Security Awareness Training and Education in Organisations
Bulletin of Applied Computing and Information Technology, 5(2), December 2007. Refereed Article A5.
Charles Tsui, Manukau Institute of Technology, New Zealand

Tsui, C. (2007). Security Awareness Training and Education in Organisations. Bulletin of Applied Computing and Information Technology, 5(2). Retrieved June 2, 2015.

Abstract
This paper discusses the support and guidance provided by governments concerning security awareness training and education. Based on the guidelines recommended by the National Institute of Standards and Technology (NIST) of the USA, it investigates which technical and non-technical areas should be covered and how training and education can be delivered most efficiently. Recommendations for improving the efficiency of training and education delivery, and for evaluating their effectiveness, are also provided.

Keywords
Security awareness training and education, government guidance, training matrix

1. Introduction
Dr. Eugene Schultz, in his editorial for Computers & Security in 2004 (Schultz, 2004), encouraged writers to submit more papers on security awareness, training and education (SATE). He opened by asking "Does security awareness training and education yield at least a reasonable return on investment?". When an organisation's budget comes under pressure, training and awareness are most likely the first areas to be cut. The main reason is that the direct benefits of security awareness training and education are very difficult to determine when compared with other security measures. The effectiveness of training and education depends largely on the quality of the adopted programme. A good programme should fit the particular needs and structural requirements of the organisation, and should include tools for measuring and maximising the return on investment (ROI) of training and education.
Based on a literature review, this paper identifies and discusses which technical and non-technical areas should be covered in a SATE programme, how a SATE programme may be structured to meet different educational and training requirements, and how security awareness training and education programmes can be delivered most efficiently. Models and frameworks are considered, including government guidelines.

2. Government Guidance
There are examples of governments promoting and encouraging SATE, with the result that the top-level management of organisations pays more attention to the importance of computer SATE. Some relevant cases are described below.

The USA's Computer Security Act of 1987 mandated that the National Institute of Standards and Technology (NIST, 2005), together with the United States Office of Personnel Management (OPM), develop and issue guidelines for federal computer security training. To fulfil this requirement, several guidance documents have been produced, such as Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model" (NIST, 1998), and Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program" (NIST, 2003). The two documents are complementary: SP 800-50 provides the higher-level, strategic view of how to build an information technology SATE (IT SATE) programme, while SP 800-16 describes role-based training requirements at a lower, tactical level. Although the documents target federal agencies in the USA, they may be used by any other organisation and are not subject to copyright.

Other governments provide similar guidance, such as "Information Security: Raising Awareness" prepared by the Treasury Board of Canada Secretariat (2000), and "A Users' Guide: How to Raise Information Security Awareness" published in 2006 by the European Network and Information Security Agency (ENISA). In 2006 the Australian Government released the "Australian Government Information and Communications Technology Security Manual". In New Zealand, the Government Communications Security Bureau (GCSB) maintains the New Zealand Security of Information Technology (NZSIT) publications and training programme (GCSB, 2006). All of these guidelines promote security awareness to organisations and the public and are supported by government offices and agencies. As they share similar approaches, this paper concentrates on the guidelines provided by NIST.

3. The SATE Concept
Security awareness, training and education are the three parts that make up the IT security learning continuum. It starts with raising awareness, develops into training, and then evolves into education (NIST, 1998, p.14). Figure 1 illustrates the three-layered structure of the IT security learning continuum recommended by NIST (1998, p.13). The three main layers are Awareness, Training, and Education. The interrelationships shown in Figure 1 may serve as a reference framework for building SATE programmes.

Figure 1. IT security learning continuum (Source: NIST, 1998, p.13)

Awareness covers a wide range of security aspects communicated to broad audiences. At this level an IT SATE programme aims to draw people's attention to things they take for granted without being aware of the related security issues. Activities at this level are especially targeted at workers who have only recently started using an information system. The middle layer is more formal and aims to enhance workers' skills and provide the security knowledge needed for daily tasks. This layer places emphasis on role-based training, in which programmes can be designed specifically for particular positions within an organisation. Education is the highest level of integration in the framework, where a combination of skills and competences is required to produce security specialists and professionals who are in a position to oversee the whole information infrastructure of the organisation.

General Training Areas
A comprehensive SATE programme should cover an organisation's entire user population. Following their role-based training methodology, NIST divide training into three general areas: laws and regulations, security programme, and system life cycle security. Six generic organisational roles are also identified: manage, acquire, design and develop, implement and operate, review and evaluate, and use (NIST, 1998). NIST recommend an IT security training matrix model (NIST, 1998, p.44) which relates the three training areas to the six organisational user roles. In the matrix (Figure 2) the numbers in the cells correspond to the numbered sections of the NIST document describing the training requirements.

Figure 2. IT security training matrix (Source: NIST, 1998, p.44)

The matrix arrangement in Figure 2 is a rather generalised framework with a "one-programme-fits-all" approach. Researchers may find it similar to Schultz's (2004) idea of "fitting a square peg in a round hole". It may not work effectively for security training, as a SATE programme, as noted in earlier sections, must be designed for particular audiences. For example, to build a training programme for a Chief Information Officer using the matrix, the cells 1A, 2.2A, 2.1C, 2.2C, 2.1D, 2.1E and 3.4E would all be selected.
To guide the reader, the documentation developed by NIST provides a number of examples referring to individual organisational roles, featuring a selection matrix, samples of training metrics, and a programme.

Technical vs Non-technical Training Areas
When training technical or professional personnel, the materials must be pitched at the technical level required for that particular position. For example, tests and specific programming guidelines for database applications are required when training staff in database security controls. Program code and templates are required when training software developers, so that the developers can use and apply them in their daily tasks (Steven & Peterson, 2006). However, that does not mean general security awareness is unnecessary. SATE programmes should be customised to start with an initial scheme that all staff must attend to raise their awareness, and then to form groups for further in-depth technical aspects. Steven and Peterson (2006) suggested a three-tier model for awareness training for software developers. The management aspect can be divided into three tiers, namely executive, management and development, and security. This concept is somewhat similar to the NIST six-role model, albeit with a smaller number of roles. The higher-level roles focus on vision, goals and objectives. The middle-level roles manage implementation and validation. The lowest level is where the actual tasks are carried out. On the technical aspect, developers can be further divided into beginner, intermediate and advanced levels. Compared with the NIST guidelines, this further customisation moves into the education level for professionals and specialists.

Non-technical areas can be classified as the public or community level. This is covered by NIST's Security Basics and Literacy (NIST, 1998, pp.23-32). A somewhat controversial example of "Community Security Awareness Training" was reported by Endicott-Popovsky, Orton, Bailey and Frincke (2005). It was a security awareness event in the form of a "Google-Hacking Contest", whose aim was to alert the general public to the risks of identity theft. The contest gathered groups of attendees, ranging from students to senior computer security professionals, who used "Google-Hacking" techniques to look for exposed personal identity details.

4. Making Training Efficient
COBIT (Control Objectives for Information and related Technology) identifies 'people' as one of the four IT resources that form the IT organisation (ITGI, 2005, p.12). People are the key players who use their skills and the technology infrastructure to carry out the defined processes that run the business; any faulty action by people directly affects the organisation. This is why many reports and papers state that people are the key, but also one of the weakest links (NIST, 2003, p.1). A SATE programme should therefore be designed for the people who work in the targeted organisation.
The programme will lose its effectiveness if the materials are overloaded with unnecessary content which the audience finds irrelevant to their work; people lose attention and become bored. Steven and Peterson (2006) note that "Only when training gives prescriptive design and coding guidance of what to do to resist attack does it stand a chance of sticking in a developer's mind." In fact, not only technical people but also general computer users prefer "you do what I do" practical training to sitting and watching a demonstration. The more chances people get for 'hands-on' training, the more deeply they understand the concepts related to security. Further, the training programme must be related to daily tasks: the closer it resembles a daily task, the more attention it gets from the audience.

The "Google-Hacking" event mentioned earlier is an example of a very effective and efficient exercise. The event was highly technical, but the outcome surprised everyone, as millions of highly confidential records were retrieved from the Internet through a wireless network provided by a university. Although it was not an official training programme and the highly technical attendees gained most of the benefits, the event served well to alert the general public and was a very efficient security awareness exercise. It was also cost-effective: the organisers paid for the venue and the wireless network connections, while the attendees contributed the labour and the equipment. The event gained high publicity world-wide.

5. Measurements and Improvements
Every business or non-business process is measured for its effectiveness, efficiency and ROI, and SATE is no exception. ENISA describe an "Overall strategy for executive awareness initiatives and programmes" in their users' guide. The strategy is divided into three phases: plan and assess, execute and manage, and evaluate and adjust.
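The evaluate-and-adjust phase needs a baseline and a defensible way of comparing it with post-programme figures. The following is an added example, not code from the paper or from ENISA: it takes monthly incident counts from before and after a SATE programme (the counts are constructed for illustration) and computes the incidence-rate ratio with a 95% confidence interval and a two-sided test on the log ratio, treating the counts as Poisson. That test is my choice of method, not one the paper or ENISA prescribes, and the function names are mine. The example also carries the caveat a practitioner needs when reading such figures: it compares a second series, staff-raised suspicious-mail reports, where a rise after training means more reporting rather than more attacks.

```python
import math
from typing import Dict, Sequence

# Constructed sample data, not figures from the paper: monthly counts for
# one organisation, six months before and six months after a SATE programme.
# "Compromises" are confirmed phishing-driven account compromises found by
# the security team; "user reports" are suspicious-mail reports raised by
# staff, which awareness training is expected to increase.
COMPROMISES_BEFORE = [14, 11, 16, 13, 12, 15]
COMPROMISES_AFTER = [9, 7, 8, 6, 10, 7]
USER_REPORTS_BEFORE = [20, 18, 25, 22, 19, 21]
USER_REPORTS_AFTER = [41, 38, 45, 40, 44, 39]

Z_95 = 1.959964  # two-sided 95% quantile of the standard normal distribution


def _normal_cdf(x: float) -> float:
    """Standard normal CDF via the error function (standard library only)."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def compare_periods(before: Sequence[int], after: Sequence[int]) -> Dict[str, float]:
    """Incidence-rate ratio (after / before) for monthly incident counts.

    Each sequence holds one count per month; the two periods may differ in
    length. Counts are treated as Poisson, so the standard error of the log
    rate ratio is sqrt(1/total_before + 1/total_after). Returns the totals,
    monthly rates, the ratio with its 95% confidence interval and a
    two-sided p-value for the hypothesis that the ratio is 1.
    """
    if not before or not after:
        raise ValueError("both periods need at least one month of data")
    total_before, total_after = sum(before), sum(after)
    a, b = float(total_before), float(total_after)
    # A zero total makes the log ratio and its variance undefined; add 0.5
    # to both totals (a Haldane-Anscombe style correction) to keep it finite.
    if a == 0 or b == 0:
        a += 0.5
        b += 0.5
    rate_before = a / len(before)
    rate_after = b / len(after)
    irr = rate_after / rate_before
    log_irr = math.log(irr)
    se = math.sqrt(1.0 / a + 1.0 / b)
    z = log_irr / se
    return {
        "before_total": total_before,
        "after_total": total_after,
        "rate_before": rate_before,
        "rate_after": rate_after,
        "irr": irr,
        "ci_low": math.exp(log_irr - Z_95 * se),
        "ci_high": math.exp(log_irr + Z_95 * se),
        "p_value": 2.0 * (1.0 - _normal_cdf(abs(z))),
    }


def interpret(name: str, result: Dict[str, float], alpha: float = 0.05) -> str:
    """One-line reading of a comparison, suitable for a programme report."""
    if result["p_value"] >= alpha:
        return (f"{name}: no significant change "
                f"(IRR {result['irr']:.2f}, p = {result['p_value']:.3f})")
    direction = "fell" if result["irr"] < 1.0 else "rose"
    return (f"{name}: {direction} significantly "
            f"(IRR {result['irr']:.2f}, 95% CI {result['ci_low']:.2f}-{result['ci_high']:.2f})")


def evaluate_programme() -> Dict[str, Dict[str, float]]:
    """Compare both metrics; read a rise in staff reports as better reporting, not more attacks."""
    return {
        "confirmed compromises": compare_periods(COMPROMISES_BEFORE, COMPROMISES_AFTER),
        "staff phishing reports": compare_periods(USER_REPORTS_BEFORE, USER_REPORTS_AFTER),
    }


if __name__ == "__main__":
    for metric, result in evaluate_programme().items():
        print(interpret(metric, result))
```

With the constructed figures, confirmed compromises fall (IRR about 0.58 with the whole interval below 1) while staff reports roughly double; reporting only the second series would make the programme look harmful, reporting only the first would hide a benefit that is itself a security control. Collecting several periods after the programme, as the section suggests, also shows whether the effect decays and refresher training is needed.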
The document gives guidelines on cost analysis and on identifying the benefits, and on establishing a baseline and evaluating against it; evaluation and feedback can be gathered by questionnaire (ENISA, 2006, pp.33-37). However, most of the benefits are intangible and not directly measurable, such as staff being "motivated to adopt security practices". Although these cannot be measured directly, comparisons on certain performance criteria can be carried out. For example, statistical data on security breaches and incidents can be collected before the SATE programme, after it, and regularly for a number of periods thereafter, and then analysed. Another example is software application development, where a security analyst is normally employed to look for vulnerabilities and bugs in applications; the analysis can be done before and after the SATE programme and the results compared to look for continuous improvement.

6. Conclusion
This paper addresses some aspects of security awareness training and education in organisations. A brief review of significant guidance documents provided by governments has been carried out. The concept of the people factor in security awareness training and education is introduced and discussed as a backdrop to further ideas on how to formalise, design and measure an efficient and useful SATE programme. A number of examples are used to draw practical recommendations for educators and practitioners in the field, referencing models and frameworks sourced from the literature reviewed.

Acknowledgements
Special thanks to the anonymous reviewers for their constructive comments, and to Krassie Petrova and the members of the BACIT editorial board for supporting my work on the article.

References
Australian Government (2006). Australian Government Information and Communications Technology Security Manual. Retrieved October 18, 2006.
ENISA (2006). A users' guide: How to raise information security awareness. Retrieved October 18, 2006.
Endicott-Popovsky, B., Orton, I., Bailey, K., & Frincke, D. (2005). Community security awareness training. Proceedings of the Sixth Annual IEEE Systems, Man and Cybernetics (SMC) Information Assurance Workshop.
GCSB (2006). The NZ Security of Information Technology (NZSIT) publications and training programme. Retrieved October 18, 2006.
ITGI (2005). COBIT (Control Objectives for Information and related Technology) 4.0. Retrieved September 30, 2006, from Section=Downloads3&Template=/MembersOnly.cfm&ContentID=23325
IWS (2006). The Information Warfare Site. Retrieved October 18, 2006.
NIST (2005). National Institute of Standards and Technology. Retrieved October 18, 2006.
NIST (1998). Information technology security training requirements: A role- and performance-based model (Special Publication 800-16). Retrieved October 18, 2006.
NIST (2003). Building an information technology security awareness and training program (Special Publication 800-50). Retrieved October 18, 2006.
Schultz, E. (2004). Security training and awareness: Fitting a square peg in a round hole. Computers & Security, 23(1), 1-2.
Steven, J., & Peterson, G. (2006). Essential factors for successful software security awareness training. IEEE Security & Privacy, 4(5).
Treasury Board of Canada Secretariat (2000). Information security: Raising awareness. Retrieved October 18, 2006.

Copyright 2007 Tsui, C.
The author(s) assign to NACCQ and educational non-profit institutions a non-exclusive licence to use this document for personal use and in courses of instruction provided that the article is used in full and this copyright statement is reproduced. The author(s) also grant a non-exclusive licence to NACCQ to publish this document in full on the World Wide Web (prime sites and mirrors) and in printed form within the Bulletin of Applied Computing and Information Technology. Authors retain their individual intellectual property rights. Copyright 2007 NACCQ. Krassie Petrova, Michael Verhaart, Beryl Plimmer (Eds.). An Open Access Journal.
Abstract This paper addresses the methods and methodologies required to develop a corporate security policy that will effectively protect a company's assets. Date: January 1, 2000 Authors: J.D. Smith,
More informationITIL Service Lifecycle Design
ITIL Service Lifecycle Design Course Details Course Code: Duration: Notes: ITILSL-Des 5 days This course syllabus should be used to determine whether the course is appropriate for the students, based on
More informationSatisfaction Survey. Prescriber Update Reader. Survey Outcome Report. Medsafe
Prescriber Update Reader Satisfaction Survey Survey Outcome Report Medsafe July 2016 Contents About Medsafe... 3 Background... 3 Introduction... 3 Survey Questions... 4 Survey Results... 6 Response Rate...
More informationBrixton Live: Web development brief
Brixton Live: Web development brief 1. Context: Project overview and partners Kettle Partnership has been awarded a grant by Arts Council England to deliver Brixton Live, a website and mobile application
More informationRECORDS MANAGEMENT POLICY
RECORDS MANAGEMENT POLICY POLICY STATEMENT The records of Legal Aid NSW are a major component of its corporate memory and risk management strategies. They are a vital asset that support ongoing operations
More informationISO/IEC/IEEE 29119 The New International Software Testing Standards
ISO/IEC/IEEE 29119 The New International Software Testing Standards Stuart Reid Testing Solutions Group 117 Houndsditch London EC3 UK Tel: 0207 469 1500 Fax: 0207 623 8459 www.testing-solutions.com 1 Stuart
More informationGoogle Analytics as a tool in the development of e-learning artefacts: A case study
Google Analytics as a tool in the development of e-learning artefacts: A case study Damon Ellis Massey University The design, development, and evaluation of e-learning artefacts requires extensive and
More informationStudent reactions to online tools for learning to use the Internet as a study tool: Outside the comfort zone?
Student reactions to online tools for learning to use the Internet as a study tool: Outside the comfort zone? Carol S Bond, David Fevyer and Chris Pitt Institute for Health and Community Studies Bournemouth
More informationThe Importance of Cybersecurity Monitoring for Utilities
The Importance of Cybersecurity Monitoring for Utilities www.n-dimension.com Cybersecurity threats against energy companies, including utilities, have been increasing at an alarming rate. A comprehensive
More information2015 Information Security Awareness Catalogue
Contents 2015 Catalogue Wolfpack Engagement Model 4 Campaign Drivers 6 Offerings 8 Approach 9 Engaging Content 10 Stakeholder Change Management 12 Bundles 13 Content 14 Grey Wolf -Track compliance with
More informationKnowledge Management in Public Administration: Strategies and Tools
Knowledge Management in Public Administration: Strategies and Tools Niall Sinclair Director, KM Initiatives, Institute for Knowledge and Innovation, Bangkok, Thailand March 26 th 2010 Knowledge Matters
More informationBusiness Intelligence
WHITEPAPER Business Intelligence Solution for Clubs This whitepaper at a glance This whitepaper discusses the business value of implementing a business intelligence solution at clubs and provides a brief
More informationThe fourth hurdle system. International HTA agencies. Australian PBAC. Difference between health technology regulatory body and HTA body
* This presentation is prepared by the author in one s personal capacity for the purpose of academic exchange and does not represent the views of his/her organisations on the topic discussed. Local Application
More informationCHArTECH BOOkS MANAgEMENT SErIES INTrODuCINg ITSM AND ITIL A guide TO IT SErvICE MANAgEMENT www.icaew.com/itfac
Chartech Books Management Series Introducing ITSM and ITIL A Guide to IT Service Management www.icaew.com/itfac Introducing ITSM and ITIL A Guide to IT Service Management by Colin Rudd This report is published
More informationReal World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services
Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons
More informationInnovation & Learning the organisation s intellectual capital both human and non-human
The Reality of Key Performance Indicators Balanced Scorecard Reporting was created by Robert S. Kaplan and David P.Norton and was devised to allow top executives to communicate and implement their key
More informationDrupalGov Canberra 2013 Summary Report. Christopher Skene chris@xtfer.com 3rd March 2014
DrupalGov Canberra 2013 Summary Report Christopher Skene chris@xtfer.com 3rd March 2014 General summary DrupalGov Canberra was run on August 23rd, 2013, at University House, at the Australian National
More informationBusiness Intranet Redesign: Can High Usability Mediate Competitive Advantage?
Business Intranet Redesign: Can High Usability Mediate Competitive Advantage? - Research in Progress - Thomas Acton (Corresponding Author) Dept of Accountancy & Finance National University of Ireland,
More informationAn Introduction to the DHS EBK: Competency and Functional Framework for IT Security Workforce Development
An Introduction to the DHS EBK: Competency and Functional Framework for IT Security Workforce Development Wm. Arthur Conklin University of Houston, College of Technology 312 Technology Bldg, Houston, TX
More informationITAG RESEARCH INSTITUTE
ITAG RESEARCH INSTITUTE Best Practices in IT governance and alignment Steven De Haes Wim Van Grembergen University of Antwerp Management School IT governance is high on the agenda, but many organizations
More informationHP Service Manager. Software Version: 9.34 For the supported Windows and UNIX operating systems. Processes and Best Practices Guide
HP Service Manager Software Version: 9.34 For the supported Windows and UNIX operating systems Processes and Best Practices Guide Document Release Date: July 2014 Software Release Date: July 2014 Legal
More informationThe introduction of an online portfolio system in a medical school: what can activity theory tell us?
The introduction of an online portfolio system in a medical school: what can activity theory tell us? Glenn Mason Vicki Langendyk Shaoyu Wang In this paper we discuss innovations in the personal and professional
More informationBusiness Intelligence
Business Intelligence What is it? Why do you need it? This white paper at a glance This whitepaper discusses Professional Advantage s approach to Business Intelligence. It also looks at the business value
More informationRisk Management. Upasna Saluja, PhD Candidate. Dato Dr Norbik Bashah Idris
Risk Management Upasna Saluja, PhD Candidate Dato Dr Norbik Bashah Idris 1. Abstract Information is a key asset for organizations across industries as they seek to use IT as a differentiator and key business
More informationWILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES
WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES This special report examines the cyber risk disclosures made by the retail sector of the Fortune 1000.
More informationENISA s ten security awareness good practices July 09
July 09 2 About ENISA The European Network and Information Security Agency (ENISA) is an EU agency created to advance the functioning of the internal market. ENISA is a centre of excellence for the European
More informationTHE INFORMATION AUDIT AS A FIRST STEP TOWARDS EFFECTIVE KNOWLEDGE MANAGEMENT: AN OPPORTUNITY FOR THE SPECIAL LIBRARIAN * By Susan Henczel
INSPEL 34(2000)3/4, pp. 210-226 THE INFORMATION AUDIT AS A FIRST STEP TOWARDS EFFECTIVE KNOWLEDGE MANAGEMENT: AN OPPORTUNITY FOR THE SPECIAL LIBRARIAN * By Susan Henczel Introduction Knowledge is universally
More informationStatements of Learning for Information and Communication Technologies (ICT)
Statements of Learning for Information and Communication Technologies (ICT) ISBN-13: 978-1-86366-633-6 ISBN-10: 1 86366 633 8 SCIS order number: 1291673 Full bibliographic details are available from Curriculum
More informationBusiness data services in Europe: growth opportunities and forecasts 2009 2014
Research forecast report Business data services in Europe: growth opportunities and forecasts 2009 2014 Margaret Hopkins June 2009 Contents 2 Contents Slide no. 3. Document map Executive summary 4. Spending
More informationCriticism of Implementation of ITSM & ISO20000 in IT Banking Industry. Presented by: Agus Sutiawan, MIT, CISA, CISM, ITIL, BSMR3
Criticism of Implementation of ITSM & ISO20000 in IT Banking Industry Presented by: Agus Sutiawan, MIT, CISA, CISM, ITIL, BSMR3 Outline What is IT Service Management What is ISO 20000 Step by step implementation
More informationCYBER SECURITY FOUNDATION - OUTLINE
CYBER SECURITY FOUNDATION - OUTLINE Cyber security - Foundation - Outline Document Administration Copyright: QT&C Group Ltd, 2014 Document version: 0.2 Author: N R Landman (MD and Principal Consultant)
More informationResponding to the Changing Training Needs of On-site Wastewater Management Professionals
Responding to the Changing Training Needs of On-site Wastewater Management Professionals J H Whitehead 1, P M Geary 2, M Linich 3 & R Patterson 4 1 Centre for Environmental Training, NSW, 2 The University
More informationBT Assure Threat Intelligence
BT Assure Threat Intelligence Providing you with the intelligence to help keep your organisation safe BT Assure. Security that matters At all times, organisations are vulnerable to all kinds of cyber attacks
More informationCybersecurity Framework: Current Status and Next Steps
Cybersecurity Framework: Current Status and Next Steps Federal Advisory Committee on Insurance November 6, 2014 Adam Sedgewick Senior IT Policy Advisor Adam.Sedgewick@nist.gov National Institute of Standards
More informationCertification for Information System Security Professional (CISSP)
Certification for Information System Security Professional (CISSP) The Art of Service Copyright Notice of rights All rights reserved. No part of this book may be reproduced or transmitted in any form by
More informationProcedures for Assessment and Accreditation of Medical Schools by the Australian Medical Council 2011
Australian Medical Council Limited Procedures for Assessment and Accreditation of Medical Schools by the Australian Medical Council 2011 Medical School Accreditation Committee These procedures were approved
More informationBuilding an Information Technology Security Awareness and Training Program
Building an Information Technology Security Awareness and Training Program Mark Wilson and Joan Hash C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National
More informationBenefits of conducting a Project Management Maturity Assessment with PM Academy:
PROJECT MANAGEMENT MATURITY ASSESSMENT At PM Academy we believe that assessing the maturity of your project is the first step in improving the infrastructure surrounding project management in your organisation.
More informationITAG RESEARCH INSTITUTE
ITAG RESEARCH INSTITUTE Practices in IT Governance and Business/IT Alignment By Steven De Haes, Ph.D., and Wim Van Grembergen, Ph.D. In many organisations, information technology (IT) has become crucial
More informationCONSTRUCTION HEALTH AND SAFETY, AND INJURY PREVENTION Research and develop accident and incident investigation procedures on construction sites
1 of 7 level: 4 credit: 4 planned review date: December 2003 sub-field: purpose: Construction People credited with this unit standard are able to: research accident and/or incident investigation and reporting
More informationISSA Guidelines on Master Data Management in Social Security
ISSA GUIDELINES ON INFORMATION AND COMMUNICATION TECHNOLOGY ISSA Guidelines on Master Data Management in Social Security Dr af t ve rsi on v1 Draft version v1 The ISSA Guidelines for Social Security Administration
More information