Information security awareness, education and training

Control type | Information Security Properties          | Cybersecurity concepts | Operational capabilities | Security domains
Preventative | Confidentiality, Integrity, Availability | Protect                | HR security              | Governance and ecosystem

Definition

Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training, and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.

General Guidance

You are going to have to:

  • decide what information security training and awareness to do based on organization risk and needs
  • plan your training and awareness for the next 12 months
  • develop, build and implement your training and awareness materials
  • deliver your training and awareness to those that need it
  • verify that people understand it
  • keep records of all training and awareness

Training requirements

The list to consider including:

  • Leadership and management commitment to information security – it is top down after all
  • Requirements of relevant laws and regulations
  • People’s own accountability and responsibility for information security
  • How to report an event or incident
  • Where the information security policies are
  • Who you speak to if you have a question on information security

When to do information security awareness and training

The guidance is to do it periodically, but the best approach is:

  • conduct annual awareness training in information security
  • conduct annual awareness training in data protection
  • conduct initial awareness training either pre-employment or as part of the onboarding process
  • as things change or new things are introduced make people aware and train them
  • in response to incidents and as part of continual improvement you may require additional training or awareness

Approaches to information security training

Actual training is something you implement based on need. You identify who needs training and provide it to them. Some training is for everyone, and some training is a little more targeted and specific to certain people and roles.

It is good practice to consider different types of training, such as:

  • emails,
  • web pages,
  • stand-up meetings,
  • classroom based.

Most people opt for an off-the-shelf training package that makes most of the problem go away.

There is a requirement to verify understanding, which most people interpret as taking a test of some sort. These tests are usually built into the off-the-shelf training packages.

information_security_awareness_education_and_training.1755493345.txt.gz · Last modified: by tijs