Industry View: Security Training With Style
Perimeter eSecurity VP Jason Miceli offers some tips on how to give employees a true understanding of security
By Jason Miceli
An effective program offers much more than just training material and a follow-up mastery test. The framework of the LMS must allow for additional features and flexibility in order to become widely adopted and used on a regular basis. Here are some functions that can help to create a more complete LMS:
Welcome page: When employees/students log into the LMS, rather than landing at a menu system listing all the required courses, offer them a warm welcome. This page can have a few brief paragraphs explaining the goals and importance of the program. It should also display a clear endorsement from the highest level of the company - a letter from your CEO and your CEO's signature at the bottom of the page are ideal.
Policy affirmation: Similar to the notion of training courses, your LMS should give you the ability to upload corporate policy documents, employee handbooks, or other required reading materials. Once students have downloaded and reviewed these documents, require them to return to the LMS to affirm that they have read and understood the policies.
Policy engine: A good LMS gives you the ability to establish groups of students to whom you can assign the various courses and policy documents. You should be able to set optional recurrence requirements, such as requiring a group to become re-certified or reaffirm policy documents on a regular basis.
Monthly security reminders: To keep all forms of security training in one common system, an LMS will have a facility to enable regular security reminders. These reminders would be emailed to the entire employee base or specific groups. They should update employees on various topics relevant to information security and current-day threats. This is an excellent form of learning reinforcement that contributes to the initial and ongoing education of your employee base.
Reporting: No LMS would be complete without reporting capabilities. Managers should be able to quickly see which employees are in compliance with the corporate training policy. These reports should also be sortable by employee, group, course, policy, etc. An automated report that details which employees are up for certification renewal, so that reminders can be sent, is also helpful.
Corporate policy enforcement: Consider the advantages of tying key network access privileges, such as remote user VPN and Web browsing, to each user's certification status. For example, when an employee becomes certified in "Remote Access Best Practices" that person's VPN account becomes activated. This same control could apply to web browsing and other network resources. Where this integration is not supported, a simple system may be employed to notify an administrator when an uncertified employee has performed some activity. Because of implementation complexities, these features have not yet been widely adopted. However, many companies have expressed interest in this type of functionality.
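A sketch of the certification-gated access described above, combined with the recurrence requirement from the policy engine item; this is an added example, not code from the article or from any LMS product. The privilege-to-course mapping, the "Safe Web Browsing" course name, the validity periods, the sample users and all function names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed mapping: network privilege -> course that unlocks it.
REQUIRED_COURSE = {
    "vpn": "Remote Access Best Practices",  # course named in the article
    "web": "Safe Web Browsing",             # constructed course name
}

@dataclass
class Certification:
    course: str
    passed_on: date
    valid_days: Optional[int] = None  # None = no recurrence requirement

    def is_current(self, today: date) -> bool:
        # A certification with a recurrence requirement lapses after valid_days.
        if self.valid_days is None:
            return True
        return today <= self.passed_on + timedelta(days=self.valid_days)

def is_certified(certs, privilege, today):
    course = REQUIRED_COURSE.get(privilege)
    if course is None:
        return False  # unknown privilege: fail closed
    return any(c.course == course and c.is_current(today) for c in certs)

def evaluate(user, certs, privilege, today, enforce=True):
    """Return (allowed, alert).

    enforce=True  : access is tied to certification status.
    enforce=False : integration unsupported, so access is not blocked and
                    an administrator alert is produced instead.
    """
    if is_certified(certs, privilege, today):
        return True, None
    if enforce:
        return False, None
    return True, f"{user}: uncertified use of {privilege} on {today.isoformat()}"

# Constructed sample records.
TODAY = date(2024, 6, 1)
ALICE = [Certification("Remote Access Best Practices", date(2024, 1, 10), 365)]
BOB = [Certification("Remote Access Best Practices", date(2023, 1, 10), 365)]  # lapsed

if __name__ == "__main__":
    for name, certs in (("alice", ALICE), ("bob", BOB)):
        print(name, evaluate(name, certs, "vpn", TODAY),
              evaluate(name, certs, "vpn", TODAY, enforce=False))
```

Bob's lapsed certification shows why the recurrence date has to be part of the access decision: a check that only asks whether the course was ever passed would leave his VPN account active.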



