As ISO I put together training material as part of security awareness for staff and customers. I am in the process of creating an information security training presentation for individuals, outside the IT department, who have administrative responsibilities for internal applications and web portals. (don't ask) These are not necessarily extremely technical people, so it is a high-level presentation that will require some additional support from IT staff as well. Below is a list of topics I'm planning on covering. Any others you can suggest would be greatly appreciated:
General responsibilities as an admin (privileged access, become familiar with security controls, stronger requirements for account passwords and expirations, point out application weaknesses and suggest ways to mitigate)
How to perform entitlement reviews (identify users and "need to know", periodic review of users, minimize number of admin users, etc.)
How to review reports and application logs
Documentation/procedures for creating, deleting, and modifying accounts
I have also developed a checklist that includes questions like: is the application accessible from non-private networks, password and account requirements, BCP documentation, backup of data, dormant account reviews, session timeouts, etc.
Thanks for the feedback.
Happy Security Awareness Month!!