
Creating training and awareness programs


Issuing an information security policy pamphlet or directing employees to an intranet page that details security policies will not, by itself, mitigate your risk. Every business must not only define the rules with written policies, but must make the extra effort to direct everyone who works with corporate information or computer systems to learn and follow the rules. Furthermore, you must ensure that everyone understands the reason behind each policy so that people don't circumvent the rule as a matter of convenience. Otherwise, ignorance will always be the worker's excuse, and the precise vulnerability that social engineers will exploit.

 

The central goal of any security awareness program is to influence people to change their behavior and attitudes by motivating every employee to want to chip in and do his part to protect the organization's information assets. A great motivator in this instance is to explain how their participation will benefit not just the company, but the individual employees as well. Since the company retains certain private information about every worker, when employees do their part to protect information or information systems, they are actually protecting their own information, too.

 

A security training program requires substantial support. The training effort needs to reach every person who has access to sensitive information or corporate computer systems, must be ongoing, and must be continuously revised to update personnel on new threats and vulnerabilities. Employees must see that senior management is fully committed to the program. That commitment must be real, not just a rubber-stamped "We give our blessings" memo. And the program must be backed up with sufficient resources to develop, communicate, and test it, and to measure success.

 

Goals

The basic guideline that should be kept in mind during development of an information security training and awareness program is that the program needs to focus on creating in all employees an awareness that their company might be under attack at any time. They must learn that each employee plays a role in defending against any attempt to gain entry to computer systems or to steal sensitive data.

 

Because many aspects of information security involve technology, it's too easy for employees to think that the problem is being handled by firewalls and other security technologies. A primary goal of training should be to create awareness in each employee that they are the front line needed to protect the overall security of the organization.

 

Security training must have a significantly greater aim than simply imparting rules. The training program designer must recognize the strong temptation on the part of employees, under pressure of getting their jobs done, to overlook or ignore their security responsibilities. Knowledge about the tactics of social engineering and how to defend against the attacks is important, but it will only be of value if the training is designed to focus heavily on motivating employees to use the knowledge.

 

The company can count the program as meeting its bottom-line goal if everyone completing the training is thoroughly convinced and motivated by one basic notion: that information security is part of his or her job.

 

Employees must come to appreciate and accept that the threat of social engineering attacks is real, and that a serious loss of sensitive corporate information could endanger the company as well as their own personal information and jobs. In a sense, being careless about information security at work is equivalent to being careless with one's ATM PIN or credit card number. This can be a compelling analogy for building enthusiasm for security practices.

 





Page last modified: 2020-11-11
