Training & Awareness
Based on a strict interpretation of the Infomation Security taxonomy used on this site, training is an administrative control - it is used to reinforce the controls required by the laws, regulations and policies that apply to the business. For example, if your business' policy requires that employees select strong passwords, you will likely need to provide them with awareness materials and training addressing what "strong" means and how to effectively manage these passwords. The pitfall in this approach is that if training is treated strictly as an administrative control, the program will tend to focus on the existing legal and policy requirements and not on the changing environment within the business. If it turns out that employees take the training to heart and start selecting passwords that are so "strong" that they tend to forget them (leading to a flood of password reset requests, complaints from employees that the password policies are overly burdensome and evidence that employees are increasingly resorting to writing down their passwords), there is clear evidence that the control is not working efficiently and there is an increased risk that people will ignore it. In effect, the training program needs to be adjusted to guide employees in setting passwords that meet the minimum requirements for "strong" while providing suggestions for password structures that the employee can easily recall. For this reason, it's recommended that you treat training as part of the Response phase - the training curriculum is continually adjusted to respond to changes in the business environment.
There are many definitions for training and awareness. This Handbook uses the following approach to distinguishing the two activities:
Awareness: Management must create and support an environment where each employee understands the importance of controls for minimizing operational risk. Controls should not be an afterthought in the creation of new processes and applications; they should be a fundamental part the life cycle. Awareness activities help to re-enforce this message by familiarizing employees with the importance of a ”control culture”, describing each employee’s responsibilities and providing resources for further information. Typical awareness activities include the distribution of “flyers” through desk drops and emails, the delivery of PowerPoint presentations in face-to-face meetings or over the Web, videotape presentations, and Awareness Day events where promotional items, flyers and other materials are distributed to employees. Each BISO plays a critical role in this education process to ensure that management’s message is properly communicated.
Topics for information security awareness activities span such areas as password management, what is information security, securing the workplace, social engineering and know your BISO. While BISO’s should tailor these activities to meet the specific needs and environment of the business, do be aware of issues involving language, cultural concerns, legal and regulatory restrictions and enterprise initiatives when distributing awareness materials.
Each employee should receive some form of awareness material or information at least once each year. The reality is that as a BISO you should ensure that you have a continuing awareness program that distributes information on a regular basis throughout the year. Coordinate your program with your business COB Coordinator and Records Management Officer to re-enforce the message that operational risk controls are critical to the business. While you do not want to “over sell” information security and make employees feel like they are subject to a barrage of mind numbing flyers, you do want to make sure they do not lose sight of its importance.
Training: Many employees have specific responsibilities related to information security. This includes BISO’s, information security administrators, Web and other application developers, system administrators, data base administrators, and help desk and customer support personnel. These employees need specific and focused training to ensure they understand their responsibilities and are able to provide proper support.
Far too many senior managers believe that the information security function can be adequately performed by employees with limited or no prior experience. The view is that a BISO fulfills primarily an administrative and compliance function (just fill out the questionnaires, keep eTools up to date, attend the weekly calls, perform some secure workplace sweeps, send out a few flyers, and put a name in the empty BISO box on the org chart). We, as information security professionals, are mostly responsible for the low esteem that this position typically is given. If we are poorly trained and have minimal experience, then few will rely upon us for guidance and advice. If we have poor management and communication skills, people with problems will conveniently forget to invite us to the meetings where critical decisions are made. We become a self-fulfilling prophesy. Until we are willing to be and act like professionals, we will be treated like amateurs. As a BISO you should have a plan to continually improve your level of training through internal and outside courses, membership in professional organizations, monitoring of information security news sites and contact with other information security professionals.
©2009 ISRMC, LLC