Deck 5: Developing the Security Program

Training is most effective when it is designed for a specific category of users.

Large organizations spend a larger portion of their IT budget on security than small organizations.

The planning function needed to implement the information security program often takes a project management approach to planning.

The professional agencies such as SANS,ISC2,ISSA and CSI offer industry training conferences and programs that are ideal for the average employee.

According to Charles Cresson Wood,"Reporting directly to top management is not advisable for the Information Security Department Manager [or CISO] because it impedes objectivity and the ability to perceive what's truly in the best interest of the organization as a whole,rather than what's in the best interest of a particular department."

A security administrator does not require technical knowledge.

Training for management should be conducted in large groups.

The information security budgets of very large organizations grow faster than their IT budgets.

In small organizations,security training and awareness is most commonly conducted on a one-on-one basis.

Providing training to general users on policies ensures that those policies will be read and understood.

The size of the information security budget usually corresponds to the size of the organization.

Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.

In general,security programs are overstaffed for the tasks that they have been assigned.

According to Briney and Prince,"Security spending per user and per machine declines exponentially as organizations grow."

Small organizations spend more per user on security than medium- and large-sized organizations.

Threats from insiders are more likely in a small organization than in a large one.

A security technician is usually an entry-level position.

The security education,training,and awareness (SETA)program is designed to reduce the incidence of external security attacks.

An organization's size does not affect the structure of the organization's information security program.

The scope of the security training program should focus on information security personnel responsible for the protection of organizational information assets.

On-the-job training can result in substandard work performance while the trainee gets up to speed.

The term information security program describes the structure and organization of the effort to contain the risks to the information assets of an organization._________________________

Several keys to a good poster series include 1)standardizing the content and keeping posters updated,2)making them complex,and thus visually interesting,3)making the message clear and 4)reminding users of penalties for non-compliance.

One of the most commonly implemented but least effective security methods is the security awareness program.

Distance learning/Web seminars can be low- or no-cost.

Computer-based training (CBT)allows users to learn from each other.

The organization's size and available resources also indirectly affect the size and structure of the information security program._________________________

In smaller organizations,the security administrator frequently turns to commercial off-the-shelf software to lower the costs of assessing and implementing security._________________________

When developing an awareness program,be sure to: Focus on people both as part of the problem and as part of the solution.

In the self-study method of training,trainees learn the specifics of their jobs through performing their jobs.

The average amount spent on security per user in a(n)very large organization is less than that in any other type of organization._________________________

Very large organizations tend to have the largest budget per user of all organizational sizes discussed._________________________

A(n)small-sized organization typically spends about 5 percent of the total IT budget on information security._________________________

Effective training and awareness programs make employees accountable for their actions.

A(n)medium-sized organization typically spends about 20 percent of the total IT budget on information security.________________________

In large organizations,it is recommended to separate information security functions into four areas,including: non-technology business functions,IT functions,information security customer service functions and information security compliance enforcement functions._________________________

An organization's size is the variable that has the greatest influence on the structure of the organization's information security program._________________________

A(n)large-sized organization typically spends about $300 per user on information security._________________________

Training for managers would be more detailed than that for security staff.

In the on-the-job method of training,a trainer works with each trainee on an individual basis._________________________

A security trinket program is one of the most expensive security awareness programs._________________________

Security education involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely._________________________

To their advantage,some observers feel that small organizations avoid some threats precisely because of their small size._________________________

The purpose of the CAEIAE program is to enhance security by building in-depth knowledge,by developing security-related skills and knowledge,by improving awareness of the need to protect system resources._________________________

In informing and preparing employees for their role in information security,security awareness provides the "what",training provides the "how" and education provides the "why"._________________________

Managers often resist organized training of any kind._________________________

The distance learning method of training is in use when a single trainer works with multiple trainees in a formal setting._________________________

An organization's information security Web site should be placed on the Internet._________________________

Security managers are accountable for the day-to-day operation of the information security program._________________________

The Computer Security Act of 1987 requires federal agencies to provide mandatory periodic training in computer security encryption and accepted computer practices to all employees involved with the management,use,or operation of their computer systems._________________________

Individuals who perform routine monitoring activities are called security technicians._________________________

A convenient time to conduct training for general users is during employee orientation._________________________

Security training and awareness activities can be undermined if information security personnel do not set a good example._________________________

Security awareness and security training are designed to modify any employee behavior that endangers the security of the organization's information._________________________