CISSP For Dummies
The CISSP candidate should be familiar with the tools and objectives of awareness, training, and education programs that compose security awareness.
Remember: Security awareness is an often-overlooked factor in an information security program. Although security is the focus of security practitioners in their day-to-day functions, it’s often taken for granted that common users possess this same level of security awareness. As a result, users can unwittingly become the weakest link in an information security program. Several key factors are critical to the success of a security awareness program:
- Senior-level management support. Under ideal circumstances, senior management is seen attending and actively participating in training efforts.
- Clear demonstration of how security supports the organization’s business objectives.
- Clear demonstration of how security is important to all individuals and their job functions.
- Current levels of training and understanding of the intended audience taken into account. Training that’s too basic will be ignored; training that’s too technical will not be understood.
- Action and follow-up. A glitzy presentation that’s forgotten as soon as the audience leaves the room is useless. Find ways to incorporate the lessons into day-to-day activities and follow-up plans.
Instant Answer: The three main components of an effective security awareness program are a general awareness program, formal training, and education.
Awareness
A general awareness program provides basic security information and ensures that everyone understands the importance of security. Awareness programs may include the following elements:
- Indoctrination and orientation: New employees and contractors should receive a basic indoctrination and orientation. During the indoctrination, they may receive a copy of the corporate information security policy, be required to acknowledge and sign acceptable use statements and non-disclosure agreements, and meet immediate supervisors and pertinent members of the security and IT staff.
- Presentations: Lectures, video presentations, and interactive computer-based training (CBT) are excellent tools for disseminating security training and information. Employee bonuses and performance reviews are sometimes tied to participation in these types of security awareness programs.
- Printed materials: Security posters, corporate newsletters, and periodic bulletins are useful for disseminating basic information such as security tips and for promoting awareness of security.
Training
Formal training programs provide more in-depth information than an awareness program and may focus on specific security-related skills or tasks. Such training programs may include:
- Classroom training: Instructor-led or other formally facilitated training, possibly at corporate headquarters or a company training facility.
- On-the-job training: May include one-on-one mentoring with a peer or immediate supervisor.
- Technical or vendor training: Training on a specific product or technology provided by a third party.
- Apprenticeship or qualification programs: Formal probationary status or qualification standards that must be satisfactorily completed within a specified time period.
Education
An education program provides the deepest level of security training, focusing on underlying principles, methodologies, and concepts.
An education program may include:
- Continuing education requirements: Continuing Education Units (CEUs) are becoming popular for maintaining high-level technical or professional certifications such as the CISSP or Cisco Certified Internetwork Expert (CCIE).
- Certificate programs: Many colleges and universities offer adult education programs with classes on current and relevant subjects for working professionals.
- Formal education or degree requirements: Many companies offer tuition assistance or scholarships for employees enrolled in classes that are relevant to their profession.