By: Khaled Alateeq
Learning Objectives
What is SETA? What are its purposes?
Security Education
Security Training
Security Awareness
Define security education, training and awareness
List situations where each strategy is appropriate
Identify how organizations can use each strategy to mitigate threats to information security
SETA is an acronym, for Security Education, Training, and Awareness
It targets all users in an organization with specific programs for their jobs and level of technical expertise
The SETA program is generally the responsibility of the Governance And Privacy Dept.
SETA holds employees accountable for their actions by communicating policy to all users
Builds an in-depth knowledge base to design, implement, or operate security programs for organizations and systems
Develops skills and knowledge so that users can perform their jobs using IT systems more securely
Improves awareness of the need to protect system resources
Security Awareness is the most basic level of SETA
Used for employees who are new or unskilled
Gets employees to focus on security
Least common, but extremely effective
Get the word out with mugs, t-shirts, posters, banners, conferences, newsletters, and bulletin boards to reach employees
An example of a Security Awareness topic: "Virus Protection"
What would the session cover?
How does this benefit all users?
Focus on people both as a part of the problem and as part of the solution.
Refrain from using technical jargon; speak the language the users understand.
Use every available venue to access all users.
Define at least one key learning objective, state it clearly, and provide sufficient detail and coverage to reinforce the learning of it.
Keep things light; refrain from "preaching" to users.
Don't overload the users with too much detail or too great a volume of information.
Help users understand their roles in information security and how a breach in that security can affect their jobs.
Take advantage of in-house communications media to deliver messages.
Make the awareness program formal; plan and document all actions.
Provide good information early, rather than perfect information late.
Security Training is the intermediate level of SETA
According to NIST SP 800-16:
Federal agencies and organizations cannot protect the integrity, confidentiality, and availability of information in today's highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them.
Provides detailed information and hands-on instruction
Teach users what to do and how to do it
Employees are divided into general users, technical users, and managerial users at beginner, intermediate, and advanced levels
General users are trained in the policies of the organization such as security practices, password management, violation reporting, and access controls. It is best to do this when they are first hired.
Managerial users should be trained in smaller groups to facilitate discussion.
Technical users are trained more in-depth than general and managerial users. This is often outsourced because of the high level of expertise required. Technical users are often separated according to job category, job function, and technology product.
Effective training programs are crucial to the success of an organization
Wrong training methods can lead to unnecessary expense and to frustrated, poorly trained employees
Good training methods, regardless of delivery method, take advantage of the latest learning technologies and best practices.
Training delivery methods:
One-on-One Method
Formal Class
Computer-Based Training
Distance Learning / Web Seminars
User Support Groups
On-the-Job Training
Self-Study
Depending on the training delivery method chosen, a dedicated training staff may be required.
They should continually provide specific, effective training programs for an organization's employees.
Staff must assess organizational needs, plan effective programs, implement these programs, and evaluate their effectiveness.
Step One: Identify the program's scope, goals, and objectives
Step Two: Identify the training staff
Step Three: Identify the audience
Step Four: Motivation
Step Five: Administer the security training
Steps Six and Seven: Listen to employee feedback, and evolve the program to increase its effectiveness
Security Education is the highest level of SETA
Used for employees in highly technical or skilled positions that demand greater information security
Having a good Information Security Program is not enough.
SETA is crucial to a successful information security program in an organization.
Helps minimize loss of information assets and holds employees accountable for breaking policies.