Lesson 8: Security Organizational Training
Objective: Increase security and establish organizational training

Increase security effectiveness by establishing organizational training.
The best way to achieve effective security is to teach the members of an organization about the key security principles. If your system users know how to choose good passwords, for instance, it is significantly more difficult for a hacker to bypass your password authentication system. This type of training is central to site security.

Training requirements

Administrators need to understand how to set proper security on the systems they administer.
Programmers must write their software so that it does not provide back doors that hackers can use to exploit the network. By defining what security information you want various groups to know (as shown in the table below), you can create and implement mechanisms to train them.
Back door: An intentional hole in a firewall or security apparatus that allows access around security measures.

Users and their training requirements

End users
  1. New viruses
  2. Use of secure passwords
  3. Security policy
Administrators
  1. Latest threats and countermeasures
  2. Methods for secure administration
  3. Implementation of security policy
Executives
  1. Latest security tools
  2. Maintenance of corporate security policy

Security planning

Security planning ensures that agreed-upon security controls, planned or in place, are fully documented. The security plan also provides a complete characterization or description of the information system as well as attachments or references to key documents supporting the agency's information security program (for example, configuration management plan, contingency plan, incident response plan, security awareness and training plan, rules of behavior, risk assessment, security test and evaluation results, system interconnection agreements, security authorizations and accreditations, and plan of action and milestones).

Management controls comprise the following:

  1. Preventive controls. Preventive management controls include assigning responsibility for security, and developing and maintaining security plans, personnel security controls, and security awareness and technical training.
  2. Detection controls. Detection controls involve background checks, personnel clearance, periodic review of security controls, periodic system audits, risk management, and authorization of IT systems to address and accept residual risk.
  3. Recovery controls. These controls provide continuity of support to develop, test, and maintain the continuity of the operations plan and establish an incident response capability.