all right. The next requirement that we look at is awareness and training, and this is a relatively short section. So we'll look at the basic end the derived requirements together. So the basic security requirements we have to, first of all, to ensure that managers
system administrators in users of organizational information systems
are made aware of the security risks associated with their activities and of Apple policies, standards, procedures related to the security of organizational information systems. All that train your people. Make sure that manager system admin DS users.
I know what the threats are associated with the information that they handle,
making sure that they're aware of things like, um, social engineering is a tremendous threat today in many users fall prey to it, making sure they understand the dean dangers of opening an email attachment or off
uh, modifying a document without going through the proper procedures or whatever that may be. But ultimately, what it means is is make sure that your people
manager system madman's users, whoever's gonna have contact with the sea, why make sure that they understand what the procedures are and how to follow those procedures
now, The second basic security requirement is to make sure that all organizational personnel are adequately change, trained to carry out their sign information, security related duties and responsibilities, making sure they understand what's expected of them, making sure that they under this, making sure that they understand the steps involved.
security configurations air huge in sometimes elements we put in place to secure an environment actually calls us a greater vulnerability. You know, for instance, we might put in a firewall the segment a trusted network from an untrusted network, and we may be very confident in that protection.
be a little bit lax and other protections now if we miss configured that firewall or if we did something ridiculous, like leaving administrative accounts unchanged or using default settings, then we've got this false sense of security.
So we want to make sure that the personnel, organizational personnel and again users add men's managers whatever they be.
Whatever they may be, making sure that they understand how to do their job and how they how they should be accessing security related duties, what their responsibilities are now, the derives security requirement means security awareness, training on recognizing and reporting
potential indicators of inside
threat meaning. We want our employees to know Keep your eyes and ears open, as I mentioned earlier when we were talking about access control. One of the benefits to making every single person that's gonna be able to access data being your physical building is that there's the surveillance of other employees.
Well, we have to train our employees to watch,
tell him what to look for and how to go about reporting. You know, one of the things that I do when I do conduct 10 testing, specifically social engineering and physical been testing eyes. I'd like to try to come into a building on somebody else's card. Swipe further that we refer to that as piggybacking.
Well, many, uh, there have been several occasions where someone's told me. No, I'm sorry I can't let you in.
However, the instances of people that say here let me escort you to the security desk so that you can get proper access those air very few and far between. And that's really what should happen here. I am trying to get into a building without authorization. Many times I'll get turned away until I can access the building.
But I'll just wait till the next person comes in
and lets me and lets me in. So we want to make sure that users no, not just how to prevent a security breach, but also how to report that a CZ a matter of fact. The fact If your training is effective, one of the things that you'll notice is an increase in reports of security breaches because people now know what to look for
and how to go that far