Next: 3.1.10 User-level security policy
Up: 3.1 Local Network: Security
Previous: 3.1.8 Personnel security
Most information resource security problems involve people. Problems
can usually be identified in their earliest stages by people who are
attuned to the importance of information protection issues. A strong
training program will yield large benefits in prevention and early
detection of problems and losses. To be most effective, training should
be tailored to the particular audience being addressed.
Most employees want to do the right thing, if company expectations are
clearly communicated. Internal policies can be enforced only if staff
have been made aware of their individual responsibilities. All
personnel who access company computer systems should be aware of their
responsibilities under company policy, as well as obligations under the
law. Disciplinary actions and legal penalties should be communicated.