---------- Forwarded message ----------
From: Vivek Chudgar <vchudgar (at) gmail (dot) com [email concealed]>
Date: Aug 23, 2006 11:06 AM
Subject: Re: bs7799 Digest 23 Aug 2006 14:09:48 -0000 Issue 86
To: bs7799 (at) securityfocus (dot) com [email concealed]
You are right - it's easy to get confused between awareness and
training. The difference between them is quite significant though.
Awareness refers to the efforts to make the users *aware* of
security-related company policies and guidelines, explain why they are
necessary and the consequences of not complying with company policies,
and make them aware of their security-related responsibilities.
Training refers to teaching the users the correct use of information
processing and security-related technologies, e.g. how to encrypt
files/email, how to use SecureID, how to scan a file for viruses
manually, how to deal with a security-related incident, etc. For IT
staff it would also cover teaching them how to configure HIDS, manage
firewalls, perform server hardening, etc.
It's likely that a single training session may cover awareness and
training - but awareness can also be spread through
posters/e-mails/booklets etc., whereas training is mostly given in a
classroom kind of environment.
Hope this clarifies.
- Vivek
> From: "iso 27000" <is27001 (at) gmail (dot) com [email concealed]>
> To: bs7799 (at) securityfocus (dot) com [email concealed]
> Date: Tue, 22 Aug 2006 10:02:43 +0530
> Subject: Training
> Hi,
>
> Are training and awareness the same thing? I hear people using the
> words interchangeably.
>
> From ISO27001 point of view - what should be done under training and
> what should be done for awareness?