Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: cosmetics, typos

...

  • Initial security training: getting acquaintanced with rules and regulations. Initital Initial training will be specific for a role or function.
  • Repeat security training: on a regular basis repeat parts of the initial training and get more indepth in depth training on specific subjects, related to a specific role or function.
  • Regular security awareness training: repeated security awareness activities on several generic and actual subjects, a mix of high- end low-intensity

...

When someone start in a new function, a new role of starts using of managing a new system there should be an initial security training. This initial training gives all security details about the security aspects of the new role or function. It will make the new person acquaintance with rules and regulations, processes and procedures for both day-to-day operations and for emergency situations. This applies for both usage of systems and for acquiring, designing, developing and managing systems.

Repeat Training

After initial training all people involved should have a repeat training on regular intervals. These might cover the same subjects as the initial training but ideally go into more detail or tpouich diffenrent touch different subjects or the same subjects from a differnet different angle. Just as initial training repeat training must be focused on teh targetted the targeted audience. Some training might be generic for all involved, some repeat training will be subject and role specific.

Security awareness training

<…>For awareness raising and maintaining several methods can be used. Security awareness mostly means an adaption of behaviour and this is a difficult thing to achieve. Mostly this involves repeating a message and repeating it in different ways, with examples or with background information. Security awareness should be addressed at multiple scheduled and unscheduled moments using multiple methods. It can be in the format of classes, with posters or gadgets, but also integrated in other communication, like normal staff meetings.

Training formats

Trainings can be in different formats. A training plan should use multiple formats and were possible training materials shoudl should be available for reveiw after traiiningreview after training. Of course the format mostly is already choosen by training content supplier, however when you have a  choice, choose different formats to make is more interesting for the trained subjects. Most used formats are: training classes, workshops, simulation sessions, books and other printed material, websites and wikis, MOOCs and other e-learning systems, games, instruction videos, recorded talks and presentations.

Maintenance of trainings and the training plan

Trainings and the training plan need to be maintained on a regular bases. It is a good practice to set up and review the training plan on a yearly basis. Based upon feedback from training activities trainings you can identify if there is any training module that needs to be updates or replaced, or if there are any subjects missing or new subjects have come up. There also might be new trainings available within the communities or commercial that can be a good or better alternative for existing training modules.

Roles and responsibilities

Security training and awareness is the responsibility of everyone involved. The system owner should make sure there is an actual training plan in place and that it is used accordingly, and allocate funding or decide upon financing.The system owner will designate roles for executing the training plan and the actual training activities. This can be a distributed role though it should be coordinated.

Funding

Hiring a tutor or buying training materials will need budgets. As part of the high level training plan a E-infrastructure needs to define how security  training an awareness is financed. When it is not funded from the E-infrastructure budgets clear appointments must be made on how will take which part of the costs.