Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act places emphasis on the importance of a training and awareness program and states under section 3544(b)(4)(A), (B) that agencies must provide "security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks."
Reasons for training and awareness program:
Information security awareness and training is one of the most critical aspects of an organization's information security strategy and of the security operations that support it (Maconachy, n.d.). This is because people are in many cases the last line of defense against threats such as malicious code, disgruntled employees, and malicious third parties, all of which introduce costly tangible and intangible losses to organizations. People therefore need to be educated on what the organization considers appropriate security-conscious behavior and on the security best practices staff must incorporate into their daily business activities. Information security awareness and training can also serve as an effective accountability mechanism, because it overcomes a common obstacle faced by many organizations: the inability to hold personnel accountable for their actions when no information security awareness and training program (ISATP) has been run to address what those personnel do not know or understand.
IT security policy - Goals and Objectives:
The goal of the organization is to impart sufficient knowledge and skills to its staff regarding the impact of information warfare, the importance of information security, the use of information security systems, security threats, and knowledge audits.
In order to achieve this goal, the organization has developed this training and awareness program to provide the chief training officer with prescriptive guidance outlining how to successfully and effectively address all components of information security.
The information security learning process begins with establishing awareness. The primary objective of establishing information security awareness is to change workforce behavior by reinforcing acceptable security business practices. This objective is achieved by imparting an understanding of information security considerations and enabling individuals to apply them in all settings. A security awareness presentation guide for delivering effective security awareness presentations to the organization's entire workforce has therefore been prepared.
A role-based information security training process follows the completion of the information security awareness process, since the skills acquired during information security training are built upon the awareness foundation. The primary objective of role-based information security training is to impart relevant and necessary information security skills and competencies to practitioners, whether or not their professional responsibilities explicitly involve information security (Orientation Into Practical Reality, 1989).
Roles and Responsibility:
IT professionals are responsible for facilitating the entire information security awareness and training program, including its management, design, development, execution, and ongoing maintenance. However, IT professionals are not the only resource required to successfully develop, deliver, and maintain such a program. For the program to succeed, there must be sufficient representation from all vital departmental and business unit personnel, including human resources, help desk, finance, IT, facilities, audit, training, and legal counsel.
Awareness program:
Many of the prevalent types of security incidents that cost organizations substantial amounts of money and reputation result from inadvertent acts performed by insufficiently informed practitioners. One of the most effective mechanisms the organization can apply to reduce these incidents is establishing and executing an information security awareness program. Information security awareness initiatives are vital in combating these and many other security incidents because they change practitioners' behavior, making them more security-conscious in all the business activities they conduct.
Target Audience:
Every employee, temporary employee, contractor, business partner, vendor, and so on has information security roles and responsibilities to fulfill in order to increase assurance that the organization's information and other critical assets are sufficiently protected against theft, harm, and inappropriate disclosure. It is therefore imperative that the entire workforce receive sufficient information security awareness and training.
Activities and target dates:
Instructor-led delivery through a presentation: The optimal delivery mechanism for information security awareness and training content is instructor-led delivery. Instructor-led delivery enables the instructor and other observing personnel to monitor body language and determine whether the content is being understood and absorbed by the managerial staff. Since the...