Page 193 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
awareness program should also be tied to an understanding of how the corporate culture will affect and impact security for individuals as well as the organization as a whole. If employees do not see enforcement of security policies and standards, especially at the awareness level, then they may not feel obligated to abide by them.

Training is teaching employees to perform their work tasks and to comply with the security policy. Training is typically hosted by an organization and is targeted to groups of employees with similar job functions. All new employees require some level of training so they will be able to comply with all standards, guidelines, and procedures mandated by the security policy. New users need to know how to use the IT infrastructure, where data is stored, and how and why resources are classified. Many organizations choose to train new employees before they are granted access to the network, whereas others will grant new users limited access until their training in their specific job position is complete. Training is an ongoing activity that must be sustained throughout the lifetime of the organization for every employee. It is considered an administrative security control.

Methods and techniques to present awareness and training should be revised and improved over time to maximize benefits. This will require that training metrics be collected and evaluated. This may include post-learning testing as well as monitoring for job consistency improvements and reductions in downtime, security incidents, or mistakes. This can be seen as a program effectiveness evaluation.

Awareness and training are often provided in-house. That means these teaching tools are created and deployed by and within the organization itself. However, the next level of knowledge distribution is usually obtained from an external third-party source.

Education is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks. Education is most often associated with users pursuing certification or seeking job promotion. It is typically a requirement for personnel seeking security professional positions. A security professional requires extensive knowledge of security and the local environment for the entire organization and not just their specific