Page 31 - PowerPoint Presentation
Awareness establishes a common baseline or foundation of security understanding across
the entire organization and focuses on the key or basic security topics and issues that
all employees must understand.
Training is teaching employees to perform their work tasks and to comply with the security
policy. Training is an ongoing activity that must be sustained throughout the lifetime of the
organization for every employee. It is considered an administrative security control. Education
is a more detailed endeavor in which students/users learn much more than they actually need
to know to perform their work tasks.
A security professional requires extensive knowledge of security and the local environment for
the entire organization and not just their specific work tasks.
Manage the Security Function
To manage the security function, an organization must implement proper and sufficient security
governance. The act of measuring and evaluating security metrics is the practice of assessing
the completeness and effectiveness of the security program.
Figure 2.6: The six steps of the risk management frameworks
Establish and Maintain a Security Awareness, Education, and Training Program
Summary
When planning a security solution, it’s important to consider the fact that humans are
often the weakest element in organizational security. Regardless of the physical or logical
ITEC106 – Systems Security Mr. John Mark L. Dula