Security awareness should be an ongoing effort within the organization; hence a security plan is necessary. A security plan should outline all the methods, training sessions, and activities that promote a security culture (e.g. social engineering exercises, security courses, etc.). The plan should typically cover one year, be reviewed at the end of the year, and be signed off by executives.
Expert Opinion - Security Awareness Program
Control Objective
- Program is documented, followed, reviewed, and updated regularly
- Includes an annual information security course for employees
- Educates users on common threats and their impact on the business, such as not sharing credentials, not clicking on suspicious links and attachments, reporting security incidents, maintaining a clean desk, locking inactive systems, and concealing valuables
- Should be tailored to employee roles
- Annual sign-off of the plan
An annual security course for government is coming and will be mandatory; it does not enforce a pass rate today.