Security Awareness Responsibilities
Roles and Responsibilities
The short answer is that everyone is responsible for IT security awareness and training. Some organizations have a mature IT security program, while other organizations may be struggling to achieve this goal because of staffing, funding, and management support. Security awareness and training programs therefore vary greatly from one organization to the next.
One way to help ensure that a program matures is to develop and document IT security awareness and training responsibilities for those key positions upon which the success of the program depends.
- CEO
- Chief Information Officer (CIO)
- Information Technology Security Program Manager
- Managers
- Users
Chief Executive Officer
CEOs must ensure that high priority is given to effective security awareness and training for their workforce. This includes delegating responsibility for implementation of a viable IT security program with a strong awareness and training component. CEOs should:
- Designate a CIO;
- Assign responsibility for IT security;
- Ensure that corporate-wide IT security programs are implemented with the appropriate resources and budget; and
- Ensure that the organization has enough sufficiently trained personnel to protect its IT resources.
Chief Information Officer
Chief Information Officers (CIOs) are tasked with administering training and overseeing personnel with significant responsibilities for information security. CIOs should work with the organization's IT security program manager to:
- Establish overall strategy for the IT security awareness and training program;
- Ensure that senior managers, system and data owners, and others understand the concepts and strategy of the security awareness and training program, and are informed of the progress of the program's implementation;
- Ensure that the organization's IT security awareness and training program is funded;
- Ensure the training of organization personnel with significant security responsibilities;
- Ensure that all users are sufficiently trained in their security responsibilities; and
- Ensure that effective tracking and reporting mechanisms are in place.
Information Technology Security Program Manager
The IT security program manager has tactical-level responsibility for the awareness and training program. In this role, the program manager should:
- Ensure that awareness and training material developed is appropriate and timely for the intended audiences;
- Ensure that awareness and training material is effectively deployed to reach the intended audience;
- Ensure that users and managers have an effective way to provide feedback on the awareness and training material and its presentation;
- Ensure that awareness and training material is reviewed periodically and updated when necessary; and
- Assist in establishing a tracking and reporting strategy.
Managers
Managers have responsibility for complying with IT security awareness and training requirements established for their users. Managers should:
- Work with the CIO and IT security program manager to meet shared responsibilities;
- Serve in the role of system owner and/or data owner, where applicable;
- Consider developing individual development plans (IDPs) for users in roles with significant security responsibilities;
- Promote the professional development and certification of the IT security program staff, full-time or part-time security officers, and others with significant security responsibilities;
- Ensure that all users (including contractors) are appropriately trained in how to fulfill their security responsibilities before allowing them access;
- Ensure that users (including contractors) understand specific rules of each system and application they use; and
- Work to reduce errors and omissions by users due to lack of awareness and/or training.
Users
Users are the largest audience in any organization and are the single most important group of people who can help to reduce unintentional errors and vulnerabilities. Users may include employees, contractors, foreign or domestic guest researchers, other organization personnel, visitors, guests, and other collaborators or associates requiring access. Users must:
- Understand and comply with organization security policies and procedures;
- Be appropriately trained in the rules of behavior for the systems and applications to which they have access;
- Work with management to meet training needs;
- Keep software/applications updated with security patches; and
- Be aware of actions they can take to better protect their organization's information. These actions include, but are not limited to: proper password usage, using proper antivirus protection, reporting any suspected incidents or violations of security policy, and following rules established to avoid social engineering attacks.