Sunday, October 7, 2012

Reasons for Security Awareness!


This week we were studying the reasons for having a good security awareness within our organization.
According to a writer at Native Intelligence Inc., awareness isn't just a good idea, it's the law.

Laws requiring security and privacy awareness or training programs apply to:

• The Federal Government (Federal Information System Security Managers' Act)
• The health care industry (Health Insurance Portability and Accountability Act)
• Financial institutions (Gramm-Leach-Bliley Act and Sarbanes-Oxley Act)
• Publicly-traded companies (Sarbanes-Oxley Act)

The Federal Information System Security Managers' Act (FISMA) requires government agencies to report on their security awareness and training efforts annually. (Unknown, 2010)

NIST SP 800-53, Recommended Security Controls for Federal Information Systems, addresses controls that Federal organizations are required to implement for unclassified information systems. One of those controls is "security awareness training." (Unknown, 2010)

National Institute of Standards and Technology (NIST) SP 800-53 also says that the awareness program must comply with 5 Code of Federal Regulations (C.F.R.) Part 930.301 and NIST SP 800-50, Building an Information Technology Security Awareness and Training Program. (Unknown, 2010)

5 C.F.R. Part 930.301 states that everyone must receive initial awareness training before accessing systems and refresher training at least annually. It defines 5 specific roles that must receive awareness training:

1. All users — security basics
2. Executives — security basics and policy level training in security planning and management
3. Program and functional managers — security basics and management and implementation level training in security planning and system/application security management, system/application life cycle management, risk management, and contingency planning.
4. Chief Information Officers (CIOs), IT security program managers, auditors, and other security-oriented personnel (e.g., system and network administrators, and system/application security officers) — security basics and broad training in security planning, system and application security management, system/application life cycle management, risk management, and contingency planning.
5. IT function management and operations personnel — security basics; management and implementation level training in security planning and system/application security management, system/application life cycle management, risk management, and contingency planning.

As we all know from our research and reading, the biggest risk to an information system is easily the personnel working for the organization. The consistent need to keep our people trained in good security practices is becoming an increasing trend. The easiest way for threat agents to exploit our systems is to find the gaps in our practices.

Cited:
Unknown. (2010). Glenelg, MD: Native Intelligence, Inc. Information Security Awareness Courses, Posters, Daily Tips. Retrieved from http://www.nativeintelligence.com/ni-programs/whyaware.asp

1 comment:

  1. This is the excellent post which I have seen and it helped me a lot. Thanks for sharing it!!
    it security awareness course