Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act places emphasis on the importance of training and awareness program and states under section 3544 (b).(4).(A), (B) that "security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency of- information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks"
Reasons for training and awareness program:
Information security awareness and training is one of the most critical aspects of an organization's information security strategy and supporting security operations (Maconachy, n.d. This is due to the fact that people are in many cases the last line of defense against threats, such as malevolent code, discontented employees, and malicious third parties, which introduce costly tangible and intangible losses to organizations. Therefore, people need to be educated on what an organization considers is appropriate security-conscious behavior, and also what security best practices the staff needs to incorporate in their daily business activities. Information security awareness and training can also be used as an effective accountability mechanism by overcoming a common obstacle faced by several organizations. This common obstacle is organizations' inability to hold their personnel accountable for their actions due to not executing information security awareness and training programs (ISATP) to address what they do not know or understand.
IT security policy - Goals and Objectives:
The goal of the organization is to impart sufficient knowledge and skills to its organizational staff regarding the impact of information warfare, importance of information security, use information security systems, security threats and knowledge audits.
In order to achieve this goal the organization has developed this training and awareness program to provide chief training officer prescriptive guidance outlining how to successfully and effectively address all components of the information security.
Information security learning process begins with establishing awareness. The primary objective of establishing information security awareness is to change workforce behavior by reinforcing acceptable security business practices. This objective is achieved by imparting an understanding of information security considerations and enabling individuals to apply them accordingly in all settings. A security awareness presentation guide for delivering effective security awareness presentations to organizations' entire workforces has thus been prepared.
A role-based information security training process follows the completion of the information security awareness process since the skills that are acquired during information security training are built upon the information security awareness foundation. The primary objective of role-based information security training is to impart relevant and necessary information security skills and competencies to practitioners, regardless of whether their professional responsibilities may involve information security (Orientation Into Practical Reality, 1989).
Roles and Responsibility:
IT professionals are responsible for facilitating the entire information security awareness and training program including the management, design, development, execution, and ongoing maintenance. However IT professionals are not the only resources required to successfully develop, deliver, and maintain information security awareness and training program. In order for information security awareness and training program to be successful, there must be sufficient representation from all vital departmental / business unit personnel including human resources, help desk, finance, IT, facilities, audit, training, and legal counsel.
Many of the prevalent types of security incidents that cost organizations substantial amounts of money and loss of reputation result from inadvertent acts performed by insufficiently informed practitioners. Among the most effective mechanisms the organization can apply to reduce several types of security incidents is establishing and executing an information security awareness program. Information security awareness initiatives are vital in combating the security incidents and many others due to their effectiveness in changing practitioner's behavior by having them become more security-conscious in all business activities they conduct.
Every employee, temporary employee, contractor, business partner, vendor excreta has information security roles and responsibilities to fulfill in order to increase assurance that organizations' information and other critical assets are sufficiently protected against theft, harm, and inappropriate disclosure. It is therefore imperative that the entire workforce receive sufficient information security awareness and training.
Activities and target dates:
Instructor-led delivery through a presentation: The optimal delivery mechanism for information security awareness and training content would be instructor-led delivery. Instructor-led delivery of content would enable the instructor and other observing personnel monitor the body language to determine whether the content is being understood and consumed by the managerial staff. Since the content would be delivered in real-time in an interactive fashion, the instructor would be capable of adjusting delivery tactics to ensure necessary knowledge-transfer is occurring.
In order to create awareness within an organization information security awareness presentation would be prepared covering topics such as the impact of information warfare, importance of information security, how to effectively use information security systems and recognize security threats and perform knowledge audits. This presentation would provide prescriptive guidance to deliver an effective security awareness presentation to the entire workforce (Isaacson, 1990).
Information security awareness material:
The information security involves the preservation of Confidentiality: Ensuring information is disclosed to, and reviewed exclusively by intended recipients / authorized individual;
Integrity: Ensuring the accuracy and completeness of information and processing method and;
Availability: Ensuring that information and associated assets are accessible, whenever necessary, by authorized individuals.
Inability to take appropriate measures regarding information security can results in a number of harmful consequences such as loss of competitive advantage, identity theft, equipment theft, service interruption (e.g., e-mail), embarrassing media coverage, compromised customer confidence, loss of business and other legal penalties.
The term Information Warfare (IW) would also be highlighted which is primarily an American concept involving the use and management of information technology in pursuit of a competitive advantage over an opponent (Flanders, n.d.). All organizations personnel needs to have an understanding that lack of management of information would expose us to threats from competitors and this could be fatal for the organization. Maintaining a competitive edge is essential and all steps need to be taken to ensure that the information security is at its maximum.
Information security is achieved by implementing a suitable set of controls - policies, practices, procedures, organizational structures and software functions. Information security is not just about IT measures but also about the human interface to the information (Suchinsky, n.d). Each individual can help in reducing security threat faced by the organization by considering that all acts done within the organization as vital. A self-assessment would be useful at this stage whereby employees should ask themselves certain questions before performing an activity such as
Could the actions I am about to perform in any way either harm myself or the company?
Is the information I am currently handling of vital importance either to myself or company?
Is the information I am about to review legitimate / authentic?
Have I contacted appropriate company personnel with questions regarding my uncertainty of how to handle this sensitive situation?
By imparting this form of awareness end-users will begin to understand that a change in the manner in which they conduct their daily business activities (i.e., their behavior) will need to occur to increase assurance that the organization is protecting its assets in the best possible manner.
Emphasis would be placed on the fact that instituting security in the company is not discretionary; it is essential for sustaining the company, and ensuring the protection of all personnel. All end-users need to be informed that they should contact the head of the information security department of authorized personnel in the event they suspect either a breach in security has occurred, or that they have witnessed any form of suspicious activity.
Security threats & their countermeasures would also be highlighted such as:
Malicious software viruses: Malicious code embedded in e-mail messages is capable of inflicting a great deal of damage and causing extensive frustration. They can steal files containing personal information, Sending emails from personal accounts; render the computer unusable or removing files from the computer. If the staff feels that the virus has been inflicted then they should not open attachments to e-mails received from unknown individuals or those that in any way appear suspicious. If the employee is uncertain all suspicious e-mails should be reported to the head of information security.
Malicious software spyware: Any technology that aids in gathering information about the company without its knowledge and consent. Programming is put in a computer to secretly gather information about the user and relay it to advertisers or other interested parties. If a Web site stores information about the company in a cookie of which the employee is unaware, the cookie is considered a form of spyware (National Aeronautics and Space Administration, n.d). Spyware exposure can be caused by a software virus or in result of installing a new program. Employees should not click on options in deceptive / suspicious pop-up windows nor install any software without receiving prior approval from information and security department.
The key objective that needs to be achieved is to ensure that the end-user audiences understand that their desktop / laptop computers…