Key components of an effective training and awareness program

An effective training and awareness program is necessary to ensure successful implementation of your information security program. A training and awareness program will be the primary mechanism used to communicate organizational user roles and responsibilities from an information security perspective:

  • Secondary media products:
    • This includes things like giveaways (squeezy balls), alert notifications, posters, or social media.
    • These serve to remind users about the information security principles that you are communicating through other mechanisms.
    • The key here is to keep information brief and manageable. If it takes more than ten seconds to read, it is too long.
  • Primary media products:
    • This includes things such as email newsletters, websites, and inclusions in corporate magazines.
    • These carry more content and are distributed on a periodic basis.
    • The key here is not to overwhelm the user. If you send out an email newsletter every week, you may find your newsletter in the spam folder.
  • Yearly information security awareness training:
    • This is training provided every year, where you communicate all of your information security requirements for the user in a single presentation.
    • The preferred method for implementing this training is computer-based, through a learning management system:
      • This helps you to easily record which users have completed the training and their scores.
    • This training should include a mechanism to test the users' understanding:
      • The test should not be an information security vocabulary test:
        • The user should know not to click on URLs and attachments they do not trust.
        • The user does not need to be tested on the difference between phishing and spear phishing.
    • Use the yearly training as an opportunity to have your users validate or revalidate their acceptance of your organization's acceptable use policy:
      • The training should cover every aspect of the Acceptable Use Policy.
  • Events:
    • This includes lunchtime presentations, webinars, and presenting at corporate, divisional, or team meetings.
    • It is very important to deliver the information security message to your organization in person where possible:
      • Webinars are useful in geographically distributed organizations.
    • Getting 15 minutes to speak at the finance or HR team's quarterly meeting is a great way to answer questions that an entire group may have.

For example, payroll and benefit processors may have questions on PII handling and protections.
