{"id":316,"date":"2020-05-25T19:46:31","date_gmt":"2020-05-25T19:46:31","guid":{"rendered":"http:\/\/www.spktechfit.com\/?p=316"},"modified":"2020-09-25T20:03:59","modified_gmt":"2020-09-25T20:03:59","slug":"security-course-3-2-user-training","status":"publish","type":"post","link":"https:\/\/www.spktechfit.com\/?p=316","title":{"rendered":"Security+ Course \u2013 3.2 User Training"},"content":{"rendered":"<h2>1. Security Education<\/h2>\n<p>There are 2 important components of security training programs.<\/p>\n<p><strong>Security training: <\/strong>this provides users with the knowledge they need to protect the organisation's security.<br \/>\n<strong>Security Awareness:\u00a0<\/strong> keeps the lessons learned at the front of the user's mind. EG: posters, email reminders etc&#8230;<\/p>\n<h3>Security Training Methods<\/h3>\n<ul>\n<li>instruction in onsite classes<\/li>\n<li>as part of new staff induction or orientation<\/li>\n<li>education through online providers<\/li>\n<li>participation in vendor provided classroom training<\/li>\n<\/ul>\n<h3>Examples of training programs<\/h3>\n<p>This site offers training modules that are customisable: <a href=\"https:\/\/www.sans.org\/security-awareness-training\/products\/end-user\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.sans.org\/security-awareness-training\/products\/end-user<\/a><\/p>\n<p>This site allows you to conduct simulated phishing attacks against your own users: <a href=\"http:\/\/www.phishme.com\" target=\"_blank\" rel=\"noopener noreferrer\">www.phishme.com<\/a><\/p>\n<h3>Training Content &amp; Frequency<\/h3>\n<p>Different roles need different levels of training. EG: IT support staff need different training than a receptionist. You need to cater for their needs accordingly.<\/p>\n<p>Training frequency:<\/p>\n<ul>\n<li>initial training for new employees<\/li>\n<li>update training for employees in roles<\/li>\n<li>refresher training on an annual basis<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<hr \/>\n<p>&nbsp;<\/p>\n<h2>2. 
Information Classification<\/h2>\n<h3>Data Classification Policies<\/h3>\n<p>These policies assign information to classifications that determine storage, handling and access requirements.<\/p>\n<p>Information classification is based upon:<\/p>\n<ul>\n<li>sensitivity of information<\/li>\n<li>criticality of information<\/li>\n<\/ul>\n<h3>Classification Levels<\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-317\" src=\"http:\/\/www.spktechfit.com\/wp-content\/uploads\/2020\/05\/ClassificationLevels.png\" alt=\"\" width=\"667\" height=\"297\" \/><\/p>\n<p>Classification guides other security questions, EG: should this data be encrypted?<\/p>\n<p>Classified information should be labelled correctly with its classification level.<\/p>\n<h3>Secure Disposal Procedure<\/h3>\n<p>When devices are being sold or recycled, the drives must be wiped correctly using something like <a href=\"https:\/\/dban.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">DBAN<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<p>&nbsp;<\/p>\n<h2>3. Compliance Training<\/h2>\n<p>Compliance programs ensure that an organisation's information security controls are consistent with the laws, regulations and standards that govern the organisation's activities.\u00a0Compliance requirements differ a lot between organisations. EG: a university will have different requirements from a retail shop. Compliance obligations should be covered in security training. EG: if a law requires that employees never write down credit card numbers, employees should be made aware of this in training.<\/p>\n<h3>3 types of Compliance Obligations<\/h3>\n<ol>\n<li>Laws: these come with civil or criminal penalties for failure to comply. 
EG: in financial firms there are laws that state they must have an Information Security Officer and a formal Information Security program in place to protect customer information.<\/li>\n<li>Regulations: these are mandatory requirements that an organisation must follow but are not embodied in law.<\/li>\n<li>Standards: these are detailed technical specifications for security and other controls. Organisations may be required to comply with standards by a contract or regulation.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<hr \/>\n<p>&nbsp;<\/p>\n<h2>4. User Habits<\/h2>\n<p>User habits education programs should address:<\/p>\n<ul>\n<li>password security practices<\/li>\n<li>data handling procedures (how data is handled and destroyed)<\/li>\n<li>physical security training (no tailgating into buildings)<\/li>\n<li>BYOD policies<\/li>\n<li>appropriate use of social media<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<hr \/>\n<p>&nbsp;<\/p>\n<h2>5. User Based Threats<\/h2>\n<p>This was covered in other chapters: <a href=\"http:\/\/www.spktechfit.com\/?p=159#1412_Social_Engineering_Attacks\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.spktechfit.com\/?p=159#1412_Social_Engineering_Attacks<\/a><\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<p>&nbsp;<\/p>\n<h2>6. Measuring Security Education<\/h2>\n<p>It is important that organisations take steps to measure the effectiveness of their security education efforts. Some methods include:<\/p>\n<ul>\n<li><strong>Simulated phishing:<\/strong> this directly measures user awareness.<\/li>\n<li><strong>Security awareness surveys:<\/strong> EG: &#8220;How well does the organisation prepare you to deal with security threats?&#8221;, &#8220;Do you know where to report a security incident?&#8221;<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>1. Security Education There are 2 important components of security training programs. 
Security training: this provides users with the knowledge they need to protect the organisation's security. Security Awareness:\u00a0 keeps the lessons learned at the front of the user's mind. EG: posters, email reminders etc&#8230; Security Training Methods instruction in onsite classes as part of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[11,10,3],"tags":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/316"}],"collection":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=316"}],"version-history":[{"count":2,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/316\/revisions"}],"predecessor-version":[{"id":505,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/316\/revisions\/505"}],"wp:attachment":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=316"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=316"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=316"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}