This snapshot taken on 05/09/2007, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.

Cabinet Office


Information Assurance Governance Framework

Awareness, Education and Training

Introduction

‘The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education’ – Kevin Mitnick

‘Always remember: amateurs hack systems, professionals hack people’ – Bruce Schneier
(Reproduced from IWS web site)

CESG undertook research on behalf of the Cabinet Office in June 2004 to gain a better understanding of current levels of awareness of IA in government.

One of the key issues identified was the low or inconsistent level of IA awareness, which was proving a major obstacle for DSOs and for those involved in implementing IA policy and the ISO/IEC 17799 standard within government.

Terminology

Education is the process of raising security awareness amongst a general population of users.

Training refers to the development of relevant skills and knowledge in staff with specific IA responsibilities, such as ITSOs. There are two levels of training: one relating to roles where the security aspects are incidental (such as a System Manager); and the second relating to roles where security is the primary responsibility.

Principles of Governance

ISO/IEC 17799
ISO/IEC 17799 identifies user security training and education as key issues in ensuring IA.

ITPC
The Infosec Training Paths and Competencies Scheme (ITPC) has been developed for information security professionals who manage protectively marked information in departments and their Agencies, their accredited contractors and public sector bodies such as police forces.

The ITPC Scheme develops and supports Infosec Core Competency Profiles for key security roles within UK government and related sectors. It also manages a formal practitioner qualification and quality assures development paths assembled from leading training providers in the UK public and private sectors. Further information on this scheme is available from the Serious about Infosec website [External website].

There are other widely recognised qualifications, e.g. the Certified Information Systems Security Professional (CISSP) [External website], although, in contrast to ITPC, not all are competency based. It should be noted that there is an increasing focus on professionalisation of the Information Assurance industry, and an Institute for Information Security Professionals is being launched in January 2006 with the support of academia, industry and Government.

Education

Principles
Security education programmes must encompass an entry ‘gate’ whereby a minimum level of security awareness is provided to all staff prior to commencing work. This should apply irrespective of whether or not the staff are in IT roles, i.e. it should address information security rather than IT security.

The induction element must address as a minimum:

Security education must be based on a target of 100% coverage, including contractors and temporary staff.

The programme must include an element of ‘refresher’ courses to ensure that coverage remains complete, and that knowledge remains current.

The programme should be aimed at instilling a security culture across the organisation rather than simply providing information. This can only be achieved by considering security in the context of the existing organisational culture: for example, in a growing organisation it may be more effective to present security as a potential threat to the future of the business, and therefore a responsibility shared in part by all, whereas this approach may be less effective in a business that is growing relatively slowly.

Measurement of effectiveness
Security education programmes must be associated with an effectiveness measurement scale based on key indicators, with agreed target levels for effectiveness. The key indicators should preferably be based on organisational measures such as behaviour rather than on security measures such as incident counts.

Sources of advice
The Security Matters website [External website], maintained by the Cabinet Office, aims to inform civil servants at all levels of key security issues, and to raise awareness of security issues within Central Government.

The IWS web site, referenced in the introduction to this section, provides general articles and information on tools for security education.

For companies with List X sites, security awareness material is available from NSAC.

Training

Principles
Security training must be based on the results of a training needs analysis, to ensure that the right people are provided with the right skills.

The effectiveness of training should be assessed on an ongoing basis, through participant feedback.

Security training should aim to ensure that employees with specific security responsibilities:
