Security Manager's Journal: Security training on the cheap
With no budget, our manager has to devise a security awareness and training program on his own
Computerworld - This month, I've been putting together a security awareness and training program. It's been an opportunity to exercise my creative side (which admittedly is pretty weak). The challenge, of course, is the same as always (you're probably way ahead of me) -- I have no budget.
So like many other things that I've done in this job, I'm doing it myself. The difference this time is that I'm not building technology systems, which I'm comfortable with -- I'm putting together communications and training materials. That requires a different set of skills. Fortunately, I'm already comfortable with writing; these columns have given me a great opportunity to practice my written communication skills. But writing is only part of a comprehensive awareness and training strategy. Just sending out emails and posting information on a website isn't going to be enough to reach everybody.
The National Institute of Standards and Technology (NIST) has published a document, numbered SP800-50, that specifies some best practices for security awareness and training. Though it's oriented toward U.S. government agencies, it's a good starting point for determining what should go into a security training and awareness program for any organization. It has some good guidance for people like me who aren't training professionals but need to teach people good security practices and show them how to follow security policies.
You can download SP800-50 for free, so I won't go into detail about what's in it. I'll just say that the focus is on reinforcing desired security behaviors and teaching security skills to the users. The NIST recommends various techniques to get the message across, most of which you've probably seen before. I'm putting together a Web-based training program to get across my key messages and show people how to properly apply our security policies. Putting up posters and sending out email newsletters are things I've already done, because they're free. These will supplement and reinforce the messages in my training. Giveaways and fancy video presentations are out of my range, since I don't have any budget. I'm also considering in-person meetings, such as joining department staff meetings to give a quick security presentation and dropping in on new-hire orientations. I'd rather have some slick materials to give out, but I'm making do with what I can produce myself. It seems there's a lot I can do to improve security awareness without spending money.
Document classification (Public, Internal or Confidential) is one of the core concepts I'm communicating with the training and awareness materials. Last month, I wrote about my new document protection technology project. It's going well so far. I found a consulting firm that can do the work and talked to some other companies that have implemented the technology. Now the key is to get my company's users to properly classify their documents. The technology will take care of the protection if the documents are classified according to their confidentiality.
More by J.F. Rice