Security Policy Training and Procedures – CompTIA Security+ SY0-401: 2.6

Your security policies won’t be very useful if your user community isn’t trained. In this video, you’ll learn some techniques for training your users on your organization’s security policies.



You’ve spent hours and hours putting together your formal security policies. Now it’s time to tell everyone about those policies and make them aware of the things that are important to keep your organization secure. And what better place to put all of this information than in a central repository that everyone can access? That would probably be your intranet pages. Unfortunately, just putting this information on the intranet is not going to make people read it. In fact, they usually will not read the information that’s on the intranet, so we have to think of other ways to get this information into the hands of the users.

One good way to do this is with training classes. In the case of internet and network security, these are probably going to be mandatory training classes. It’s best if you can fit this into someone’s normal schedule. Maybe you get some time before or after a regular group meeting that occurs every week or every month. This gets everybody to see you, to meet you, to understand some of the challenges that your organization has with security, and you get to answer their questions. Some of the things you would probably talk to your end users about deal with basic security: how to deal with viruses, and how to watch for people coming into the building as visitors. You want to make people comfortable with approaching strangers in your building and asking them for a visitor badge.

And make sure that everybody is aware of the policies. Maybe in your organization there’s a policy that visitors must be escorted at all times, so if anybody sees someone walking around by themselves, you know something is not quite right. By empowering your users, they may be more comfortable approaching someone and asking them for their visitor badge or their company employee badge.

You might also want to have specific training for people that have unique security challenges. If a group is getting a new set of laptops, some new tablets, or some new mobile devices, you might want to customize some security training around that so that they really understand the security challenges specific to those devices. That way, they’ll be more comfortable with the devices, and you’ll know that they’re trained to look out for things that are very specific to this new technology.

It would be good if we could customize this training for the specific role that a person has in the organization. For example, someone in the accounting department probably has different security requirements than somebody in shipping and receiving. But just by looking at a list of everyone’s names in the organization, you really can’t tell what those differences might be. What is the difference between someone in a manager role and someone in a vice president role? How does the data access differ for those people? This may take a little bit of research to really determine the type of training that’s appropriate for each of them.

We want to go through and look at all of the different employees, and maybe group them together. Maybe it’s not by manager or vice president, but maybe it’s by different departments, and the entire department gets a certain type of security training. Every organization is going to be a little bit different in how that role-based training will be rolled out. You’ll probably want to have different levels of training, as well. Some people will just be at the beginner level for understanding security challenges. Other people may need more advanced training, especially if they’re dealing with very sensitive data or they’re using equipment that is very important to keep secure. If you’re in the IT department, you’re probably going to need a completely different kind of training, since a lot of the requirements for security are very specific in IT. You’re in charge of the entire organization’s data, so it’s important that you get the training that’s going to protect not just the IT department, but the entire organization as a whole.