Sequential Label and Supply has suffered several critical IT security breaches. Some were prevented, some were not.In light of these problems, SLS has had to overhaul its entire IT training program. This paper is not an essay,but rather a list or template of the necessary activities the company must undertake to ensure that its usual high standards are maintained in the future.
Sequential Label and Supply
nist sp 800-50, "Building an Information Technology Security Awareness and Training Program"
Sequential Label and Supply
After a recent failure of the computer systems at Sequential Label and Supply, it has become clear that current security provisions are inadequate
The IT security team is under-funded and understaffed
There is a lack of respect for the IT team
Problems are dealt with as they present themselves rather than are anticipated and prevented
Agency IT security policy
At present, there is no formal security policy and problems tend to be addressed on an ad hoc basis. For example, when a disc brought in by an employee infected all of the computers with a virus, the ability to use such software was disabled: no fundamental reforms were made
Awareness
There is a need to create a consistent, coherent security policy for the entire company, in all roles
Objectives include employee education and the development of a comprehensive security program to insure all employees act responsibly in regards to IT
Recent attacks to the company have placed it on high alert, although there remains a demonstrated reluctance to invest in IT security
Review and updating of materials and methods is required ASAP, as is a company-wide meeting on the topic of security; however training and education of all employees must be integrated into the regular schedule and standard operating processes of the company
Training-education
Role 1: Executives and managers
Learning Objectives
Both executives and managers must understand that IT security is not something that can be confined to the IT staff alone, but must be a pervasive, company-wide effort
Focus Areas
Evaluating priority areas using cost-benefit analysis
Methods/Activities
Education about best practices for IT security can be disseminated through meetings, but also through online and software-based training
Education in both formal and informal capacities (through disseminated articles and personal briefings when necessary) must be a continual effort, particularly given the fact that this group of employees seems to give low priority to security and view it as the IT staff's problem
Schedule
In addition to meeting with the group as a whole, regular briefings should be given on a formal basis about changes in IT security policy. Also, informally through emails and company bulletins, the importance of good IT best practices and precautions should reinforced
Evaluation Criteria
Performance can be regularly monitored in regards to IT use to ensure employees are following protocols as well as are meeting the criteria for their job performance (such as a receptionist 'closing' a call swiftly)
Regular questionnaires to evaluate knowledge of staff on IT security
Role 2: IT security staff
Learning Objectives
To create a holistic security plan for the organization which still allows the organization to function effectively
Focus Areas
Instead of 'fixing' problems after they occur, preventative maintenance must be better integrated into the company's standard operating procedures
Methods/Activities
IT staff must monitor and track 'regular' computer activities to compare them against suspicious patterns of use (such as late-night logging in)
Regular simulations of possible attack strategies are required to ensure that defensive strategies stay ahead of the hackers
Schedule
System-wide evaluations should be conducted on a regular basis (for example, every fortnight)
Company-wide meetings to educate all employees on IT-related matters are needed, as well as meetings with individual departments to deal with specific concerns
Evaluation Criteria
A reduction in critical security incidents overall
Employee feedback indicating that knowledge of IT best practices has improved
Role 3: System/Network Administrators
Learning Objectives
Prioritizing areas in need of security controls
Focus Areas
'Back door' attacks
Internal and external threats
Methods/Activities
Reviewing past security attacks
Addressing potential worst-case scenarios through simulation
Schedule
After the initial, comprehensive review of the system and the creation of an overall security policy, training of all staff and re-education of critical IT personnel is demanded on a scheduled, regular basis
Evaluation Criteria
A reduction in critical security incidents overall
Remaining roles with significant IT / security responsibilities
Even non-technical staff must become aware of how to prevent security breaches (such as persons 'sliding through' without showing proper identification
Professional Certification
Role 1: IT security staff
Learning Objectives
IT staff must have the necessary professional qualifications to implement a security strategy
Focus Areas
Specific technical knowledge and educational requirements should be stated in the company manual regarding who fulfills specific positions
Methods/Activities
Computer-based training in new methodologies
Education for staff in department-wide events (if necessary, suspending some company activities to allow for intensive, in-depth education).
IT staff should have to keep certifications current and obtain regular retraining (ideally through web-based methods to minimize disruption to company activities)
Formal promotional certification given on a company-wide basis for fulfilling specific requirements
You’re 80% through this paper. Sign up to read the full paper.
Sign Up Now — Instant Access Already a member? Log inAlways verify citation format against your institution’s current style guide requirements.