Re: Enterprise Trainaing Programs

From: Martin W. Freiss (martin@atsec.com)
Date: Wed Jun 07 2006 - 03:40:31 EDT


> I'm the Securiy Director for a large bank. After having several pen-tests and audits performed for me I see that I need to do more training for my users.. THis is really apparent for phishing security knowledge...

You need a more holistic approach to security. Pentests are just one piece;
awareness trainings for users are another.

> My questions:
> What are aother large companies doing for training of the user base?

Different things, naturally. Everything from CBTs, large-scale awareness programs
underpinned by internal media / intranet, mandatory courses, or nothing at all.

Depends on your audience, really.

If have a technically savvy target audience, like IT staff, this will need a different
approach than a factory than a merchant bank.

> How often should this training take place? ( Refresher courses??? New hire training??)

New hire, definitely (if you have a QMS, this should happen anyway, so throw in security
training there). Refreshers annually; ideally, more often, realistically, less :-).

> How effective is CBT training of the user population using a LMS package?

About zero, in my experience. This is not always the CBTs fault, but rather
management expectation that staff can do CBTs "in between" their usual work, and this
seldom leads to good quality learning.

> Basically, I'm trying to figure out the best method for training my user population and enforcing my security policies I have created... I think an LMS system mught be the way to do it but it looks like LMS may be used mostly by colleges and NOT corporations???

Some do, some don't. You are approaching this too much from a toolbased view; instead,
think about your policies, your people, and how you can best make people understand
them. They will understand and follow the policies if they understand the relevance
to their work. The successful awareness programs I have seen at large corporations
so far were designed together with PR people, and the main difficulties were not
LMS, but actually reaching the audience and making them use the (LMS, CBT, guides, whatever).

The tools you need to use follow from that.

Just my 2 cents,
-Martin

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:03 EDT