
Information Security Training Program

Last reviewed: September 8, 2011

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act places emphasis on the importance of training and awareness programs and states under section 3544(b)(4)(A), (B) that agencies must provide "security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency of- information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks".

Reasons for a training and awareness program:

Information security awareness and training is one of the most critical aspects of an organization's information security strategy and supporting security operations (Maconachy, n.d.). This is due to the fact that people are in many cases the last line of defense against threats, such as malevolent code, discontented employees, and malicious third parties, which introduce costly tangible and intangible losses to organizations. Therefore, people need to be educated on what an organization considers appropriate security-conscious behavior, and also on what security best practices the staff needs to incorporate in their daily business activities. Information security awareness and training can also be used as an effective accountability mechanism by overcoming a common obstacle faced by several organizations: their inability to hold their personnel accountable for their actions, because no information security awareness and training program (ISATP) has been executed to address what those personnel do not know or understand.

IT security policy - Goals and Objectives:

The goal of the organization is to impart sufficient knowledge and skills to its organizational staff regarding the impact of information warfare, the importance of information security, the use of information security systems, security threats, and knowledge audits.

In order to achieve this goal the organization has developed this training and awareness program to provide the chief training officer with prescriptive guidance outlining how to successfully and effectively address all components of information security.

The information security learning process begins with establishing awareness. The primary objective of establishing information security awareness is to change workforce behavior by reinforcing acceptable security business practices. This objective is achieved by imparting an understanding of information security considerations and enabling individuals to apply them accordingly in all settings. A security awareness presentation guide for delivering effective security awareness presentations to an organization's entire workforce has thus been prepared.

A role-based information security training process follows the completion of the information security awareness process since the skills that are acquired during information security training are built upon the information security awareness foundation. The primary objective of role-based information security training is to impart relevant and necessary information security skills and competencies to practitioners, regardless of whether their professional responsibilities may involve information security (Orientation Into Practical Reality, 1989).

Roles and Responsibility:

IT professionals are responsible for facilitating the entire information security awareness and training program, including its management, design, development, execution, and ongoing maintenance. However, IT professionals are not the only resources required to successfully develop, deliver, and maintain an information security awareness and training program. In order for the program to be successful, there must be sufficient representation from all vital departmental / business unit personnel, including human resources, help desk, finance, IT, facilities, audit, training, and legal counsel.

Awareness program:

Many of the prevalent types of security incidents that cost organizations substantial amounts of money and loss of reputation result from inadvertent acts performed by insufficiently informed practitioners. Among the most effective mechanisms the organization can apply to reduce several types of security incidents is establishing and executing an information security awareness program. Information security awareness initiatives are vital in combating these security incidents and many others, due to their effectiveness in changing practitioners' behavior by having them become more security-conscious in all business activities they conduct.

Target Audience:

Every employee, temporary employee, contractor, business partner, vendor, etc. has information security roles and responsibilities to fulfill in order to increase assurance that the organization's information and other critical assets are sufficiently protected against theft, harm, and inappropriate disclosure. It is therefore imperative that the entire workforce receive sufficient information security awareness and training.

Activities and target dates:

Instructor-led delivery through a presentation: The optimal delivery mechanism for information security awareness and training content would be instructor-led delivery. Instructor-led delivery of content would enable the instructor and other observing personnel to monitor body language to determine whether the content is being understood and consumed by the managerial staff. Since the content would be delivered in real time in an interactive fashion, the instructor would be capable of adjusting delivery tactics to ensure the necessary knowledge transfer is occurring.

In order to create awareness within the organization, an information security awareness presentation would be prepared covering topics such as the impact of information warfare, the importance of information security, how to effectively use information security systems, how to recognize security threats, and how to perform knowledge audits. This presentation would provide prescriptive guidance to deliver an effective security awareness presentation to the entire workforce (Isaacson, 1990).

Information security awareness material:

Information security involves the preservation of:

Confidentiality: Ensuring information is disclosed to, and reviewed exclusively by, intended recipients / authorized individuals;

Integrity: Ensuring the accuracy and completeness of information and processing methods; and

Availability: Ensuring that information and associated assets are accessible, whenever necessary, by authorized individuals.

Inability to take appropriate measures regarding information security can result in a number of harmful consequences, such as loss of competitive advantage, identity theft, equipment theft, service interruption (e.g., e-mail), embarrassing media coverage, compromised customer confidence, loss of business, and legal penalties.

The term Information Warfare (IW) would also be highlighted; it is primarily an American concept involving the use and management of information technology in pursuit of a competitive advantage over an opponent (Flanders, n.d.). All organizational personnel need to understand that poor management of information would expose the organization to threats from competitors, and that this could be fatal for the organization. Maintaining a competitive edge is essential, and all steps need to be taken to ensure that information security is at its maximum.

Information security is achieved by implementing a suitable set of controls - policies, practices, procedures, organizational structures and software functions. Information security is not just about IT measures but also about the human interface to the information (Suchinsky, n.d.). Each individual can help reduce the security threats faced by the organization by treating every act performed within the organization as vital. A self-assessment would be useful at this stage, whereby employees should ask themselves certain questions before performing an activity, such as:

Could the actions I am about to perform in any way either harm myself or the company?

Is the information I am currently handling of vital importance either to myself or company?

Is the information I am about to review legitimate / authentic?

Have I contacted appropriate company personnel with questions regarding my uncertainty of how to handle this sensitive situation?

By imparting this form of awareness end-users will begin to understand that a change in the manner in which they conduct their daily business activities (i.e., their behavior) will need to occur to increase assurance that the organization is protecting its assets in the best possible manner.

Emphasis would be placed on the fact that instituting security in the company is not discretionary; it is essential for sustaining the company and ensuring the protection of all personnel. All end-users need to be informed that they should contact the head of the information security department or other authorized personnel in the event they suspect that a breach of security has occurred, or that they have witnessed any form of suspicious activity.

Security threats and their countermeasures would also be highlighted, such as:

Malicious software viruses: Malicious code embedded in e-mail messages is capable of inflicting a great deal of damage and causing extensive frustration. It can steal files containing personal information, send e-mails from personal accounts, render the computer unusable, or remove files from the computer. If staff suspect that a virus has been introduced, they should not open attachments to e-mails received from unknown individuals or those that in any way appear suspicious. If an employee is uncertain, all suspicious e-mails should be reported to the head of information security.

Malicious software spyware: Any technology that aids in gathering information about the company without its knowledge and consent. Software is placed on a computer to secretly gather information about the user and relay it to advertisers or other interested parties. If a Web site stores information about the company in a cookie of which the employee is unaware, the cookie is considered a form of spyware (National Aeronautics and Space Administration, n.d.). Spyware exposure can be caused by a software virus or can result from installing a new program. Employees should not click on options in deceptive / suspicious pop-up windows, nor install any software without receiving prior approval from the information security department.

The key objective that needs to be achieved is to ensure that the end-user audiences understand that their desktop / laptop computers contain vital company information. Once this understanding and awareness is created, the damage that could be inflicted on the company if a criminal were able to access company information through an unprotected end-user's desktop / laptop computer would be explained; for example, unauthorized system access can result in theft and damage of vital information assets. Employees should thus use strong passwords for all accounts and commit passwords to memory. If that is not possible, they should store all passwords in a secure location (i.e., not on a sticky note affixed to the monitor or the underside of the keyboard). The computer should be protected with a password-protected screen saver, and the password should not be disclosed to anyone under any circumstances.

Session comprehension and evaluation questionnaire:

Immediately after delivering ISATP security awareness content, the organization would evaluate whether the personnel comprehended the addressed topics. Additionally, the personnel primarily responsible for the daily ISATP development activities should enable attendees to evaluate the effectiveness of, and other considerations regarding, the ISATP security awareness session. These two objectives would be addressed by developing a session comprehension and evaluation questionnaire. Topics addressed in the evaluation portion of the questionnaire would include the effectiveness of the instructor, the effectiveness of the content, and the perceived value of the session and learning material.

Training program:

Perspectives on information security vary greatly depending upon the roles and responsibilities being fulfilled by each IT and business unit. Therefore, unlike the ISATP security awareness content, which commonly consists of content that is to be consumed by the entire workforce, several distinct ISATP security training sessions will need to be developed for each target ISATP audience.

Target Audience: IT security staff

Focus Area: The basis for each organization's Information Security Management Framework is business and security drivers, regulatory security requirements the organization is subject to, and best practice security standards; all of which will drive the security controls to be implemented by the organization. Ultimately, the implementation of these Security Controls as part of the Information Security Management Framework will lead the organization toward regulatory compliance.

Learning Objectives: To derive an understanding of:

the business drivers for information security;

the performance of a knowledge audit;

the security systems that need to be in place; and

the conduct of a security audit to ensure all security systems are working effectively.

Learning Material:

There are several business drivers for information security, including:

The ability to securely facilitate new business initiatives.

Protecting the brand or image of the organization.

Protecting customer confidence in the security of your product or the ability to conduct business securely.

Reducing costs and improving productivity by implementing and maintaining security following a robust security plan or program.

Enhancing service levels by ensuring secure operations.

The direction of new or growing security technologies or technologies that require secure operation and implementation.

Regulatory compliance has emerged as the biggest and most important driver of information security initiatives and spending.

The Information Security Management Framework comprises:

Information Security policies, procedures, and processes to support the organization's entire security environment, including people, process, and technology.

A security organization and a formal governance program for information security.

The implementation of Security Controls.

The implementation of appropriate and sufficient security tools, such as the performance of knowledge and security audits, and technologies supporting these Security Controls.

The Information Security Management Framework is a continuous and on-going effort. As business requirements and direction change, regulatory security objectives are added or changed, and technology improves and changes, the framework must be reviewed, checked, and updated to accommodate the changing security environment.

The knowledge audit would be useful in this case. A knowledge audit is a systematic examination and evaluation of organizational knowledge health, which examines an organization's knowledge needs, existing knowledge assets/resources, knowledge flows, future knowledge needs, and knowledge gaps, as well as the behavior of people in sharing and creating knowledge. A knowledge audit can reveal an organization's knowledge strengths, weaknesses, opportunities, threats and risks. In order to transform an organization into a learning organization and ensure an effective knowledge management strategy, a knowledge audit should be conducted; it will provide the current state of the organization's knowledge capability and a direction for where and how to improve that capability in order to be competitive in this fast-changing knowledge era.

By conducting a knowledge audit an organization can find out where it stands in terms of information security and can assess the level of learning within an organization. The organization can then identify security needs and implement security control accordingly.

The following security systems need to be implemented within an organization. An explanation of their purpose and usage is also given (Todd and Guitian, 1989).

Security Policy: This is a set of security objectives for the organization. This policy must be agreed upon and approved by upper management.

Security Organization and Governance: Involves assigning security responsibilities and accountability including a management forum for setting and approving security objectives.

Asset Management: Asset management, including the identification, classification, and control of information, hardware, and software assets, needs to be performed so that fraud and theft can be easily identified.

Data Protection: Data protection is concerned with use of effective controls such as password protection and use by authorized personnel only for protecting the confidentiality, integrity, and availability of information and information resources.

Personnel Security: This entails the management of staff; terms of employment; hiring, disciplinary, and termination processes; security inclusion in job descriptions and performance reviews; and security training and awareness, so that the organization is protected against personnel-related security threats.

Physical and Environmental Security: This is the security system for the human and system physical environment, including entry access controls, fire and power controls, and cable and rack security.

Communications and Operations Management: This involves securing the key aspects of managing network and system components and includes backups, anti-virus, patches, and media and laptop security.

Access Control: The objective of this security control system is effective control of logical, physical, and remote access to information and resources. This includes the implementation of identification and authentication, authorization, and password and user management security controls on all applications, operating systems, and within the networks (U.S. Department of Energy, 1992).

Logging and Monitoring: This security system is meant for the collection, aggregation, normalization, correlation, mining, and tracking of security events.

Vulnerability Management: Risk, threat, and vulnerability assessments are performed through this security system.

Incident Management: Detection, reporting, recording, handling, response, review, and management of security incidents are performed so that immediate action can be taken on any possible threats to security.

Software and System Acquisition, Development, and Maintenance: The development and maintenance of software and systems for on-going secure operation is addressed within this security system.

Business Continuity Management: This is concerned with planning and defining the response in the event of a disaster or disruption to the business, to ensure continuity of operations.

Compliance: This system is kept in place to ensure compliance with security and privacy legislative requirements (Burns, n.d.).

The use of security audit:

A security audit is a policy-based assessment of the procedures and practices of a site, assessing the level of risk created by these actions. When an employee performs a security audit it is important to look beyond the IT systems and also consider the human interface to IT. The IT system may be perfectly secure, but users may be involved in practices that compromise the security of the IT systems in place. As a result, any audit must attempt to identify all the possible risks. The IT systems are at risk of compromise from a number of sources, including poorly managed or badly configured systems, internal users, external users, and external attackers (sometimes known as crackers or hackers).

PaperDue. (2011). Information Security Training Program. PaperDue. https://www.paperdue.com/essay/information-security-training-program-117418