![\"aplus\"](\"https:\/\/www.empowerbpo.com\/blog\/wp-content\/uploads\/2008\/04\/aplus1.gif\" "\\"aplus\\"")
We recently completed a security training needs assessment for one of the states here on the West Coast. Part of the study was to identify a list of accepted “best practices” in security awareness training.<\/p>\nWe recently completed a security training needs assessment for one of the states here on the West Coast. Part of the study was to identify a list of accepted “best practices” in security awareness training.<\/p>\n
<\/p>\n
To do this, we started from a definition given by Dr. John Nugent of the University of Dallas Center of Information Assurance:<\/p>\n
Best Practices are those documented, accessible, effective, appropriate, and widely accepted strategies, plans, tactics, processes, methodologies, activities, and approaches developed by knowledgeable bodies and carried out by adequately trained personnel which are in compliance with existing laws and regulations and that have been shown over time through research, evaluation, and practice to be effective at providing reasonable assurance of desired outcomes, and which are continually reviewed and improved upon as circumstances dictate.<\/i><\/p><\/blockquote>\n
Then, we looked for established training practices that met the following criteria:<\/p>\n
\n
- Documented.<\/li>\n
- Widely accepted.<\/li>\n
- Developed by knowledgeable bodies.<\/li>\n
- In compliance with existing laws and regulations.<\/li>\n
- Effective at providing reasonable assurance of desired outcomes.<\/li>\n
- Continually reviewed and improved upon.<\/li>\n<\/ul>\n
We looked closely at IT and business standards, laws and regulations, and official guidance documents such as:<\/p>\n
\n
- ISO 17799<\/li>\n
- COBIT 4.0<\/li>\n
- HIPAA (Privacy & Security Rules)<\/li>\n
- GLB-A<\/li>\n
- PCI Data Security Standard<\/li>\n
- OMB Circular A-130<\/li>\n
- FISMA<\/li>\n
- NIST SP 800-16<\/li>\n
- NIST SP 800-50<\/li>\n
- Section 508 of the Rehabilitation Act<\/li>\n<\/ul>\n
Here are 17 of the best practices that were identified as a result of the study cross-referenced against the sources.<\/p>\n
\n\n
\n STRATEGY & PLANNING <\/strong>
\n<\/strong><\/td>\n<\/tr>\n\n 1<\/td>\n Mandatory Security Awareness<\/b>
\nSecurity awareness training is mandatory for all staff (including management).<\/td>\nISO 17799
\nCOBIT 4.0
\nHIPAA Security Rule
\nBITS FISAP
\nFISMA<\/td>\n<\/tr>\n\n 2<\/td>\n Training for Third Parties<\/b>
\nAll third parties with access to an organization\u2019s information receive the same security awareness training, or training to an equivalent level.<\/td>\nISO 17799
\nPCI Data Security Std.
\nFISMA
\nOMB Circular A-130<\/td>\n<\/tr>\n\n 3<\/td>\n Training is Required Before Access is Granted<\/b>
\nSecurity awareness training commences with a formal induction process designed to introduce the organization\u2019s security policies and expectations before access to information or services is granted.<\/td>\nISO 17799
\nOMB Circular A-130<\/td>\n<\/tr>\n\n 4<\/td>\n Staff Must Acknowledge Policy<\/b>
\nStaff are required to acknowledge that they have read and understood the organization\u2019s information security policy.<\/td>\nPCI Data Security Std.
\nGLB-A<\/td>\n<\/tr>\n\n 5<\/td>\n Training at Least Annually<\/b>
\nAll staff (and third parties) are exposed to security awareness training at least once per year.<\/td>\nNIST SP 800-50<\/td>\n<\/tr>\n \n 6<\/td>\n Periodic Security Reminders<\/b>
\nAll staff are provided with periodic reminders about information security.<\/td>\nHIPAA Security Rule
\nNIST SP 800-50
\nGLB-A
\nOMB Circular A-130<\/td>\n<\/tr>\n\n 7<\/td>\n Management Support<\/b>
\nManagement supports and (where appropriate) attends security awareness sessions.<\/td>\nCOBIT 4.0
\nBITS Critical Success Factors<\/td>\n<\/tr>\n\n 8<\/td>\n Multiple Points of Contact<\/b>
\nWhere possible, multiple points of contact (e.g. IT, HR) are used to stress the importance of the program.<\/td>\nBITS Critical Success Factors<\/td>\n<\/tr>\n \n <\/td>\n<\/tr>\n \n PROGRAM DESIGN & DEVELOPMENT <\/strong><\/p>\n <\/td>\n<\/tr>\n
\n 9<\/td>\n Common Level of Security Literacy<\/b>
\nA “Common Level” of security training applicable to all staff in this and other organizations has been identified.<\/td>\nNIST SP 800-16
\nNIST SP 800-50<\/td>\n<\/tr>\n\n 10<\/td>\n Role-Based Training<\/b>
\nIn addition to the “Common Level”, training for staff is segmented based on roles and tailored accordingly.<\/td>\nNIST SP 800-16
\nBITS Critical Success Factors<\/td>\n<\/tr>\n\n 11<\/td>\n Training Content<\/b>
\nSecurity awareness training includes:<\/p>\n\n
- Information on known threats, including discussion of malicious software.<\/li>\n
- Security requirements including the good password practice, and the importance of monitoring login failure.<\/li>\n
- Legal responsibilities.<\/li>\n
- Business controls.<\/li>\n
- Information on the disciplinary process.<\/li>\n
- Who to contact for further security advice or to report incidents.<\/li>\n<\/ul>\n
Specific content has been determined based on a needs assessment including consideration of regulatory requirements.<\/td>\n
NIST SP 800-50
\nISO 17799
\nPCI Data Security Std.
\nHIPAA Security Rule
\nGLB-A<\/td>\n<\/tr>\n\n 12<\/td>\n References to Security Outside Work<\/b>
\nTraining includes the importance of security to the individual\u2019s life outside of work.<\/td>\nNIST SP 800-50
\nBITS Critical Success Factors<\/td>\n<\/tr>\n\n <\/td>\n<\/tr>\n \n DELIVERY & ADMINISTRATION <\/strong><\/p>\n <\/td>\n<\/tr>\n
\n 13<\/td>\n Multiple Delivery Modes<\/b>
\nWhere possible, multiple delivery modes are used to suit different learning modes.<\/td>\nNIST SP 800-50
\nBITS Critical Success Factors<\/td>\n<\/tr>\n\n 14<\/td>\n IT is Leveraged to Provide Training<\/b>
\nInformation technology is used in an optimized manner to automate training, and to provide tools for the training and education program.<\/td>\nCOBIT 4.0<\/td>\n<\/tr>\n \n 15<\/td>\n Accessibility for Staff with Disabilities <\/b>
\nWhere practical, all training materials should be made accessible to staff with disabilities. Where this is not possible, alternative forms of training are provided.<\/td>\nSection 508<\/td>\n<\/tr>\n \n 16<\/td>\n Record Keeping<\/b>
\nRecords of staff training are kept in personnel records, or in a compliance-tracking tool\/database.<\/td>\nNIST SP 800-50
\nBITS FISAP
\nHIPAA Security Rule<\/td>\n<\/tr>\n\n 17<\/td>\n Metrics<\/b>
\nBoth qualitative and quantitative metrics are used to obtain feedback, and to measure the effectiveness of the training program.<\/td>\nNIST SP 800-50
\nBITS Critical Success Factors<\/td>\n<\/tr>\n\n <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":" We recently completed a security training needs assessment for one of the states here on the West Coast. Part of the study was to identify a list of accepted “best practices” in security awareness training.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,6],"tags":[],"class_list":["post-16","post","type-post","status-publish","format-standard","hentry","category-education","category-infosec"],"_links":{"self":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts\/16","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/comments?post=16"}],"version-history":[{"count":0,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts\/16\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/media?parent=16"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/categories?post=16"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/tags?post=16"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}