ABSTRACT

A review of FISMA reveals that there are specific requirements relating to the training of personnel in information security. The chief information security officer (CISO) must be aware of these requirements and must ensure that the information security program complies with these mandatory legislative requirements. More important than the compliance aspects, however, is that effective security training is simply a good idea in practical terms. Users play a large role in the protection of information and systems, yet they are perhaps one of the most overlooked elements of the information security program. Security awareness, training, and education are essential to the ability of system users to perform their security responsibilities. This assertion is based on the influence of users on the secure operation of an information system and its data. Irrespective of the nature and number of controls that are implemented to reduce the impact that users have on a system, in the end, the user is still there, and the protection of the system and its data has to rely, to a greater or lesser extent, on the right behavior of the ordinary user. Most practitioners readily accept that the number-one threat to data is trusted users.