Information security is defined as the set of processes and procedures implemented to prevent unauthorized access to sensitive information. It involves protecting information by ensuring that the information systems holding it are secure. Many organizations provide education and training programs to their employees to create awareness of the issue.
There are several methods that can be used to educate staff on information security. One of them is an ongoing training program. The program starts immediately after hiring, when IT employees are introduced to the organization's information system and to the security policies and strategies the company employs. During their time at the company, employees receive network security training that keeps them informed about the current methods hackers use to access information systems. The network security training is also used to reinforce points already communicated about information security (Sanchez, 2011). These reminders include changing passwords regularly so that they cannot be predicted by unauthorized personnel. The ongoing training may also involve information security tips sent directly to employees' computers.
The second method used to educate staff is making information security personal. Network security may seem like an abstract idea to employees who are not responsible for the organization's technology efforts. It is important to note that nearly all of the organization's customers own personal computers and use credit cards to purchase online; the company can use that fact to make security personal to its employees by helping the workforce understand that their own data, including details about their identity, is better protected when they follow the security policies that keep the corporate network secure. Network security affects everybody who accesses the company's network, and employees need to understand that.
The third education strategy is making security easy for employees. Even the most thoroughly educated and well-intentioned employee may be tempted to work around the organization's security measures if they are hard to follow, so the organization should make it simple for employees and users to follow the information security policies. For instance, the organization can configure applications to prompt users to change their passwords at regular intervals, and ensure that anti-malware software updates automatically at times when it will not interfere with employees' workday. Likewise, the organization should not blame employees who report a security incident. An organization needs employees to feel safe so that they come forward to report any potential security hazard. Employees can be rewarded for correct behavior and for their efforts in protecting information.
The fourth education strategy is informing employees what to do and what not to do. Employees should be informed of all the necessary procedures before a security incident occurs and during one. Security instructions should include details on how employees ought to respond to a security incident as well as how to avoid one (Wilson, Stine & Bowen, 2009). What should employees do if they click on a link that turns out to be infected with malware? Should they call the information security personnel for help, or should they take some immediate action on their own computer by themselves? Employees need to know how to react, including whether to immediately close their browser windows or shut down their computers if necessary.
The last strategy used to educate employees is making the information security support team accessible. The workforce needs to know whom to go to if they encounter a network security incident or have questions about security (Herold, 2011), for example a suspicious email or an unusual pop-up window. If the organization does not have an information security support team on-site, it should ensure that everybody knows how to contact support personnel through the service provider. It is just as important that employees understand what to do and what not to do while waiting for a response from the organization's security specialist.
In information security, the strategies that are implemented are meant to prevent unauthorized individuals or groups from accessing, modifying, disrupting or using information. Although all of the strategies are implemented to protect information, they can be classified according to the purpose or goal they are meant to achieve. The strategies are: the physical computer security strategy, and the network and data security strategy (contingency and recovery strategy, computer awareness and training strategy, etc.).
The physical computer security strategy involves measures taken to prevent physical access to the places where the information systems are kept. Many methods are employed at the physical level to prevent intruders from reaching information. The server room, where devices such as routers, servers, switches and cables are kept, should be locked at all times. Proper authentication systems such as biometric scanners, smart cards and tokens should be used for such rooms. Surveillance in the form of video cameras is installed in the server room to monitor activity there. Organizations ensure that all vulnerable network devices are secured in locked rooms such as the server room. Lockable rack-mount server enclosures are used to keep unauthorized personnel out. Workstations are monitored carefully, the computers at unoccupied workstations are disconnected, and unoccupied offices are kept locked. Entities also secure the hard drives inside their computer systems; this is done with case locks that require a key to open. Backup information is stored in a safe or in the server room to restrict access (Schou & Hernandez, 2015). Lastly, some organizations disable USB ports and floppy disk drives to prevent employees from carrying away critical company information.
The data and networking strategies are presented as documents and instructions on how security issues should be managed and controlled. This strategy makes employees aware of what they should know about information security and of their responsibilities. It describes the security measures employed by the organization, such as the information system architecture, firewalls on the system, multiple layers of security, the use of passwords, and encryption (Li, Li, Pan & Zhang, 2014). The strategy sets out the appropriate measures for using cloud computing within the organization so as to avoid security breaches. Information is provided on how company devices should be sanitized or wiped before disposal, to prevent the recovery of any data left on the device. Employees are given guidelines on how to handle the organization's restricted information so that unauthorized users cannot access it. Data and networking strategies provide the guidelines for incident response as well as prevention. If company devices containing company information are stolen, or data is lost from a device, the strategy provides the guidelines for recovery and for handling the situation, for example the procedure for tracking a stolen computer. The strategy defines the processes and procedures for accessing company information remotely and the rules for mobile computing security. If any payments are to be made to the company electronically, the strategy provides the technical procedures for handling credit cards so as to protect consumer privacy. Data and networking strategies also outline the training and education procedures for both new and existing employees. The strategy provides a recovery and contingency plan. Lastly, it provides the security forms required to gain access to the company's security information.
To improve training on information security and its risks, an organization should first establish the need for the training, then identify the different types of security awareness training, and lastly evaluate the program and provide specialized training. For information security training programs to be effective, the organization should identify the need and communicate it to employees. Before the training begins, the program should answer the questions of why, how and what for the employees. In identifying the need, expected responsibilities should be identified and clarified, and employees should be made to understand the importance of information security to themselves and to the organization. The training should be tailored to specific issues and groups. Different types of awareness training should be used to address different issues and groups appropriately. Employees can be classified as management, technical employees and general staff. These categories need to be trained differently because, although they face the same security issues, their roles diverge. Each group should be made to understand its duties, expectations and liabilities. The training should be mandatory, and employees should be required to sign a compliance form to ensure that the lessons are adhered to. Lastly, the program should be evaluated by setting appropriate performance standards and adjusting them when necessary. Performance can be appraised with measures such as the number of complaints, both internal and external, the number of security breaches, and so on. Employees should also be provided with specialized training on new technologies.
Many organizations have made information security training an optional extra; this has weakened their security strategies, since employees act as an easy gateway to an organization's information, for example by clicking on unusual links (Lohrmann, 2014). To reinforce the intent of these strategies, information security training should be made mandatory. Many organizations are strict about compliance with the information security strategies they have implemented; this is not the correct approach. Rather, the organization should focus on changing its culture so that it continually improves and adapts to technological change. The main goal should be to improve the information security culture. Organizations tend to use the same methods and the same policies over and over again to create security awareness. They should instead update their strategies constantly to keep up with the changing technological environment.