Page 192 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Establish and Maintain a Security Awareness, Education, and Training Program


The successful implementation of a security solution requires changes in user behavior. These changes primarily consist of alterations in normal work activities to comply with the standards, guidelines, and procedures mandated by the security policy. Behavior modification involves some level of learning on the part of the user. To develop and manage security education, training, and awareness, all relevant items of knowledge transference must be clearly identified and programs of presentation, exposure, synergy, and implementation crafted.

A prerequisite to security training is awareness. The goal of creating awareness is to bring security to the forefront and make it a recognized entity for users. Awareness establishes a common baseline or foundation of security understanding across the entire organization and focuses on the key or basic security topics and issues that all employees must understand. Awareness is not created exclusively through classroom-type exercises but also through the work environment. Many tools can be used to create awareness, such as posters, notices, newsletter articles, screen savers, T-shirts, rally speeches by managers, announcements, presentations, mouse pads, office supplies, and memos, as well as traditional instructor-led training courses.

Awareness establishes a minimum common denominator, or foundation, of security understanding. All personnel should be fully aware of their security responsibilities and liabilities. They should be trained to know what to do and what not to do.

The issues that users need to be aware of include avoiding waste, fraud, and unauthorized activities. All members of an organization, from senior management to temporary interns, need the same level of awareness. The awareness program in an organization should be tied in with its security policy, incident-handling plan, business continuity, and disaster recovery procedures. For an awareness-building program to be effective, it must be fresh, creative, and updated often. The