Security Education, Training and Awareness Program
Once your organization has defined the policies that will guide its security program and selected an
overall security model by creating or adapting a security framework and a corresponding detailed
implementation blueprint, it is time to implement a security education, training and awareness
(SETA) program. The SETA program is the responsibility of the CISO and is a control measure designed
to reduce the incidence of accidental security breaches by employees. Employee errors are among the
top threats to information assets, so it is well worth expending the organization's resources to develop
programs to combat this threat. SETA programs are designed to supplement the general education and
training programs that many organizations use to educate staff on information security. For example, if an
organization detects that many employees are opening questionable email attachments, those employees
must be retrained. As a matter of good practice, the systems development life cycle must include user
training during the implementation phase.
A SETA program consists of three elements: security education, security training and security
awareness. An organization may not be capable of or willing to undertake all three of these elements, and
may outsource elements to local educational institutions. The purpose of SETA is to enhance security by
doing the following:
Security Education
Everyone in the organization needs to be trained and made aware of information security, but not
every member of the organization needs a formal degree or certificate in information security.
When management agrees that formal education is appropriate, an employee can investigate
available courses from local institutions of higher learning or continuing education. A number of
universities have formal coursework in information security. For those interested in researching
formal information security programs, there are resources available. The Centers of Excellence program
identifies outstanding universities with both coursework in information security and an integrated
view of information security in the institution itself.
Security Training
Security training provides detailed information and hands-on instruction to employees to prepare
them to perform their duties securely. Management of information security can develop customized
in-house training or outsource the training program.
Alternatives to formal training programs are industry training conferences and programs offered
through professional agencies such as SANS, (ISC)², ISSA and CSI. Many of these programs are too
technical for the average employee, but may be ideal for the continuing education requirements of
information security professionals.
There are a number of available resources for conducting SETA programs that offer assistance in
the form of sample topics and structures for security classes.
Security Awareness
One of the least frequently implemented but most beneficial programs is the security awareness
program. A security awareness program is designed to keep information security at the forefront of
users' minds. These programs don't have to be complicated or expensive. Good programs include
newsletters, security posters, videos, bulletin boards, flyers and trinkets. Trinkets include security
slogans printed on mouse pads, coffee cups, T-shirts, pens or any object frequently used during the
workday that reminds employees of security. In addition, a good security awareness program requires
a dedicated individual willing to invest the time and effort into promoting the program and a
champion willing to provide the needed financial support.
The security newsletter is the most cost-effective method of disseminating security information
and news to employees. Newsletters can be distributed via hard copy, email or intranet. Newsletter
topics can include new threats to the organization's information assets, the schedule for upcoming security
classes and the addition of new security personnel. The goal is to keep the idea of information security
in users' minds and to stimulate users to care about security. If a security awareness program is not
actively implemented, employees may begin to neglect security matters, and the risk of employee
accidents and failures is likely to increase.