Tuesday, March 18, 2014

Part V-2: Security Awareness Training


     Security awareness training needs to be customized to fit its target groups. These groups include, but are not limited to, managers, IT personnel, computer users, non-technical personnel, administrative assistants, receptionists, and security guards.

     Unfortunately, security awareness training is usually quite boring. So you need to focus on the most important thing, which is to motivate employees to follow the security measures. You may assign role plays during the training to keep the class engaged. At the end, you might let the class work together to figure out the security measures that would stop a particular attack.

Contents of the Training

     Security awareness training should include, but is not limited to, the following contents:
  • A summary of key security policies and an explanation of their meaning. 
  • The location of the company’s security policies and procedures, and their importance to the protection of information and corporate information systems.
  • A description of the methods used by attackers to deceive people. 
  • How to recognize a possible social engineering attack. 
  • The procedure for handling a suspicious request.
  • The fact that they should not implicitly trust others without proper verification, even though their impulse is to give others the benefit of the doubt.
  • The importance of verifying the identity and authority of any person making a request for information or action.
  • Procedures for protecting sensitive information, including familiarity with any data classification system.
  • How to determine the classification of information, and the proper safeguards for protecting sensitive information.
  • The procedure for disclosing sensitive information or materials.
  • The obligation of every employee to comply with the policies, and the consequences for non-compliance.
  • Physical security requirements such as wearing a badge.
  • The responsibility to challenge people on the premises who aren’t wearing a badge.
  • Security policies related to computer and voice mail passwords. 
  • Best security practices of voice mail usage.
  • Email usage policy, including the safeguards against malicious code such as viruses, worms, and Trojan horses.
  • Proper disposal of sensitive documents and computer media that contain, or have at any time in the past contained, confidential materials.

After the Training

     Security awareness training is not a one-time project. People may understand and remember what to do very well right after the training, but this knowledge fades over time. Also, attackers constantly adapt to defenses. So the training must be continual. Here is a list of ongoing tasks you need to do to keep your company secure:
  • Providing copies of this book to all employees.
  • Including informational items in the company newsletter: articles, boxed reminders (preferably short, attention-getting items), or cartoons, for example.
  • Posting a picture of the Security Employee of the Month.
  • Hanging posters in employee areas.
  • Posting bulletin-board notices.
  • Providing printed enclosures in paycheck envelopes.
  • Sending email reminders.
  • Using security-related screen savers.
  • Broadcasting security reminder announcements through the voice mail system.
  • Using an electronic message display board in the cafeteria, with a frequently changing security reminder.
  • Distributing flyers or brochures.
  • Printing phone stickers with messages such as ‘Is your caller who he says he is?’
  • Setting up reminder messages to appear on the computer when logging in, such as ‘If you are sending confidential information in an email, encrypt it.’
  • Including security awareness as a standard item on employee performance reports and annual reviews.
  • Providing security awareness reminders on the intranet, perhaps using cartoons or humor, or in some other way enticing employees to read them.
  • Thinking of gimmicks, such as free fortune cookies in the cafeteria, each containing a security reminder instead of a fortune.
  • Running penetration tests regularly and using the results to identify the areas that need further training.
  • Setting up a reward program for persons who catch a social engineer.

Source: The Art of Deception: Controlling the Human Element of Security
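
The last two items above only pay off if the test results are actually turned into a training plan. The script below is an added example, not code from the book or from this blog, of how to do that: it takes the results of a simulated social-engineering exercise (who complied with the bogus request, who reported it, who ignored it), computes per-group compliance and reporting rates, and flags the groups whose numbers call for follow-up training. The CSV layout, the group names, the sample rows and the two thresholds are all assumptions made for this illustration.

```python
"""Turn social-engineering test results into follow-up training targets.

Added example, not from The Art of Deception. The CSV columns
(group, target, outcome) and the thresholds are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample results from a simulated phishing / pretext-call exercise.
# outcome: "complied" = gave information or clicked, "reported" = escalated the
# request through the proper channel, "ignored" = neither.
SAMPLE_RESULTS = """\
group,target,outcome
reception,alice,complied
reception,bob,complied
reception,carol,reported
helpdesk,dave,reported
helpdesk,erin,reported
helpdesk,frank,ignored
finance,grace,complied
finance,heidi,ignored
finance,ivan,complied
finance,judy,reported
"""

# Assumed policy: more than 25% compliance or less than 50% reporting
# means the group goes back into training on the corresponding topic.
COMPLY_THRESHOLD = 0.25
REPORT_THRESHOLD = 0.50


def summarize(csv_text):
    """Return {group: {"n": int, "complied": float, "reported": float}}.

    Rates are fractions of the group's tested population. Unknown outcome
    values are rejected rather than silently counted as "ignored".
    """
    counts = defaultdict(lambda: {"n": 0, "complied": 0, "reported": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        g = counts[row["group"].strip()]
        g["n"] += 1
        outcome = row["outcome"].strip().lower()
        if outcome == "complied":
            g["complied"] += 1
        elif outcome == "reported":
            g["reported"] += 1
        elif outcome != "ignored":
            raise ValueError(
                f"unknown outcome {row['outcome']!r} for target {row['target']!r}")
    return {
        name: {
            "n": c["n"],
            "complied": c["complied"] / c["n"],
            "reported": c["reported"] / c["n"],
        }
        for name, c in counts.items()
    }


def training_needs(summary, comply_threshold=COMPLY_THRESHOLD,
                   report_threshold=REPORT_THRESHOLD):
    """Map each group to the training topics it needs (empty list = none)."""
    needs = {}
    for name, s in summary.items():
        topics = []
        if s["complied"] > comply_threshold:
            topics.append("verifying identity and authority before complying")
        if s["reported"] < report_threshold:
            topics.append("procedure for reporting a suspicious request")
        needs[name] = topics
    return needs


if __name__ == "__main__":
    summary = summarize(SAMPLE_RESULTS)
    for group, topics in sorted(training_needs(summary).items()):
        s = summary[group]
        verdict = "; ".join(topics) if topics else "no follow-up needed"
        print(f"{group:10s} n={s['n']} complied={s['complied']:.0%} "
              f"reported={s['reported']:.0%}  -> {verdict}")
```

With the sample data, the help desk reports two of three requests and complies with none, so it needs nothing; reception and finance exceed the compliance threshold and fall short of the reporting threshold, so both get retrained on verification and on the reporting procedure. Running the same script on each round of tests lets you see whether the rates move after training, which is the real measure of whether the awareness program is working.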

Book or Audiobooks?

     Personally, I prefer audiobooks. It's fun, and I can listen while I'm doing something else. It also makes other activities (e.g., jogging) a lot more fun. For more detail about audiobooks, please read [this post].
     There is one more reason that may encourage you to go for the audiobook version. You can get it now for FREE. Audible offers you a free trial for 14 days. Even if you get the book and cancel the subscription right away (so that you don't have to pay), you can keep the book. And don't worry if you lose the audiobook file. Just log into audible.com. You can keep downloading it over and over again.
     About the summary: It takes time to finish a book. And when you do, sometimes you want to review what you learned from the book. If you do not make notes as you read, you might have to go through the book once again. This can be time-consuming when you are dealing with a book, but you can still flip through the book and locate what you are looking for.

However, when the material is an audiobook, it is extremely hard to locate a specific part of the content. Most likely you will have to listen to the entire audiobook once again.

This book summary will help solve the pain of having to go through the book all over again.

I am leaving out the details of the book. Most books have interesting examples and case studies, which are not included here. Reading the original book would be much more entertaining and enlightening. If you like the summary, you may want to get the original from the source above.
