 Training and Dissemination web site

Integrated Site Security for Grids

A project co-funded by EU FP6 programme
Recommendation

Integrate security training and best practices into organisational structures

ID: R57

What:

Security awareness, basic technical knowledge, and knowledge of topics such as data protection and rights and duties are needed at all levels of an organization. Training materials, e.g. slides, IT quizzes, or video material (perhaps from a third party), must reach a wide target audience.

Why: Untrained or unaware users pose a risk to site security, because the failure of a single user may affect the whole site. For many years organizations have disseminated all kinds of administrative information, but recently the need for security-related information has increased dramatically. It is therefore important to integrate this information into the structures that already exist.

How:

Method 1: Prepare and implement a training plan for improving knowledge of computer security within the organization
Incident analysis and known risks help to identify training needs. Defining target audiences allows the organization to disseminate training material specifically, based on the knowledge levels of its employees. The security awareness of employees is a factor that should not be underestimated.

Hints:
  • When creating a training plan, it is important to consider the resources available to work on both the planning and the implementing of the training. This dictates the scope and level of detail of the training and awareness materials.
  • It is not possible to tailor training to the specific needs of every computer user. The training plan should consider the sizes of the different populations to work out where to focus available resources.
  • Once a focus has been chosen, the next issue is deducing what each group needs to know and how they can be reached. Questions to consider include: is it necessary to have a basic/advanced distinction within these groups? How does the physical location of the person affect the means of contact?

Method 2: Provide user/administrator training for security strategies and best practices
If the site has existing training materials, these need to be kept up-to-date.

Hints:
  • Training material has to be kept up-to-date and in step with evolving security threats.
  • Experience has shown that users seem to be more interested in IT security than had been expected.
  • Identify training needs based on security incident analysis and known risks.
  • Develop security training material, either for presentation to computer users or for them to follow online.
  • When new computer accounts are created, ensure that users are fully informed of the security rules of your organization and pass on key security messages to them, including relevant security web addresses.
  • Integrate awareness-raising into incident response so that users failing to comply with security policies are given best practice and policy information to help prevent future incidents.

Links:
  • ISSeG Training http://www.isseg.eu/Training/Training.htm

Method 3: Use existing information channels to integrate security-related questions
Sites sometimes have special information sources such as web portals, a message of the day, games or online quizzes. These sources are a way to improve security in an appealing form, so check whether security-related subjects can be integrated into them. Special events, e.g. the anniversary of the company, are a good platform for disseminating these special training materials.

Hints:
  • Collaboration with the public relations department is needed.
  • If material is developed by an external company, existing licence agreements covering the information material have to be checked.
  • Have security web pages within your organization’s online repository that are linked from relevant entry points (e.g. the main IT pages of your Intranet, introductory pages for newcomers, etc).
  • Promote security awareness campaigns within your organization, e.g. via presentations to targeted audiences, posters, quizzes, leaflets etc.
  • Create security-related articles for your organization’s internal newsletter to ensure users are made aware of any security measures that will affect them and are also informed of security policies, best practices, and web addresses for more information.
  • Develop a set of Frequently Asked Questions with clear, concise answers.
  • Target security information to different audiences in your organization, e.g. managers, system administrators, software developers and general users.

Relevant recommendations:

R45, R56, R58, R62

Relevant threats:

T15, T25, T27

Relevant ISS audit questions:

Q37, Q36, Q51, Q81, Q82, Q95, Q105

Keywords: User, Training, Incident, Developer, System, Administrator, Policy
Recommendation Category:
Technical - X Administrative -  Education -

Copyright (c) Members of the ISSeG Collaboration 2008