An awareness and training program is one of the main steps in improving security in an organization, and it should be treated as necessary for everyone. APA has developed its own curriculum to fit the specific needs of each audience. We believe that the best way to secure a system is to have its users provide security themselves.
Audience Groups:
One of the key factors in an awareness and training program is the balance between the level of education provided and the prerequisites the audience is expected to have; dividing the audience into suitable groups is therefore essential for a successful program. Four main groups can be considered:
Administrators: They are the persons mainly responsible for IT and network security, and they interact directly with the members in charge of smaller sections of the network. The topics for this group are specialized and include management points as well.
Managers: They are the highest-ranking persons in an organization. Without proper approval from managers, all efforts to secure an organization are useless. Concepts discussed at this level are high level, and round-table discussions are the main format. Providing an outline of the security plans plays an important role in implementing any plan; as a result, managers are the first audience in an awareness and training program.
Developers: Software and services are the applications of information technology, and most vulnerabilities are reported in this area. Training developers is therefore of great help to the safety and security of information systems. Concepts at this level are conveyed through awareness raising and education on applying security concepts in software development.
End Users: They are the ultimate users of information technology. User training is targeted in two ways: on the one hand, users need to be familiar with the general concepts of web security; on the other hand, once users are involved with these concepts, they tend to apply security policies and recommendations effectively and easily. The concepts are normally conveyed through informing and awareness raising within the framework of general concepts.
Subject Groups:
Another important point in providing awareness and training services is the subject-based categorization of topics and concepts. Network security covers a vast range of subjects. Providing the subjects that can guarantee basic security for organizational networks is the main goal of awareness and training services. The variety of organizations and their specific needs makes the selection of proper subjects for each organization all the more important. Generally, the main training topics within the framework of network security can be divided into five categories:
Vulnerability Management: The existence of vulnerabilities in software systems and services is inevitable; each year large numbers of vulnerabilities are reported in various systems and services. Preventing exploitation of such vulnerabilities is normally easy, but can become critical if insufficient attention is paid at the right time. Because of the large number of vulnerabilities, confronting and handling these threats needs systematic strategies and cooperation between different organizations at different levels. In the vulnerability management course, security concepts including vulnerabilities, exploitation and patching are discussed first; after that, the management of vulnerabilities and its application within an organization is developed further.
Incident Handling: In every organization, despite planning and implementing all information security strategies, there is still the possibility of problems with computers and network-related systems. Such incidents must be detected, contained, eradicated and recovered from. Proactive strategies are systematic, closely tied to the organization's circumstances, and applied at all levels of the network. In the incident handling course, incident management is introduced and important concepts such as prevention, observation and network monitoring, firewalls and honeypots are discussed.
Basic Security: An organizational network consists of different components: communication infrastructure, active and passive components, services, etc. Security implementation is a bottom-up process and should be applied at all levels and to all components. Secure network configuration requires more professional training than installing and running a network, and every single component of a network has its own solution for providing security. In the basic security course, implementing secure network services, network equipment and different network topologies are discussed.
Offense and Defense: In recent years, attacks on computer networks have increased in volume and complexity, while the level of knowledge needed to launch a successful network attack has gradually decreased. However, a higher level of knowledge is needed to prevent such attacks. In addition to attacks on computer network components, users are also targets of attacks. Therefore, familiarity with various attack scenarios helps in defending against attacks. In the offense and defense course, common attacks and ways of countering them are described.
Software Security: Software is an important component of a computer system, and a vulnerability within it can render other security provisions useless. However, many software developers are not aware of the security strategies they need to take into account. In the software security course, the security considerations developers should pay attention to, as well as procedures for patch management and development, are discussed.