S 2.197 Drawing up a training concept for IT security

Initiation responsibility: IT Security Management Team

Implementation responsibility: Line managers, IT Security Management Team

The shared task of "IT security" can only be performed in the proper manner if everyone involved in the IT security process has a reasonable level of knowledge about IT security generally and in particular about the dangers and countermeasures in their own particular work areas. Although ultimately all users should be motivated to keep up-to-date on their own initiative, nevertheless it is up to line managers to help them do this by providing suitable training courses. Given the large range of possible training topics and the importance of IT security, a co-ordinated approach is required in the selection of training content. This must be presented and documented in training concepts.

In larger organisations with heterogeneous workstations, a single concept will generally not be sufficient. Instead, it will be necessary to tailor training concepts by scope and content to the importance and complexity of IT use in each target group. For example, an IT administrator or software developer obviously needs to know more about IT security than a commercial person or a typist. The first stage in drafting an IT security training concept is therefore to assign the staff of an organisation to target groups so that a separate training concept can be prepared for each of them. It is important to ensure here that every employee whose field of work involves IT either directly or indirectly is allocated to one of these groups, that implementation of this concept is verifiable and that evidence that training has taken place is retained. This ensures that training is of the appropriate breadth and depth.

The IT security training concepts must be prepared in close co-ordination with the other training concepts of a company/agency, especially with training courses for IT users. The extent to which it is possible to integrate training topics on IT security into courses for IT users should be considered here. Including IT security within the syllabus of such courses has the advantage that IT security is perceived directly as another aspect of the use of IT. It is essential here that the lecturers demonstrably have the right skills and expertise. In the design of training courses it is critical that the "IT security" component is given sufficient coverage within the overall plan. A brief talk on the subject on a Friday between 1 p.m. and 2 p.m. is definitely not sufficient.

An IT security training concept should contain as a minimum the following points for all IT users:

• Risks and threats in IT use

• Basic terms and basic parameters of IT security

• The organisation-wide Information Security Policy - what does this mean to my everyday work?

• Responsibilities and reporting channels in our organisation (to include introducing the IT Security Officer)

• How can I contribute to IT security?

• How can I tell if a security-relevant incident has occurred and what should I do?

• How can I educate and inform myself in matters of IT security?

Depending on the type and depth of IT use, additional topics should be included for particular target groups, for example:

• secure electronic communication,

• security aspects of particular IT systems and applications,

• secure software development and

• drawing up and audit of IT security concepts.

In each case it is necessary to check which subjects can be handled by in-house staff and which ones would be better dealt with through external courses. External courses are especially necessary for fields of work where IT penetration and complexity are high, and for the training of staff who will be responsible for IT security, whose training is particularly critical.

Due to the speed at which IT changes, knowledge previously acquired rapidly becomes out of date. New IT systems, and also new threats, vulnerabilities and possible defensive measures make it imperative that knowledge of IT security matters is continually refreshed and extended. Training provision on these matters should therefore not be directed solely at new staff but refresher and supplementary courses should be provided at regular intervals for experienced IT users as well. With this in mind, it is important that the training concepts are updated regularly and modified to new circumstances as necessary.

To keep training knowledge constantly updated it is important to closely co-ordinate training courses and measures aimed at promoting awareness of IT security issues (see also S 2.198 Making staff aware of IT security issues). Thus, for example, training courses should refer to existing information sources and especially to the possibilities available for further private study (self-study courses, books etc). An example of a target group-specific training concept will be found on the CD-ROM (see appendix on Additional Aids, in German only).

Additional controls:

• Are written IT and IT security training concepts available for all IT user groups in the organisation?

• Is the IT Security Management Team involved in the planning and delivery of IT training?

• Do update plans exist for training concepts and are these adhered to?