CompTIA Security+ SY0-501 Ch 3


Confidential

A classification of information policy privacy level below secret and the lowest classified level. Public disclosure of this information could cause damage to national security.

Secret

A classification of information policy privacy level below top secret. Public disclosure of information classified as this could cause serious damage to national security.

Age

A data retention policy that specifies that each piece of information must include metadata identifying the creation date and the expiration date. This helps someone looking at the data know whether it needs to be retained or can be destroyed, because it is possible that old data is outdated and inaccurate. This limit on data could be anywhere from three years to seven years.

Security policy

A large document made up of many subdocuments that defines the company's security strategy. It is a document that defines all the rules in the organization that all personnel need to follow - including users, network administrators, security professionals, and the management team. It is important to note that even the security team in the organization must follow the rules defined by the organization. It should be stressed that this is designed to protect the assets of the organization and ensure that actions within the organization are legal and compliant with any regulations governing the organization. Employees should understand that legal and compliance requirements are everyone's responsibility in order for the security posture of the company to be strong. As mentioned, this is made up of many subdocuments, with each subdocument covering a specific area of concern, known as a policy. These policies specify the dos and don'ts that everyone within the organization must follow. The policies are created by the security professional but are sponsored by upper-level management. The first step to creating a security policy is to get the support and approval of upper-level management, to ensure that the policy will be enforceable. Before implementing this within the organization, you need to ensure that you have buy-in from management, or else there will be no enforcement of the policy, which results in no one following the policy.

Videos on demand

A newer approach to internal training is to record seminars in this delivery method and make them available for download from an internal server.

Security-Related

A number of these HR policies and procedures related to human resources and employees should be implemented and followed. The following security principles should be included in policy and followed as much as possible to help increase the level of security within the company: job rotation, separation of duties, and least privilege.

Private/public

A simple approach to classification of information policy privacy is to label the information as one of these. One means that the information is for internal use, while the other is information that does not present a security risk if exposed to the public.

Human resources

An often overlooked area of businesses is how HR functions can affect security in the business and what HR can do to help improve the security in the organization. HR is responsible for personnel management, and there are a number of security policies that could be implemented by HR to help create a more secure environment. The following are some of these types of policies: hiring, termination, mandatory vacations, and security-related.

Proprietary

Another classification of information level that could be used to identify information as being private to the company, or internal, is this. This is information that is company owned and should not be shared outside the company without authorization.

Data retention policy

Another common security policy affecting management is this, which specifies how long certain information must be retained within the organization. Organizations may have a retention policy that specifies a number of actions that are performed on data: age and retaining.

Unclassified

Any information that is not classified falls into this classification of information policy privacy level category. Public disclosure of this information is considered safe and not harmful to national security.

Business users

Areas of security that this typical job role should be educated about are password best practices, social engineering, virus protection, and the importance of physical security.

Computer based training

CBT is a delivery method in which employees use self-study tools such as training sessions played from a CD-ROM to learn about security.

User education and awareness

Creating and implementing a security policy is an important step to creating a secure environment for your company, but if your company does not educate employees on security and the relevant security policies within the business, there is no security. It is important to spend some time to develop a security training and awareness program that involves educating all employees at all levels on their responsibility for security.

New threats and security trends

Ensure that your training and awareness program discusses the fact that new viruses come out each day and that employees should ensure that their home and work computer virus definitions are up to date at all times. Ensure that the company has a method to inform the employees of new virus threats so that all employees are aware of the threat right away. Ensure that employees are aware of common threats such as phishing attacks. Also educate your employees on zero-day exploits. The issue here is that if the vendor is not aware of an exploit, then they do not have a fix for it. It is important to educate your users that hackers are always coming up with new ways to exploit systems and therefore users need to be security-focused in their everyday thinking.

Termination

It is critical that this HR policy be in place to help human resources determine the steps to follow to terminate an employee legally. The steps taken during termination depend on whether it is friendly or unfriendly.

Policy

It is important that each of these has a consistent format. The following sections should be included: overview, scope, the policy itself, enforcement, definitions, and revision history. Each type of this serves a different purpose. The popular types are standards, guidelines, and procedures. This section is the largest section in the Security Policy document and is the listing of dos and don'ts. This section may be divided into different parts to help organize all of the rules specified by the policy.

Training metrics and follow-up

It is important that you gather training metrics to gauge the success of your security training. You should have a training plan that includes all required training for each employee and a way to track whether the training was taken. You should also have a method of testing the effectiveness of the training, whether that be with testing or simulations. You need to validate the effectiveness of the training, compliance with policy, and the strength of the organization's security posture.

Job rotation

Just as it is important to enforce mandatory vacations, your company should also employ this security-related HR policy. This ensures that different employees are performing different job roles on a regular basis. This will help detect and deter fraudulent activities within the business.

Clean desk policy

Many organizations implement this user habit policy that requires users to ensure that any sensitive documents are stored away in a secure location at all times and not left in plain view on someone's desk. It is important to stress to employees what the ramifications of not following this policy are and to be sure to perform periodic checks in the evening by walking around the office to see if anyone has left sensitive documents in plain view.

Use of social networks and peer-to-peer programs

One of the leading security concerns regarding employees' everyday computer use is their Internet habits at home, in the office, or on a company laptop. These are the two areas of concern that allow users to download music, movies, and software. Both of these can be a way that viruses are spread to user systems. Be sure to educate your employees on acceptable use of social media such as Twitter, Instagram, and Facebook. Ensure that employees know not to post company-related information on such sites, and prohibit them from posting pictures of company parties and other events. Such activities could damage the security or reputation of the company. You should also specify in the acceptable use policy the company's rules regarding the use of these during work hours. Many organizations block these sites at the firewall. Be sure to keep AV software up to date because a large number of viruses are being written for applications used on these sites. The other category, peer-to-peer (P2P) software such as BitTorrent, is used to share music, videos, and software applications on the Internet for the rest of the world to download. There are two areas to educate your employees on regarding P2P software use. First, this is a popular way for hackers to distribute viruses across the network, which is one of the reasons why P2P software should not be allowed in the company. Employees should also be reminded that they should have up-to-date AV software on all systems at home. The second point that should be made in the AUP is that downloading or sharing of any copyrighted material (such as music, movies, TV shows, or software) from the company systems and assets is prohibited. Make it clear that the company has no tolerance for copyright violations and software piracy.

Seminars

One of the most popular methods to educate employees is to hold this delivery method, where a security expert explains the relevant issues to the participants. These are normally half-day or full-day events.

Personally identifiable information

PII is any information that can uniquely identify a person. It should be protected at all times and kept confidential. The following are two examples of information considered PII: national identification number and driver's license number.

Regulations and standards

Some of these can affect how and why your organization creates policies, so be sure to look up those that are specific to your industry. The following outlines some popular examples: ISO/IEC 17799, PHI and HIPAA, PII.

Acceptable use

The AUP is an important security policy affecting users because it lets the users know what the company considers acceptable use of its assets such as Internet service, e-mail, laptops, and mobile devices. Have all employees read and sign the AUP to ensure that they understand what is considered acceptable use of company assets such as computers, Internet service, and e-mail. The AUP should be reviewed by all employees during employee orientation and should be signed as proof that they have read the policy and agree to its terms. The following are topics typically covered by the AUP: Internet, e-mail, laptops, mobile devices, and social media.

Drug screening

The HR hiring policy may also state that candidates should be asked during the last interview if they would be willing to do this. Again, if the candidate says no to this, this could be a reason to not hire the candidate, depending on the type of job.

Sign a noncompete and nondisclosure agreement

The HR hiring policy may state that candidates should be asked during the last interview if they would be willing to do these if hired. If a candidate is not willing to do this, this could be a reason not to hire the candidate.

The International Standards Organization/International Electrotechnical Commission 17799

The ISO/IEC 17799 specifies best practices for information security management. ISO/IEC 17799 breaks the management of information security into different categories (typically known as domains). The following is a list of some of the categories: risk assessment, security policies, security organization, asset protection, personnel security, physical and environmental security, communication and operation management, access control, system maintenance, and business continuity. The ISO/IEC 17799 was officially adopted in 2000, updated in 2005, and then relabeled in 2007 to ISO/IEC 27002.

Virtual private network

The VPN security policy specifies how remote users will connect to the network using the Internet. A VPN encrypts communication between the client and the VPN server. In the VPN policy, you specify which VPN protocol and solution are to be used for remote access via a VPN. You may also specify that the client system must be up to date with patches and antivirus updates.

Protected Health Information and Health Insurance Portability and Accountability Act

There are a number of policies and acts that are designed to protect the privacy of health information in the United States. PHI is health information about a patient, their care, health status, and payment history that is protected by rules in the HIPAA. Organizations will typically anonymize this information to maintain the privacy of the patient. The HIPAA was created in 1996 and deals with the privacy of health care records. HIPAA is a U.S. standard whose key area of concern is to protect any individually identifiable health information and to control access to that information.

Zero-day

These exploits are attacks on newly discovered vulnerabilities that the vendor of the software or hardware is not aware of yet.

Personnel management

These security policies directly apply to any member of the executive team or upper-level management within the organization. The following policies should be defined and signed off by each executive user: NDA, onboarding, continuing education, AUP/rules of behavior, and adverse actions.

Policies affecting administrators

These security policies include the following: change management, secure disposal of equipment, and service level.

Policies affecting management

These security policies include the following: privacy policy, classification of information, data retention policy, and others.

Tailgating and piggybacking

These user habits are methods intruders use to bypass the physical security controls put in place by a company. This is when an intruder waits until an authorized person uses their swipe card or pass code to open a door, and then the intruder walks closely behind the person through the open door without the authorized person's knowledge. This other method is when the intruder slips through the door with the authorized person's knowledge. To help prevent the first, your organization can use a revolving door or a mantrap. A security guard can monitor the mantrap to make sure only one person enters at a time. Educate your employees on what to do if someone tries to do these through an open door. Most companies tell employees not to open the door if someone is hanging around the entrance and to ensure the door closes completely after they enter or leave the building.

Interview process

This HR hiring policy may specify the order of types of interviews to be performed.

Background check

This HR hiring policy may specify the types of background checking that are to be performed on candidates. During this phase of the hiring process, information on the applicant's resume should be verified. Any indication that the candidate has lied on their resume is a good reason not to hire the candidate. The goal of this policy is to ensure that the candidate actually has the education and job experience claimed on their resume. The policy may also require doing criminal background checks and Google searches on the candidate.

Contact references

This HR hiring policy may specify that, during the in-person interview, the candidate is asked for references so that they can be contacted before the next interview. This policy may also specify when and how to contact the references that the candidate has provided and what questions to ask.

Hiring

This HR policy should be created to help HR understand what they need to do during the hiring process to help maintain security. The hiring policy may specify any of the following to be performed by HR: interview process, contact references, background check, sign a noncompete and NDA, and drug screening.

Mandatory vacation

This HR policy, from a security point of view, is important for the security policy - vacation time must be used. The importance of taking vacation time is that it helps detect fraudulent or suspicious activities within the organization because another employee will need to take over the job role while someone is on vacation. This will help keep employees honest in their job functions because they know they will be held accountable for irregular activities discovered during their absence.

Unfriendly

This HR termination policy typically involves an employee being fired from the company or leaving on bad terms. Often, this policy stems from the employee leaving the company for competitive reasons or being let go due to failure to follow company policy. Either way, the termination policy should direct HR to notify the network team of their intention to let the employee go so that the network team can disable the employee's access to network resources and sensitive areas of the building at the time HR is giving notice to the employee. More often than not, this policy should specify that a member of the security department must escort the employee from the premises to ensure that the employee leaves the facility.

Driver's license number

This PII is a good example of unique information about an individual that would need to be secured.

National identification number

This PII would be something like the Social Security number (in the United States) or the social insurance number (in Canada).

Phishing

This attack is when the employee receives an e-mail asking them to click the link provided to visit a site. This typically is a fake e-mail that appears to be coming from your bank, asking you to click the link provided to verify that your bank account has not been tampered with.

Retaining

This data retention policy specifies how long information must be retained before it is allowed to be destroyed. Many companies have these periods of up to seven years. The policy should also identify the periods for different types of information. The policy should also identify where information is archived for long-term storage. Some data may have a category assigned, such as transient data, which is data that does not need to be retained. This may include items such as voicemails and some types of e-mail. It should be noted that regulations governing an organization may dictate the retention policies that are required for different types of information.

Lunch and learn

This delivery method is similar to a seminar, but it is approximately 50 minutes in length and designed to touch on one specific issue. Most companies will supply lunch while the employees are being educated on security.

Acceptable use policy/rules of behavior

This is a personnel management policy. The AUP defines the rules for how employees, management, and executives are to use technologies such as mobile devices, e-mail, the Internet, and social media.

Nondisclosure agreement

This is a personnel management policy. The NDA should be read and signed by employees, contractors, and management personnel to acknowledge that they understand and accept that they cannot share company sensitive information that they gain access to while working at the company. The NDA applies not only while working for the company but also after the work engagement has completed.

Onboarding

This is a personnel management policy. The company should have these policies defined to specify, for each job role, any specific training employees should have to help them in that job role. This should be done for employees, management, and executives.

Continuing education

This is a personnel management policy. Training is one of those company perks that really help boost employee morale. The company should have this policy defined that specifies each employee's budget for training per year based on their job role.

Adverse actions

This is a personnel management policy. With the support of the executive team, each policy should specify this for anyone who does not follow the security policies. The executive team should understand that failure of the company overall to follow policies and regulations could result in being denied credit or, more importantly, being denied insurance.

Service level agreement

This is a security policy affecting administrators. An SLA is a contract, or agreement, between your organization and anyone providing services to the organization. The SLA sets the maximum amount of downtime that is allowed for assets such as Internet service and e-mail service and is an important element of the security policy. It is important to ensure that you have an SLA in place with all providers, including Internet providers, communication link providers, and even the network service team. Should the provider not meet the SLA requirements, that could warrant looking elsewhere for the service. It should also be noted that SLAs are used within a company between the IT department and the other departments so that the various departments have reasonable expectations regarding quality of service.

Secure disposal of equipment

This is a security policy affecting administrators. In highly secure environments, it is critical that you physically destroy any hard drives that hold sensitive data. In less secure environments, you may want to securely wipe the drives so that the data cannot be recovered. Simply reformatting a drive does not remove the information, and it still can be retrieved. Also specify in this policy what to do with other old equipment taken out of production. This includes servers, tapes, switches, routers, and mobile devices.

Change management

This is a security policy affecting administrators. This specifies the process to follow when implementing a change to the network. When this process is not in place and the policy is not being followed, access to the network may be denied due to mistakes made when implementing changes. Having one of these that specifies procedures to follow should reduce mistakes in configuration because a process can ensure that the change will be properly tested. This policy should also specify who should be notified of a change before it is implemented so that person can sign off on the change.

Classification of information

This is a security policy affecting management. This helps define the different classifications of information. Assigning a classification level (known as a data label) to information determines which security controls are used to secure the information and how much money is invested in protecting that information. The following are some popular information classifications used by the military: top secret, secret, confidential, and unclassified. The security policy should specify what type of information is top secret, secret, confidential, and unclassified. The policy should specify under what circumstances information can be declassified (the classification removed or changed) and what the process is to have that changed. Once the information in the organization has been classified, the next step is to assign a clearance level to persons within the organization. To access top secret information, an employee would need top secret clearance and need-to-know status. There are other classification levels that can be assigned to information. The previous examples are common with government and military, but companies may use their own internal classification system. The following are other examples of classification labels: high/medium/low, private/public, and proprietary.

Privacy

This is a security policy affecting management. This is used to educate employees and customers as to how and why information is collected from customers and how that information will be used. Most businesses place a privacy statement on their web site to inform the public how they intend to use and manage that information.

Mantrap

This is an area between two interlocking doors in which a person must wait until the first door completely closes before the second door will open to allow access to the building.

Top secret

This is the highest classification of information policy privacy level. Public disclosure of this information would cause grave damage to national security.

Technical team

This job role consists of the system administrators, network administrators, security administrators, and potentially the desktop support team. These individuals require training on the technical solutions that offer security, such as intrusion detection systems, firewalls, and malware protection solutions.

System owner

This job role is responsible for the asset, such as the server, workstation, or device. They should be trained on the value of each type of system and the types of security controls that should be used to protect the asset.

Data owner

This job role is responsible for the data and should be trained on how to protect that data. That includes training the data owner on determining the classification label for the data, determining permissions needed, and determining if encryption should be used.

Privileged user

This job role is someone who has been assigned extra permissions to perform an administrative task. It is important to train these individuals on how to properly perform those tasks, as you do not want them making configuration errors that could create a vulnerability.

Minimum age

This password policy is the minimum number of days that a user must keep their password. This setting prevents employees from changing their password multiple times in order to get the desired password out of the history with the intent of reusing an old password.

Complexity

This password policy setting specifies whether you require a password that has a mix of letters, numbers, and symbols and uses a mix of uppercase and lowercase characters. It is highly recommended to have this enabled within your environment.

Maximum age

This password policy specifies how long an employee is allowed to have a specific password. This value is normally set anywhere from 30 to 60 days, at which time the user must change their password.

Minimum length

This password policy specifies how many characters employees must have in their passwords. The typical minimum is eight characters.

History

This password policy specifies how many past passwords the system should keep track of. The concept here is that employees are not allowed to reuse a password that is in this history. Companies typically set this to 12 or 24 passwords.

Scope

This policy section defines who the policy applies to. You should specify if the policy is to apply to all equipment within the organization.

Definitions

This policy section is where you can add definitions for terms that are used in the policy that the reader of the policy may not know.

Revision history

This policy section lists the date the policy has been changed, who made the change, and maybe who authorized the change. Do not forget to add an entry to the revision history showing the creation date of the policy.

Overview

This policy section should identify what the purpose of the policy is and how it helps secure the environment.

Enforcement

This policy section specifies what happens if employees do not follow the policy. This section is usually a short section specifying that if employees do not adhere to the policy, disciplinary action and maybe even termination of employment could result.

Guideline

This policy type is a recommendation on how to follow security best practices. In the past, the NSA had published on their web site a number of guidelines on security best practices for different types of servers and operating systems. No disciplinary actions result from not following a recommended policy because it is just that - a recommendation.

Procedure

This policy type is also known as a standard operating procedure (SOP). The SOP documents step-by-step procedures showing how to configure a system or device, or step-by-step instructions on how to implement a specific security solution.

Standard

This policy type needs to be followed and typically covers a specific area of security. Failure to follow this policy typically results in disciplinary action such as termination of employment.

Audit

This security policy is an important policy that should specify what types of servers on the network need auditing enabled and what type of activity should be audited. The policy should also specify who is to review the logs and how frequently.

Incident response

This security policy is designed for the security team that will be handling security incidents. The incident response policy specifies what each person on the incident response team is responsible for and how to handle security incidents.

Remote access

This security policy is designed to determine how remote users will gain access to the network, if at all. In this policy, you specify remote access protocols that are required to be used and specific software solutions that the company has tested and approved. You may also specify that the client system must be up to date with patches and antivirus updates.

Physical security

This security policy is designed to specify any of these controls, such as locked doors, fencing, and guards, that should be implemented. It is important to ensure that you control access to servers by placing them in a locked server room.

Firewall

This security policy specifies the company's firewall solution and the types of traffic that are allowed and not allowed to pass through this.

Software

This security policy specifies what software is approved for the business and indicates what software can and cannot be installed on the system. This policy should also specify how a piece of software can be added to the approved list. You also want to ensure you indicate in this policy that software piracy by employees is prohibited.

Backup

This security policy specifies what type of data needs to be backed up and how frequently. Administrators will look to this to determine how they will back up data within the business.

Wireless

This security policy specifies whether wireless networking is allowed to be used within the company. If wireless networking is allowed, this policy specifies the security controls that should be put in place.

Virus protection

This security policy specifies which devices and systems require AV software installed. It also specifies what settings should be configured within the AV software.

Password

This security policy that affects users is an important policy to both users and administrators. Note that it affects the administrators as well because it dictates to the administrators which password restrictions and requirements to configure on the servers. The following outlines some of the considerations that should go into this: minimum length, history, maximum age, minimum age, and complexity.

Separation of duties

This security-related HR policy is the concept that critical job functions should be divided into multiple tasks with a different employee performing each of the different tasks.

Least privilege

This security-related HR policy is to ensure that employees are always assigned the minimal permissions or privileges needed to perform their job function and nothing more.

Security control

This term is used to identify any mechanism that is used to protect an asset within the organization.

Friendly

This termination policy typically involves an employee leaving the company on good terms and normally for noncompetitive reasons. With this policy, the termination policy should specify that HR hosts an exit interview and documents the reasons for the employee leaving the company. More importantly, HR needs to remind the employee of the NDA they signed when joining the company and inform them that they still need to adhere to the agreement even though they will no longer be working for the company. HR should be sure to collect any pass cards and keys from the employee and instruct the network team to disable their accounts after they have left the company.

Mobile devices

This topic of the AUP should cover any rules surrounding the types of these that can be used for corporate e-mail and phone calls. Also specify how much personal use is allowed with this and what to do if this is stolen. Lastly, you may want to specify what features of this are to be enabled or disabled.

Social media

This topic of the AUP should cover rules surrounding what type of content the employee is allowed or not allowed to share or comment on.

Laptops

This topic of the AUP should cover rules such as locking this in the trunk of the car if it is left in the car - these are not to be left in plain view. Also specify whether the content on this should be encrypted and whether the user can connect this to non-work networks.

E-mail

This topic of the AUP should cover the fact that this is for business use, with minimal personal use allowed. Also specify in the policy what the company rules are surrounding the topic of forwarding chain letters, and specify that harassment cannot be sent from these business accounts.

Internet

This topic of the AUP typically covers rules such as prohibiting inappropriate content. You may also want to state whether this should be used for only business purposes and what the company's tolerance is for use of social networking sites during business hours.

Data handling

Users should be educated on this secure user habit. Data that is stored on a removable drive should be stored in an encrypted format so that if the removable media falls into the wrong hands, the data is protected. Policies should be in place as to what types of removable media are allowed in the business and what types of information are allowed to be stored on that media. You must ensure that users review the policy and understand the terms for such media. Be sure to educate your users on the proper destruction of data. Educate the users that simply deleting the files off the drive does not remove the data from the disk and that employees must follow the secure disposal of equipment policy to get rid of any devices. Educate your users on proper destruction of hard copies of data (paper-based printouts), and ensure that there is a shredder available to all users to shred sensitive hard-copy documents when they are no longer needed. Some companies may pay for a shredding service where the company puts all papers to be shredded in a secured shredding bin. The shredding company comes on site and shreds the material onsite - employees just need to place sensitive documents in the shredding bin. Educate the users on the fact that hackers will dumpster dive, meaning they will go through the garbage to try to find sensitive information, which is why documents need to be shredded.

Password behavior

When it comes to this user habit, educate your users on the importance of having strong passwords and the fact that a strong password has at least eight characters, a mix of upper- and lowercase characters, and numbers and/or symbols. Ensure that users are not using easy-to-guess passwords or writing the passwords down anywhere. This point should be clearly specified in the password policy. Also ensure that users are not sharing their passwords with others, and that they are changing their passwords on a regular basis to help prevent a hacked account from being used for a long period. Finally, users should not be using the same password they use for other user accounts because if someone hacks the password for one of the accounts then the hacker can get into all the accounts. This applies to accounts used to log onto web sites. Don't have the same password for your bank account, Hotmail account, and Facebook account, as a cracked password means the hacker can get into all of these.

Awareness of policy

When training all personnel in the organization, make sure that you educate everyone on topics that will reduce the likelihood of a security event occurring. Educate employees, technical teams, and management on the purpose of the security policy and the types of rules that are contained in the security policy. Ensure that you educate the employees on what PII is, and give examples of PII that your company stores so that employees know to not give out that information and can focus on securing the information. Educate all employees on your information classification system and about data labeling. As mentioned earlier in the chapter, a data label is the classification label, such as top secret, that is assigned to information. Ensure that employees know the different clearance levels that can access different data labels. You also want to make sure you spend time educating employees on the secure disposal of drives and erasing configuration from old equipment. Ensure that employees understand the importance of complying with laws and regulations within the company's industry.

User habits

When training employees on security best practices, you should focus on a number of areas. This section identifies some common points that you want to educate your users on.

Intranet site

You can have resources on this delivery method such as documents describing security best practices.

Delivery methods

You can use a number of different methods to deliver the awareness training to your employees. You can use any of the following methods or a combination of methods for continuing education within your organization: seminars, lunch-and-learn sessions, CBT, an intranet site, and videos on demand.

High/medium/low

Your company may use an internal classification of information policy privacy system to rate the security risk if the information is exposed to the public.

Personally owned devices

You should ensure that your security policy and AUP cover the company's policy surrounding the usage of these devices for business use or within the company's network and facility. This is known as a BYOD policy. The security best practice is to not allow usage of these because the company has no right to search or monitor activity if the device is not owned by the company. For this reason, it is safest to simply state that none of these devices are allowed for work-related purposes.

Management

You will take a totally different approach with this job role. Members of this role typically are more concerned about why things are done than how things are done. When raising security awareness to them, focus on why they should support the security initiatives being proposed by giving them examples of past occurrences where businesses have lost huge amounts of money and/or suffered loss of reputation due to security incidents. Also, research whether any laws and regulations require the organization to make an effort to protect its assets and include your findings in the training, or find and present past cases where an organization has been held legally accountable for not implementing appropriate security measures to protect its assets. Another good idea would be to find cases where insurance companies have denied coverage based on violations of the insurance policy requirements that a company make reasonable efforts to secure its assets. These are all examples of the type of information that would grab the attention of management in a security awareness seminar geared toward management.

General training and role-based training

Your first major decision when designing a security training program is to identify which content is appropriate to present to the different employee roles or departments within the organization. Because security is such a critical concept and an area where you want to captivate your audience during the training and awareness seminars, you want to make sure that you keep the training relevant to the audience and based on job roles. The following is a basic outline on what should be explained to different job roles or types of employees in the organization: business users, technical team, management, data owner, system owner, and privileged user. In addition to receiving security training for their specific job role, all employees should go through an onboarding process where they are properly trained for their specific job in such a way that enables them to be effective employees right after the onboard training.
