CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [240]

Communication and Awareness

Communication and awareness help ensure that information is conveyed to the appropriate people in a timely manner. Most users aren’t aware of current security threats. If you set a process in place to concisely and clearly explain what is happening and what is being done to correct current threats, you’ll probably find acceptance of your efforts to be much higher.

Communication methods that have proven to be effective for disseminating information include internal security websites, news servers, and e-mails. You might want to consider a regular notification process to convey information about security issues and changes. In general, the more you communicate about this in a routine manner, the more likely people will internalize the fact that security is everybody’s responsibility.

Providing Education
Your efforts in education must help users clearly understand prevention, enforcement, and threats. The security department will also probably be responsible for a security-awareness program. Your training and educational programs need to be tailored for at least three different audiences:

■ The organization as a whole

■ Management

■ Technical staff

These three organizational roles have different considerations and concerns. For example, with organization-wide training, everyone understands the policies, procedures, and resources available to deal with security problems; it helps ensure that all employees are on the same page. The following list identifies the types of issues that members of an organization should be aware of and understand.

Organization Ideally, a security-awareness training program should cover the following areas:

■ Importance of security

■ Responsibilities of people in the organization

■ Policies and procedures

■ Usage policies

■ Account and password-selection criteria

■ Social engineering prevention

You can accomplish this training either by using internal staff or by hiring outside trainers. I recommend doing much of this training during new-employee orientation and staff meetings.

Management Managers are concerned with larger issues in the organization, including enforcing security policies and procedures. Managers will want to know the whys of a security program, as well as how it works. They should receive additional training or exposure that explains the issues, threats, and methods of dealing with threats. Management will also be concerned about productivity impacts, enforcement, and how the various departments are affected by security policies.

Technical staff The technical staff needs special knowledge about the methods, implementations, and capabilities of the systems used to manage security. Network administrators will want to evaluate how to manage the network, best practices, and configuration issues associated with the technologies they support. Developers and implementers will want to evaluate the impact these measures have on existing systems and new development projects. The training that both administrators and developers need will be vendor specific; vendors have their own methods of implementing security.

Microsoft, Novell, and Cisco each offer certification programs to train administrators on their environments. All of these manufacturers have specific courseware on security implementations, and some offer security certification. You should implement security systems consistent with the manufacturer’s suggestions and guidance. Implementing security in a non-standard way may leave your system insecure.

One of the most important aspects of education is that it needs to reach an appropriate audience. Spending an hour preaching on back-end database security will likely be an hour wasted if the only members of the audience are data-entry personnel who get paid by the keystroke to make weekly changes as quickly as possible.

Real World Scenario

Applying Education Appropriately

As a security administrator, you need to know the level of knowledge that is appropriate for the audience you’re addressing and be able
