SY0-501 Section 2.6 Explain the importance of security related awareness and training

Security Policy Training and Procedures

Security awareness and training are critical to the success of a security effort. They include explaining policies, procedures, and current threats to both users and management.

A security awareness and training program can do much to assist in your efforts to improve and maintain security. Such efforts need to be ongoing, and they should be part of the organization’s normal communications to be effective.

Communicating with Users to Raise Awareness

Communication and awareness help ensure that security information is conveyed to the appropriate people in a timely manner. Most users aren’t aware of current security threats. If you set a process in place to explain concisely and clearly what is happening and what is being done to correct current threats, you’ll probably find the acceptance of your efforts to be much higher.

Communication methods that have proven to be effective for disseminating information include internal security websites, news servers, and emails. You might want to consider a regular notification process to convey information about security issues and changes. In general, the more you communicate in a routine manner, the more likely people will internalize the fact that security is everybody’s responsibility.

Providing Education and Training

Your efforts in education and training must help users clearly understand prevention, enforcement, and threats. In addition to the efforts of the IT staff, the security department will probably be responsible for a security awareness program. Your organization’s training and educational programs need to be tailored for at least three different audiences:

The organization as a whole (the so-called rank and file employees)

Management

Technical staff

These three organizational roles have different considerations and concerns. For example, with organization-wide training everyone understands the policies, procedures, and resources available to deal with security problems, so it helps to ensure that all employees are on the same page.

Role-Based Training

Ideally, a security awareness-training program for the entire organization should cover the following areas:

Importance of security

Responsibilities of people in the organization

Policies and procedures

Usage policies

Account and password-selection criteria

Social engineering prevention

You can accomplish this training either by using internal staff or by hiring outside trainers. We recommend doing much of this training during new-employee orientation and staff meetings. To stay at the forefront of employees’ minds, though, the training needs to be repeated periodically (once a year often works well). Also, don’t forget to have employees sign that they received the training and are aware of the policies.

Management

Managers are concerned with more global issues in the organization, including enforcing security policies and procedures. Managers will want to know the hows and whys of a security program: how it works and why it is necessary. They should receive additional training or exposure that explains the issues, threats, and methods of dealing with threats. Management will also be concerned about productivity impacts and enforcement and how the various departments are affected by security policies.

Technical Staff

The technical staff needs special knowledge about the methods, implementations, and capabilities of the systems used to manage security. Network administrators should evaluate how to manage the network, best practices, and configuration issues associated with the technologies they support. Developers and implementers must evaluate the impact that these measures have on existing systems and new development projects. The training that both administrators and developers need will be vendor specific; vendors have their own methods of implementing security.

Personally Identifiable Information

Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person’s name to a fingerprint (think biometrics), credit card number, or patient record. The term became mainstream when the NIST (National Institute of Standards and Technology) began issuing guides and recommendations regarding it.

Information Classification

Information classification is a key aspect of a secure network. Again, the process of developing a classification scheme is both a technical and a human issue. The technologies you use must be able to support your organization’s privacy requirements. People and processes must be in place and working effectively to prevent unauthorized disclosure of sensitive information.

Information can be generally classified by confidentiality as simply high, medium, or low. However, this is rather vague and not quite as helpful.

If you think about all the information your organization keeps, you’ll probably find that it breaks down into three primary categories:

– Public use

– Internal use

– Restricted use

The following figure shows the typical ratios of how this information is broken down. Notice that 80 percent of the information in your organization is primarily for internal or private use. This information would include memos, working papers, financial data, and information records, among other things.

Data Labeling and Handling

A great many users don’t consider that there are different types of data and various values associated with it. They don’t realize that a misplaced backup copy of the mission statement is not as great a loss from a financial standpoint as a misplaced backup copy of customer contacts. As a security administrator, you should help users to realize that different types of data unique to your organization have different values and need to be labeled accordingly. Once it has been established and understood that there are significant differences, you can address handling these different types of data. The importance of protecting the data in all forms—online, backups, hard copies, and so on—should be covered as well as reasons why different groups should not access data outside of their permission category.

Compliance with Laws, Best Practices, and Standards

Users need to realize that working with data is the same as driving a car, owning a home, or almost anything else in that there are laws, practices, and standards to which they must adhere. Just as negligence fails to be an admissible excuse in other areas of the law, the same holds true when working with data. New regulations are passed regularly, and it is your job as an administrator to educate users on those that are applicable in your environment.

User Habits

Password behaviors

Users need to understand that the stronger they make their password, the more difficult they make anyone’s attempt to crack it. They should be educated to use long passwords consisting of letters, numbers, and characters and to change them frequently. They must also be educated that they cannot write their password down on a sticky note right after a change and post it under the keyboard, on the monitor, or anywhere else. The reasons for regularly changing passwords should be explained along with the requirement that you will make them do so at least every three months.

Data Handling

Only those users needing to work with it should access data. It is your job to implement safeguards to keep the data from being seen by those who should not, but the users need to understand why those safeguards are there and abide by them. There are plenty of examples of companies that have suffered great financial loss when their information, trade secrets, and client information was leaked.

Policy on Personally Owned Devices

Empathize with the users who want to bring their gadgets from home, but make them understand why they cannot. You do not want them plugging in a flash drive, let alone a camera, smartphone, tablet computer, or other device, on which company files could get intermingled with personal files. Allowing this to happen can create situations where data can leave the building that shouldn’t as well as introduce malware to the system. There has been a rash of incidents in which data has been smuggled out of an organization through personal devices.

Employees should not sync unauthorized smartphones to their work systems. Some smartphones use multiple wireless spectrums and unwittingly open up the possibility for an attacker in the parking lot to gain access through the phone to the internal network. Ban—and make sure the users know that you have done so—all social peer-to-peer (P2P) networking. These are common for sharing files such as movies and music, but you must not allow users to bring in devices and create their own little networks to share files, printers, songs, and so on. All networking must be done through administrators and not on a P2P basis. The P2P ports should be listed on the company servers (either whitelisted or blacklisted), and an alert should be sent to you any time someone attempts any P2P activity. Vigilantly look for all such activity, and put a stop to it immediately.
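As an added illustration of the "alert on any P2P attempt" point above (example code written for this guide, not from the study text), the script below scans firewall log lines for connections to a port list the policy designates as P2P and raises one alert per internal host. The log format, the sample lines, and the port list are all assumptions; the list would be tuned from your own blacklist or whitelist.

```python
import re

# Constructed sample firewall log (not real traffic). The line format is an
# assumption: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<p> action=<a>"
SAMPLE_LOG = """\
2024-05-01T09:12:03 src=10.0.5.21 dst=203.0.113.7 dport=443 proto=tcp action=allow
2024-05-01T09:12:09 src=10.0.5.21 dst=198.51.100.4 dport=6881 proto=tcp action=deny
2024-05-01T09:12:10 src=10.0.5.21 dst=198.51.100.9 dport=6885 proto=udp action=deny
2024-05-01T09:13:44 src=10.0.5.33 dst=203.0.113.7 dport=80 proto=tcp action=allow
2024-05-01T09:14:02 src=10.0.5.33 dst=192.0.2.15 dport=4662 proto=tcp action=allow
this line is malformed and must be skipped, not crash the monitor
"""

# Ports the policy treats as P2P. 6881-6889 (BitTorrent) and 4662 (eDonkey)
# are commonly cited defaults; the exact list is an assumption for this example.
P2P_PORTS = set(range(6881, 6890)) | {4662}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_p2p_attempts(log_text):
    """Every record aimed at a P2P port, whether the firewall allowed or denied
    it: the policy wants an alert on any attempt, not only on successes."""
    records = (parse_line(l) for l in log_text.splitlines())
    return [r for r in records if r and r["dport"] in P2P_PORTS]


def build_alerts(log_text):
    """Aggregate attempts per internal source host into one alert each."""
    alerts = {}
    for r in find_p2p_attempts(log_text):
        a = alerts.setdefault(r["src"], {"attempts": 0, "ports": set(), "allowed": 0})
        a["attempts"] += 1
        a["ports"].add(r["dport"])
        a["allowed"] += 1 if r["action"] == "allow" else 0  # allowed = policy gap
    return {src: {**a, "ports": sorted(a["ports"])} for src, a in alerts.items()}


if __name__ == "__main__":
    for src, a in build_alerts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {a['attempts']} P2P attempt(s) on ports {a['ports']}, "
              f"{a['allowed']} allowed through")
```

An "allowed" count above zero means the P2P port is not yet blocked at the firewall and the blacklist needs updating, in addition to following up with the user.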

Prevent Tailgating

Tailgating is the term used for someone being so close to you when you enter a building that they are able to come in right behind you without needing to use a key, a card, or any other security device. Many social engineering intruders needing physical access to a site will use this method of gaining entry. Educate users to beware of this and other social engineering ploys and prevent them from happening.

Clean Desk Policy

Information on a desk—in terms of printouts, pads of note paper, sticky notes, and the like— can be easily seen by prying eyes and taken by thieving hands. To protect data and your business, encourage employees to maintain clean desks and to leave out only those papers that are relevant to the project they are working on at that moment. All sensitive information should be put away when the employee is away from their desk.

New Threats and New Security Trends/Alerts

Many users work on data away from the office as well as in the office. They need to understand that the data is only as strong as the weakest place in which it is used, and they must have security measures on their home computers that protect your company’s data as well. Although the home systems will never be as secure (most likely) as the business systems, at a minimum the home systems need to be running firewalls and updated virus scanners.