Security Basics mailing list archives

Re: Administrators security training


From: "ॐ aditya mukadam ॐ" <aditya.mukadam () gmail com>
Date: Tue, 7 Oct 2008 10:02:20 +0530

The topics you are gonna cover are pretty good. Personally I think
many times the list of topics depends on the size and type of company.
However, I can think of the additional points below:

Escalation Path: This document/topic should clearly define the
escalation procedure to be followed in various circumstances. This
topic will make your staff aware of who should be contacted and how
that communication should happen in situations like A), B), C),
etc. (give examples). Many times staff are unclear about these things,
or sometimes they assume, or sometimes they don't ask, etc., which leads
to a lot of confusion and wasted time.

Company Certification: If your company is certified by some
organization like ISO, it is good to share that with the staff. Explain
to them in brief what this certification stands for and what its
objectives are. This provides good orientation to the non-technical staff
and helps them understand some of the controls (technical, administrative or
physical) which have been set. Some of the staff might be cursing the
IT department for the restrictions set, but after explaining this topic,
they will understand these restrictions as controls. This will make
them feel responsible and involved in the process of maintaining the
certification. This will also help them understand the company's goals
(not all but a few) and how it will impact the business if they are not achieved.

If you use a ticketing/tracking system for events, you should explain
the importance of good and timely documentation.

Test: After the presentation, take a short test of multiple-choice/
scenario-based questions. This test will not be proportional to their
salary or bonus, but will bring some seriousness and meaning to the
presentation.

In each topic, explain the impact caused if things are not
followed. Sometimes people understand things much faster if they know
the negative impact than the positive!

A generic suggestion would be: provide examples of scenarios while
training each topic so that staff can relate to, grasp and understand it
much better (and not sleep during the presentation :) ).


Thanks,
Aditya Govind Mukadam


On Mon, Oct 6, 2008 at 9:41 PM, <s0h0us () yahoo com> wrote:
As ISO I put together training material as part of security awareness for staff and customers. I am in the
process of creating an information security training presentation for individuals, outside the IT department,
who have administrative responsibilities for internal applications and web portals (don't ask). These are not
necessarily extremely technical people, so it is a high-level presentation that will require some additional
support from IT staff as well. Below is a list of topics I'm planning on covering. Any others you can suggest
would be greatly appreciated:

General responsibilities as an admin (privileged access, become familiar with security controls, stronger
requirements for account passwords and expirations, point out application weaknesses and suggest ways to mitigate)
How to perform entitlement reviews (identify users and "need to know", periodic review of users, minimize the
number of admin users, etc.)
How to review reports and application logs
Documentation/procedures for creating, deleting, and modifying accounts
I have also developed a checklist that includes questions like: is the application accessible from non-private
networks, password and account requirements, BCP documentation, backup of data, dormant account reviews, session
timeouts, etc.

thanks for the feedback
happy security awareness month!!
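The entitlement-review, dormant-account and password-expiry items in the list above are the kind of checks an application admin can run against an account export rather than eyeball. The script below is an added example for this thread, not code from either poster; it assumes the application can export one record per account with the fields shown (the ACCOUNTS data is constructed), and the thresholds (90-day dormancy, 60/90-day password age, at most two admins, an owning department with need-to-know) are illustrative policy values that the thread does not specify.

```python
"""Periodic entitlement / dormant-account review over an exported account list.

Added example for the thread above; not code from the original poster or the
list. It assumes the application exports one record per account with the
fields used in ACCOUNTS (constructed sample data), and the thresholds below
are illustrative policy values, not anything the thread specifies.
"""
from datetime import date

# Constructed sample export for a finance application (not real accounts).
# last_login None means the account has never been used.
ACCOUNTS = [
    {"user": "alice", "role": "admin", "dept": "finance",
     "last_login": date(2008, 10, 1), "pw_set": date(2008, 9, 1)},
    {"user": "bob", "role": "admin", "dept": "finance",
     "last_login": date(2008, 6, 1), "pw_set": date(2008, 5, 15)},
    {"user": "carol", "role": "user", "dept": "marketing",
     "last_login": date(2008, 10, 6), "pw_set": date(2008, 8, 1)},
    {"user": "dave", "role": "admin", "dept": "marketing",
     "last_login": date(2008, 10, 5), "pw_set": date(2008, 9, 20)},
    {"user": "eve", "role": "user", "dept": "finance",
     "last_login": None, "pw_set": date(2008, 9, 25)},
    {"user": "frank", "role": "user", "dept": "finance",
     "last_login": date(2008, 9, 30), "pw_set": date(2008, 6, 20)},
]

# Illustrative policy (assumed values): the thread only says that admins get
# stronger password/expiry rules and that the number of admins is minimised.
REVIEW_DATE = date(2008, 10, 7)
DORMANT_DAYS = 90
PW_MAX_AGE = {"admin": 60, "user": 90}   # days, per role
MAX_ADMINS = 2
OWNER_DEPTS = {"finance"}   # departments with a need-to-know for this application


def review(accounts, today=REVIEW_DATE):
    """Return a list of findings; each is a dict with user, check and detail."""
    findings = []
    for a in accounts:
        user = a["user"]
        # Dormant / never-used accounts: candidates for disabling.
        if a["last_login"] is None:
            findings.append({"user": user, "check": "never_used",
                             "detail": "account never logged in; confirm need-to-know or disable"})
        else:
            idle = (today - a["last_login"]).days
            if idle > DORMANT_DAYS:
                findings.append({"user": user, "check": "dormant",
                                 "detail": f"no login for {idle} days (limit {DORMANT_DAYS}); "
                                           "disable pending owner confirmation"})
        # Password age, with the stricter limit applied to admins.
        limit = PW_MAX_AGE[a["role"]]
        pw_age = (today - a["pw_set"]).days
        if pw_age > limit:
            findings.append({"user": user, "check": "password_expired",
                             "detail": f"password is {pw_age} days old (limit {limit} for {a['role']})"})
        # Need-to-know: an admin outside the owning department needs a justification.
        if a["role"] == "admin" and a["dept"] not in OWNER_DEPTS:
            findings.append({"user": user, "check": "admin_outside_owner",
                             "detail": f"admin in {a['dept']} has no documented need-to-know; "
                                       "verify or downgrade"})
    # Minimise the number of admin users: one aggregate finding for the application.
    admins = [a["user"] for a in accounts if a["role"] == "admin"]
    if len(admins) > MAX_ADMINS:
        findings.append({"user": "*", "check": "too_many_admins",
                         "detail": f"{len(admins)} admin accounts ({', '.join(admins)}) "
                                   f"exceed limit {MAX_ADMINS}"})
    return findings


if __name__ == "__main__":
    for f in review(ACCOUNTS):
        print(f"{f['user']:<8} {f['check']:<22} {f['detail']}")
```

Each finding names the account and the action to take, which is what the "documentation/procedures for creating, deleting, and modifying accounts" item needs as input; running it on the same date each month and keeping the output with the ticket gives the periodic review its evidence.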



