The information security domain consists of many concepts and definitions. Besides, information security initiatives in an organization will have many policies, procedures, as well as technology components. In order to have an effective security posture within the organization, it is important that people or personnel are aware of security requirements, organization-specific security policies and procedures, and most importantly, particular personnel-specific roles and responsibilities pertaining to security.
Security awareness and training is one of the core components of the risk management program in any organization. The objective is to ensure that the personnel are aware of the security requirements and are trained to handle day-to-day security events.
National Institute of Standards and Technology (NIST) publication 800-14 - Generally Accepted Principles and Practices for Securing Information Technology Systems, recommends seven steps for a security awareness and training program. The standard groups the best practices into three broad areas, which are identification, management, and the evaluation of training and awareness programs.
- In the identification phase, an organization would establish scope, goals and objectives, training staff identification, and the audience.
- In managing the program, an organization would motivate the management and employees, manage administration, and maintain the training and awareness programs.
- Periodically, an organization will evaluate the program for its effectiveness.
The international standard ISO/IEC27002 Information technology - Security techniques-code of practice for information security management is an acknowledged International Standard that provides some of the best practices in various domains of information security. The standard defines the following good practices a security professional should be aware of pertaining to Security Awareness and Training:
- Based on their job function, the standard emphasizes that all employees and, where relevant, contractors and third-party users should be provided with appropriate awareness training as well as regular updates in organizational policies and procedures.
- The induction program should consist of awareness training that covers the organization's security policies and the security expectations. The personnel should undergo such training before any access to information or services are granted to them.
- The training program should contain the security requirements of the organization, legal responsibilities, business controls and, most importantly, correct usage instructions that relate to information processing facilities.
- Procedures related to log-on, appropriate usage of systems, networks, software packages, and the explanation of disciplinary processes in case of policy or procedure violations should be part of the training.
- The training should also focus on known threats and enhance the awareness of security incidents and problems and the way to respond to them based on the personnel's role.