Security Awareness Overview

Security awareness, awareness training, and education[1] are all necessary to the successful implementation of any information security program. These three elements are related, but they involve distinctly different levels of learning.

Awareness

Awareness is not awareness training but is a prerequisite to it. Its purpose is to focus attention on security. Security awareness programs should be well established within the court.[2]

Awareness provides a baseline of security knowledge for all users, regardless of job duties or position. The base level of security awareness required of a summer intern program assistant is the same as that needed by management of the court. IT security awareness programs should be tied directly to security policy development and, if appropriate, the court’s information security incident response capability.

Awareness Training

Awareness training is geared to understanding the security aspects of the particular IT systems and applications that the individual uses. For example, all users need to learn the security features of the office automation software on their respective systems. All IT users also need to understand the security features of the local area network (LAN) to which they are connected, as well as the security issues of connectivity to the Internet, Intranet, and/or Extranet. There may be overlapping issues, but each system is a distinct entity that requires its own set of IT security measures. Security training takes into account the uniqueness of each operating system and application.

Awareness training will be provided:

o       For all new employees;[3]

o       Whenever there is a significant change in the court’s IT security environment or procedures; and

o       Whenever an employee enters a new position that deals with sensitive, critical and/or confidential information.

A sound practice is to conduct periodic (at least annual) refresher security awareness training, based on the sensitivity of the information that an employee handles.

Education

Education differs from training in both breadth and depth of knowledge and skills acquired. Security education, including formal courses and certification programs, is most appropriate for an organization’s designated IT security specialists. 

Security Awareness Standards

Minimum Security Option

Description: Require a security awareness program tied to security policy development and the court’s information security incident response capability.

Benefits: Low cost (no formal training required).

Disadvantages: Without proper training, users are not aware of critical security issues.

1.      A security awareness program will be established to include:

Optimum Security Option

Description: Require both a security awareness program and annual security awareness training.

Benefits: Cost effective and provides appropriate security knowledge to users.

Disadvantages: Cost associated with providing formalized security training.

In addition to the Minimum Security Option, the following standards apply:

1.      Formalized computer security awareness training will be provided to users at orientation and on an annual basis. Topics covered may include, but are not limited to, the following:

2.      Network and firewall administrators and staff, and technical managers of networks with Internet connections, will receive specific training on the operation of the security products used in their environment to address IT security issues.

3.      Employees will be required to sign an acknowledgement of attending security training as described in the Minimum Security Option.

Maximum Security Option

Description: Require both a security awareness program and annual security awareness training, with testing of users on security training issues.

Benefits: Tests verify that users understand their responsibilities regarding computer security issues.

Disadvantages: Costs associated with formalized security training and testing.

In addition to the Optimum Security Option, the following standards apply:

1.      Users will pass a formal test on general computer security issues, and network administrators will pass a formal test on the specific security issues of the hardware and software systems for which they are responsible.

2.      Users will receive continuous security training in the form of news flashes, security alerts or tips, memos, and ongoing annual training.

[1] See 1 TAC 201.13(b)(7).

[2] 1 TAC 201.13(b)(5)(B)(ii), Information Security Standards—Management and Staff Responsibilities.

[3] 1 TAC 201.13(b)(7)(D), Information Security Standards—Personnel and Contractor Practices.