Security Education and Training Awareness Programs

I am tasked to help develop a security and training awareness program for my small-to-medium organization (see scenario below).


"The Business Organisation is an information holdings organisation with about 600 staff. A recent audit of the organisation's information security management system found it to be deficient in some key areas, notably incident response, disaster recovery and business continuity, social engineering exploitation of personnel, an apparent lack of personnel awareness of the various threats to information, and poor password security. Technical systems were found to be reasonably effective in maintaining database and document management security, and were well serviced by the IT team."

The proposed plan should include:
1. Objectives
2. Topics to be covered
3. Level of learning (knowledge, skill or competence)
4. Recommended instructional methods and media to use/support
5. Example of learning activities and exercises
6. Evaluation criteria

Some theory sources:

• The plan should be based on real commercial security education techniques, and your best knowledge and expertise in security education.

• Answers should not be theoretical definitions.

• As far as possible, please avoid too much word-quoting from sources. Minor citation is allowed.

• Any citation must be from credible sources.


Solution Preview

Security Awareness, Training, and Education Plan
1. Objectives
Since XYZ is an information holding organization, the need for security awareness, training and education is critical to successful business operations. The objective of the security awareness program is to focus on employees to maintain the confidentiality, integrity, and availability of information assets.
The objective of security awareness training is to promote employee understanding that the management of the company supports the security program.
The overall objective of this program would be to create an ongoing security awareness program which includes continuous training, communication and reinforcement.
2. Topics to be covered
The topics to be covered under the security plan include:
• Incident Response Plans (IRPs), Disaster Recovery Plans (DRPs), and Business Continuity Plans (BCPs): Given the complexity of business systems, incident response has become very critical for organizations. An organization is at a high risk if it is not able to respond efficiently to incidents, especially to incidents in which critical resources are exposed. Primary functions of the above plans are:
    • IRP focuses on the immediate attack. If the attack escalates, the process changes to DRP and BCP.
    • DRP focuses on restoring systems after an attack has occurred. It works in association with BCP.
    • BCP works in conjunction with DRP when damage is of large magnitude and requires more than simple restoration of information and information resources.

• Social engineering exploitation of personnel: Social engineering is the most common and the easiest method of maneuvering around security obstacles. Such networks extract information without raising suspicion. Technology-based social engineering exploitation tricks users into believing that they are interacting with a real application or system in order to extract confidential information. Common technical attacks are phishing, spam mails, popup windows, etc.

• Awareness of various threats to information: There are many information security threats that are important for employees to know in order to protect the sensitive information of the company. The most common information threats are:
    • Unauthorized Access: This is the successful access of information without permission.
    • Cyber Espionage: It involves hacking of a company to obtain sensitive information.
    • Malware: A term used for malicious software such as viruses, worms, and Trojans designed to infiltrate systems and information for criminal activities or destruction purposes.
    • Phishing: A form of social engineering which involves sending emails which look legitimate, aimed at fraudulently extracting information from recipients.
    • Spam: Unsolicited emails sent in mass to spread ...

Solution Summary

Security education and training awareness programs are examined.