After an organization's workforce is familiar with why information security is important as well as management's commitment to information asset assurance, actual security training can begin. In this post, the third in a series exploring information security awareness training, we examine the steps leading to a security training program ready for media development.
Training vs. Awareness
In my last post, I described the differences between employee awareness activities and those related to training. Briefly, security awareness efforts prepare employees for more detailed assurance training. Awareness, a general understanding about the importance of information security, makes them more receptive to the targeted training that helps remove vulnerabilities associated with employee behavior.
Information security training is concerned with ensuring employees in a variety of roles, handling various types of data, are trained in organizational policies, standards, and guidelines. But a specific employee doesn't necessarily have to know and understand everything in the organization's security program. Rather, he or she only needs to know enough to be compliant with management's expectations related to his or her role within the organization.
The other major difference between training and awareness activities concerns delivery methods. Where awareness efforts are easily accomplished via non-instructor, Intranet delivery, training often requires classroom time to ensure complex concepts are effectively conveyed.
Let's look at role-based training and selecting delivery methods in more detail.
There are three high-level training target groups within any organization: technical workers, managers, and business users. Each of these groups is unique in both what information security is important and the required level of technical detail. There are also differences in how these groups perceive security.
For example, where technical workers might need to be focused on proper network design—ensuring security packet delivery and data storage—business users should be concerned with the proper handling of information on end-user devices, including smartphones, MP3 players, and USB drives.
Within each of these groups, there are additional sub-groups with special training requirements. For instance, developers need familiarity with guidelines like the OWASP Top 10, while security and business analysts have to understand how to balance information asset assurance and acceptable operational efficiency.
If you've never looked at training this way, you probably don't have your various target groups defined. One way to get started is use of the questionnaire included in NIST SP 800-50, Appendix A. Asking one or two users within each organizational role to complete the questionnaire provides insight into training requirements, including
- Data accessed
- How it's accessed
- The level of technical expertise required
Training program designers can also use the document to gather information about preferred delivery methods and the level of understanding employees think they need. Figure 1 is an extract from the details portion of the questionnaire.
Choosing Topics and Delivery Methods
Although the questionnaire can also help identify many training topics, there are others you need to ensure are included in any Information System Awareness Training Program (ISATP). These include,
- Regulatory issues. Regulations governing information assurance are many and growing. Included in the commonly quoted list are the HIPAA, SOX, PCI DSS, GLB, and the new "Red Flag" rules. Employee training is an important part of achieving compliance.
- Legal environment. Added to regulatory issues is the judicial climate, how judges and juries view data leakage issues and other security incidents.
- Enterprise configuration. How your organization's network is designed and how employees access and use information affects training content. Topics might include,
- Mobile workforce issues (e.g., remote access policies, and processing or storing data on handheld devices)
- Safe use of wireless technology in the office, on the road, or at home
- Use of USB storage devices
- Data handling and encryption requirements. All data in your environment should be classified. Classification helps apply the right controls to information in transit, at rest, or being processed. Employees should understand your organization's approach and the types of data that fall into each classification. Further, each employee should understand what data classes require encryption and when. For more information on when to encrypt data, see Data Storage Security.
Topics identified will drive training delivery methods. For example, complex topics like HIPAA compliance relative to system design and implementation is probably a candidate for classroom, instructor-led sessions. On the other hand, a discussion about USB storage acceptable use might only require an Intranet delivered self-paced presentation.
Once again, employees will make recommendations in the questionnaire above about how they prefer to have certain topics conveyed.The final word
Other aspects of training are similar to awareness efforts. For example, an evaluation process for both how employees viewed training value as well as measures of post-training acceptable behavior are necessary to demonstrate effectiveness. See Security begins with employee understanding and acceptance for additional information.
Training is the path to ensuring your biggest potential vulnerability, uninformed users, is addressed. In my next and final article in this series, I discuss training delivery and continuous awareness methods in more detail.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.