Annual Security Compliance Training

  • The training is probably more about legal procedure, having each employee acknowledge that they've been informed of specific security policies. For example, there is no reason for someone to plead ignorance about copying down classified documents to a USB drive, download apps from the web to their work PC, or "outsource" their telecommute job by giving their login account credentials to someone else.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Many of you are missing the business point. The annual security refresher is for avoiding lawsuits by showing due diligence. It also makes it easy to fire people for noncompliance. If you think the annual training is about *you*, you miss the boat.

  • I work for a school, so for us it isn't SOX et al but FERPA. We have several annual training computer courses (video+quiz) that everyone has to complete usually in late July, followed by "read and sign" for the employee manual and campus digital surveillance system. Plus passing a CPR/First Aid course at least once, and a safe driver course every 2-3 years.

    I actually enjoyed the computer courses: I watched all sorts of cool stuff after I finished the required courses and learned about safe driving in snow, first aid, sanitizing kitchen equipment and school shootings. Yes, I work for a school and have received no direct training on what to do if there's a shooting.

    Computer security? Not a whisper. Do people know how to use the keyboard combination of Windows Key + L to lock their computer? Not a chance. We have a good firewall for filtering inbound, but no system is perfect.

    @eric, talking about smartphone owners being Linux sysadmins whether they know it or not: yep. Cybercrooks have such an easy time because a majority of computer users are totally ignorant when it comes to security.

    -----
    [font="Arial"]Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson[/font]

  • It's really too bad if the security training is more about legal garbage than about teaching people how to do things properly. Maybe, just maybe, if it were about teaching developers how to inject-proof their code, there wouldn't be so many data breaches in the news where millions of people get their information stolen.

    Perhaps the mandatory "training" should seize the opportunity to teach people something.

  • Ed Wagner (8/21/2015)


    It's really too bad if the security training is more about legal garbage than about teaching people how to do things properly. Maybe, just maybe, if it were about teaching developers how to inject-proof their code, there wouldn't be so many data breaches in the news where millions of people get their information stolen.

    Perhaps the mandatory "training" should seize the opportunity to teach people something.

    +1000!

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • I'm just becoming involved in this area, both security and privacy. It scares me.

  • Jeff Moden (8/21/2015)


    The "training" is ridiculous for some of us. There needs to be two versions... one for people that don't work with security every day and a MUCH shorter version for those that do. Think "refresher/new requirements" for those that do rather than the "Ok... you're an idiot and know nothing about security" version.

    Sounds like a good idea, thanks.

  • You can find plenty of articles on SQLServerCentral or YouTube videos explaining how to write secure code. It would be easy for an organization to provide their developers with relevent links, and then have them take an online certification exam to prove they know the material.

    SQLServerCentral or RedGate should consider going into the business of providing mini certification exams on narrow topics like database security or analyzing execution plans.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • George, its definitely about diligence, but it can be check the box diligence or the kind that does some good.

  • Employ good trustworthy people that have an interest in the domain and the technology and encourage them to be responsible and empowered. Occasionally swap them out to give a chance for others to learn and review.

    Setting procedures for security in my experience is always 10 steps behind the trouble.

    cloudydatablog.net

  • Eric, PCI requires annual training for developers that includes the OWASP Top 10 in addition to all the standard compliance stuff. Gotta think it helps some.

  • Dalkeith (8/24/2015)


    Employ good trustworthy people that have an interest in the domain and the technology and encourage them to be responsible and empowered. Occasionally swap them out to give a chance for others to learn and review.

    Setting procedures for security in my experience is always 10 steps behind the trouble.

    The problem is that even if you do due diligence, people of questionable character still slip through. When I worked for the police department, we were going to hire another programmer. He'd gotten through our hiring process: polygraph, background investigation, interviews, fingerprinting, FBI records check, etc. Pretty extensive, not extensive as sworn law enforcement, but still fairly tough. Our IT director had lunch with a peer, mentioned that X was about to start. His peer replied "X? We fired his butt! He was caught [engaging in an act of self-gratification] in his cubicle!" We withdrew the offer to hire him.

    You can hire people whom you think are trustworthy, but what constitutes trustworthy? I think that's something that can only be evaluated by watching someone's behavior over years, and then it's still easy to overlook something that could blow-up in your face. People's situations change, illness happens, sudden debts, drug use, and stealing/selling confidential information becomes much more tempting.

    Treat your people well, pay them decently, make the work place a comfortable and pleasant place, and hope for the best. But you're still likely to have failures, it almost becomes a statistical certainty.

    -----
    [font="Arial"]Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson[/font]

  • Iwas Bornready (8/24/2015)


    I'm just becoming involved in this area, both security and privacy. It scares me.

    I regularly read Krebs On Security blog[/url] and keep half an eye on Bruce Schneier[/url]. It's not a losing battle, it's a lost battle. Do the best you can and accept that you'll probably still be compromised at some point.

    -----
    [font="Arial"]Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson[/font]

  • Wayne West (8/24/2015)


    I regularly read Krebs On Security blog[/url] and keep half an eye on Bruce Schneier[/url].

    Another useful blog is http://www.troyhunt.com/

  • Most of our training seems to be common sense type things. Depending on the topic, I will skim the materials (for unfamiliar things) or just click NEXT as fast as I can (for familiar topics) so that I can take the quiz. I'm sure there is value for people unfamiliar with security, fraud, etc. For me, it is just to keep compliance and internal auditors happy.

Viewing 15 posts - 16 through 30 (of 32 total)

You must be logged in to reply to this topic. Login to reply