A security awareness and training program is a critical element of any organization. It is how security information is distributed throughout the workforce. By establishing and maintaining a robust security awareness and training program, an organization provides its workforce with the information and tools they need to protect its vital information. In this respect, all users have information security responsibilities.
It is not unusual for organizations to treat awareness and training as two separate functions, each with different goals, objectives, and approaches. Suitable implementation of each of these components promotes professional development. It is recommended that a security awareness and training program be documented and include:
• Definition of security roles and responsibilities.
• Development of program strategy and a program plan.
• Implementation of the program plan.
• Maintenance of the security awareness and training program [1].
A security awareness program seeks to continually direct a user's attention to an issue in information security. It introduces a message in a variety of formats, using not only tools but also communication and outreach. Here, awareness tools are used to promote information security and to inform users of threats or vulnerabilities affecting both the company and its workforce. The security awareness program should also be used to explain expected behavior in using the organization's information systems. A few examples of tools include, but are not limited to:
• Events such as security awareness day;
• Promotional materials; and
• Briefings [1].
A major part of any awareness effort is communication. A communication plan is needed to identify the people involved, the types of information to be prepared and disseminated, and the channels and frequency of dissemination for each information exchange. The plan should also specify whether this communication is unidirectional or bidirectional between the organization's users, managers, executives, and system owners. A few examples of activities which support communication include:
• Assessment;
• Strategic plan; and
• Program implementation [1].
It is important to note that there are two elements to intra-agency and inter-agency awareness. The intra-agency element promotes internal awareness of information security. A portal that provides security information can be a single, effective outreach tool, making policy, frequently asked questions, security e-newsletters, resource links, and other useful information easily accessible to all employees. The inter-agency element promotes sharing among agencies and is primarily used to leverage awareness and training resources [1].
A security training program seeks to produce relevant and needed security knowledge and skills within the workforce. Training should not only support competency but also help personnel understand and learn how to perform their security role. The most important difference between training and awareness is that training seeks to teach skills that allow a person to perform a specific function. In recent years, there has been a shift toward professional standards for federal and contracted security personnel. These professional standards integrate training, education, and experience with an assessment mechanism to validate knowledge and skills, resulting in a certificate of a predetermined level of competence [1].
There are clear differences between the certifications offered by organizations today. These include, but are not limited to, certificates of completion, certifications awarded by an industry and/or vendors, and graduate-level certificates awarded by academic institutions. In the design step of the Awareness and Training Program, the organization's needs are identified and priorities established.
“Awareness and training programs must be designed with the mission of the agency in mind. The awareness and training program must support the business needs of the organization and be relevant to the organization’s culture and information technology architecture. The most successful programs are those that users feel are relevant to the subject matter and issues presented” [1].
The development of the Awareness and Training Program involves three major steps:
• Designing the program;
• Developing the awareness and training material; and
• Implementing the program [1].
Even a small amount of information security awareness and training can go a long way toward improving the security posture of an organization. “Once the awareness and training program has been designed, supporting material can be developed. The focus should be on specific material that the users will integrate into their jobs. Attendees will pay attention and incorporate what they see or hear in a session if they feel that the material was developed specifically for them” [1]. Your workforce will include, but is not limited to, employees, contractors, foreign or domestic guest researchers, other agency personnel, visitors, guests, and other collaborators or associates requiring access.
“An information security awareness and training program should be implemented only after a needs assessment has been conducted, a strategy has been developed, an awareness and training program plan for implementing that strategy has been completed, and awareness and training material has been developed” [1]. Once the plan has been explained to management, the implementation of the Awareness and Training Program can begin. Organizations should tailor their implementation to the size and complexity of their enterprise.
People are arguably the weakest element in securing both systems and networks. As such, an organization's security awareness and training program can quickly become obsolete if insufficient attention is paid to it. Senior management needs to understand this issue and ensure continuous improvement of their security awareness and training initiatives. Processes must also be put in place to monitor compliance. This can be accomplished through an automated tracking system. This system should ideally capture data at an agency level, so it can be used to provide enterprise-wide analysis regarding awareness, training, and education initiatives.
Proper evaluation and feedback are critical components of any program. Continuous improvement cannot occur without a good sense of how the existing program is working.
It is essential to ensure that the security awareness and training program continues to evolve as technology and security issues emerge. Training needs will naturally shift as new skills and competencies become necessary to respond to new architectural and technological changes. In general, organizations that continuously train their workforce on policy and role-based responsibilities have a higher rate of success in protecting their vital information.
[1] Wilson, Mark. Building an Information Technology Security Awareness and Training Program. NIST Special Publication 800-50.