Security Manager's Journal: Security training on the cheap
With no budget, our manager has to devise a security awareness and training program on his own
Computerworld - This month, I've been putting together a security awareness and training program. It's been an opportunity to exercise my creative side (which admittedly is pretty weak). The challenge, of course, is the same as always (you're probably way ahead of me) -- I have no budget.
So like many other things that I've done in this job, I'm doing it myself. The difference this time is that I'm not building technology systems, which I'm comfortable with -- I'm putting together communications and training materials. That requires a different set of skills. Fortunately, I'm already comfortable with writing; these columns have given me a great opportunity to practice my written communication skills. But writing is only part of a comprehensive awareness and training strategy. Just sending out emails and posting information on a website isn't going to be enough to reach everybody.
The National Institute of Standards and Technology (NIST) has published a document, numbered SP800-50, that specifies some best practices for security awareness and training. Though it's oriented toward U.S. government agencies, it's a good starting point for determining what should go into a security training and awareness program for any organization. It has some good guidance for people like me who aren't training professionals but need to teach people good security practices and show them how to follow security policies.
You can download SP800-50 for free, so I won't go into detail about what's in it. I'll just say that the focus is on reinforcing desired security behaviors and teaching security skills to the users. NIST recommends various techniques to get the message across, most of which you've probably seen before. I'm putting together a Web-based training program to get across my key messages and show people how to properly apply our security policies. Putting up posters and sending out email newsletters are things I've already done, because they're free. These will supplement and reinforce the messages in my training. Giveaways and fancy video presentations are out of my range, since I don't have any budget. I'm also considering in-person meetings, such as joining department staff meetings to give a quick security presentation and dropping in on new-hire orientations. I'd rather have some slick materials to give out, but I'm making do with what I can produce myself. It seems there's a lot I can do to improve security awareness without spending money.
Document classification (Public, Internal or Confidential) is one of the core concepts I'm communicating with the training and awareness materials. Last month, I wrote about my new document protection technology project. It's going well so far. I found a consulting firm that can do the work and talked to some other companies that have implemented the technology. Now the key is to get my company's users to properly classify their documents. The technology will take care of the protection if the documents are classified according to their confidentiality.