Home > Articles

This chapter is from the book

This chapter is from the book

Security Awareness Training

Know what is required for Security Awareness Training.

The importance of security awareness training and education cannot be overstated. By taking the policy, standards, and procedures and teaching all the stakeholders about their roles in maintaining the security environment, they will embrace the policy as an integral part of their jobs. This is not easy. One problem is that over the last decade, the commitment to security by industry-leading companies has been viewed as lacking. The results are products that have insufficient security measures being installed into environments that further weaken the information security program. The dichotomy can be confusing.

Security awareness training requires clear communication. One thing you might consider for your organization is hiring a technically competent communicator for the security department. This person would do the training, educate the department to the concerns of its users, and act as a liaison between users and the department. Having someone who can communicate helps raise the confidence level users should have for the department.

Mandating that training be required for anyone with access to an organization's information assets is reasonable. Human resources should have complete records, including information on training courses required and taken as well as all signed documents showing acceptance of defined corporate policies.

Management should not only set aside time for training, but also encourage it. One company I was involved with mandated training during specific time periods, and unless employees were involved with a client or were ill, they were required to attend. This policy allowed the employee to be suspended without pay until she attended the course or watched it on videotape. You might not want to go to this extreme, but it is a good way to get 100% compliance.

Understanding the management role of information security means understanding how the information security process interfaces with the rest of the organization. It is not enough to just set policies—security is a process that must be molded into the business process to support its functions. Management must support these processes with commitment and training.

Understanding what is to be protected is an important beginning of the management process. A risk analysis is used to determine the information assets that need to be protected and how they can be best protected. The risk analysis takes into consideration the costs of the assets to determine not only the countermeasures, but also whether the assets are worth protecting.

Using this information, policies, guidelines, standards, and procedures can be created to reach the security goals. Policies can be described as the goals of the information security program. Guidelines are suggestions, and standards are the specific security mechanisms that can be used. Procedures use the guidelines and standards to implement the policies.

Access methods and protection mechanisms are used to manage the access and movement of data. A typical access method paradigm is to set the roles and responsibilities for access to the data. Protection mechanisms are used to compartmentalize access to data and processes. Layers are used to prevent unauthorized access to protected resources and data, whereas abstraction and data hiding are used to protect data.

Knowing who your users are is as important as setting their access rights to information assets. Employment policies enforce background checks during the hiring process to prevent hiring those who might be security risks. They can also set termination procedures to prevent the terminated user from destroying systems and data out of malice.

Change control and configuration management can be used to prevent unauthorized changes to the network. Change control policies can be used to maintain the configuration of all information assets to prevent them from being used to attack your organization.

The only way to really demonstrate management support of the policies and procedures is to require and support security awareness training. Through training, users come to understand their roles and responsibilities in the security environment. Training is the only way for the users to understand their responsibilities.

Chapter Summary

KEY TERMS

  • Abstraction

  • Access control

  • Accountability

  • Annualized loss expectancy

  • Annualized rate of occurrence

  • Asset valuation

  • Audit

  • Authentication

  • Authorization

  • Availability

  • Awareness training

  • Baselines

  • Change control

  • Confidentiality

  • Configuration management

  • Countermeasures

  • Cryptographic keys

  • Data classification

  • Data hiding

  • Encryption

  • Exposure factor

  • Guidelines

  • Identification

  • Incident response

  • Integrity

  • Layering

  • Nonrepudiation

  • Password

  • Policies

  • Procedures

  • Responsibilities

  • Revision control

  • Risk analysis

  • Risk management

  • Roles

  • Single loss expectancy

  • Tokens

Apply Your KnowledgeExercises

3.1 Making Information Security Management Decisions

A good way to understand the management responsibilities of information security is to look at an aspect of a risk assessment and determine the best course of action. The following questions are designed to lead you down the decision path.

Estimated Time: 30–45 minutes

  1. Your organization uses a dial-in terminal service to support customer service. The system consists of 21 inbound telephone lines and 3 outgoing lines. When calculating the risk because of an outage, the annualized loss expectancy (ALE) is $350,000. As a countermeasure, it has been decided to look into installing another telephone circuit and modem bank. The cost for this new installation is estimated to be $350,000, but it will lower the ALE to $25,000. Is this a cost-effective countermeasure? Why?

  2. For the previous question, which policy statement(s) should be written to support your decision?

  3. Which policy statement(s) could be written that would cover the usage of the outbound modems?

  4. How would you ensure that everyone knows and follows these policies, aside from awareness training?

Review Questions

  1. What are information security's fundamental principles?

  2. What is the method for a system to know who is accessing its resources?

  3. What is nonrepudiation?

  4. What is the purpose of performing a risk analysis?

  5. What are the categories of risks that are looked at during a risk analysis?

  6. How are information security procedures formed?

  7. The Bell-LaPadula security model uses what mechanism to protect system resources?

  8. What is the difference between synchronous and asynchronous encryption technologies?

  9. What is the purpose of classifying data?

  10. In the context of information security, why would an organization do a background check and have an employee sign an employment agreement?

Exam Questions

  1. How do you calculate the annualized loss expectancy of a particular risk?

    1. SLE x ARO

    2. Cost of asset – Cost of Safeguard

    3. Asset value x EF

    4. EF x ARO

  2. What is an information security policy?

    1. Guidelines used to define a security program

    2. Procedures for configuring firewalls

    3. Management's statements outlining its security goals

    4. Risk management procedures

  3. A security program is a balance of what?

    1. Risks and countermeasures

    2. Access controls and physical controls

    3. Firewalls and intrusion detection

    4. Technical and nontechnical roles

  4. Which statement is true when considering the information security objectives that the military would use versus the objectives used for commercial systems?

    1. A military system requires higher security because the risks are greater.

    2. Military systems base their controls on confidentiality, whereas commercial systems are based on availability and data integrity.

    3. Only the military can make systems really secure.

    4. Military systems base their controls on availability and data integrity, whereas commercial systems are based on confidentiality.

  5. What does a risk analysis show management?

    1. The amount of money that could be lost if security measures are not implemented

    2. How much a countermeasure will cost

    3. The cost benefit of implementing a countermeasure

    4. The amount of money that can be saved if security is implemented

  6. Who has the responsibility to determine the classification level for information?

    1. Users

    2. Management

    3. Data owners

    4. Security administrators

  7. Why should the team performing a risk analysis be formed with representatives from all departments?

    1. To ensure everyone is involved.

    2. To ensure that all the risk used in the analysis is as representative as possible.

    3. The risk analysis should be performed by an outside group and not by biased insiders.

    4. To hold those accountable for causing the risk.

  8. Which of the following is not a basic principle of authentication?

    1. What the entity knows

    2. Where the entity is

    3. Who the entity is

    4. What the entity may have

  9. What is the purpose of designing a system using the Bell-LaPadula model?

    1. To hide data from other layers

    2. To manage data and methods as objects

    3. To convert data to something that cannot be read

    4. To separate resources of a system into security zones

  10. Managing an information security program is a matter of using the following principles except which one?

    1. Accountability

    2. Integrity

    3. Confidentiality

    4. Availability

Answers to Review Questions

  1. Confidentiality, integrity, and accountability. For more information, see the section "CIA: Information Security's Fundamental Principles."

  2. Identification and authentication is the method that associates that the object (user, process, and so on) is the entity it claims to be. See the section "Identification and Authentication" for more information.

  3. Nonrepudiation is the ability to ensure that the originator of a communication or message is the true sender by guaranteeing authenticity of its digital signature. For more information, see the section "Nonrepudiation."

  4. The purpose of a risk analysis is to assess and quantify damage to information assets and to help justify appropriate safeguards. This was described in the section "Risk Management and Analysis."

  5. The risk categories are damage resulting in physical loss of an asset or the inability to access the asset, disclosure of critical information, and losses that may be permanent or temporary. This was discussed in the section "Risk Management and Analysis."

  6. Procedures are formed from guidelines and standards to implement the stated policies. For more information, see the "Policies, Standards, Guidelines, and Procedures" section.

  7. The Bell-LaPadula model uses layering to separate resources into security zones. This was discussed in the "Layering" section.

  8. Synchronous encryption uses the same key to encrypt and decrypt a message. Asynchronous, or public key, encryption uses two keys: The public key of the user who is to read the message is used to encrypt that message, and the private key is used by the recipient to decrypt the message. More information can be found in the "Encryption" section.

  9. Classifying data is supposed to tell you how the data is to be protected. The section "Classifying Data" explains this further.

  10. Background checks and employee agreements are tools used to prevent insider attacks. This was discussed in the "Employment Policies and Practices" section.

Answers to Exam Questions

  1. A. Answer A is the correct answer because the calculation for the annualized loss expectancy (ALE) is the single loss expectancy (SLE) times the annual rate of occurrence (ARO). Answers B and D are not correct and do not calculate anything worthwhile for a risk analysis. Answer C calculates the SLE value. See the "Asset Valuation" section for more information.

  2. C. Answer C is the correct answer because policies are used to describe how an organization wants to protect information assets. Answer A is wrong because guidelines are derived from the policies. Answer B is a procedure that would support a policy. Answer D is wrong because risk management is a component in creating the policy and does not define them. See the "Policies, Standards, Guidelines, and Procedures" section for more information.

  3. D. Answer D is correct because, as the entire chapter shows, security has both components, including physical and personnel security. Answer A is incorrect because it describes only the risk analysis process. Answer B is incorrect because it is focused on two areas of a security program. Answer C is wrong because it concentrates only on network controls.

  4. B. Answer A is wrong because the risks can be similar and even greater for some commercial systems. Answer C is wrong because there are plenty of commercial systems that are secure, and answer D is the reverse of the correct answer. See the "Classifying Data" section for more information.

  5. A. Answers B and C are wrong because they are parts of the risk analysis. Answer D is wrong because it is what the analysis demonstrates, which is only part of the story. See the "Risk Analysis" section for more information.

  6. C. Answer A is wrong because the users are the ones for which the protections are being instituted. Answers B and D are wrong because they do not have the custodial responsibility to understand how data should be accessed. See the "Classifying Data" section for more information.

  7. B. Answer A is a nice idea but not the reason to include all departments. Answer C is wrong because, even if outsiders were used, which was discussed as an option, the insiders would have to provide input into their departments' risks. Answer D is an interesting concept, but not everyone is involved in risks. See the "Risk Analysis" section for more information.

  8. B. Answers A, C, and D are all principles of authentication. Identifying the location can be helpful but is not one of the basic principles. See "Identification and Authentication" section for more information.

  9. D. Answer A is wrong because it is the purpose of data hiding. Answer B is wrong because it is a principle of abstraction, and answer C is wrong because it is the principle of encryption. See "Understanding Protection Mechanisms" section for more information.

  10. A. Answers B, C, and, D are the basic C.I.A. principles. See the "Defining Security Principles" section for more information.

Suggested Readings and Resources

  1. Barman, Scott. Writing Information Security Policies. New Riders Publishing, 2001.

  2. Nichols, Randall K., and Julie J. Ryan. Defending Your Digital Assets Against Hackers, Crackers, Spies, and Thieves. McGraw-Hill Professional Publishing, 2000.

  3. Peltier, Thomas R. Information Security Risk Analysis. Auerbach Publications, 2001.

  4. ftp://ftp.isi.edu/in-notes/rfc2196.txt (RFC 2196, "Site Security Handbook").

  5. ftp://ftp.isi.edu/in-notes/rfc2504.txt (RFC 2504, "Users' Security Handbook").

  6. ftp://ftp.isi.edu/in-notes/rfc2828.txt (RFC 2828, "Internet Security Glossary").

  7. ftp://ftp.isi.edu/in-notes/rfc3013.txt (RFC 3013, "Recommended Internet Service Provider Security Services and Procedures").

  8. http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF (NIST SP 800-18 is a security standard used by civilian agencies).

  9. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf (NIST SP 800-30, "Risk Management Guide for Information Technology Systems").

  10. http://rr.sans.org (The SANS Institute Reading Room has several individual articles that focus on many areas of information security management).

  11. http://www.rfceditor.org (The Internet Engineering Task Force's relevant requests for comments [RFCs] are available from the RFC Editor).

  12. http://www.whitehouse.gov/omb/circulars/a130/a130appendix_iii.html (OMB Circular A-130 Appendix III).

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020