
Operational and Organizational Security: Policies and Disaster Recovery • Chapter 12  719

                    An added benefit of informing users about when upgrades to software and
                 hardware will occur is that they can provide information on problems that occur
                 afterwards. At times, service packs and patches to software on a server can result in
                 unexpected problems. If users are unaware that these changes have occurred, or if
                 they are unaware of the need to report possible problems, the administrator may
                 think that the update was successful and without incident, when in fact it was not.

                 Education

                 Educating users is the primary method of promoting user awareness and improving
                 the skills and abilities of employees. When users are taught how and why certain
                 activities need to be performed, they are generally more willing and better able to
                 perform those tasks. In addition to enhancing work performance, education also
                 provides the added benefit of lowering support costs, as users who are able to fix
                 simple problems will not be as likely to call the help desk for assistance.
                    In terms of security, users who know how to perform certain tasks properly are
                 less likely to unknowingly put security at risk. Users who have an understanding of
                 confidentiality and non-disclosure policies will not be as likely to reveal sensitive
                 information, transmit classified data over the Internet, or provide access to
                 unauthorized users. In addition, users who know how to change their passwords
                 monthly, know that they should not use previously used passwords, and understand
                 how to create strong passwords will make the system more secure. Because
                 users are often the largest, least controlled variable in network security, education
                 makes this variable more stable so that users are less likely to perform actions that
                 compromise security.
                    Educating users is commonly done through training sessions. This can be done
                 in a classroom setting or one-on-one. In many other situations, training handouts
                 are given to new hires that detail how certain actions are performed and the
                 procedures that should be followed. These handouts can be referred to when needed, but
                 may prove disastrous if this material falls into the wrong hands. In either case, a
                 designated trainer or member of the IT staff teaches users the proper methods and
                 techniques that should be used to perform their jobs. As will be seen in the next
                 section, online resources can also be a practical approach to educating users.













                                                                              www.syngress.com