Summarize the process of constructing security training inside an organization. What are at least four resources that should be consulted to make sure the training is adequate and current?

The process of constructing security training inside an organization involves the following steps:

i. Program Scope, Goals, and Objectives [5]

Security training policies that clearly state the scope, goals, objectives and enforcement mechanisms of the program should be written.

ii. Identify Training Staff

Choose staff from diverse teams (management, security, communications, HR, web applications, media developers, etc.) who are experienced and/or have undergone training themselves to form the training staff.

iii. Target Audience [5]

The training program can have different modules: a generic one for all staff, and specialized, fine-grained ones for specific groups.

iv. Motivate Management and Employees

Upper management needs to be “in” with the plan so that it can effectively be pushed to all employees, either by making it mandatory and/or by allocating regular time slots for the training. The employees, in turn, need to be motivated to attend the training.

v. Administer the Program [5]

The program should have “high visibility” [5], and the selection of training topics should be based on the “organization’s needs specific to the targeted audience” [5].

vi. Maintain the Program [5]

The curriculum should be continually updated. Computer technology changes constantly and “requires that training personnel are briefed and recertified frequently in order to keep up with the pace of rapid change in their fields of study.” [5]

vii. Evaluate the Program

Evaluating the users’ knowledge and testing the training’s effectiveness is important. The program should also invite feedback, which serves as crucial input for the next cycle of training.

Four resources that can be consulted to ensure the training material is adequate and current are:

  1. SANS Securing The Human
  2. US-CERT
  3. Wombat Security Technologies
  4. SOPHOS