
Course: A0334/Pengendalian Lingkungan Online
Year: 2005
Version: 1/1
Session 19
Organisational Back Up
Learning Outcomes
By the end of this session, students are expected to be
able to:
• Demonstrate organisational back-up
Outline of Material
• Information Security Training
– Why Is Security Training Important?
– Security Training and Security Awareness –
What Is The Difference?
– Who Should Be Trained, How, and What
Should They Be Trained In?
• Who Needs To Be Trained?
• How Should The Training Be Conducted?
• What Training Is Required?
– What Training Structure Would Be The Most Effective
in The Long Term?
• Principle 1 – Awareness
• Principle 2 – Responsibility
• Principle 3 – Response
• Principle 4 – Ethics
• Principle 5 – Democracy
• Principle 6 – Risk Assessment
• Principle 7 – Security Design and Implementation
• Principle 8 – Security Management
• Principle 9 – Reassessment
– Conclusion
Information Security Training
• Why Is Security Training Important?
• Security Training and Security Awareness
– What Is The Difference?
– Who Should Be Trained, How, and What
Should They Be Trained In?
– Who Needs To Be Trained?
– How Should The Training Be Conducted?
– What Training Is Required?
• What Training Structure Would Be The Most
Effective in The Long Term?
– Principle 1 – Awareness
– Principle 2 – Responsibility
– Principle 3 – Response
– Principle 4 – Ethics
– Principle 5 – Democracy
– Principle 6 – Risk Assessment
– Principle 7 – Security Design and Implementation
– Principle 8 – Security Management
– Principle 9 – Reassessment
• Conclusion
Why Is Security Training Important?
• This may sound like an obvious question,
but it is important to look at what problems
security training is likely to address
effectively. Training is a ‘people’ issue –
again, an obvious statement, but so often
we overlook the obvious.
Security Training and Security
Awareness – What Is The Difference?
• Information security is, above all, a business
issue, which involves people, processes and
technology.
• Security awareness can be thought of as
creating the aspiration, whilst security training
can be seen as one important means of
achieving this aspiration. They are
complementary and both are necessary for
creating a security-aware culture by helping
people move round the security learning cycle.
Who Should Be Trained, How, and What
Should They Be Trained In?
• The answer to the ‘who’, ‘how’ and ‘what’
question will depend on the individual and
on the needs of your business, but the
following points are relevant.
Who Needs To Be Trained?
• It is glib to say that everyone in an
organisation at some time or another
should receive some sort of information
security training. In some organisations it
is not unusual for every employee to have
a security-related item in their job
description and, where appropriate, to
have specific relevant personal objectives.
How Should The Training Be Conducted?
• One example of how to conduct the training has
already been given where distance learning was
used effectively. Training courses are also very
effective, both external and in-house, and on
some of the more technical training it is
important to provide hands-on training facilities.
There are many vendor-specific technical
training courses, and consulting firms can be
employed to run courses on almost any aspect
of information security.
What Training Is Required?
• This question is perhaps the most complex to
deal with, as what training is required depends
on the individual, their role within an
organisation and the aspirations of both the
individual and the organisation. A good starting
point, however, is to look at possible structures
for determining what training is needed.
• A logical place to start would be to organise
training around the ‘information security policy’
of the organisation, where, for example, all
desktop users could be trained on the Internet
usage policy.
What Training Structure Would Be The
Most Effective in The Long Term?
• This section proposes that an effective
structure for security training should be
one that is based on the nine principles
described in the OECD guidelines.
• The guidelines state that: ‘All participants
will be aided by awareness, education,
information sharing and training that can
lead to adoption of better security
understanding and practices.’
Principle 1 - Awareness
• The guidelines expand on the importance
of risk awareness as the first line of
defence and of people understanding the
consequences arising from the abuse of
information systems and networks.
• Training should therefore ensure that
people in all roles clearly understand these
risks, and what they need to do to mitigate
them.
Principle 2 - Responsibility
• The guidelines promote good
management practices in terms of
ensuring that individuals are aware of their
responsibility and are accountable.
• Training should therefore be provided to
help ensure people have the necessary
skills and knowledge for them to discharge
this responsibility.
Principle 3 - Response
• This recognises that security incidents will occur
and that it is important to respond to them in a
co-operative and timely manner. This raises an
important point in terms of co-operation,
because ideally training would need to inform on
other people’s misfortunes – that is, learning
from other people’s mistakes. However,
information sharing is recognised as being
difficult due to the potential loss of reputation
arising from the risk of unsympathetic media
reporting.
• Training should therefore attempt to
include content from shared information on
sensitive issues such as incidents.
Principle 4 - Ethics
• This is fundamental to changing the
culture in terms of making people
recognise that their action or inaction may
harm others.
• Training should therefore be provided on
codes such as these and delivered to all
people in an organisation. A good place to
start is induction training.
Principle 5 - Democracy
• This can often be taken for granted in the
UK, but it addresses the need for
information security to be compatible with
the essential value of a democratic
society.
• Training should therefore be provided to
help people understand the relevant
legislation, both in terms of their rights and
what is illegal.
Principle 6 – Risk Assessment
• Participants are encouraged to conduct risk
assessments in this section of the
guidelines. Risk is a term used by many
but, arguably, understood by few.
• Training should be given on risk and how it
relates to the individual’s role within the
organisation.
Principle 7 – Security Design and
Implementation
• I would argue that this is one of the most
fundamental principles of the OECD guidelines
where it states that systems, networks and
policies need to be properly designed,
implemented and co-ordinated to optimise
security.
• Training should be provided on how security can
be designed into IT systems and networks, as
well as on implementing and maintaining them in
a secure manner. Suppliers and users should
teach their staff how to do it, and clients should
teach their staff how to procure systems and
services that will be secure.
Principle 8 – Security Management
• The guidelines state that participants
should adopt a comprehensive approach
to security management.
Principle 9 - Reassessment
• Security training should, therefore, not be
a single event for any individual, but
should be provided continuously to meet
the needs of the changing environment.
This also applies to security awareness,
as it is important to continuously reinforce
the need for good security practice.
Otherwise there is a risk of complacency,
especially if no significant incidents occur.
Conclusion
• It is recognised that not all the points of
advice provided above will apply to
everyone, but it is hoped that with the right
prioritisation the reader can go away and
act on at least one piece of advice or
comment in this chapter.
The End