The document discusses security awareness training and policies. It explains that a security policy is composed of multiple sub-documents covering different security topics. These are created by security personnel with management support. They detail expected behaviors and consequences for violations. Training should be tailored based on roles and ongoing to address changing threats. All data should be classified and users assigned access levels. Personally identifiable information requires the highest protection.
2. Page 2
Instructor, PACE-IT Program – Edmonds Community College
Areas of Expertise: PC Hardware; Network Administration; IT Project Management; Network Design; User Training; IT Troubleshooting
Qualifications Summary: Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs, and creating the solutions required, with a focus on technology.
Education: M.B.A., IT Management, Western Governors University; B.S., IT Security, Western Governors University
5. Page 5
A security policy is actually composed of many sub-documents that cover the expected behavior of personnel from a security perspective.
It is created by personnel tasked with securing company assets, but it also has the backing of management. Without management's backing, it is difficult to enforce a security policy. All personnel should be required to be trained on the security policy and then acknowledge such training with a signature.
The individual sub-policies contained within the security policy will not only detail the expected behavior, but will also outline the disciplinary actions that can or will be taken if the policy is violated. Disciplinary actions can range from a simple reprimand to termination or prosecution.
Security related awareness and training.
6. Page 6
– Role-based security training.
» When training on individual security policies, it is important to craft the training to fit the intended user.
• General user: needs to know the what of the policy.
• Technical user: needs to know the how and the what of the policy.
• Management: needs to know the why of the policy.
– Security policy training is vital.
» Helps to ensure compliance with regulations (e.g., PCI-DSS or HIPAA).
» Helps to ensure security best practices are followed (protecting the organization from threats).
» Helps to ensure that internal standards are adhered to.
– Ongoing security policy training.
» The threat environment is not static, and neither should the security policy be.
• The security policy should be changed to adjust for new threats and trends as needed (e.g., zero-day exploits).
7. Page 7
– Training types and environment.
» Different types of training can and should be employed to help ensure consistent awareness of and compliance with the security policy. These can also be used as refresher courses.
• Printed documentation: can be used as part of the initial training after hiring; is easily tracked with a signed copy on file.
• Computer based training (CBT): the use of IT media to provide the training; this allows for an interactive experience and is easily tracked.
• Seminars: half-day or full-day security policy seminars can be used to impart knowledge to large groups at one time.
• Working lunches: similar to a seminar, but usually cover only a single topic.
• Informal training: security personnel should always be striving to help users and management understand the importance of the security policy.
» All training should be documented and tracked (with the exception of informal training).
• Documentation and tracking make training completion measurable.
9. Page 9
Most users take a fairly casual approach to IT security, even when they don't think that they do.
Social networks are actually a security risk. It is all too easy for a user to share information on a social network that shouldn't be out in the wild (it can even happen unintentionally).
P2P (peer-to-peer) type networks are also a security risk. Just like social networks, a user may make information that should be kept in-house available on the network. P2P networks are also vulnerable to security exploits and have been used as threat vectors in the past to introduce malware into other networks.
10. Page 10
– Information classification.
» All data and files should be classified (also called data labeling) as to their level of sensitivity.
• In most cases, organizations are responsible for establishing the level of classification (e.g., top secret, secret, public, or private).
» After data and files have received their classification, users should be assigned to levels of access (i.e., their clearance level).
– Personally identifiable information (PII).
» PII is any information that can be used to uniquely identify an individual (e.g., a social security number).
• PII should always receive the highest level of classification and restrictions.
• PII should never leave the control of the organization.
11. Page 11
– Data handling and disposal.
» Policies should outline how data can be stored and the appropriate methods for disposal (both electronic and physical).
• If data is allowed to be placed on removable media (e.g., a USB flash drive), it should be encrypted.
• Hard drives may be sanitized or physically destroyed.
– User habits.
» It is up to security personnel to instill strong security habits in other personnel. Items to focus on include:
• Strong passwords and password management.
• Proper data handling techniques.
• Clean desk techniques.
• Physical security.
• Personally owned devices.
12. Page 12
Summary
Topic: The security policy.
A security policy is actually composed of multiple sub-documents that cover security topics. They are created by security personnel with support from management. They detail the expected behavior and the consequences for violating the policy. Training on security should be role-based. Training is vital to maintaining a secure environment. It should be ongoing and can take different forms.
Topic: Security awareness.
Most users actually take a casual approach to security. It is up to security personnel to make them aware of the risks. All data and files should receive a classification level, and then users should be assigned to levels of access. PII is anything that can uniquely identify an individual and should never leave the control of the organization. Policies should be put in place that detail how to properly handle and dispose of data and hardware. It is up to security personnel to instill good security habits in other personnel.
14. This workforce solution was 100 percent funded by a $3 million grant awarded by the
U.S. Department of Labor's Employment and Training Administration. The solution was
created by the grantee and does not necessarily reflect the official position of the U.S.
Department of Labor. The Department of Labor makes no guarantees, warranties, or
assurances of any kind, express or implied, with respect to such information, including
any information on linked sites and including, but not limited to, accuracy of the
information or its completeness, timeliness, usefulness, adequacy, continued availability
or ownership. Funded by the Department of Labor, Employment and Training
Administration, Grant #TC-23745-12-60-A-53.
PACE-IT is an equal opportunity employer/program and auxiliary aids and services are
available upon request to individuals with disabilities. For those that are hearing
impaired, a video phone is available at the Services for Students with Disabilities (SSD)
office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call
425.354.3113 on a video phone for more information about the PACE-IT program. For
any additional special accommodations needed, call the SSD office at 425.640.1814.
Edmonds Community College does not discriminate on the basis of race; color; religion;
national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran
status; or genetic information in its programs and activities.