Security awareness training
You're really only as secure as your users make you. If they don't understand the security measures you have put in place and don't adhere to them, your security will suffer. Training is really the only way to ensure that users are part of the security solution, rather than the problem.
This excerpt from
Users are typically not aware of security ramifications caused by certain actions. People who use computer networks as a tool to get their job done want to perform their job functions as efficiently as possible -- and security measures often are more of a nuisance than a help. It is imperative for every corporation to provide employees with adequate training to educate them about the many problems and ramifications of security-related issues.
The security training should be provided to all personnel who design, implement or maintain network systems. This training should include information regarding the types of security and internal control techniques that should be incorporated into the network system development, operations and maintenance aspects.
Individuals assigned responsibilities for network security should be provided with in-depth training regarding the following issues:
- Security techniques
- Methodologies for evaluating threats and vulnerabilities
- Selection criteria and implementation of controls
- The importance of what is at risk if security is not maintained
For large corporate networks, it is good practice to have a LAN administrator for each LAN that connects to the corporate backbone. These LAN administrators can be the focal point for disseminating information regarding activities affecting the LAN.
Rules to abide by typically should exist before connecting a LAN to the corporate backbone. Some of these rules are as follows:
- Provide documentation on network infrastructure layout
- Provide controlled software downloads
- Provide adequate user training
Training is also necessary for personnel in charge of giving out passwords. This personnel should ensure that proper credentials are shown before reinstating a "forgotten" password. There have been many publicized incidents in which people received new passwords simply by acting aggravated enough but without presenting adequate credentials. Giving out passwords in this fashion can have serious-enough ramifications that the person who bypasses known regulations should be terminated.
Read more of this article at InformIT. Registration is required, but it is free.
This was first published in November 2001