
Information Security Training and Education - Report Example

Summary
This report "Information Security Training and Education" discusses Information Security education and training that encompasses educational programs aimed at reducing the level of IT security breaches that happen because of lack of workforce security awareness (Kaur 2001)…

Extract of sample "Information Security Training and Education"

Table of Contents

Introduction
Part 1
Role of Information Security education and training within Enterprises
    Reflect business needs
    Outline the security expectations to the workforce
    Explain employee roles in information security
    Act as a catalyst for training
    Promote workforce participation
    Explain right rules of behaviours for effective application of IS
    Create an awareness mechanism for policies
    Recommendations
Part 2
Significant Learning Experiences
Conclusion
Reference List

Introduction

Information Security education and training encompasses educational programs aimed at reducing the level of IT security breaches that happen because of a lack of workforce security awareness (Kaur 2001). This paper examines the role of Information Security education and training within enterprises and proposes a set of recommendations considered to be most important for enterprises to act upon. Additionally, the three most significant learning experiences about Information Security are identified, along with their impact on my future professional life.

Part 1

Role of Information Security education and training within Enterprises

Business computing has come forth as an important component of the general resource of the business. This development relates to the information resource, in addition to the information security of a business. End-users of the computing devices have access to the most important information that a company has (Hight 2005). They may have some knowledge of how to get around the information system put in place to protect the business information, or they may lack the knowledge required to safeguard the information. To this end, it is reasoned that the more educated the end-users are, the better the decisions they make in the business.
Therefore, the question of the role of Information Security education and training within Enterprises comes to the fore (Yanus & Shin 2007). Basically, Information Security education and training should consist of educational programs aimed at reducing the level of IT security breaches that happen because of a lack of workforce security awareness.

Reflect business needs

An effective Information Security education and training program should consist of developing an IT security policy that reflects the needs of the business, informing the users of their information security responsibilities as reflected in the enterprise’s security policy statement and, lastly, developing the processes essential for tracking and analysing the education and training program (Wilson & Hash 2003). In my view, this is because the education and training program is vital, as it is the vehicle through which information needed by the users is disseminated to enable effective running of the enterprise. Additionally, it is a vehicle for communicating security needs throughout an enterprise.

Outline the security expectations to the workforce

Information Security education and training should play the role of setting the security tone for the workforce within enterprises, particularly if it consists of employee orientation. It should outline the security expectations that the enterprise has for the employees (Yanus & Shin 2007). The education and training should, however, not just be aimed at reviewing the policy. In my opinion, it should appropriately explain the reasons why an employee’s password has to have a certain number of characters, as well as be made up of a number of characters. By clarifying such sensitive areas, it would be easier for the workforce to accept the policy (Kaur 2001). This would prevent them from coming up with creative ways to circumvent the system, which could put the network at more risk.
Additionally, showing how easy it is to crack a simple password would make more of an impact on end-users, as they would witness the role they can play in keeping the network and data safeguarded from intruders.

Explain employee roles in information security

Information Security education and training should serve to explain the role of employees in the areas of information security. In particular, it should show the users the areas in which they can play important roles in safeguarding the enterprise’s information. Additionally, it needs to inculcate a sense of purpose and responsibility, especially in the employees responsible for handling and managing information (Aloul 2012). To this end, it should be tailored towards encouraging employees to take more care about their workplace. I believe that these are particularly essential, as in this way, education and training can be leveraged to motivate employees within the enterprise, hence enabling them to learn more, as well as be more conscientious about certain security details.

Act as a catalyst for training

Education should at the same time be the catalyst for training. The training should in itself be made up of a more hands-on approach to learning (Patil 2008). In my opinion, this is because the principal goal of the education and training programs should be to motivate the employees to shift knowledge and expertise to long-term memory from short-term memory. Here, awareness of information security is a component of training that places the information into short-term memory, which should lead to long-term application of the information in the day-to-day running of the enterprise (Patil 2008). The Information Security education and training programs should put security at the forefront of the minds of an enterprise’s workforce on a day-to-day basis, as well as the actions that they should take to repeatedly protect themselves and the enterprise’s data and network.

Promote workforce participation

The aim of Information Security education and training for an enterprise should be the promotion of workforce participation. I believe that is essential since education and training can make the employees more aware of how security affects an enterprise’s future, as well as protects them from the likely loss of jobs, through protection of assets. Additionally, they are intended to weave security into an enterprise’s fabric (Hight 2005). For instance, when the program is focused on the topics seen by end-users each day in their work lives, it integrates security into each task that the end-users do. This may include reporting strange activities they witness in their internet files or emails. This is because employees can play an integral role in protecting an enterprise’s assets from identity theft and cybercrime. Additionally, enterprise workers who telecommute and connect their personal computers to the enterprise’s network should be educated and informed of the standards or policies of the enterprise designed for information security.

Explain right rules of behaviours for effective application of IS

The education and training program should also aim to explain to the user the right rules of behaviour needed for effective application of the Information Systems and data. Therefore, the program should communicate the Information Technology policies and procedures that need to be complied with. It must, therefore, introduce and stress the sanctions enforceable in case of noncompliance. In my view, this is because, for effective Information System usage, users need to be informed of what is expected from them. Additionally, accountability should originate from a well-trained employee base (Talbot & Woodward 2009).

Create an awareness mechanism for policies

The education and training policy should also be aimed at creating an awareness mechanism for policies.
At this stage, the executive management should be made aware that although the organisation’s intranet site is an instrument for accessing the policies, it is not an efficient means of creating and embedding awareness. Additionally, the statement within a high-level policy that informs managers of their responsibility to create awareness is not an effective means of creating awareness.

Recommendations

Towards this end, education, training and awareness programs should include the means for confirming whether the employees have been made aware of the information security policies. Hence, five recommendations are made.

First, the security education and training program should be centred on the enterprise's entire user population. Next, the enterprise's management should lay out the standards for proper IT security behaviour. At the same time, the education and training program should set off with an effort that can be applied and executed in a range of ways, aimed at all organisational levels, from the executive management to the entry-level staff. The effectiveness of the education and training program will in most cases depend on how effectively it is applied and implemented in the enterprise (Talbot & Woodward 2009).

The education policy should also aim at changing the organisational culture. The educational and training programs should therefore aim to change the existing culture, which ignores the information security policies and views the policies as a means of punishing the personnel, to one of understanding the underlying significance of the policies.

Organisations should also aim at educating the workforce on information security policies, in addition to ICT security matters, through well-defined and formal processes. The activities of training and awareness have to be undertaken uniformly across the entire organisation.
This may require that all handouts and presentations created for education and awareness are published and distributed uniformly across the entire organisation (Talbot & Woodward 2009).

Next, in order to create an effective awareness mechanism, the intranet and a high-level policy statement should be replaced by an e-learning package that applies the organisation’s domain authentication and network as the likely solution. In this way, employees who log into the network would, before ultimately accessing the network resources, have to first access the e-learning package that has the relevant policies, which outline their roles in enforcing the information security policies (Shedden et al. 2010). Hence, once they read the policies, they would have to confirm that their knowledge of the policies has been refreshed.

Lastly, organisations should also use the work-centric periodic meetings as an efficient means of enhancing education and awareness of the information security policies. The efforts of including information security policy awareness in the meetings are likely to ensure that the members of staff are made aware. At the same time, if the meetings are formatted along the lines of a ‘micro-training camp’, this would present a valuable training tool that has minimal expenses.

Part 2

Significant Learning Experiences

During the course of this topic, I obtained three most significant learning experiences about information security. A key learning experience is the ability to select appropriate practices essential for ensuring effective security policies. I have learnt that simplifying and developing the policy is a crucial step that should involve the entire workforce. In which case, to ensure compliance, the employees have to have an understanding of its significance for the overall good of the organisation, rather than as a punitive instrument. In my case, this learning experience is particularly significant for my career development.
By understanding that security policies are meant for the overall good of the organisation, compliance with my future workplace’s security policies would be easy. Additionally, developing and reviewing the policies for my future employers would be more informed and set towards the right total security direction.

I have also developed an understanding of legal and ethical issues in information security. The areas here include an understanding of the concepts of patents and copyrights, in addition to the fundamental issues of employee/employer rights and responsibilities. However, a fundamental learning experience is that of the different computer crimes and how to prevent them through the use of effective information security policies. It is clear to me that organisations become more prone to security attacks when the employees are not aware of the different computer crimes and the means of preventing them. Therefore, developing educational and training programs that are focused on informing the employees of the possible network threats, software policy, shoulder surfing and hacking is an incremental step towards ensuring an absolute security system for the organisation. In my future profession, this is specifically important in ensuring the total security of my workplace. For instance, in supervising the workforce, I would seek to reinforce the need to integrate types of crime in the employee training and educational programs. However, this would only be possible through ethical practice. Therefore, the training and educational program that I would develop as a security team leader would integrate the legal and ethical issues to ensure effective prevention of the crimes and total compliance with the policies.

In regard to security management, I have developed an effective understanding of the difference between security policy and practice.
I have also learnt how to develop a comprehensive information security policy based on the organisational attributes, including organisational cultures. In this case, I can appropriately select the right practices for effective security policies, as well as conduct risk analysis and risk mitigation. This is important for my future professional life. For instance, by being aware of the social engineering attacks and the basic risk analysis and mitigation strategies, I will be able to perform security planning for my future workplace, including technological security and physical security. With knowledge in security planning, I have a wider career choice in the security management field, since I can combine life experiences, educational experiences and corporate security experiences on security management to land a great security position. For instance, rather than work in a corporate field, it will enable me to obtain employment in a high-threat environment, such as working with the IT department of a Private Security Company (PSC) or Private Military Company (PMC).

Conclusion

An effective Information Security education and training program should consist of developing an IT security policy that reflects the needs of the business, informing the users of their information security responsibilities as reflected in the enterprise's security policy statement and, lastly, developing the processes essential for tracking and analysing the education and training program. It should also set the security tone for the workforce, specifically if it consists of employee orientation. The education and training program should also describe the role of employees when it comes to information security. Education should at the same time be the catalyst for training. The training should in itself be made up of a more hands-on approach to learning.
Further, its aim should be the promotion of workforce participation. It should also aim to explain to the user the right rules of behaviour needed for effective application of the Information Systems and data. The education and training policy should also be aimed at creating an awareness mechanism for policies.

Reference List

Aloul, F 2012, "The Need for Effective Information Security Awareness," Journal Of Advances In Information Technology, Vol. 3, No. 3, pp. 176-183

Hight, S 2005, The importance of a security, education, training and awareness program (November 2005), viewed 8 June 2014, http://www.infosecwriters.com/text_resources/pdf/SETA_SHight.pdf

Kaur, H 2001, Introduction and Education of Information Security Policies to Employees in My Organization, SANS Institute

Patil, J 2008, Information Security Framework: Case Study Of A Manufacturing Organization, Project submitted to the Faculty in the Department of Mathematics and Computer Information Science in partial fulfillment of the requirements for the degree of Master of Science in Information Assurance and Security, Mercy College

Shedden, P, Smith, W & Ahmad, A 2010, Information Security Risk Assessment: Towards a Business Practice Perspective, Proceedings of the 8th Australian Information Security Management Conference, Edith Cowan University, Perth Western Australia, 30th November 2010

Talbot, S & Woodward, A 2009, Improving an organisations existing, Proceedings of the 7th Australian Information Security Management Conference, Perth, Western Australia

Wilson, M & Hash, J 2003, Building an Information Technology Security Awareness and Training Program, National Institute of Standards and Technology Publication 800-50

Yanus, R & Shin, N 2007, Critical Success Factors for Managing Information Security Awareness Program, viewed 9 June 2014, http://support.csis.pace.edu/CSISWeb/docs/techReports/techReport238.pdf
