This paper examines long-term planning for information systems security, with a focus on two interconnected areas. Part 1 outlines a comprehensive IT security training plan for an organization, covering awareness programs, short-term vendor certifications such as CCNA and MCSE, and long-term credentials through GIAC programs offered by the SANS Institute. Part 2 addresses Information Systems Security Lifecycle Management (ISSLM), analyzing its key benefits—including consistency, inclusiveness, and flexibility—alongside common disadvantages stemming from inadequate Information Assurance planning during system development. Together, the two sections argue that a layered approach to security education and lifecycle management is essential for protecting organizational information assets.
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, inspection, recording, or destruction. To succeed, every organization needs a written network security plan in place. A thorough plan will cover topics such as:
An organization cannot safeguard the integrity, privacy, and accessibility of information in today's highly networked environment without ensuring that every person involved in the process understands their roles and responsibilities and is sufficiently trained to perform them. Going forward, training will be carried out for current employees; for new employees within sixty days of hire; whenever there is a major change in the IT security environment or procedures; when an employee enters a new position that deals with sensitive information; and periodically as refresher training, based on the sensitivity of the information the employee handles (Information Technology Security Training Requirements: A Role- and Performance-Based Model, n.d.).
Everyone needs basic training in IT security concepts and practices. Beyond the basics, this approach establishes three separate levels of IT security training: Beginning, Intermediate, and Advanced. Each level is then associated with specific roles and responsibilities. Because people often perform more than one role within an organization, they may need intermediate or advanced IT security training in their primary job role but only beginning-level training in a secondary or tertiary role. This model makes it possible to tailor training to individual employee needs and career mobility, as well as to an organization's evolving mission and changing mix of job functions. Ultimately, the concept of refresher training — traditionally viewed as repetitive learning — gives way to a just-in-time learning approach as an individual's or organization's IT security training needs evolve (Information Technology Security Training Requirements: A Role- and Performance-Based Model, n.d.).
This approach treats awareness programs as a prerequisite to IT security training. Awareness is not the same as training. The purpose of an awareness program is simply to focus attention on security. Awareness programs are designed to allow people to recognize IT security concerns and respond to them accordingly. In awareness activities, the learner is a receiver of information, whereas in a training situation the learner takes a more active role. Awareness relies on reaching wide audiences with engaging packaging techniques in order to capture and hold their attention (Information Technology Security Training Requirements: A Role- and Performance-Based Model, n.d.).
As part of the new IT security plan, all IT staff should obtain vendor certifications. Securing the organization's infrastructure requires keeping abreast of the technologies it is built on. Vendor certifications such as the Cisco Certified Network Associate (CCNA), the Microsoft Certified Systems Engineer (MCSE) with a security specialization, and the Check Point Certified Security Expert (CCSE) are particularly in demand (Gupta, 2011). Demand for these certifications has grown steadily over the last several years, driven in part by their detailed technical focus: they teach professionals the technical skills associated with the systems they are trying to protect and the security capabilities built into that infrastructure.
On a longer-term basis, IT department staff should pursue certifications under the Global Information Assurance Certification (GIAC) program offered by the SANS Institute. While GIAC certifications are intended primarily for practitioners such as system administrators and network engineers, several are appropriate for early-career managers. The GIAC Information Security Officer (GISO) is an entry-level certification covering knowledge of threats, risks, and best practices. The GIAC Security Essentials Certification (GSEC) is an intermediate-level certification that demonstrates foundational information security knowledge for both practitioners and managers (Gregory, 2003).
Information Technology Security Training Requirements: A Role- and Performance-Based Model. (n.d.). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf
Information Systems Security Lifecycle Management. (2009). Retrieved from
Security Network Checklist. (n.d.). Retrieved from http://www.cisco.com/cisco/web/solutions/smallbusiness/resourcecenter/articles/securemybusiness/networksecuritychecklist/index.html