Network Vulnerability Assessment
Training IT Staff and End Users
The most important post-assessment activity is to train the IT staff on their new information security responsibilities and accountabilities, and to train the end users on the importance of information security. Given the roles, tasks, responsibilities, and accountabilities defined in this chapter, many IT organizations are faced with two training initiatives: training their IT staff and training their end users. Training the IT staff requires a careful examination of the seven areas of information security responsibility. This training should include information security coursework as well as professional certifications, such as the CISSP certification offered by the International Information Systems Security Certification Consortium, known as (ISC)², or the Global Information Assurance Certification (GIAC) program, which offers in-depth training in all the key areas of security. Training the end users typically takes the form of security awareness training delivered to new employees during their employment orientation. Review of the organization's AUPs and completion of the security awareness training program are usually prerequisites for new employees, contractors, or third parties before they are granted access to the IT infrastructure's resources, systems, and applications.
When conducting a risk and vulnerability assessment, one of the things that should be investigated is the qualifications, experience, and capabilities of the IT staff with regard to information security: their ability to design, implement, and maintain the confidentiality, integrity, and availability of the IT infrastructure and its assets. Through interviews, examination of current practices, and review of the IT staff's experience in information security, specific recommendations can be made to enhance the knowledge and skill sets of the organization's IT staff. Given the roles, tasks, responsibilities, and accountabilities defined in this chapter, a gap analysis should be conducted that compares the seven areas of information security responsibility against the current human resources, IT, and IT security staff, in an effort to identify any gaps or voids in roles, responsibilities, and accountabilities for the organization. This gap analysis is critical because without IT staff properly trained in information security practices and techniques, the IT security architecture and framework cannot be implemented with internal resources. The organization is then forced to hire outside information security consultants or to outsource portions of its information security responsibility to managed security service providers.
The methodology and approach for identifying the training needs of current IT staff is as follows:
- Define the roles, tasks, responsibilities, and accountabilities for information security in the seven areas of information security responsibility.
- Interview the human resources staff and appropriate IT staff who are currently responsible and accountable for implementation of the IT security architecture and framework and the procedures and guidelines in each of the seven areas of information security responsibility.
- Review the IT staff's current job descriptions and identify any gaps, voids, or missing elements with regard to the roles, tasks, responsibilities, and accountabilities for information security.
- Prioritize the gaps and voids in the IT staff's knowledge and background in the seven areas of information security responsibility.
- Create a training strategy and budget that will allow the organization to educate, train, and certify its own internal IT staff in information security practices and techniques; alternatively, budget to hire outside information security consultants to fill the gaps and voids as an interim solution until internal IT staff have been trained.
- Commit to continuous information security education and training for the organization's IT staff, particularly as new systems, applications, and countermeasures are designed and implemented throughout the IT infrastructure.
- Verify and validate that the organization's IT staff are receiving the appropriate level of training and knowledge, using professional certifications such as the CISSP certification for information security professionals or the GIAC certifications as a measure of attainment.
- In concert with human resources, update the roles, tasks, responsibilities, and accountabilities of the IT staff's job descriptions and annual performance review criteria so that information security is brought to the forefront of the organization's IT staff's priorities.
- Review the education, training, and certification strategy, together with the human resource development and annual performance review changes, to confirm that the IT staff is now prepared and motivated to carry out its information security responsibilities.
Developing and delivering an organizational security awareness training program requires a strategy for how best to deploy the knowledge and awareness in concert with the organization's information security policies and standards. In most cases, security awareness training is best delivered via recorded video or via an online e-Learning platform if the organization's end user population is large and distributed across many remote locations. The security awareness training program should focus on the AUPs, policies, standards, procedures, and guidelines that the IT organization wants to deploy throughout the organization. In addition, the security awareness training should stress the importance of each employee's, contractor's, or third-party individual's responsibility and accountability for ensuring the confidentiality, integrity, and availability of the organization's IT infrastructure and its assets.
In concert with the organization's security awareness and training policy for all employees, contractors, and third-party individuals, an organization should define consistent goals and objectives throughout the enterprise. The security awareness and training policy goals and objectives should include the following:
- Develop a comprehensive security awareness program based on the organization's security awareness and training policy for different audiences, including IT, human resources, IT directors and managers, employees, contractors, and third-party individuals.
- Develop a separate, role-specific information security training program for the organization's IT and human resource directors and managers, employees, contractors, and third-party individuals who have specific roles, tasks, responsibilities, and accountabilities pertaining to the policies, standards, technical standards, procedures, and guidelines defined by the organization's IT security architecture and framework.
- Deliver periodic information security awareness programs and initiatives that educate and make the organization's employees, contractors, and third-party individuals aware of the organization's IT security architecture and framework for ensuring the confidentiality, integrity, and availability of the IT infrastructure and assets.
- Align the information security roles, tasks, responsibilities, and management accountability to the seven areas of information security responsibility and train those individuals for their new responsibilities and accountabilities.
- Make it easy to deliver the security awareness training and to track and audit which employees, contractors, and third-party individuals have completed it. Each individual's training record and signed AUP must be simple to track and easy to correlate with one another.
Typically, security awareness training for end users is targeted at the systems and applications they access on a day-to-day basis, whereas security awareness training for IT staff is more technical and focused on the organization's information technology goals and objectives. Common topics for information security awareness usually incorporate elements of the information security standards that are part of the organization's IT security architecture and framework definition. By deriving the security awareness training from the IT security architecture and framework, and focusing it on the policies and standards, an organization can address the security awareness and information security topics it needs to cover in its security awareness training program and campaign.