Part B: 5.12 Security Awareness Training Flashcards
Can the risk that is inherent in using computer systems be fully addressed through technical security mechanisms?
No, but an active security and awareness program can greatly reduce the risk.
What are 2 critical success factors for information security mgt?
1) Security and awareness program
2) A professional, risk-based approach must be used to identify sensitive and critical information resources, understand the threats and risks to them, and mitigate those risks.
What should security and awareness programs focus on?
Common user security concerns: password selection, appropriate use of computing resources, email and web browsing safety, and social engineering.
Programs should be tailored to specific groups, and particular attention must be paid to job functions that require virtually unlimited data access.
When should employee awareness programs start?
From the point of joining the organisation (induction training) and continue regularly.
What should security awareness programs consist of?
Training
Quizzes
Reminders
Regular schedule of refresher training
Describe the methodical approach that should be taken to develop and implement the education and awareness program.
1) Who is the intended audience? Senior management, business managers, IT staff, end users
2) What is the intended message? Policies, procedures, recent events
3) What is the intended result? Improved policy compliance, behavioural change, better practices
4) What communication method will be used? Computer-based training, all-hands meetings, intranet, newsletters
5) What are the organisational structure and culture?
What are the mechanisms for raising information security awareness?
Computer-based training
Email reminders and tips
Written security policies and procedures
Non-disclosure statements
Use of different media (newsletter, videos, posters, login reminders)
Visible enforcement
Simulated security incidents
Reward employees who report suspicious events
Periodic reviews
Job descriptions
Performance reviews
Name job functions where critical data is processed or critical assets handled.
OS configuration
Programmers
Network engineers
Job schedulers
How does an auditor evaluate effectiveness of security program?
Interaction and interviews with employees help the IS auditor evaluate the state of awareness of information security requirements.
Also, an increase in valid incident reporting indicates that employees are aware of the importance of security and are proactively following the incident reporting procedure.