or successful malware infections) that might indicate a need for training, or additional training, of specific groups of people
  • Review whenever technical or infrastructure changes are made
  • Study of trends first identified in industry, academic, or government publications or by training/education organizations. Such “early warning systems” can provide insight into an issue within the organization that has yet to be recognized as a problem.

THE INFORMATION SECURITY LEARNING CONTINUUM

Learning is a continuum; it starts with awareness, builds to training, and evolves into education. Security awareness efforts are designed to change behavior or reinforce good security practices. AWARENESS is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. TRAINING strives to produce relevant and needed security skills and competencies. EDUCATION integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge... and strives to produce IT security specialists and professionals capable of vision and response.