S 3.45 Planning training contents on information security
Initiation responsibility: IT Security Officer, Head of Personnel
Implementation responsibility: IT Security Officer, PBX System Manager, Personnel Department
All employees should possess sound expert knowledge of their workplaces and should also be familiar with issues relating to information security in this context.
To ensure this, there should be training courses on information security tailored to the different target groups, for example for employees from the various specialised areas, supervisors, people responsible for information security, people responsible for IT, administrators, etc.
At the beginning of a training course, the level of qualification of the employees and their training requirements must be analysed. The following facts should be obtained from the employees for this purpose:
- training qualifications
- professional experience, advanced training, additional skills and knowledge
- tasks and roles of the employees in their organisational unit
The contents of the training course should be divided into modules so that each target group can be trained sufficiently and to the extent required. The important contents of the various training modules are described below; they must be selected and prepared according to the roles assumed by the respective groups of people. This overview is intended to help select the appropriate contents when conducting internal training events, or to decide which external training programmes to book. In addition, all modules of the IT-Grundschutz Catalogues that are relevant to the respective information system should be examined to check whether the necessary safeguards have not only been ordered but whether the employees have also been trained in them.
The modules described here should be assigned to the target groups as shown in the following sample matrix. In the matrix, an "X" indicates that the particular module is recommended for the corresponding role. Optional training modules are marked with an "O", i.e. it is necessary to decide on a case-by-case basis if the contents of the particular training module are required for the corresponding role.
Training modules
Module 1: Basic concepts of information security
Module 2: Information security at the workplace
Module 3: Laws and regulations
Module 4: The organisation's security concept
Module 5: Risk management
Module 6: Information security management
Module 7: IT system
Module 8: Operational area
Module 9: Technical implementation of security safeguards
Module 10: Contingency planning/emergency planning
Module 11: New developments in the IT sector
Module 12: The business side of information security
Module 13: Infrastructure security
Module / Role | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Supervisor | X | X | X | X | O | X | | | | | | | |
Security Management | X | X | X | X | X | X | X | X | X | X | X | X | X |
Data Protection Officer | X | X | X | X | X | O | | | | | | | |
Person responsible for infrastructure | X | X | X | X | X | O | X | X | | | | | |
User | X | X | | | | | | | | | | | |
Administrators | X | X | X | X | X | X | X | X | X | O | | | |
Table: Suggested training modules for each role
Modules 1 and 2 both serve as basic training for all employees. Module 3 and the modules following thereafter specify which areas of specialisation need to be taught additionally for each specialised task.
Depending on the type of organisation, it may make sense to define additional target groups and corresponding training goals for each group, for example administration employees or security service personnel, with particular focus on the tasks of each role and on their basic knowledge of IT. During IT security training, it is important not to forget the personnel that are not directly associated with IT such as security guards and cleaning personnel. However, complex training modules are generally not necessary for such personnel.
Module 1: Basic concepts of information security
In view of the considerable benefits of sensible IT usage and how it makes routine work so much easier, the serious risks that can be incurred by the all too careless or even negligent handling of this technology must not be forgotten. Therefore, one of the most important tasks of the training concept is to raise the awareness of the employees for the topic of information security. The training concept should include the following subjects, amongst other things:
- Motivation
- statistics on information security
- sample cases of threats and risks
- studies on information security
- Explanation of the basic principles of information security
- confidentiality, integrity, and availability as basic principles
- the difference between security and safety
- Reasons for attacks on information security
- corporate espionage
- official investigations
- curiosity, or possibly just for the challenge
- criminal reasons
- The organisation's security structures
- tasks and goals of the organisation
- use of IT
- policies and specifications of the organisation
- goals and contents of the organisation's security concept
- tasks and duties of the individual employees
- Essential security rules for employees
- overview of the internal security regulations
- use of passwords
- use of email and the internet
- virus protection and data backups
Module 2: Information security at the workplace
Employees can often contribute significantly to preventing damage just by taking simple precautionary measures. The module addressing the implementation of information security at the workplace should focus primarily on the following subjects, amongst other things:
- Raising the awareness of users
- Motivation and pointing out typical user errors:
- careless handling of passwords
- not using encryption
- not protecting information properly
- a lack of healthy distrust
- laptop theft
- Organisation and security
- the security policies of the organisation and their meaning for the daily work routine
- responsibilities and reporting paths in the organisation (including personally introducing the IT Security Officers)
- System and data access protection
- Technical security
- E-mail and internet security
- Malware
- Security aspects of relevant IT systems and applications
- Legal aspects
- Response to security incidents
- detecting and reporting security incidents
- reporting paths and contact persons
- escalation strategy
The subjects specified above are just a selection. An "information security at the workplace" training module should always be adapted to the individual requirements of the corresponding organisation.
Module 3: Laws and regulations
This training module should outline the legal framework in which all people bearing responsibility in the IT department act. In many cases, the promise made by the employees to follow all relevant laws, regulations, and policies is just a formality that is usually performed when they start working at an organisation. However, it is not only important to oblige all employees to follow such rules, but also to inform them of the corresponding regulations, why they exist, and what effects they have.
The module should provide a general overview of the laws and provisions that may affect IT operations and/or information security. The applicable laws and provisions may differ greatly depending on the industry and country the organisation operates in. In addition, the standards and policies for IT usage and for information security the employees need to follow in their organisation should be presented.
This includes, for example:
- Data protection in the company or government agency
- role and task of the Data Protection Officer
- data protection laws
- organisational duties
- legal situation with respect to log files
- Labour and industrial safety regulations
- role of the Industrial Safety Officer
- regulations relating to workstations
- Laws and standards for the IT infrastructure
- fire control
- secure cabling, etc.
- Legal liability risks and IT usage
- liability for online content
- liability risks when employees access illegal online content
- passing on digital data
- legal situation when hosting
- external liability of the company
- general terms and conditions of business (GTCB)
- use of telecommunication services (such as a PBX)
- liability in the case of the private use of IT components
- legal problems relating to the monitoring of employees
- Responsibilities
- allocation of liability in a company or government agency
- responsibilities for contingency planning
- antivirus protection
- fault of the organisation in case of problems with viruses
- liability to recourse for any damages caused by viruses
- Legal business regulations
- export regulations for IT products
- license rights and copyrights for software
- Control and Transparency in Business Act (KonTraG)
- Authentication
- assignment of liability
- law of evidence in the field of authentication
- Network and server security
- requirements for access
- data protection in the network
- Anti-hacker laws
- limits of the laws in the area of hacking
- self-defence
- indirect hacker attacks
- prosecuting hackers
- Contract law in the network
- duties to inform
- digital signatures and their legal status
Module 4: The organisation's security concept
This training module serves to provide more in-depth knowledge of the introductory subjects addressed in the corresponding basic module "Information security at the workplace". Furthermore, it is intended to enable the persons responsible for systems and tasks to contribute to the continuous updating and - due to new technical, organisational, or legal developments - adaptation processes of the security concept.
This subject area includes the following contents, amongst other things:
- overview of the security concept of the organisation
- specific regulations resulting from the security concept for the management, organisation, infrastructure, and IT operations areas
- adaptation of these regulations to new technical, organisational, and legal conditions
- changes and updates to the security concept
Module 5: Risk management
This training module is intended to point out the basic threats posed for the information system to the persons in charge and to enable them to assess the risk to the organisation resulting from them. This subject area includes the following contents, amongst other things:
- Definitions and examples of the following terms: risk, threat, basic threat, vulnerability, security gap, security objective
- Typical threats and basic threats:
- force majeure: fire, water, explosions, storms, atmospheric discharges, strikes, protests, etc.
- organisational shortcomings: lacking or insufficient rules, granting of inappropriate rights, uncontrolled use of IT systems, etc.
- human error: lack of proper care, improper handling, lack of knowledge, etc.
- technical failure: power failures, air conditioning failures, overvoltage, failure of switching elements or circuits, mechanical or electrical malfunctions, etc.
- deliberate acts: viruses, worms, Trojan horses, theft, sabotage, espionage, manipulation of data, including a comparison of the types of attackers and their motivations, e.g. insiders or attackers from the outside
- Risk analysis: Risk analysis strategies, assessing a basic threat according to its probability of occurrence and the extent of the potential damage
- Specification of protection goals: Degree of acceptance of the various risks, definition of unacceptable risks
- Safeguard catalogue to eliminate unacceptable risks
Module 6: Security Management
This training module points out the basic principles to persons in charge of information security in order to implement information security in the organisation. This subject area includes the following contents, amongst other things:
- Security management
- structure and tasks of security management
- the security process, security objectives, and security strategies
- organisation and responsibilities
- standards for security management such as ISO/IEC 27001, ISO/IEC 27002 (formerly ISO/IEC 17799), IT-Grundschutz, ITIL
- Security concept
- goals and contents of a security concept
- designing a security concept
- obligation of the employees and the people responsible for systems and tasks to implement the security concept
- system-specific and application-specific security policies
- Authorisation management
- authorisation concepts, designing a rights assignment scheme
- assigning access rights to system resources and applying a time limit to such accesses
- authentication (e.g. strength and selection of mechanisms)
- remote access (e.g. for telecommuting)
- Training and awareness-raising of information security
- specification of security training programs for the different roles and positions
- development of a security culture
- Evaluation and certification in the field of information security
- product/system certification (e.g. according to ITSEC, Common Criteria, etc.)
- certification of the IT environment and security management (according to IT-Grundschutz, for example)
- expert certificates (e.g. TISP, CISA, CISSP, IT Security Coordinator, Security+, etc.)
- special problems in information security
- cost problems
- acceptance problems
Module 7: IT system
This training module describes the control instruments that ensure compliance with the security standards in the various phases of the life cycle of IT systems.
This subject area includes the following contents, amongst other things:
- Security safeguards in the phases of the life cycle
- planning
- purchasing/development
- testing and evaluation
- implementation and/or installation
- productive operation
- taking an IT system out of operation
- Security planning for system operation
- determination of the purpose and benefits of using a certain IT system
- specification of safeguards for this system
- appointing a person to be responsible for the operation of the system
- installation and configuration of the security mechanisms necessary in each phase of the life cycle
- Specification of the configuration and change management system based on the security objectives
- Specification of the prerequisites to be fulfilled for release for production operation
- Testing and approving the security mechanisms
Module 8: Operational area
This training module describes the procedures and safeguards that protect the systems and applications operated and used daily.
This subject area includes the following contents, amongst other things:
- Infrastructural safeguards
- site access controls, plant security, alarm systems, etc.
- building services, energy and water supplies, etc.
- fire protection equipment
- air conditioning
- Organisational safeguards
- documentation of systems and configurations, applications, software, hardware inventory, etc.
- regular evaluation of log files
- rules for data backups
- rules for exchanging data media
- license management and version control for standard software
- Safeguards in the area of personnel
- selection, initial training, and additional training of employees
- regulated procedure for when employees leave the organisation
- functions and responsibilities
- separation of functions and assigning rights according to the function
- substitution arrangements
- commitment of staff members to compliance with relevant laws, regulations and provisions
- Safeguards in the area of hardware and software
- basic principles of operating system security
- secure configuration of hardware and software
- virus protection, protection against spam, patch management
- use of the security functions available in the hardware or application programs
- implementation of additional security functions
- rights administration
- logging
- Safeguards in the area of communication
- secure configuration of PBX systems
- secure configuration of network services
- firewall concepts, IDS systems, penetration tests
- email and internet security
- shielding external remote accesses
- virtual private networks (VPNs)
- secure use of mobile IT systems and wireless communication
- information on security gaps (e.g. from CERTs) and handling security incidents
Module 9: Technical implementation of security safeguards
This training module conveys knowledge about the technical implementation options for the control and monitoring instruments described abstractly in modules 6 to 8.
This subject area includes the following contents, amongst other things:
- Basic knowledge of cryptography
- distinguishing between problems with confidentiality, integrity, and authenticity
- basic terminology such as plain text, cipher text, keys
- symmetric and asymmetric encryption
- public key infrastructures
- digital signatures
- list of known "good" and "bad" algorithms
- Identification and authentication, e.g.
- definition of the authentication factors: knowledge (something one knows), possession (something one has), and inherent characteristics (something one is)
- authentication using knowledge: passwords, one-time passwords, challenge/response procedures, digital signatures
- authentication by possession: tokens, chip cards, magnetic stripe cards
- biometric procedures: fingerprint identification, iris recognition, facial recognition, etc.
- single sign-on
- authorisation management
- Logging and monitoring, e.g.
- technical capabilities of transaction logging
- Intrusion Detection Systems (IDS): differences between active and passive systems
- forced logging of all administrator activities
- data protection guidelines
- Overview of administration tools
- tools that can be used to implement and control security policies
- additional products to supplement or improve the security functions offered by operating systems (hardened operating systems)
- network management software
- remote management software
- Firewalls
- internet technology (OSI model, TCP/IP)
- forms of implementation (static packet filters, stateful inspection, application level gateways)
- content security
- high-availability firewalls
- Protection of the confidentiality: cryptographic procedures and products, data access protection, e.g. using hard drive encryption, cryptography in the various layers of the OSI model:
- protocols for layers 1 and 2 (ISDN encryption, ECP and CHAP, Wireless LAN, Bluetooth)
- protocols for layer 3 (IPsec, IKE, SINA)
- protocols for layer 4 (SSL, TLS, WTLS)
- email cryptography (GnuPG, PGP, S/MIME)
- cryptography in the browser (HTTPS, code signing, form signing)
- Protection of the availability
- organisational safeguards to increase the availability (SLAs, change management, avoiding SPOFs)
- data backup, data restoration
- storage technologies
- network configurations to increase availability
- infrastructural safeguards to increase availability
- availability of the clients
- availability at the application level
- availability of the servers (server standby, failover)
- methods for replicating data
- disaster recovery
- Technical capabilities for protecting telecommunication systems
- protection against eavesdropping
- protection of data lines, for example using lead-sealed cable ducts monitored by an alarm system, secured distributors (nodes), message encryption, etc.
- establishment of connections only via call-back
- preventing call charges fraud, securing the data media containing the call charge data
- securing maintenance, remote maintenance, and administrator accesses
- logging every system access, write-protection of the log files
- Detection of vulnerabilities in your own systems using penetration tests
- Hacker methods; web site hacking; protection against: sniffers, scanners, password crackers, etc.
Module 10: Contingency planning/emergency planning
This training module is intended to convey the basic principles needed to create a contingency and recovery plan. It is an advanced module that builds on module 5 "Risk management" and treats the same subject matter in greater depth.
This subject area includes the following contents, amongst other things:
- Overview of contingency planning, incident handling, business continuity
- Structure of a contingency organisation
- definition of an emergency
- definition of responsibilities
- creation of the crisis teams: main crisis team, operative teams, support teams
- creation of alarm and escalation plans
- specification of the minimum requirements for emergency operation
- planning to relocate critical work areas to alternate sites
- replacement procurement plan
- signing service contracts with recovery service providers
- recovery planning
- creation of a plan for regular emergency drills
- Documents for the business continuity plan
- business continuity handbook
- flow charts for the alarm and reporting plans
- checklists for various emergency scenarios
- documentation of hardware and software, system configurations, data resources, data backups, etc.
- list of manufacturers and suppliers
Module 11: New developments in the IT sector
The rapid developments in the field of IT must also be taken into account in the training concept. This training module is therefore intended to inform IT system operators of new innovations in their field. To stay up-to-date, this seminar should be attended at regular intervals, for example once every 2 years.
This subject area includes the following contents, amongst other things:
- New developments in the fields of
- hardware/software, system environment, system architectures
- hardware types
- operating systems
- service programs
- application software
- system planning
- workflow
- new basic threats and vulnerabilities associated with new developments
- Computer networks
- network switching elements
- network architecture
- monitoring
- data access control
- cryptography
- network separation
- new basic threats and vulnerabilities associated with new developments
- Storage and archive environments
- storage technologies (DAS, NAS, SAN, IP Storage, etc.)
- archiving technologies (systems, media, software)
- Electronic communication and internet technologies
Module 12: The business side of information security
This training module is intended especially for management and decision-makers to integrate information security throughout the business planning process.
This subject area includes the following contents, amongst other things:
- Economic advantages of information security
- risk minimisation
- faster processing
- reduction in time and expense
- increased profit
- opening up new areas of business
- other benefits
- Calculation of the investments made in information security
- creation of an overview of the costs
- separation from operating and updating costs
- hidden costs
- Calculation for an investment in information security
- investment calculation
- arguments to be submitted to management
- Integrating security safeguards in a company
- taking into consideration the business processes and the business transactions in the security safeguards
- areas of influence and responsibility, typical obstacles
- information security when purchasing IT and in IT projects
- Factors contributing to the success of information security
- how can an information security project be successful?
- clarifying expectations
- creating security solution concepts
- creating a solution concept
- writing an operating concept
- checking the concepts
- division into subprojects
- implementing the subprojects
- testing the modules and functions
- acceptance and integration testing
- initial operation
- Common mistakes when implementing information security
- mistakes made by the project management
- other typical mistakes
Module 13: Infrastructure security
This module addresses the protection of information technology with the help of structural and technical safeguards. Important items include, amongst other things:
- Building protection
- environment
- fencing
- outside protection
- mechanical protection
- technical monitoring
- device protection
- Site access control
- entrance control service
- locking rooms
- technical site access control
- Power supply
- overvoltage protection
- uninterruptible power supply
- cable trays / cabling
- fire control
- air conditioning
- protection against water
Review questions:
- Are the training measures for information security tailored to different target groups?
- Are the level of qualification and the training requirements of the employees analysed at the beginning of a training measure?
- Are the contents of the training course divided into modules so that each target group can be trained sufficiently and to the extent required?
- Is there documentation detailing which employees (according to their function) participated in which training modules?