Security Awareness Program

Security awareness should be an ongoing activity within the organization, which is why a security awareness plan is necessary. The plan should outline all the methods, trainings, and activities that promote a security culture (e.g. social engineering exercises, security courses, etc.). It should typically cover one year, be reviewed at the end of that year, and be signed off by executives.

Control Objective

  • The program is documented, followed, reviewed, and updated regularly
  • It includes an annual information security course for employees
  • It educates users on common threats, their impact on the business, and the behaviours expected of them: not sharing credentials, not clicking on suspicious links or attachments, reporting security incidents, maintaining a clean desk, locking inactive systems, and concealing valuables
  • Training is tailored to employee roles
  • The plan is signed off annually

An annual security course for government is planned and will be mandatory; it does not currently enforce a pass rate.

Resources

Security Awareness Template (XLSX)

ISB Information Security Awareness