Information Security
by Andy Taylor
What about training?
There are, of course, two aspects to this: the training you might need if you decide to specialise in information security, and then the training staff should have if your information security plans and policies are to work in practice.
Do I need a qualification?
Depending on your business, it is probably not necessary to be qualified in information security, since it should be clear that much of the work necessary is business-based and not really specialist in nature. There are some aspects, especially those related to IT systems, where specialist knowledge may be required in order to assess the real risks to those systems. It may be that the resident manager for the system knows enough, but it may be a good idea to invite in an expert to give their advice.
Can I get a qualification if I want to do this more?
If you choose to make information security your speciality, there are a number of qualifications available from bodies around the world. These start with simple information security principles examinations, such as the one run by the British Computer Society’s Information Systems Examination Board (ISEB). Then there are those dealing with specialist areas, such as business continuity, which is run by the Business Continuity Institute. There are also specific qualifications dealing with particular types of technology, such as Cisco equipment, or with certain types of risk, such as fire or flood.
There are also more generic qualifications, such as the Certificate of Information Systems Security Professional (CISSP), which covers the whole area, but is really intended more for those who wish to make their career in the field. There are naturally first and second degrees in the field as well, for those who feel they want to get the best in-depth understanding.
Training is required in three key areas:
- All new staff should be introduced to the way security is managed in the organisation
- Certain staff will require role-specific training
- All staff will need refresher training at some stage.
The initial training should include:
- The acceptable usage agreement and statements about any security policies the organisation might have
- Notice of any monitoring the organisation might choose to do.
You might also wish to include:
- How staff may access systems, both in the office and in other locations, including home
- What staff should do in the event of problems arising
- How to prevent certain common problems
- Their part in any BCP and DR plans (although there is a high possibility that these might change over time).
It might also be useful to cover some of the less likely events, to try to reduce their incidence. This might include appropriate actions for checking data integrity, using a two-person rule in very sensitive areas, procedures for the disposal of paper copies, or some other aspect of information security.
When BCP and DR plans are drawn up, it’s important to include the ongoing need to maintain the necessary skills and the question of succession planning and to ensure there are no single points of failure.
Among the skills required will be incident management, technical skills to deal with specific systems (ICT systems, engineering or manufacturing systems, for example), and the forensic skills to ensure appropriate evidence is not lost and to help uncover the cause and any culprit.
The need for refresher training is probably pretty obvious. To assume that because a staff member was trained a number of years ago they are still competent is foolish in any area of business. The risks to information will also be changing, so the staff need to be kept abreast of the latest developments and the protection that has been put in place. On occasion, this might result in staff having to do things in a different way and they need to be made aware of this. It could, of course, be entirely sensible and practical to combine the information security updates with other aspects of the work of the organisation.