Information Assurance Training – Why Do It?

Why should you deliver Information Assurance training to your staff?  Information is the life blood of most enterprises so merits appropriate protection.

If your organisation aspires to a credible Information Security Management System (ISMS) then you must take this training seriously.

Aim of Information Assurance Training

In many organisations protecting information is not a top priority unlike business targets and profits.  Managers often do not realise how protecting their information assets contributes to meeting their business objectives.

Information security is everyone’s responsibility.

However, people are considered to be the weakest link in any organisation’s security chain.  Educating your staff in the behaviours you need them to adopt towards Information Assurance is vital to the success of the enterprise.

As a security control, staff understanding their responsibilities to Information Assurance and awareness of the risks to information assets is very important.

All staff, therefore, require some form of appropriate training to help them fulfil their individual responsibility.

The aim of Information Assurance training is to ensure users are aware of information security threats and equip them to support your organisation’s security policy in the course of their normal work .

The Purpose of Training

The purpose of your Information Assurance training programme is to equip staff to meet the information security requirements of the organisation.

Training ensures users are:

  • Aware of the threats to information security;
  • Appreciate the need for business controls;
  • Understand the correct use of facilities;
  • Competent to fulfil their roles.

If your organisation aspires to a credible ISMS then you must take Information Assurance training seriously.

Appropriate Training

Appropriate staff training should be delivered at all levels within the organisation.  So what constitutes appropriate training?

The type of training you deliver will depend on the individual user and their role in the organisation.  You should remember users also includes third parties, not just contracted staff.

Staff must be given the appropriate level and type of training to enable them to do their jobs and meet their obligations under the organisation’s ISMS.

For ‘general’ users the training will include:

  • General awareness of information security threats;
  • The organisation’s ISMS/security policy including:
    • How to respond to a security incident;
    • User responsibilities regarding acceptable use of facilities;
    • Legal issues;
    • Issues specific to the software applications they use on a daily basis;
    • Access controls;
    • Control of assets.

For specific roles such as CIO, IT Manager and sys admins the training will include that given to ‘general’ users plus any specific to their roles.  For example, an IT manager would need more detailed and in-depth security training than a system user.

Your organisation would need to conduct a Training Needs Analysis (TNA) for those staff who need a very specific type of training in information security. For example, sys admins may need systems supplier training.

The organisation may have its own TNA processes or it may call on a specialist training provider to conduct the exercise on their behalf.

Training should never be a random activity.  All Information Assurance training should form part of a structured staff training programme in support of the ISMS.

A formal system of recording training undertaken and completed satisfactorily by staff should be in place.

Delivering Training

The style of training delivery is dependent upon the target audience and their number.

For small numbers who need very detailed and highly specific training, like sys admins, the normal classroom technique would be most appropriate. This type of training would probably best be delivered by a specialist accredited supplier.

Specialist training

Sys Admins would benefit from specialist supplier training

For more general training in information security and for promoting information security awareness across the enterprise an organisation might consider a delivery route that reaches large numbers of staff in a cost effective manner.

Computer Based Training might be considered appropriate.  This would mean staff can access the training when convenient and they could remain onsite.

staff Information Assurance training

CBT allows staff to complete Information Assurance training on-site

Alternatively, conference style delivery could reach large numbers of staff.

All Information Assurance training should form part of a structured staff training programme

A suitable audit system would need to be in place so the training could be effectively managed.  This would need to record staff completion of the training and demonstrate their level of competence.

The staff identified for more detailed specific training should also complete the wider awareness programme.

In addition to formal training an organisation might adopt other publicity media such as DVD, booklets, reports, posters and stationery as means to increase awareness in a more informal way accessible to all staff.

Many organisations place information security information on their intranets making it accessible by all staff and system users. This centralised source of information could be supported by global e-mail notifications of changes, important updates and alerts.

It also brings the added benefit of maintaining central version control of the information ensuring all staff always have access to the latest up to date security information

The Benefits Of Training

It is well known that when times get tough for an organisation the training budget is one of the first to be cut.  All trainers know how difficult it can be to demonstrate the real benefits of training to the business when senior management often sees it in simple cost terms.

So how can we show the organisation that the Information Assurance training has made a positive contribution to its security?

This is where training evaluation plays its part.

‘Happy sheets’, where students provide feedback on the training received, are the most basic evaluation tool.  But for Information Assurance training, as part of an ISMS, something more sophisticated is needed.

Information Assurance training and awareness are aimed at changing staff behaviours, to improve the organisation’s information security.  The analysis that laid the foundation for the ISMS will have demonstrated the link between Information Assurance and business objectives.  The ISMS will indicate what security behaviours are expected from staff to support those objectives.

One way to evaluate Information Assurance training effectiveness would be to measure behaviours before and after the training.  This evaluation might be through an in-house survey or some form of performance monitoring.

Regardless of any positive change in security behaviours post-training, management will probably be more interested in cost benefits.  Here the subject of Return On Investment (ROI) comes into play.

I will look at ROI more closely in another post.

If you want to find out more about Information Assurance training and how I could help, you can contact me here.

Posted in Opinion, Training.