Identity Management and Security Awareness Training Plan

Identity Management and Security Awareness Training Plan

 

 

Name:

Institution:

 

 

 

 

 

 

 

 

 

 

 

 

 

Table of Contents

Abstract 3

Introduction. 4

Denver Computers Inc. Plan Model 4

Needs Assessment 5

Training Audience. 5

Awareness and Training Material 6

Learning Objectives for the Training. 6

Subsections of Training Content 6

Strengthening Security in Operating Systems. 6

Securing Networks, Systems and peripherals. 7

Applying Patches and Fixes. 7

Auditing and Maintaining Security. 7

Training Methods. 8

Collection of Feedback on Training. 8

References. 9

 

 

 

 

 

 

 

Abstract

The following training plan offers guidelines for training people who will manage a successful identity management and security awareness program in Denver Computers Inc. A functional identity management program cannot be implemented without considerable attention being given to the training aspects particularly on security procedures, policies, and techniques, in addition to the diverse technical, operational, and management controls essential to reinforce security awareness resources.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Identity Management and Security Awareness Training Plan

Introduction

Several groups of individuals have a role to play in the implementation of a security and identity management-training program. However, heads of agencies, information officers, program heads and identity program managers have major responsibilities to ascertain that a functional program is implemented across the agency. The content and range of the training plan must be linked to current security plan instructions and grounded agency policy. It is difficult for organizations and agencies to protect the accessibility, integrity, and confidentiality of information in a highly networked environment unless all the employees understand their responsibilities and the company’s security and identity management policy (Vacca, 2010). Three major steps are important and will be used in realizing the main objective: designing the plan, developing employee awareness and implementing the plan. Denver Computers Inc has a centralized structure in that the power center is located at the apex and authority flows in a top-down manner. Using this structure, the training plan will follow a centralized management approach.

Denver Computers Inc. Plan Model

In the company’s training plan, all the duties and finances for the whole company’s identity management and security awareness training program will be allocated to the central authority. All commands, scheduling, planning and strategy development will be organized through this training body. Denver Computers Inc. has a board of managers that will act as the training authority. In the event that training is not awarded the proper attention it deserves, the whole enterprise stands the risk of being exposed to human and electronic intrusion that may compromise information and contribute to significant losses.

Needs Assessment

This section deals with the process of establishing Denver Computers’ training and awareness needs. The results of this evaluation will assist in convincing Denver’s management that sufficient resources should be awarded toward meeting the training and awareness targets. The needs evaluation process will cover several key departments within Denver Computers Inc. Executive management, security personnel and system owners are the first cluster of stakeholders who have to be briefed on the directives and regulations that form the foundation of the security training plan. The next group consists of operational managers and system administrators as they administer the system at the lower levels. It is imperative for the needs assessment process to evaluate these two groups of departments, as their results will guide the rest of the training plan (Vacca, 2010). The information at this stage will be gathered using a combination of inter-departmental interviews, company surveys, evaluation of past assessments and review of security plans for different organizations. In performing the needs assessment process, the following areas should be addressed. The departments within Denver computers that need training the most have to be identified. The effectiveness of the current security and awareness plan will also be looked into. Lastly, the needs assessment will look into the most critical needs.

Training Audience

All employees dealing with information system security within Denver Computers Inc. will be trained. Specifically, the training will cover all employees who act in a permanent position on a long-term basis, the support staff (cleaning and construction) as well employees handling sensitive company information. The frequency of the training will be determined by the Denver Inc. management team after reviewing their yearly schedule as well as their need to keep employees aware of the security measures and significance of tight security. However, a mandatory refresher course will be taken on a quarterly basis to ensure that the security standards at Denver Inc do not deteriorate.

Awareness and Training Material

Supporting material will be developed for the Denver Inc. training plan in a way that can easily be integrated into the job descriptions of the employees. The goal of awareness material is to focus the attention of Denver Inc. employees on proper security practices. The awareness material will be created for all its users in the company. The information to be dispersed through an awareness plan should notify all the workers of their common IT security duties. Conversely, the information in specific training ranks will be designed to address a specific audience.

Learning Objectives for the Training

• To enable all employees grasp an awareness of the importance of identity management and security within Denver Inc.
• To remind all the key players within the company of their roles and responsibilities.
• To inform all the employees of new and potential changes that influences the security levels and plans in Denver Computers Inc.
• To reinforce any security threats that might surface in  the company’s IT system

Subsections of Training Content

The training content includes the different topics that will be addressed during the training period.

Strengthening Security in Operating Systems

            Proofing the operating systems is a major topic in the training program as it acts as the base upon which other security measure are installed. Physical protection will be taught and this includes physical protection practices such as locking workstations (CTRL+ALT+DEL), storing computers in a safe location and locking documents having personal identification information (PII) (Vacca, 2010). Encryption of sensitive information and its handling during online activity will also be taught. This includes controlling the usage and submission of PIIs and social security numbers (SSN) (Wilson & Hash, 2003; Bernik & Prislan, 2011). Within this topic, the sub-topic of handling intrusions of privacy will also be addressed. This section deals with how employees ought to handle external and internal threats to security and privacy. Most threats come from external environments such as email phishing and hackers making it imperative for employees at Denver Inc to know of these threats.

Securing Networks, Systems and peripherals

            This topic in the training process deals with protecting systems, networks and information from destruction by viruses and malware. It includes purchase and use of commercial software such as antivirus and anti-spy ware, updating the software and securing the Internet connection as well. Other aspects of the topic include understanding and using firewalls and passwords for Internet sharing options.

Applying Patches and Fixes

            This topic deals with upgrading software and hardware systems using patches and other fixes. Patching and updating computer software on a regular basis enhances the functionality of the products. Employees will be tutored on the significance of regular and correct patching

Auditing and Maintaining Security

This topic deals with training employees on the basic security measures to be used while handling company information. All the employees at the different classes will be briefed on the nature and sensitivity of the information they handle. This stage offers a revision of all the company security policies and can act as a refresher course (Vacca, 2010). This may involve the creation of a culture of security that will ultimately be adopted throughout the organization.

Training Methods

The choice of training method for Denver Inc. employees was largely dependent on the budgetary allocation released by the management. Due to budget constrains, classroom instruction was chosen as the primary form of training. The employees would be subjected to lectures, discussions and practical exercises that will focus on strengthening previous skills and concepts. This method has the advantage of instant feedback and ease of modification (Wilson & Hash, 2003; Kissel & National Institute of Standards and Technology, 2009). For a section of unavailable employees, computer-based training option would be provided. This option will be designed in a stage format that every participant must complete successfully. Lastly, online classes will also be developed that offer similar training courses but which require constant Internet connection. All the training methods will be complemented using handouts and reminders containing summarized points on the key security areas within Denver Computers Inc.

Collection of Feedback on Training

            Feedback on the training process is important as it provides the facilitators with an overview on the level of effectiveness and the possible changes to be made (Zelkowitz, 2004). At the lower levels, the training participants can be issued with self-complete questionnaires that can capture their attitudes and reactions. For the trainers, questionnaires and desk research methods will be used to evaluate their results and the challenges in achieving their goals. Lastly, the feedback from the Denver Inc. managers will be useful in determining the affordability and changes witnessed on the company. At the manager levels, feedback will involving requesting estimates for statistics such as person-hours spent and total expenditure. While estimates are not entirely accurate, they will be effective in the event that time and funds are limited (Matwyshyn, 2010).

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

References

Bernik, I., & Prislan, K. (2011). Information security in risk management systems: Slovenian perspective. Varstvoslovje, 13, 208-221.

Kissel, R., & National Institute of Standards and Technology (U.S.). (2009). Small business information security: The fundamentals. Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of Standards and Technology.

Matwyshyn, A. M. (2010). Data devolution: Corporate information security, consumers and the future of regulation.

Vacca, J. R. (2010). Managing Information Security. Burlington, MA: Elsevier.

Wilson, M. & Hash, J. (2003). Building an information technology security awareness and training program. Gaithersburg, MD: U.S. Dept. of Commerce, Technology Administration, National Institute of Standards and Technology.

Zelkowitz, M. V. (2004). Information Security. Amsterdam: Elsevier Academic Press.