Answer: IT organizations cannot protect the confidentiality, integrity, and availability of information in today’s highly networked systems environment without ensuring that all the people involved in using and managing IT:
Understand their roles and responsibilities related to the organizational mission
Understand the organization’s IT security policy, procedures, and practices
Have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible
Fulfill their security responsibilities.
As cited in audit reports, periodicals, and conference presentations, it is generally agreed by the IT security professional community that people are the weakest link in attempts to secure systems and networks.
While there is no single best way to develop a security awareness program, the process that follows is a comprehensive example of a security awareness training program. This example consists of three steps:
1. IT management creates a security awareness policy.
2. IT management develops the strategy that will be used to implement that policy. (Note that this practice focuses on that strategy; other practices explain how to implement the steps in that strategy.)
3. IT management assigns the security and awareness roles to the appropriate individuals.