*Goal: Design a Security Awareness Training module for privileged users.
-You need to document what will go into it, and explain how it will be enforced/monitored/administered.
-Talk about the components specific to Privileged Users and how the company will ensure they have proper training on how to use/access/safeguard their credentials.
-Talk about what the dangers are associated with Privileged users. Why would it be different than how a company needs to address regular user credentials?
**This is a tabletop exercise.
Look into Privileged Identity Credential Management.
The answer to the above problem is as follows:
SECURITY AWARENESS TRAINING PROGRAM:
First of all, we need to understand the importance as well as the risk associated with privileged users. Privileged users are those that have access to every nook and corner of the organisation's network, resources, devices and servers. While this may be an inevitable need for modern organisations, we can never ignore how much risk is associated with this.
Privileged users pose a great threat to the company. They have access to all the user accounts and sensitive client information, which is what cyber criminals crave in order to breach the organisation's network. Much research has found that more than 80% of cyber criminal activities in huge organisations have taken place due to privileged users.
This is largely due to unawareness of the responsibility by the privileged users. Yes, we do have technical solutions, like a few tools here and there to keep a check on the access, but to uproot the issue, the awareness of privileged users has to be instilled within everyone. That is why this module has been created. The awareness program must include what a privileged user is, the threats posed by an insider, actions that must be condemned and prohibited, managing the access power of privileged users and the consequences of not complying with the rules.
The awareness program can be enforced/monitored/administered by:
Having tailor-made training for the different sets of end users of the company, like the employee end users, the top-tier management or executive team, the team of IT and cyber security professionals, and temporary workers. Their methodology and set of work are different, and as such it becomes imperative to have customized training for all of them.
We need to assemble the team, determine the roles for security awareness by identifying the level of responsibility, and establish the minimum requirement for awareness and the content of training required by their level of work. Also, training has to be mandatory for all and it should be regulated from time to time.