Information Security Training Program Research Paper

Download this Research Paper in word format (.doc)

Note: Sample below may appear distorted but all corresponding word document files contain proper formatting

Excerpt from Research Paper:

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act places emphasis on the importance of training and awareness program and states under section 3544 (b).(4).(A), (B) that "security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency of- information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks"

Reasons for training and awareness program:

Information security awareness and training is one of the most critical aspects of an organization's information security strategy and supporting security operations (Maconachy, n.d. This is due to the fact that people are in many cases the last line of defense against threats, such as malevolent code, discontented employees, and malicious third parties, which introduce costly tangible and intangible losses to organizations. Therefore, people need to be educated on what an organization considers is appropriate security-conscious behavior, and also what security best practices the staff needs to incorporate in their daily business activities. Information security awareness and training can also be used as an effective accountability mechanism by overcoming a common obstacle faced by several organizations. This common obstacle is organizations' inability to hold their personnel accountable for their actions due to not executing information security awareness and training programs (ISATP) to address what they do not know or understand.

IT security policy - Goals and Objectives:

The goal of the organization is to impart sufficient knowledge and skills to its organizational staff regarding the impact of information warfare, importance of information security, use information security systems, security threats and knowledge audits.

In order to achieve this goal the organization has developed this training and awareness program to provide chief training officer prescriptive guidance outlining how to successfully and effectively address all components of the information security.

Information security learning process begins with establishing awareness. The primary objective of establishing information security awareness is to change workforce behavior by reinforcing acceptable security business practices. This objective is achieved by imparting an understanding of information security considerations and enabling individuals to apply them accordingly in all settings. A security awareness presentation guide for delivering effective security awareness presentations to organizations' entire workforces has thus been prepared.

A role-based information security training process follows the completion of the information security awareness process since the skills that are acquired during information security training are built upon the information security awareness foundation. The primary objective of role-based information security training is to impart relevant and necessary information security skills and competencies to practitioners, regardless of whether their professional responsibilities may involve information security (Orientation Into Practical Reality, 1989).

Roles and Responsibility:

IT professionals are responsible for facilitating the entire information security awareness and training program including the management, design, development, execution, and ongoing maintenance. However IT professionals are not the only resources required to successfully develop, deliver, and maintain information security awareness and training program. In order for information security awareness and training program to be successful, there must be sufficient representation from all vital departmental / business unit personnel including human resources, help desk, finance, IT, facilities, audit, training, and legal counsel.

Awareness program:

Many of the prevalent types of security incidents that cost organizations substantial amounts of money and loss of reputation result from inadvertent acts performed by insufficiently informed practitioners. Among the most effective mechanisms the organization can apply to reduce several types of security incidents is establishing and executing an information security awareness program. Information security awareness initiatives are vital in combating the security incidents and many others due to their effectiveness in changing practitioner's behavior by having them become more security-conscious in all business activities they conduct.

Target Audience:

Every employee, temporary employee, contractor, business partner, vendor excreta has information security roles and responsibilities to fulfill in order to increase assurance that organizations' information and other critical assets are sufficiently protected against theft, harm, and inappropriate disclosure. It is therefore imperative that the entire workforce receive sufficient information security awareness and training.

Activities and target dates:

Instructor-led delivery through a presentation: The optimal delivery mechanism for information security awareness and training content would be instructor-led delivery. Instructor-led delivery of content would enable the instructor and other observing personnel monitor the body language to determine whether the content is being understood and consumed by the managerial staff. Since the content would be delivered in real-time in an interactive fashion, the instructor would be capable of adjusting delivery tactics to ensure necessary knowledge-transfer is occurring.

In order to create awareness within an organization information security awareness presentation would be prepared covering topics such as the impact of information warfare, importance of information security, how to effectively use information security systems and recognize security threats and perform knowledge audits. This presentation would provide prescriptive guidance to deliver an effective security awareness presentation to the entire workforce (Isaacson, 1990).

Information security awareness material:

The information security involves the preservation of Confidentiality: Ensuring information is disclosed to, and reviewed exclusively by intended recipients / authorized individual;

Integrity: Ensuring the accuracy and completeness of information and processing method and;

Availability: Ensuring that information and associated assets are accessible, whenever necessary, by authorized individuals.

Inability to take appropriate measures regarding information security can results in a number of harmful consequences such as loss of competitive advantage, identity theft, equipment theft, service interruption (e.g., e-mail), embarrassing media coverage, compromised customer confidence, loss of business and other legal penalties.

The term Information Warfare (IW) would also be highlighted which is primarily an American concept involving the use and management of information technology in pursuit of a competitive advantage over an opponent (Flanders, n.d.). All organizations personnel needs to have an understanding that lack of management of information would expose us to threats from competitors and this could be fatal for the organization. Maintaining a competitive edge is essential and all steps need to be taken to ensure that the information security is at its maximum.

Information security is achieved by implementing a suitable set of controls - policies, practices, procedures, organizational structures and software functions. Information security is not just about IT measures but also about the human interface to the information (Suchinsky, n.d). Each individual can help in reducing security threat faced by the organization by considering that all acts done within the organization as vital. A self-assessment would be useful at this stage whereby employees should ask themselves certain questions before performing an activity such as

Could the actions I am about to perform in any way either harm myself or the company?

Is the information I am currently handling of vital importance either to myself or company?

Is the information I am about to review legitimate / authentic?

Have I contacted appropriate company personnel with questions regarding my uncertainty of how to handle this sensitive situation?

By imparting this form of awareness end-users will begin to understand that a change in the manner in which they conduct their daily business activities (i.e., their behavior) will need to occur to increase assurance that the organization is protecting its assets in the best possible manner.

Emphasis would be placed on the fact that instituting security in the company is not discretionary; it is essential for sustaining the company, and ensuring the protection of all personnel. All end-users need to be informed that they should contact the head of the information security department of authorized personnel in the event they suspect either a breach in security has occurred, or that they have witnessed any form of suspicious activity.

Security threats & their countermeasures would also be highlighted such as:

Malicious software viruses: Malicious code embedded in e-mail messages is capable of inflicting a great deal of damage and causing extensive frustration. They can steal files containing personal information, Sending emails from personal accounts; render the computer unusable or removing files from the computer. If the staff feels that the virus has been inflicted then they should not open attachments to e-mails received from unknown individuals or those that in any way appear suspicious. If the employee is uncertain all suspicious e-mails should be reported to the head of information security.

Malicious software spyware: Any technology that aids in gathering information about the company without its knowledge and consent. Programming is put in a computer to secretly gather information about the user and relay it to advertisers or other interested parties. If a Web site stores information about the company in a cookie of which the employee is unaware, the cookie is considered a form of spyware (National Aeronautics and Space Administration, n.d). Spyware exposure can be caused by a software virus or in result of installing a new program. Employees should not click on options in deceptive / suspicious pop-up windows nor install any software without receiving prior approval from information and security department.

The key objective that needs to be achieved is to ensure that the end-user audiences understand that their desktop / laptop computers…[continue]

Cite This Research Paper:

"Information Security Training Program" (2011, September 08) Retrieved December 9, 2016, from http://www.paperdue.com/essay/information-security-training-program-117418

"Information Security Training Program" 08 September 2011. Web.9 December. 2016. <http://www.paperdue.com/essay/information-security-training-program-117418>

"Information Security Training Program", 08 September 2011, Accessed.9 December. 2016, http://www.paperdue.com/essay/information-security-training-program-117418

Other Documents Pertaining To This Topic

  • Information Security

    Security A broad definition of information security is given in ISO/IEC 17799 (2000) standard as: "The preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods), and availability (ensuring that authorized users have access to information and associated assets when required" (ISO/IEC 17799, 2000, p. viii). Prior to the computer and internet security emerged as we

  • Information Security Management

    Security Management During the span of one's college career, a select number of courses become something more than a simple requirement to be satisfied to assure graduation; these are moments in a student's educational process which make the most lasting impacts. In my personal case, the lessons I have learned as part of my studies in ISSC680 will likely be remembered in those terms, as my eventual career will find

  • Security Programs Implementation of Information Security Programs

    Security Programs Implementation of Information Security Programs Information Security Programs are significantly growing with the present reforms in the United States agencies, due to the insecurity involved in the handling of data in most corporate infrastructure systems. Cases such as independent hackers accessing company databases and computerized systems, computer service attacks, malicious software such as viruses that attack the operating systems and many other issues are among the many issues experienced

  • Training Program for Eye Movement Desensitization and

    training program for eye movement desensitization and reprocessing (EMDR) used by the Department of Veterans Affairs because it had been found that there were few personnel who could deal with the high number of cases of post-traumatic stress disorder (PTSD). One main point of the article is that PTSD is common among veterans who seek help with the Department of Veterans Affairs. Another main point is that Department of

  • Security Awareness the Weakest Link

    To offer an information security awareness training curriculum framework to promote consistency across government (15). Security awareness is needed to ensure the overall security of the information infrastructure. Security awareness programs is the can help organizations communicate their security information policies, as well as tips for users, to help keep systems secure, and the practices the entire organization should be utilizing. However, as Kolb and Abdullah reiterate, "security awareness is not

  • Information Security Evaluation for OSI Systems a Case Study

    OSIIT An analysis of IT policy transformation The aim of this project is to evaluate the effectiveness of information security policy in the context of an organization, OSI Systems, Inc. With presence in Africa, Australia, Canada, England, Malaysia and the United States, OSI Systems, Inc. is a worldwide company based in California that develops and markets security and inspection systems such as airport security X-ray machines and metal detectors, medical monitoring anesthesia

  • Security Plan Target Environment Amron International Inc

    Security Plan Target Environment Amron International Inc. Amron International Inc. is a division of Amtec and manufactures ammunition for the U.S. military. Amron is located in Antigo, Wisconsin. Amron also manufacturer's mechanical subsystems including fuses for rockets and other military ammunitions as well as producing TNT, a highly explosive substance used in bombs. Floor Plan Target Environment The target environment in this security plan is the manufacturing operation located in Antigo, Wisconsin, a


Read Full Research Paper
Copyright 2016 . All Rights Reserved