Army Skillport Tips, Tricks & Cheats. 26 September 2013 By: Megan H.

The Army Skillport system is one of the easiest and fastest ways to get Army promotion points. If you have already registered for Army Skillport E.

Information Assurance Training Center.

Lesson Overview/Objectives: One of the duties of the IASO is to ensure that all personnel associated with an IS receive system-specific and general awareness security training (see AR 25-2). In this lesson you will learn about the information assurance training that is required for all personnel associated with an IS:
- IA training and certification.
- IA situation and awareness briefing.
- Information Assurance Workforce Improvement Program.
- Information Assurance Training and Certification Best Business Practice (BBP).

Why Information Assurance Training and Certification?

People are a crucial factor in ensuring the security of computer systems and valuable information resources. Human actions account for a far greater degree of computer-related loss than all other sources combined. Of such losses, the actions of an organization's insiders normally cause far more harm than the actions of outsiders. The major causes of loss due to an organization's own employees are errors and omissions, fraud, and actions by disgruntled employees. One principal purpose of security awareness, training, and education is to reduce errors and omissions. It can also reduce fraud and unauthorized activity by disgruntled employees by increasing employees' knowledge of their accountability and of the penalties associated with such actions. In this lesson we will examine three documents that seek to address these problems.
Sources of training material.

A good place to start is the References and Web Resources page. Your unit's procedures and policy publications are another good source. You will find that your unit's IS accreditation documents and contingency plans have a wealth of material. This course also provides much useful information.

Information Assurance Training.

AR 25-2, para 4-3. AR 25-2 directs that all personnel associated with an IS undergo annual information assurance awareness training. This training is required for managers, designers, developers, maintainers, operators, and users.

Appropriate awareness for management officials might stress management's pivotal role in establishing organizational attitudes toward security. Appropriate awareness for other groups, such as system programmers or information analysts, should address the need for security as it relates to their job. In today's systems environment, almost everyone in an organization may have access to system resources and therefore has the potential to cause harm. Awareness is used to reinforce the fact that security supports the mission of the organization by protecting valuable resources. If employees view security as just bothersome rules and procedures, they are more likely to ignore them. They may also fail to make needed suggestions about improving security, or fail to recognize and report security threats and vulnerabilities. Awareness is also used to remind people of basic security practices, such as logging off a computer system or locking doors. A security awareness program can use many teaching methods, including videotapes, newsletters, posters, bulletin boards, flyers, demonstrations, briefings, short reminder notices at logon, talks, and lectures.
Even electronic mail messages with tips and reminders have a noticeable impact. Today, some units use web pages to make their users more aware of security. An IASO may have other mission-critical duties, making it difficult to conduct formal training. Although formal training is always best, it may not always be possible or practical. One technique is to develop a training/policy guide that users can read (and sign). Awareness is often incorporated into basic security training. Effective security awareness programs need to be designed with the recognition that people tend to tune out (a process also known as acclimation). For example, after a while a security poster, no matter how well designed, will be ignored; it will simply blend into the environment. For this reason, awareness techniques should be creative and changed frequently.

The initial security awareness briefing can consist of training material governing IA in general, but it must be tailored to the system the employees will be managing or using. Knowledge of the threat environment allows system managers to implement the most cost-effective security measures. Under this portion of the initial briefing, specific information regarding measures to reduce the threat from malicious software must be provided, including prohibitions on loading unauthorized software, the need for frequent backups, and the requirement to report abnormal program behavior immediately. A good place to obtain material for training on the threats, vulnerabilities, and risks associated with your IS is the risk assessment and risk management review.

Information security objectives.

What is it that needs to be protected? Information security objectives should be based on system functional or mission requirements, but they should clearly state the security actions required of users to support the overall mission.

Responsibilities and accountability associated with system security.
Generally, the overall goal of an IA training program is to sustain an appropriate level of protection for computer resources by increasing employees' awareness of their computer security responsibilities and of the ways to fulfill them. Both the dissemination and the enforcement of policy are critical issues that are implemented and strengthened through training programs. Employees cannot be expected to demonstrate accountability and to follow policies and procedures of which they are unaware. In addition, enforcing penalties may be difficult if users can claim ignorance when caught doing something wrong. Training employees is also necessary to show that a standard of due care has been taken in protecting information. Simply issuing policy, with no follow-up to implement it, does not suffice. Many organizations use acknowledgment statements in which employees affirm that they have read and understand the computer security requirements. This includes accessibility, handling, and storage considerations. It is important to realize that computer security policies are often extensions of an organization's information security policies for handling information in other forms (e. In addition to the automation security SOP in the accreditation documentation, a sound basis for training in computer information security is your unit's published information security policies and procedures.

Physical and environmental considerations necessary to protect the system.

Cover physical access controls that restrict the entry and exit of personnel (and often equipment and media) to and from an area, such as an office building, suite, data center, or room containing a LAN server. Physical security training should include controlled areas and the screening measures at each entry point.
In addition, staff members who work in a restricted area should be trained to challenge people they do not recognize, and on the extent to which strangers are to be challenged. Training users to care for environmental security is crucial. Training should address care of the electrical equipment used to connect elements of the system, the electric power service, the air conditioning and heating plant, telephone and data lines, backup media and source documents, and any other elements required for the system's operation. Building fires are a particularly important security threat because of the potential for complete destruction of hardware and data, the risk to human life, and the pervasiveness of the damage. Train on smoke and corrosive gases, ignition sources, fuel sources, fire detection, extinguishment, individual responsibilities, exit routes, and so on.

System data and access controls.

This includes what users (or user groups) can or cannot do with system resources. This topic deals with the software that is authorized to be executed or loaded on computer systems, as well as the management of hardware and peripherals. If change is not managed, system security can be adversely affected over time. Remind users of their obligations to protect unit-owned and licensed software from damage and loss, as well as from unauthorized use and duplication. Users should be reminded that personal software cannot be used without first having it checked and approved according to regulations and your unit's policies. This also includes the reporting of incidents, intrusions, malicious logic, viruses, and abnormal program or system responses to the servicing RCERT.

Periodic security training and awareness.

In accordance with AR 25-2, personnel associated with an IS are required to have refresher training annually. There are many methods that can be used for periodic and follow-up training. They can be as sophisticated as computer-based training or as simple as memorandums and electronic mail messages.
Periodic training may include various combinations of the following:
- Self-paced or formal instruction
- Security education bulletins
- Security posters
- Training films and tapes
- Computer-aided instruction
- DoD-sponsored IA workshops

Since various laws, directives, and regulations require information assurance training, it is good practice to maintain records of training, such as rosters and correspondence, for inspection purposes. The IAM, managers, and commanders also have a responsibility to ensure that IA training is conducted, and they may inspect the documentation.

Information Assurance Workforce Improvement Program.

DoD 8570.01-M is a manual which implements DoD Directive 8570.
- Authorized user risk from social engineering.
- Common methods to protect critical system information and procedures.
- Principles of shared risk in networked systems (i.
- Risks associated with remote access (e.
- Legal requirements regarding privacy issues, such as email status (see DoD Directive 1. 00.
- Knowledge of malicious code (e.
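The records the lesson says to keep for inspection (training rosters and signed acknowledgment statements) are much easier to defend if the annual refresher requirement is checked mechanically rather than by eyeballing a spreadsheet. The script below is an added example written for this page; it is not part of the lesson, of Skillport, or of any Army system. The roster entries are constructed, the record field names are assumed, and the 30-day reminder window is an assumption (AR 25-2, as cited above, only fixes the annual interval).

```python
from datetime import date, timedelta

# Constructed sample roster for this example (not real personnel or dates).
# Each record: who, the date of the last IA refresher (None if never trained),
# and whether a signed acknowledgment statement is on file. Field names assumed.
ROSTER = [
    {"name": "User A", "last_training": date(2013, 1, 15), "ack_signed": True},
    {"name": "User B", "last_training": date(2012, 6, 1), "ack_signed": True},
    {"name": "User C", "last_training": None, "ack_signed": False},
    {"name": "User D", "last_training": date(2013, 3, 10), "ack_signed": False},
    {"name": "User E", "last_training": date(2012, 10, 10), "ack_signed": True},
]

AS_OF = date(2013, 9, 26)                 # inspection date used in the example
REFRESHER_INTERVAL = timedelta(days=365)  # annual refresher, per AR 25-2 as cited above
REMINDER_WINDOW = timedelta(days=30)      # assumed: remind 30 days before expiry


def training_status(record, today):
    """Classify one person's refresher status as of `today`."""
    last = record["last_training"]
    if last is None:
        return "never_trained"
    expiry = last + REFRESHER_INTERVAL
    if today > expiry:
        return "overdue"
    if today > expiry - REMINDER_WINDOW:
        return "due_soon"
    return "compliant"


def compliance_report(roster, today):
    """One row per person: status plus any findings an inspector would flag.

    Lapsed or missing training is a finding. A missing acknowledgment statement
    is a finding regardless of training status, because without it the unit
    cannot show the person knew the rules (the due-care point made above).
    """
    rows = []
    for rec in roster:
        status = training_status(rec, today)
        findings = []
        if status in ("overdue", "never_trained"):
            findings.append(status)
        if not rec["ack_signed"]:
            findings.append("no_acknowledgment")
        rows.append({"name": rec["name"], "status": status, "findings": findings})
    return rows


def reminder_list(rows):
    """Names that should get a reminder email: due soon, overdue, or never trained."""
    return [r["name"] for r in rows if r["status"] != "compliant"]


def inspection_summary(rows):
    """Counts an IAM or commander would want at a glance."""
    summary = {"compliant": 0, "due_soon": 0, "overdue": 0,
               "never_trained": 0, "no_acknowledgment": 0}
    for r in rows:
        summary[r["status"]] += 1
        if "no_acknowledgment" in r["findings"]:
            summary["no_acknowledgment"] += 1
    return summary


if __name__ == "__main__":
    rows = compliance_report(ROSTER, AS_OF)
    for r in rows:
        print(f"{r['name']:<8} {r['status']:<14} {', '.join(r['findings']) or '-'}")
    print("remind:", reminder_list(rows))
    print("summary:", inspection_summary(rows))
```

Run against the constructed roster on the example date, User B is overdue, User C has never trained and has no acknowledgment on file, User D is current but has no acknowledgment, and User E falls inside the reminder window. The summary counts are what you would hand an inspector; the reminder list is the input to the e-mail reminders the lesson recommends. Feed it the real roster export and the current date, and keep the output with the training records.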