CHAPTER 10
Training: A Necessary Investment in Staff
Organizations must reclaim the role of security
educator from the mass media!
Introduction to Training
Most staff in an education organization could probably offer a fairly accurate description of the term computer virus if asked. Viruses are big news. They are reported in the major media quite regularly, and, on occasion, are even headline stories. But ask those same staff members what encryption software is, or to suggest effective disk backup procedures, and they will most likely find themselves without much to say. While threats and catastrophes are newsworthy, day-to-day activities that protect information systems are often considered mundane.
When an organization allows television, magazines, and newspapers to be solely responsible for educating its staff, there is no logical reason for it to expect its employees to know how to implement even the most clearly stated of information technology security procedures. After all, while staff may have heard a thirty-second newsflash about the latest megavirus, they will not have been exposed to proper ways of using computer equipment and protecting information.
As mentioned throughout Chapters 5-9, all of the technological and procedural precautions in the world will be ineffective if they are not executed properly. But through well-conceived and committed security training programs, staff will be better prepared to avoid problems in the first place, minimize the damage of those problems that do arise, and maximize their contributions to system and information recovery when necessary. Without appropriate training (and associated reference tools), staff will instead be more likely to actually contribute to security risk through accidental but not necessarily malicious behavior. After all, most security problems are the result of unintentional human error. These mistakes will be less likely to occur when a well-intentioned employee has been properly trained.
Because system security demands information security and confidentiality, staff training must incorporate both topics. Refer to Appendix B for more information about FERPA.
It Really Happens!
The annual Management Information Systems (MIS) meeting was always a big deal. It was a great time for educators from across the state to meet and share fresh ideas and innovative projects. Dr. Lambeth spent the better part of the first day of the conference telling his fellow superintendents about the computerized student record system his staff had developed. He was very proud of the project and enthusiastically invited his counterparts to attend the presentation that his staff was giving later in the week.
When the day of the big presentation finally arrived, Dr. Lambeth was pleased to see several of his peers scattered throughout the large audience that had come to learn about the new system. His MIS Director, who was the lead speaker, began by offering a few introductory remarks before proceeding with a much-anticipated demonstration.
"Before we get started," he said into the microphone confidently, "we would like you to know that we've done everything we can to show you how this system really works. To this end, every step you see us take will be just as we do back in the office." He pushed a button on his computer and the overhead monitor displayed a student transcript. "For example, this transcript is exactly what we see when we access a student's record."
A hand was raised in the back of the room. The MIS Director acknowledged it. "Do you have a question?"
"Yes," a woman stood up and replied. "You accessed that sample student record very quickly. Are you running the software on a particularly powerful computer or have you just limited the number of records and files that you're using for the demonstration?"
The MIS Director smiled, pleased with the answer he was able to offer. "Neither. This equipment is no different than any other machines we run in our schools. And the records are 100% authentic school-level data. This demonstration re-creates our experiences in the real world accurately."
Another hand was raised. "You're not suggesting that the record we're looking at on the screen is that student's actual transcript. We can see her name, address, and grades."
The presenter interjected, "That's right, you're seeing the real thing, just like we do back in our district." Dr. Lambeth twisted in his seat uncomfortably. So did many other members of the audience, including several of the superintendents who had been encouraged to attend.
The next voice from the audience asked the MIS Director what everyone else was now wondering: "How can you interpret FERPA in a way that allows you to openly display that student's record?" Someone else added, "Especially considering that the presentation wouldn't be hindered if you just masked the parts of the transcript that identified that individual student. This is a public meeting. Anyone could walk in off the street and attend these sessions, including the parents of that young lady... who, we can all see, received a D in English last year."
The MIS Director was surprised by the criticism: "But I just wanted to make the demonstration realistic...." Dr. Lambeth interrupted the explanation. Despite his profound personal and professional embarrassment, the Superintendent stood up to apologize to the audience. "As you have duly noted, this demonstration of our student record system is flawed. It is apparent that we will need to share details about our project at another time when we are prepared to abide by laws such as FERPA and our own internal policies on protecting individual student record information. I am sorry, but this presentation is over."
Commonly Asked Questions
Q. If funds are scarce, isn't it better to implement security and postpone training rather than neglect security altogether?
A. Neglecting security altogether is a terrible option. Unfortunately, attempting to implement security without appropriate training is not much better. A more effective approach is to rely upon the security priorities that are established in the organization's risk assessment (see Chapter 2) and then fund as many precautionary measures as can be implemented and trained for based on those priorities. While some vulnerabilities might be left unaddressed, the organization can have the peace of mind of knowing that at least those steps it has taken have a realistic chance of being properly implemented. It can then informally increase vigilance in areas of vulnerability it will not be able to address until additional funds become available.
Q. Can't training sometimes be overdone?
A. Training can surely be overdone, although that is rarely the case in today's world of shrinking and non-existent training budgets. More often, training problems are a result of poor focus and poor timing. A training program should be focused on helping staff do their jobs better. It must be relevant to assigned duties and be presented in an understandable way that encourages employees to make security a part of their everyday routines. Similarly, training classes should be scheduled at convenient times for participants. If focus and timing are properly handled (i.e., sessions are helpful and convenient), it is much less likely that participants will complain about training being a burden.
Training is a prerequisite for order, consistency, and realistic expectations of effective system defense.
Q. How does an organization know if its training program is effective?
A. The most obvious way of measuring the effectiveness of security training is by monitoring the workplace for improved security performance. Scheduled and unscheduled testing of the security system is an excellent way of assessing its condition (see Chapter 4). Pre- and post-testing staff on training content is also an effective way of measuring improvements in security awareness, while yet another (and even more straightforward) way of evaluating training is to simply ask training participants what they thought of the experience. Since security depends heavily on the attitude and resulting commitment of staff, their opinion of the training, its relevance, and effectiveness is quite probably a good indicator of its success.
Staff technology training is also addressed in another National Center for Education Statistics publication, Technology @ Your Fingertips (see Appendix E).
Targeting Training Efforts
Who should receive security training? In a word, everybody! After all, a security breach affects each person in an organization. No matter the task a staff member is assigned, chances are that his or her role influences, and is influenced by, security policies and procedures. For example, people who clean offices need to know what can and can't be thrown away, and which rooms may or may not be off-limits. Teachers need to appreciate the necessity of protecting passwords and monitoring computer activity in their classrooms. Superintendents need to understand the importance of policy enforcement. And students need to be aware of proper floppy disk use and the viruses that can be spread if they fail to exercise due caution.
How Does Security Affect the Workplace?

Security Area | Affected Activities
Physical strategies (Chapter 5) | Housekeeping/custodial, maintenance and operations, weekend/evening activities
Information/data protection (Chapter 6) | Public relations releases, research and evaluation reporting, interoffice mail delivery, disposal services
Software regulations (Chapter 7) | Administrative/clerical assistance, instructional delivery, library offerings
Access mechanisms (Chapter 8) | Access by Board members, substitute staff, students, and telecommuters
Network/Internet connections (Chapter 9) | Internet searches, site-to-site transmissions, public access (e.g., a school's homepage)
Every effort should be made to make security training as relevant as possible to day-to-day activities in the staff's work environment.
Exercises in the theoretical are not often well received by busy people. If staff members to whom training is directed don't think that it is practical, then the training will be seen as an additional burden. One way to make training sessions meaningful is to customize separate training programs to meet the needs of different types of staff and job groupings. For example, a training session designed to address security issues that affect clerical staff (e.g., software use and system access) has a good chance of being well-received by people who perform clerical duties because it is relevant to their jobs. Those same people might find a more general training session that includes significant periods of time discussing the management of students in computer labs less applicable to their duties and, consequently, less interesting.
It Really Happens!
Nancy had finally had enough of the training session. She raised her hand to ask the district's technology security manager a simple question: "Why am I here?"
Dan, the security manager, was taken by surprise. He thought through what he believed to be a straightforward answer to the question, and offered his reply. "Well, Nancy, protecting the district's information and equipment is important to us as an organization, and we must all do our part."
"I understand that," Nancy interrupted him, "and I agree with it. But I've been here for over an hour listening about how to transmit transcripts to colleges, how to mask individual identifiers in press releases, and how to develop documentation when programming new software. In twelve years as a classroom teacher, I've not done one of those things, and I seriously doubt that I will in the next twelve years either. What I do need to do as a teacher is submit end-of-the-quarter grades... by Thursday. Going to the teachers' lounge and doing so would be a much better use of my time than this training class."
Dan hadn't expected such an attack on his training session, and explained that the time would prove worthwhile for everyone if, as a group, the audience could be patient. "Nancy, I pride myself on being thorough. I plan to address electronic grade book issues in the next fifteen minutes or so. Will that satisfy you?"
Nancy sensed that Dan was put off by her comments. She didn't want to be unfriendly but felt strongly about her point. "I'm glad that you're planning to talk about the security of our electronic grade books. It is an important issue to many of us, especially the teaching staff. But it would have been better for each of the twenty or thirty teachers here if you would have just told us that you wouldn't be getting to the part that matters to us until the end of the session. We could have then shown up at that point and wouldn't have felt like the rest of this had been a waste of our time. I'm sorry to be so blunt about it, Dan, but you need to hear this so that you can plan the next training a little more efficiently. Please accept this as constructive criticism, because you do a great job with the training material when it is relevant--but, like teaching, it doesn't matter how well you present the material if the students don't see any point to it."
Each organization will be different in terms of the types of job-alike training sessions that it might want to offer, but the following groups are common to many organizations and are logical target audiences for security training.
"Job-alike" training is used to describe a training program in which sessions are designed for specific user groups based on the similarities of their job duties.
Typical Job-Alike Training Groups

- High-Level Administrators
- Middle Managers
- Teachers
- Students
- Data Processing/MIS Professionals
- Clerical Staff
- Custodial Staff
- Paraprofessionals
- Volunteers
- Other Support Staff
Goal 5 stands out as key when customizing for job-alike training.
Training Goals
Even when information security training is customized to meet the needs of specific user groups through a job-alike approach, every session, no matter the target audience, should have the following goals:
Goal 1: Raise staff awareness of information technology security issues in general.
Goal 2: Ensure that staff are aware of local, state, and federal laws and regulations governing confidentiality and security.
Goal 3: Explain organizational security policies and procedures.
Goal 4: Ensure that staff understand that security is a team effort and that each person has an important role to play in meeting security goals and objectives.
Goal 5: Train staff to meet the specific security responsibilities of their positions.
Goal 6: Inform staff that security activities will be monitored.
Goal 7: Remind staff that breaches in security carry consequences.
Goal 8: Assure staff that reporting potential and realized security breakdowns and vulnerabilities is responsible and necessary behavior (and not trouble-making).
Goal 9: Communicate to staff that the goal of creating a "trusted system" is achievable.
Each of the above goals should provide the same types of information to all employees without regard to their job-alike grouping--the significant exception to this point is Goal 5, in which security responsibilities are explained as they specifically relate to participant duties.
This list is adapted from the Code of Conduct for Computer Users as developed by The Computer Ethics Institute (see Appendix E).
In the broader sense of computer use, staff should learn to:
- Never use a computer as a tool to harm other people.
- Never interfere with other people's computer work.
- Never snoop around in other people's computer files.
- Never use a computer to steal.
- Never use a computer as a tool for misrepresenting information.
- Never use other people's computer resources without their permission.
- Never lose sight of the social consequences of the work being done with the computer.
While security training focuses on improving the implementation of security procedures, training staff on basic computer use also contributes to system security, and is vital.
See Chapters 1-3 for information about FERPA and other policy concerns.
Ongoing training is essential for keeping staff focused. Distributing handouts, "cheat" sheets, and other reference materials is an effective way of supporting staff long after a training session is over and everyone is back on the job.
A Sample Training Outline
Allowing for customizing to meet the requirements of job-alike training, the following outline provides an overview of how a typical security training session could be effectively structured:
- Security overview
  - What is information security?
  - Why does it matter?
- Federal laws
  - FERPA overview
  - FERPA relevance and application (include specific examples that relate to audience duties)
- State and local laws, regulations, and standards
  - Statute, regulation, and standard overview
  - Statute, regulation, and standard relevance and application (include specific examples that relate to audience duties)
- The organization's security plan
  - Risk assessment findings
    - Assets
    - Threats
    - Vulnerabilities
  - Organizational security policies, procedures, and regulations (focus on those related to audience duties)
    - Physical security regulations
    - Information security regulations
    - Software security regulations
    - User access security regulations
    - Network security regulations
  - Security administration
    - Expectations
    - Monitoring activities
    - Authorities
    - Enforcement and consequences
    - Avenues of communication
- On-the-job training (i.e., "Here's what you really need to do...")
  - Explanations
    - Turning the computer on and off
    - Logging in and out
    - Changing passwords
    - And so on
  - Demonstrations
    - Turning the computer on and off
    - Logging in and out
    - Changing passwords
    - And so on
  - Testing
    - Turning the computer on and off
    - Logging in and out
    - Changing passwords
    - And so on
  - Monitoring
    - Turning the computer on and off
    - Logging in and out
    - Changing passwords
    - And so on
One way of illustrating the rationale for security regulations is to have staff look at the vulnerabilities of an unsecured system from the perspective of a potential intruder, and then consider how much more difficult it would be to attack a secured system.
True training entails more than telling employees what they can and cannot do. Simply saying "back up your work because it is a rule" does not educate staff. Instead, rationale for policies and regulations should be explained to employees. This does not require every step of the organization's risk assessment to be rehashed, as much as it means that procedures should be justified and made relevant to the audience's work. For example, instead of telling staff that they must protect their passwords, an explanation of what a malicious user could do while posing as an innocent staff person (through the use of their password) might be more effective--after all, very few people are willing to allow themselves to be made someone else's scapegoat! By describing how security protects users as well as the system and organization, security training can become an effective way of garnering staff support and ensuring that policies and regulations are implemented.
Users must be reminded what is at risk if the system is not effectively secured, including:
- Organizational resources and reputation
- Confidential information that students trust school employees to protect
- Personal work files that would need to be re-created at considerable staff effort
An overwhelming three-hour session in which staff learn little is a poor use of time compared to three more manageable forty-five minute sessions in which they retain a lot.
Training Frequency
How often staff should be trained (and when) is an issue that requires significant consideration. A good rule of thumb is that all newly hired employees should undergo general organizational security training as a part of their orientation before they actually assume their duties. Similarly, job-alike or comparable training should be required of all staff (new or old) at the onset of initiating a security program.
After initial training sessions have been offered, it is important to continue to educate staff regularly. Ongoing efforts allow for major points to be reemphasized, while also providing trainers with opportunities to break complex issues into manageable pieces of information that staff can more easily comprehend. For example, the concept of user authentication may be more readily understood by staff if it is broken into separate sessions on in-house log-in procedures (session one) and remote access (session two).
Training surely demands the dedication of time and resources, but the alternative usually exacts a far higher toll!
Closing Thoughts on Security Training
Security policies and regulations are "living" concepts. That is, they can change depending on circumstances. If, for example, an improved type of encryption software is released, an organization and its employees might need to learn how to use it. Similarly, if a new data collection is initiated, policy-makers will need to evaluate the confidentiality of the information it generates. In both cases (and countless other examples), having a training mechanism in place to inform and educate staff is not only very valuable, but a real necessity--because a staff that is not properly trained limits, and perhaps even negates, the potential effectiveness of even the best devised security strategies.
Shortchanging security training is the equivalent of shortchanging security itself. Don't undermine an investment in equipment, software, and policy development by failing to also invest in your people.
Security Training Checklist
While it may be tempting to simply refer to the following checklist as your security plan, to do so would limit the effectiveness of the recommendations. They are most useful when initiated as part of a larger plan to develop and implement security policy throughout an organization. Other chapters in this document also address ways to customize policy to your organization's specific needs--a concept that should not be ignored if you want to maximize the effectiveness of any given guideline.
Security Checklist for Chapter 10
The brevity of a checklist can be helpful, but it in no way makes up for the detail of the text.
Check Points for Policy Development and Implementation
1. Have decision-makers committed to comprehensive training as a necessary part of implementing any information technology security program?
2. Is training targeted at everyone in the organization to the degree their activities warrant?
3. Are training sessions customized to meet the needs of specific user groups, a concept referred to here as "job-alike" training (see Point 8 below)?
4. Is training designed to raise staff awareness of information technology security issues in general?
5. Is training designed to make staff aware of local, state, and federal laws and regulations governing information confidentiality and security?
6. Is training designed to explain organizational security policies, procedures, and regulations?
7. Is training designed to ensure that staff understand that security is a team effort and that each person has an important role to play?
8. Is training designed to help staff meet the specific security responsibilities of their positions?
9. Is training designed to inform staff that security activities must and will be monitored?
10. Is training designed to remind staff that breaches in security carry consequences for the individual and the organization?
11. Is training designed to encourage staff to report potential and actual security breakdowns and vulnerabilities?
12. Is training designed to communicate to staff that the goal of creating a "trusted" system is achievable?
13. Has the sample training outline been reviewed as an aid in helping the organization's training planners develop their own program?
14. Is the rationale for security policies and regulations explained as a part of training?
15. Are all new staff trained before they assume their duties?
16. Will staff training be initiated at the onset of implementing any security program?
17. Is staff training and related support information provided on an ongoing basis?
18. Have decision-makers recognized that a security policy is a "living" concept and, therefore, requires frequent reevaluation?