This is an example Computer Training Policy. All organizations should have a computer training policy, but it is my belief that few of them do. A computer training policy, and the training of computer users that follows from it, will benefit the organization through both increased productivity and fewer security incidents. This example computer training policy is a very rough draft and lists some areas in which user training would be very beneficial to the organization.
Most organizations do not seem to have much of a computer training program in place for employees. However, given the current state of computer security and the fact that many attacks are directed at the user's web browser or arrive through e-mail, user training is becoming an ever more important part of computer security. In many instances users must be wise to the methods of attack in order to protect themselves. User training does not need to be extremely technical, but it should ensure that the user retains basic computer knowledge along with some knowledge of the specific computer attacks they may experience.
1.0 Overview :
This policy defines the minimum training for users on the network to make them aware of basic computer threats to protect both themselves and the network. This policy especially applies to employees with access to sensitive or regulated data.
2.0 Purpose :
This policy is designed to protect the organizational resources on the network and increase employee efficiency by establishing a policy for user training. When users are trained about computer use and security threats, they work more efficiently and are better able to protect organizational resources from unauthorized intrusion or data compromise. This policy will help prevent the loss of data and organizational assets.
3.0 Training Categories :
Training categories will include but not be limited to the following areas:
• Basics :
1. What files are
2. How to set the folder view to details and show extensions for known file types
3. Why hidden file extensions are a security hazard to you
4. How to determine file storage size
5. Mail attachments
6. Where to store files
- How to use your network drive
- What your network drive is and what it means to you
7. How to copy files
8. Ways to increase efficiency on the computer such as keyboard shortcuts
• Ways to get malware :
1. Through email
2. Through browser
3. By connecting
4. By installing unapproved programs
• Email viruses :
1. How they spread
2. Spoofing sender
3. Dangerous attachments
• Email SPAM :
1. Protect your email address
2. Filtering spam
• Hoaxes :
1. Phishing
2. Fraud methods
• Email use :
1. How to set up email for remote users or with your ISP with POP3
2. How to set up out of office reply
3. How to set mail filtering rules
4. How to use, import, and export personal folders
5. What an undeliverable response to an email message means
• Use of web browser :
1. Safe browser?
2. Avoid adware and spyware - ignore ads that may compromise your computer or get you to install an illicit program
3. How to change browser settings for better security
4. Products to prevent malware
• Passwords :
1. Why protect my password?
2. Why do I need to change my password every 30 days
3. How to change your password
4. How to choose strong passwords that you can remember
5. If I log in on a website can someone see my password?
• Other :
1. Reasons for a firewall (worms and other threats)
2. Why worry about malware?
3. What is a vulnerability?
4. Why not run all services?
5. Social engineering
4.0 Training Opportunities :
Basic training as listed in section 3.0 shall be provided internally by the organization and shall include the following opportunities:
1. Scheduled training seminars of 1 to 4 hours per day.
2. Brown bag lunch training sessions of up to 1 hour per day on one or two days per week.
5.0 Requirements :
All organizational staff shall make measurable and continuous progress in the training areas listed in section 3. Each employee's manager shall be responsible for ensuring that employees under their supervision make progress in the required training areas. Each employee must acquire and retain knowledge of the areas listed in section 3 within the first year of employment.
6.0 Enforcement :
Since training is very important to the security of the organization, auditing shall be used as a mechanism to ensure the training policy is being followed. Auditors may test employees at random on their knowledge of the areas listed in section 3. If an employee gets malware on their computer, they may be audited