Building the Foundation of an Effective ‘Security Awareness & Training’ Program

People can be the greatest asset to an organization's cyber security program. Unfortunately, an untrained, malicious, or careless employee can also be its greatest security liability. That is why Security Awareness Training is an integral part of an organization's overall IS (Information Systems) Security management program.

An important and often overlooked prerequisite for an effective Security Awareness & Training program is a well-developed, documented set of security policies. "Like the tedious prep work before painting a room, organizations need a good, detailed, and well written security policy" (Vacca, 2009, p. 45).

Security Policies

Security Policies form the foundation upon which all other IS Security controls stand. They state the organization's goals and objectives with respect to IS Security, and every security measure taken within the organization should trace back to a policy. A control that has no policy behind it cannot be consistently enforced, because nobody has formally agreed on what it is meant to protect or what users are required to do.

People who understand and follow the organization's Security Policies are sometimes called "Human Shields", because they add another layer of protection to the overall security management program. Conversely, people who do not support the organization's security program are often referred to as "Human Obstacles", because they undermine the ability of the other security safeguards to perform their function effectively.

Security Awareness Training

Security Awareness Training changes behaviors and reduces risk to the organization. It also establishes the expectations against which noncompliance can later be measured. "An effective IS security awareness and training program explains proper rules of behavior for the use of IT systems and information. The program communicates security policies and procedures that need to be followed. This must precede and lay the basis for any sanctions imposed due to noncompliance. Users first should be informed of the expectations. Accountability must be derived from a fully informed, well-trained, and aware workforce" (NIST, 2003, p. 7).