wise for policies; they may exist and there may be mechanisms to enforce them,
but they may not actually be enforced.
Security procedures describe how to implement and enforce policy. Security
procedures incorporate best practices for configuration and operations (see the IA 2
LoS in chapter 2). The details of security procedures are organization- and situation-
specific. Risk assessments, threat space assessments, vulnerability assessments, and
business impact assessments all inform the degree of security required; security
procedures describe how to implement and maintain that degree.
8.7 Security Education, Training, and Awareness Management
At the beginning of this topic, in the section Goals for the Reader, Figure 8.5
presents learning phases that progress from unaware through to fluency and specialized
skills. The same principles apply to a security education, training, and awareness
(SETA) program.
SETA is a comprehensive program for introducing and expounding on security
issues within the organization in a series of iterative and ongoing steps, as shown
in Figure 8.6. External compliance requirements and internal policy drive the need
for one or more aspects of SETA. Security awareness targets the broader employee
base to communicate:

- that there are security issues;
- what those issues are;
- how to recognize anomalies as security issues.
Figure 8.5 Learning phases to secure use (panels: Learning Phases to Secure Use; Refinement Cycle).

Architecting a security awareness program determines what issues to com-
municate, how to communicate them, and how to measure the effectiveness of