CISSP and Information Security Education, Training, and Awareness
The Certified Information Systems Security Professional (CISSP) credential exam candidate should be familiar with the tools and objectives of security awareness, training, and education programs.
Appropriate levels of awareness, training, and education required within the organization
Security awareness is an often-overlooked factor in an information security program. Although security is the focus of security practitioners in their day-to-day functions, it’s often taken for granted that common users possess this same level of security awareness. As a result, users can unwittingly become the weakest link in an information security program. Several key factors are critical to the success of a security awareness program:
- Senior-level management support: Under ideal circumstances, senior management is seen attending and actively participating in training efforts.
- Clear demonstration of how security supports the organization’s business objectives: Employees need to understand why security is important to the organization and how it benefits the organization as a whole.
- Clear demonstration of how security affects all individuals and their job functions: The awareness program needs to be relevant for everyone, so that everyone understands that “security is everyone’s responsibility.”
- Taking into account the audience’s current level of training and understanding of security principles: Training that’s too basic will be ignored; training that’s too technical will not be understood.
- Action and follow-up: A glitzy presentation that’s forgotten as soon as the audience leaves the room is useless. Find ways to incorporate the security information you present into day-to-day activities, and establish follow-up plans.
The three main components of an effective security awareness program are a general awareness program, formal training, and education.
A general security awareness program provides basic security information and ensures that everyone understands the importance of security. Awareness programs may include the following elements:
- Indoctrination and orientation: New employees and contractors should receive basic indoctrination and orientation. During the indoctrination, they may receive a copy of the corporate information security policy, be required to acknowledge and sign acceptable-use statements and non-disclosure agreements, and meet immediate supervisors and pertinent members of the security and IT staff.
- Presentations: Lectures, video presentations, and interactive computer-based training (CBT) modules are excellent tools for disseminating security training and information. Employee bonuses and performance reviews are sometimes tied to participation in these types of security awareness programs.
- Printed materials: Security posters, corporate newsletters, and periodic bulletins are useful for disseminating basic information such as security tips and promoting awareness of security.
Formal training programs provide more in-depth information than an awareness program and may focus on specific security-related skills or tasks. Such training programs may include
- Classroom training: Instructor-led or other formally facilitated training, possibly at corporate headquarters or a company training facility
- Self-paced training: Usually web-based training where students can proceed at their own pace
- On-the-job training: May include one-on-one mentoring with a peer or immediate supervisor
- Technical or vendor training: Training on a specific product or technology provided by a third party
- Apprenticeship or qualification programs: Formal probationary status or qualification standards that must be satisfactorily completed within a specified time period
An education program provides the deepest level of security training, focusing on underlying principles, methodologies, and concepts.
An education program may include
- Continuing education requirements: Continuing Education Units (CEUs) are becoming popular for maintaining high-level technical or professional certifications such as the CISSP or Cisco Certified Internetwork Expert (CCIE).
- Certificate programs: Many colleges and universities offer adult education programs that have classes about current and relevant subjects for working professionals.
- Formal education or degree requirements: Many companies offer tuition assistance or scholarships for employees enrolled in classes that are relevant to their profession.
Periodic reviews for content relevancy
Congratulations! You’ve chosen a profession that is constantly and rapidly changing! As such, security education, training, and awareness programs must be reviewed and updated regularly to ensure they remain relevant, and to ensure your own knowledge of current security concepts, trends, and technologies stays current. We suggest that the content of security education and training programs be examined at least once per year, to ensure that there is no mention of obsolete or retired technologies or systems, and that current topics are included.