When budgets are squeezed, security training is often one of the first items to be cut. This is a serious mistake, because training in procedures is the essential step that actually implements the policy "on the ground". This is especially true of information security, where very often the countermeasures involve procedures and people rather than technology.
Many organisations, and businesses in particular, can spend a great deal of money and time on setting up a full Information Security Management System (ISMS). They draw up a high-level policy, conduct a thorough risk assessment, decide on a risk management strategy and appropriate countermeasures, and create standards and guidelines. However, in too many cases the activity effectively ceases at that point. The policy may be pinned on a noticeboard, but the importance of the new procedures is not communicated effectively to employees. This means that the carefully-framed procedures and standards will be either circumvented or ignored altogether. The result is that the ISMS is never truly implemented, and the organisation's information assets are just as much at risk as they were before.
The key to resolving this situation is security training – for employees, directors, contractors, even for visitors if appropriate. There is a real need for focused and timely information security education and awareness campaigns, in order to embed the ISMS deeply into the organisation's culture.
Security training can take one of two general forms:
· The training can be specific to an employee's job function, sometimes with highly technical content on the duties that he/she performs that are relevant to information security;
· Alternatively, the education programme can be more general and suited to all employees or directors. This kind of security training chiefly aims to instil a security-conscious mindset rather than educate in particular duties. It covers tasks that all members of the organisation should be prepared to carry out: for example, politely challenging an unknown person on the premises who is not wearing an identity badge.
Regular security awareness campaigns usually accompany formal security training. An awareness campaign seeks mainly to remind people of the importance of information security, bringing their training to the forefront of the mind and reiterating the importance that the directors place on this area.
The combination of security training and repeated awareness campaigns can be of great benefit. Firstly, it benefits the employees themselves, since it increases their marketable skills and hence their own job prospects. However, it also greatly benefits the business, since this is the means by which the ISMS is implemented at ground level. Without appropriate security education, all the new security policies and procedures would remain nothing more than impressive documents. It is effective training that delivers a working implementation of the system. For this reason alone, the vital step of carrying out security training should never be omitted.