If I’ve said it once, I’ve said it a million times, but I’ll say it again…
Providing general information security and privacy training to all personnel is good, and should be done! However, you ALSO need to provide targeted training, and ongoing awareness communications, to different groups throughout your organization based upon their job responsibilities that involve information assets and personally identifiable information (PII).
You should be providing this targeted training, and ongoing awareness communications, to areas such as Marketing & Sales, HR, Legal, Physical Security, Auditing, Call Centers, Customer Service, Accounting, and any other groups you have in your organization.
And yes, you need to provide targetted training to your IT folks; they get left out too often!
So, what are some of the common topics for which IT need training? I’m glad you asked! 🙂
The following is the second part of the 2nd article in my July IT Compliance Journal, “Providing IT with Information Security and Privacy Education“; download the entire issue to see a much nicer format…
—————————————
Targeted Content for IT Personnel
When you consider the vast array of issues and situations for which IT personnel must be knowledgeable about how to effectively safeguard information, you should be able to clearly see why training must occur regularly and awareness communications and activities must be ongoing. I have identified more than 60 information security and privacy topics for which IT personnel should receive training and awareness communications. However, this is most likely far from a complete list; I’m sure others have many more to add.
The following list highlights 20 of those topics and provides very brief descriptions for what IT personnel need to know and understand. As you probably can imagine, writing out all the details for all topics would fill a fairly large book. However, this list should give you a good start for determining the topics for which your IT personnel need training.
- Information security and privacy policies–IT personnel must understand information security and privacy policies so that they can create procedures to support them, and also so they can create and maintain applications and systems that are in compliance with the policies.
- Roles and responsibilities –IT personnel must understand their responsibilities for safeguarding information resources during the course of their normal work responsibilities. Establishing and communicating responsibility to personnel creates personal accountability.
- Information security and privacy in job definitions and performance appraisals –IT leaders must understand how to work with Human Resources (HR) to incorporate information security and privacy responsibilities into job descriptions. Information security and privacy actions and policy compliance can then be included within job appraisals. Such actions will better motivate personnel to be diligent in safeguarding information.
- Applications, systems, and associated privacy implications –IT personnel must understand how the applications, systems, and networks that they build, implement, and maintain impact information security and privacy. They must know and understand how to effectively build privacy protections in, and how to remove vulnerabilities from applications, systems, and networks that could, and often do, result in privacy breaches.
- Monitoring systems access and use –IT personnel must know and understand when and how to implement monitoring into applications, systems, and networks not only to detect inappropriate activities but also to be in compliance with a wide range of laws, regulations, industry standards, and their own company information security policies.
- Security and privacy standards for systems development –IT personnel must understand how to effectively and consistently incorporate information security and privacy checks into each and every stage within the applications and systems development life cycle.
- Information security and privacy frameworks and architectures –IT personnel must know and understand the information security frameworks, such as ISO/IEC 27001 and COBIT, and the privacy frameworks, such as the OECD privacy principles, that they can use to build and maintain more secure systems, applications, and networks.
- Information classification and controls –IT personnel must know the classifications for the information that is processed within the applications, systems, and networks that they build and manage. Doing so will help to ensure that appropriate safeguards are built into applications, systems, and networks based upon data classification levels.
- Securing third-party access to business and customer information –IT personnel must know and thoroughly understand the policies and procedures for providing third parties with access to information resources and corporate network components to ensure third parties do not establish access in ways that put the company, along with customers, at risk.
- Information security and privacy for outsourced services –IT personnel must know and understand the security and privacy requirements–policy-based, contract-based, and regulatory-based–that the outsourced entities with whom they work and share information must follow so that personnel will not inadvertently provide access or give outsourced entities data when they should not.
- Information security and privacy incident response –IT personnel must understand, know their roles for, and be ready to effectively respond to information security and privacy incidents according to the organization’s documented incident and breach response plans.
- Physical security –IT personnel must know how to protect against the physical security risks to information. They need to know how to secure printed information, how to spot physical dangers to information and data within work areas, and how to report individuals who may have inappropriate physical access to, or be a physical threat to, information.
- Computing equipment security –IT personnel must know and understand how to physically protect computing and electronic storage equipment in their work areas, within the business facilities, and when they are away from business facilities.
- Backups –IT personnel must know and understand the importance of creating regular and frequent backups, your organization’s backup policies, regulatory and legal requirements for making backups, and the procedures to follow for creating backups.
- Logging –IT personnel must know and understand the organization’s requirements for logging computer and network activities; the procedures for logging network, applications, and systems events and faults; and the storage and access requirements for the logs.
- Customer information storage –IT personnel must know and understand the organization’s customer information security and privacy policies, procedures for securely storing customer information, and the safeguards that must be implemented to protect customer information while it is in storage.
- Using customer information for testing –IT personnel must know the organization’s policies for what is acceptable and what is not acceptable with regard to using actual customer data for test, development, and pilot purposes. IT personnel must know and understand when data masking and/or data de-identification is required as well as how to mask and de-identify customer data.
- Customer information transfer –IT personnel must know the organization’s policies that address how to safeguard customer information when it is physically and electronically transferred, along with the procedures that have been established for customer information transfer.
- Sanctions and disciplinary actions –IT personnel must know and understand their responsibilities for following the organization’s information security and privacy policies, along with the possible sanctions and disciplinary actions that could occur as a result of policy noncompliance.
- Key information security and privacy contacts –IT personnel must know who is responsible within your organization for information security, privacy, and compliance. They must know who to contact for related issues, and to whom they can turn with information security and privacy concerns and questions
.
—————————————
Tags: awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training