Privacy & Data Security
Apr 29, 2003 11:48 pm
Security Awareness & Training
NIST has posted the second draft of a security awareness and training
guide (74 pages). It's quite comprehensive.
In my opinion, a security awareness program begins with:
* Senior management (letter of support, repeated annually)
* Clear policies and procedures (signed by employees)
* Security included in job descriptions and performance reviews
* Awareness handbooks
* Awareness briefing for new employees
* Educate users with INFOSEC tidbits, luncheons, security web site, posters, etc.
* Formal security training for system administrators (budgeted annually)
* Basic security training and tests for the user community (depends on culture)
* Security representatives at each site (large organizations should consider each section too)
* Information security day
* Audits: office space reviews, attempts to gain access, annual self assessment surveys, etc.
The key is to make security a part of everyone's day without being obnoxious or repetitive. An awareness program requires creativity and constant care and feeding.
Tips should advise of best practices and reinforce policy. An awareness program cannot be conducted in a vacuum. Consider the current security culture and choose your battles. It takes time to make a change.
Lead by example. If you believe in security and explain why, it is much easier to bring others around to your way of thinking. Finally, ensure that security does not negatively impact productivity.
Well, that's a start at least...