Security Basics mailing list archives
Re: Administrators security training
From: "ॐ aditya mukadam ॐ" <aditya.mukadam () gmail com>
Date: Tue, 7 Oct 2008 10:02:20 +0530
The topics you are going to cover are pretty good. Personally, I think the list of topics often depends on the size and type of company. However, I can think of the following additional points:

Escalation Path: This document/topic should clearly define the escalation procedure to be followed in various circumstances. It will make your staff aware of who should be contacted and how that communication should happen in situations like A) B) C) etc.; give examples. Many times staff are unclear about these things, or they assume, or they don't ask, which leads to a lot of confusion and wasted time.

Company Certification: If your company is certified by some organization like ISO, it is good to share that with the staff. Explain to them in brief what this certification stands for and what its objectives are. This provides good orientation to non-technical staff and helps them understand some of the controls (technical, administrative or physical) which have been set. Some of the staff might be cursing the IT department for the restrictions set, but after explaining this topic they will understand these restrictions as controls. This will make them feel responsible and involved in the process of maintaining the certification. It will also help them understand the company's goals (not all, but a few) and how the business will be impacted if they are not achieved.

If you use a ticketing/tracking system for events, you should explain the importance of good and timely documentation.

Test: After the presentation, take a short test of multiple-choice/scenario-based questions. This test will not be tied to their salary or bonus, but it will bring some seriousness and meaning to the presentation.

In each topic, explain the impact caused if things are not followed. Sometimes people understand things much faster if they know the negative impact rather than the positive!

A generic suggestion would be: provide examples of scenarios while training on each topic so that staff can relate, grasp and understand it much better (and not sleep during the presentation :) ).

Thanks,
Aditya Govind Mukadam

On Mon, Oct 6, 2008 at 9:41 PM, <s0h0us () yahoo com> wrote:
As ISO, I put together training material as part of security awareness for staff and customers. I am in the process of creating an information security training presentation for individuals outside the IT department who have administrative responsibilities for internal applications and web portals. (don't ask) These are not necessarily extremely technical people, so it is a high-level presentation that will require some additional support from IT staff as well. Below is a list of topics I'm planning on covering. Any others you can suggest would be greatly appreciated:

- General responsibilities as an admin (privileged access, becoming familiar with security controls, stronger requirements for account passwords and expirations, pointing out application weaknesses and suggesting ways to mitigate them)
- How to perform entitlement reviews (identify users and "need to know", periodic review of users, minimize the number of admin users, etc.)
- How to review reports and application logs
- Documentation/procedures for creating, deleting, and modifying accounts

I have also developed a checklist that includes questions like: is the application accessible from non-private networks, password and account requirements, BCP documentation, backup of data, dormant account reviews, session timeouts, etc.

Thanks for the feedback. Happy security awareness month!!
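The entitlement review and dormant-account review items in the checklist above are the kind of task a non-IT application admin can be walked through with a concrete procedure. The following is an added example, not code from either poster: it reviews a constructed CSV account export (the column layout, the 90-day dormancy threshold and the limit of two admins are all assumptions made here) and flags dormant accounts, accounts that have never logged in, and an admin count above the agreed maximum.

```python
"""Entitlement / dormant-account review over a constructed account export.

Assumed export format (hypothetical, chosen for this example):
    username,role,enabled,last_login
where last_login is an ISO date (YYYY-MM-DD) or empty for "never logged in".
"""
import csv
import io
from datetime import date

# Constructed sample data for illustration only; not taken from the thread.
SAMPLE_EXPORT = """\
username,role,enabled,last_login
jdoe,user,true,2008-09-30
asmith,admin,true,2008-10-01
oldvendor,admin,true,2008-03-15
temp_intern,user,true,
bjones,user,false,2008-01-10
ceo_assist,admin,true,2008-09-28
"""

# Review thresholds: both are policy choices assumed for this example.
DORMANT_DAYS = 90   # no login for longer than this -> dormant
MAX_ADMINS = 2      # more enabled admins than this -> flag for reduction


def parse_export(text):
    """Turn the CSV export into a list of account dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_login"].strip()
        accounts.append({
            "username": row["username"].strip(),
            "role": row["role"].strip().lower(),
            "enabled": row["enabled"].strip().lower() == "true",
            "last_login": date.fromisoformat(last) if last else None,
        })
    return accounts


def review(accounts, today, dormant_days=DORMANT_DAYS, max_admins=MAX_ADMINS):
    """Apply the dormant-account and admin-count checks.

    Disabled accounts are skipped: they are already out of scope for
    "who can still get in", which is what the reviewer is attesting to.
    """
    findings = {
        "dormant": [],          # enabled, last login older than dormant_days
        "never_logged_in": [],  # enabled, never used (typical of leftover test/temp accounts)
        "admins": [],           # every enabled admin, so the reviewer can justify each one
        "too_many_admins": False,
    }
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["role"] == "admin":
            findings["admins"].append(acct["username"])
        if acct["last_login"] is None:
            findings["never_logged_in"].append(acct["username"])
        elif (today - acct["last_login"]).days > dormant_days:
            findings["dormant"].append(acct["username"])
    findings["too_many_admins"] = len(findings["admins"]) > max_admins
    return findings


def report_lines(findings):
    """Render findings as plain lines a non-technical admin can act on."""
    lines = []
    for name in findings["dormant"]:
        lines.append(f"DORMANT: {name} - confirm still needed or disable")
    for name in findings["never_logged_in"]:
        lines.append(f"UNUSED: {name} - never logged in; remove if not required")
    lines.append("ADMINS: " + ", ".join(findings["admins"]))
    if findings["too_many_admins"]:
        lines.append(f"ACTION: more than {MAX_ADMINS} admins; justify or downgrade")
    return lines


def run_sample_review():
    """Run the review on the constructed export as of the thread's date."""
    return review(parse_export(SAMPLE_EXPORT), date(2008, 10, 7))


if __name__ == "__main__":
    for line in report_lines(run_sample_review()):
        print(line)
```

In a real review the export would come from the application's own user list, and each flagged account should be signed off (keep, downgrade or remove) by the business owner, which is the documentation trail the "periodic review of users" item is asking for.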
Current thread:
- Administrators security training s0h0us (Oct 06)
- Re: Administrators security training p1g (Oct 07)
- Re: Administrators security training ॐ aditya mukadam ॐ (Oct 07)