Physical Security for IT

Education, training, and awareness are all necessary for the successful implementation of any information security program, according to the Critical Infrastructure Assurance Office of the United States Government. Although these three elements are related, they involve distinctly different levels of learning.
Awareness is not training but is a prerequisite to it. Its purpose is to focus attention on security. Awareness programs are generally well established within organizations. An example of an awareness campaign would be the plethora of posters visible in most federal buildings, reminding users that passwords are not to be shared.
Awareness provides a baseline of security knowledge for all users, regardless of job duties or position. The level of security awareness required of a summer intern program assistant is the same as that needed by the CEO, CIO, or a division manager in the organization. IT security awareness programs should be tied directly to security policy development and the organization's computer security incident response capability.
Training is geared to understanding the security aspects of the particular IT systems and applications for which the trainee is responsible. Security training should take into account the uniqueness of each system and application.
Education differs from training in both breadth and depth of knowledge and skills acquired. Security education, including formal courses and certification programs, is most appropriate for an organization's designated security specialists. This chapter discusses how you can achieve your training needs, including:
Training for IT and security professionals
The basics of training
Building awareness about physical security for...