Monday, March 30, 2015

Raising Information Security Awareness (Standards and Recommendations)

The human factor is classically the most important one in information security. An awareness-raising process reduces the impact of the risks tied to that factor. Below I have collected the best-known standards and recommendations for building such a process.
So, a non-exhaustive list:
- NIST Special Publication 800-50 - 10.2003 - a short overview of the document can be found in Andrey Prozorov's post.
- GOST R ISO/IEC TR 13335-3-2007 "Methods and Means of Security Assurance" (ISO/IEC TR 13335-3:1998), Section 10.3 "Information security training of personnel", 1998/2007
- ISO 27001
- COBIT 5


By the way, the document from the PCI Council is fairly recent and contains useful information. Below, for example, are the key audience types:

In the end, the document itself refers to NIST, COBIT and ISO 27001.
It also proposes the following checklist (quoted here without translation):
Creating the Security Awareness Program
  • Identify compliance or audit standards that your organization must adhere to.
  • Identify security awareness requirements for those standards.
  • Identify organizational goals, risks, and security policy.
  • Identify stakeholders and get their support.
  • Create a baseline of the organization’s security awareness.
  • Create project charter to establish scope for the security awareness training program.
  • Create steering committee to assist in planning, executing and maintaining the awareness program.
  • Identify who you will be targeting—different roles may require different/additional training (employees, IT personnel, developers, senior leadership).
  • Identify what you will communicate to the different groups (goal is shortest training possible that has the greatest impact).
  • Identify how you will communicate the content—three categories of training: new, annual, and ongoing.

Implementing Security Awareness
  • Develop and/or purchase training materials and content to meet requirements identified during program creation.
  • Document how and when you intend to measure the success of the program.
  • Identify who to communicate results to, when, and how.
  • Deploy security awareness training utilizing different communication methods identified during program creation.
  • Implement tracking mechanisms to record who completes the training and when.

Sustaining Security Awareness
  • Identify when to review your security awareness program each year.
  • Identify new or changing threats or compliance standards and updates needed; include in annual update.
  • Conduct periodic assessments of organization security awareness and compare to baseline.
  • Survey staff for feedback (usefulness, effectiveness, ease of understanding, ease of implementation, recommended changes, accessibility).
  • Maintain management commitment to supporting, endorsing and promoting the program.

Documenting the Security Awareness Program
  • Document security awareness program including all previously listed steps within “Creating the Security Awareness Program,” “Implementing Security Awareness,” and “Sustaining Security Awareness.”
Secure your life!