the user or the employee. Most often, efforts to secure the enterprise are focused more on external threats than on internal threats. We have seen from security incident statistics that internal threats are also on the increase, especially where there is collusion between external parties and employees. Employees, either motivated by financial gain or simply out of ignorance, have given out passwords and other internal security information to outsiders who later hack into enterprise systems.
Enterprises have seen the emergence of new threats due to the use of new technologies, such as wearable technologies. These technologies could be cameras, sensors, health monitors or smartwatches which employees wear in the office. Some of these technologies use Bluetooth for communication, which is also used by other office equipment. Security could be compromised by vulnerabilities in the software or configuration of these wearable technologies, or by unprotected devices that connect to rogue Bluetooth devices.
The purpose of security awareness is to educate users on the security measures the enterprise has put in place. In addition, it is important that security training is also provided to the IT professionals responsible for implementing security technologies.
The content of the security training provided to all users in the enterprise (including the board and senior management) should be based on the approved information security policy and procedures used in the enterprise. Users should be aware of the security requirements which management has put in place. It is also essential that users are taken through all possible practical examples of maintaining security in the enterprise. The content of security training should be updated whenever new information becomes available which would assist in securing information assets. New viruses are detected every day, and it is the responsibility of the information security team to make this information available to users as soon as it is available.
Some important aspects of security training include how training is delivered to users, especially busy people such as those in senior management. It is recommended that training providers use different methods of training to ensure that the message is effectively delivered. For example, trainers can make use of workshop-style delivery for new joiners and email communication for existing employees, or make use of social media such as Facebook, Twitter, and YouTube. Some enterprises have made use of newsletters or other forms of newsflash to communicate with users. Each enterprise has its own ways of effectively delivering training. It is the role of the IS auditor to assess how effective this training is by interviewing users and the managers responsible for such training programs. The IS auditor can use various techniques to assess the effectiveness of security awareness training.
The frequency of awareness training programs depends on the type of training and its content. Where training is delivered in short sessions, each focusing on a different topic, it is possible