Module 4 - Procedural and People Security Controls
This course looks at ways in which the threats and vulnerabilities associated with the people who use IT systems can be mitigated. It highlights the important people security implications and how a security culture can be developed, then it investigates how user access controls can be effectively integrated with IT systems. Finally, it looks at the role of security training and awareness.
The objectives of this course are to provide you with an understanding of:
- The people threats facing organizations and the importance of a security culture
- Practical people controls, including employment contracts, service contracts, codes of conduct and acceptable use policies
- Access controls, including authentication and authorization, passwords, tokens and biometrics
- The importance of data ownership and privacy, access points, identification and authentication mechanisms, and information classification
- How organizations can raise security awareness and the different approaches to deliver security-related training
This course is ideal for members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific prerequisites for studying this course; however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved in security control activity would be advantageous.
We welcome all feedback and suggestions - please contact us at firstname.lastname@example.org if you are unsure about where to start or if you would like help getting started.
Welcome to this short video on training and awareness.
Training and awareness are critical elements of a security culture – starting when the individual joins an organization and running throughout their career to ensure compliance with regulations and vigilance against changing threats.
This video will identify how organizations can raise security awareness and the different approaches they can take to deliver security-related training.
The aim of an information assurance training programme is to reduce the likelihood of assurance-related incidents occurring in an organization. Appropriate and targeted training for different groups helps individuals understand their responsibilities, know how the organization's information assets can be put at risk through mishandling, and understand the actions they can take to avoid incidents occurring.
If they understand the risks they’re exposed to, users are more likely to remember what to do in a situation that could potentially lead to a data breach or security incident. We all know not to leave our phone or handbag on the front seat of the car, and we would never go out for the day and leave the windows and doors of our house open. Information assurance training needs to embed similar behaviours.
Training includes formal security awareness events, which can be augmented by communication campaigns that reinforce messages through emails, leaflets, newsletters and briefings. For example, a security awareness course might warn computer administrators of the danger of people tailgating into the computer room. This can be augmented with posters and further reinforced in the monthly information assurance newsletter.
Users can also be required to read guidance notes when they log into a system and confirm that they have read and understood the information before they can progress any further.
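The login-time "read and confirm" gate described above, as an added example that is not part of the course material or the video: a POSIX shell function suitable for a profile script on a shared Unix host. It displays a policy file, requires the user to type an acknowledgement, and records which version of the policy was acknowledged so the prompt appears once per policy version rather than at every login. The file paths, the policy text and the function name are assumptions chosen for illustration. One caveat worth knowing: the sshd `Banner` directive only displays a file before authentication and cannot require an acknowledgement, which is why the check below runs after login.

```shell
#!/bin/sh
# Added example (not part of the course): a post-login "read and acknowledge"
# gate for an acceptable use policy, e.g. sourced from /etc/profile.d/aup.sh.
# Paths, policy text and the function name are illustrative assumptions.

# require_policy_ack POLICY_FILE ACK_FILE
#   Shows POLICY_FILE and asks the user to type "I agree". The policy's
#   checksum is appended to ACK_FILE, so an edited policy forces a fresh
#   acknowledgement while an unchanged one is accepted silently.
#   Returns 0 if the current version is acknowledged (now or earlier),
#   1 if the user declines or the policy file is unreadable.
require_policy_ack() {
    policy="$1"
    ack="$2"
    [ -r "$policy" ] || { echo "policy file missing: $policy" >&2; return 1; }
    # Version the policy by content checksum (cksum is POSIX).
    version=$(cksum "$policy" | awk '{print $1}')
    if [ -r "$ack" ] && grep -qx "$version" "$ack"; then
        return 0    # this version already acknowledged; no prompt
    fi
    cat "$policy"
    printf '\nType "I agree" to confirm you have read and understood this policy: '
    read -r answer
    if [ "$answer" = "I agree" ]; then
        echo "$version" >> "$ack"
        return 0
    fi
    echo "Policy not acknowledged; access denied." >&2
    return 1
}

# Self-contained demo using a constructed policy in a temporary directory.
# In a real profile script you would instead write something like:
#   require_policy_ack /etc/security/aup.txt "$HOME/.aup_ack" || exit 1
demo() {
    dir=$(mktemp -d)
    printf 'Acceptable Use Policy v1\n- Do not share your credentials.\n' > "$dir/aup.txt"
    printf 'I agree\n' | require_policy_ack "$dir/aup.txt" "$dir/ack" >/dev/null
    first=$?
    # Second login: same policy version, already recorded, so no prompt is shown
    # and no input is needed.
    require_policy_ack "$dir/aup.txt" "$dir/ack" </dev/null >/dev/null
    second=$?
    rm -rf "$dir"
    echo "first=$first second=$second"
}
```

Calling `demo` prints `first=0 second=0`: the first login is accepted because the user typed the acknowledgement, the second because the same policy version is already on record. Appending a line to the policy file changes its checksum and the next login prompts again.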
Every individual in an organization requires training, regardless of how senior they are. However, the training does need to be tailored to the needs of each group in the organization:
· There’s a general level of security awareness that everyone needs, including an understanding of the security policies and the principles of acceptable use;
· There will also be threats that specifically target senior managers; and
· Some of the threats the IT department could face are very specific and of a more technical nature.
To ensure security training is relevant to each group of users, the following questions should be answered during the design phase:
· What’s the purpose of the training?
· What does the training need to cover?
· Who are the learners?
· Which training methods are available and appropriate?
Staff training doesn’t necessarily require a formal classroom event which is often expensive to run and difficult for staff to attend. Modularised online training or e-learning can be a quick and effective way to share knowledge and illustrate best practice. The more interactive the better, so individuals can engage with the learning and think about what they’re doing. Quizzes and assessments can be included to check progress and prove competence.
General awareness information can also be distributed by security guards at the building entrance, or electronically via email or login scripts. And some organizations put up posters to warn of relevant issues like tailgating and social engineering threats.
Measurement of training is important to illustrate that it’s been completed, and individuals have reached the desired competency level. Assessments or quizzes are useful ways to prove competence and scores can be retained in a learning management system. Individuals who repeatedly fail an assessment can be identified for remedial action.
Be careful with the pass mark on assessments. 100% is generally too high and can demotivate learners – it should be a more realistic level with guidance provided for questions answered incorrectly.
There’s a vast amount of publicly available security awareness information. Organizations such as CPNI and NIST provide useful information assurance resources relating to areas like cyber, personal and physical security. They also publish posters and educational films that can be used within an organization.
When sourcing information, vendor-neutral websites are less likely to be biased towards a product or service, and more likely to be up to date. They're also often free to use.
The budget for awareness training should be agreed with senior management before the training is designed. Depending on the approach to the training, costs could include:
· Any hardware or software required to deliver it;
· Printing costs;
· Courseware costs;
· Training administrative costs; and
· The time required for staff to complete the training.
If the training is being outsourced to an external training provider, checks should confirm that the provider can meet the required quality standards.
Training will help to develop positive behaviour, but it shouldn't be the only approach. Organizations that actively encourage staff to report security issues, on the understanding that reported breaches or incidents are seen as positive progress rather than grounds for blame, will develop a security culture in a shorter period of time.
Spot-checks by security guards or information assurance staff to check if individuals remember key messages can also be helpful.
An improvement plan can be created when the security awareness training is being evaluated to take advantage of ideas raised during the training and feed these into the overall security management process.
That’s the end of this video on training and awareness.
About the Author
Fred is a trainer and consultant specializing in cyber security. His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics. However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking. From networking it was a natural progression to IT security and cyber security more generally. As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.