Security training for a client

We are doing a security audit/pen test for a client right now. As the security guy I am heavily engaged in the process. At a later point, I am going to have to hold a training session for the employees on security. Is there a standard or any guidelines for this type of stuff? I am aware of some pretty cool standards for the technical side but I've never really heard of anything like that on educating users. I have a rough idea of what it should consist of but I really want to do a good job so if you guys know of a framework I can follow when piecing this together, that would be great.

I'm thinking of doing a cool power point presentation and getting them in a room to talk about not clicking on pdf.exe files and etc.

It is my understanding that this is how people usually do it?

Find more posts tagged with

Comments

colemic

https://www.infragardawareness.com/ Infragard has a free awareness course...

colemic

others I found, don't know how good they are but could be helpful:

Free Security Awareness Training Samples - Videos - Posters

Free Cyber Security Training Resources

Cybersecurity Education, Training and Awareness Online Training Catalog - didn't know DISA made these available to the public

Penn Information Security: Free Presentations for Computer Security Awareness & Training (CSAT)

LionelTeo

From experience. The first thing I would want to says is, know your auidience and cater something useful for them. Security is like pretty huge. If they are system administrators, then cover what you think is useful for system admins (what are the thing to look out for when securing) . If they are regular employees, then cover what you think is useful for regular employees. (social engineers/virus, what to do in event of being infected). The same would go to web developer (XSS,SQL injection) or management (risk, policy, procedures, IH processes)

If pentesting is involved, and your management would want you to show how you penetrate in. Consider GUI options to replicate what you did like Armitage and W3F and walk them through the process using GUI style clicking. The last thing you would want to get is the response of "yeah, only a skill attacker can do that". It would be useful to show them the seriousness that someone could replicate the same thing just by clicking, and also it is more clear than running command line.

Master Of Puppets

Thanks for the helpful input guys.

NightShade03

Just look for "security awareness training" on google. This is standard course offered by every security shop under the sun. Most of the time you can fork lift the topics and high level details off of the website and roll your own (which is how most of them do it).