Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Organisation, roles, responsibilities (generic introduction)

 High level introduction to security concepts tailored to organizational goals. This would touch on many of the aspects of other subjects by defining them, offering examples, and increasing awareness of organizational policy related to information security. This training should not attempt to cover technical details which are covered in other subjects, but should give the user a sense of the importance of information security and cover any policy necessary for the user to meet organizational requirements. It should also prepare the trainee to deal with any security emergencies they may encounter and give them the background to make sound information security choices.

AAI processes and procedures, FIM, SSO

...

Trainings of different kinds could be offered starting from AAI in local organizations up to management platforms for collaborative environments. The traing should investigate on those areas and provide the participant with hands-on information. how to set-up those AAI infrastructures.

Systems design

This training should provide insight to secure system design concepts. These could include some set if not all of the following concepts as well as including others important to the organization or stakeholders.

  • Least Privilege - A subject/program should be given only the minimum set of privileges necessary to complete its task
  • Fail-Safe Defaults - Unless a subject is given explicit access to an object, it should be denied access to that object
  • Economy of Mechanism - Security mechanisms should be as simple as possible
  • Complete Mediation - All accesses to objects must be checked to ensure that they are allowed
  • Open Design - The security of a mechanism should not depend on the secrecy of its design or implementation
  • Separation of Privilege - A system should not grant permission based on a single condition
  • Least Common Mechanism - Mechanisms used to access resources should not be shared
  • Psychological Acceptability - Security mechanisms should not make the resource more difficult to access than if the security mechanism were not present
  • Multiple Lines of Defense – Increase odds that no single vulnerability is common to all functionality

Reference: http://web.mit.edu/Saltzer/www/publications/protection/index.html 

IT security awareness for users 

...

Developing and maintaining policies and procedures

 The risk an organisation will commit itself to is highly dependend on the security policy it wants to implement. If no access from outside is offered, only internal weak point have tob e considered.

The other way round, a very open organisation provides numerous attack points to external intruders.

The training should provide an overview about different kinds of IT security policies, the risks associated with those, and the security tools available to cope with those environments. Furthermore there should be hints how to maintain the installed procedures. Since it is also required to have the defined security level up and running all the time, hints should be given also how IT security awareness of staff members and users can be periodicly refreshed.

Applying policies and procedures

Every organisation has setup its own IT security policies and procedures. All systems installed in this organisation have to apply to those policies. Therefore it is the task of any system administrator to implement these policies in a way that they are compliant to the intended security level.

The traing should provide an overview about default policies and procedures implemented out in the field and give hints how to handle those scenarios in a comprehensive way. After participating to the training the system administrator should be able to map the relevant organisational security policies to the system tools available in the corresponding systems.     

System acquisition

The acquisition of a system can be structured into different areas spreading from budgetarian issues (purchasing the system), needed space, cooling, power consumtion etc. Most often the security aspects are neglected  Is the system to be purchased the right one for the environment where it should be used and for the tasks to be fullfilled? Where some systems provide very good security features out of the box, others have to be adapted with a lot of effort. Some system designs are optimized for intranet usage only whereas others fit excellently in distributed envoironments.

The trainings offered should give the participants an overview about system architectures fittting into the one or the other scenario making it easier to decide for the best fitting architecture.

Decommissioning (data leakage prevention)

...