Description
Security Awareness and Training

Overview
Information Security Awareness is the process of training individuals so that they know and understand security best practices as well as the organization's policies, standards and procedures. The main objective is to increase security awareness in order to protect the organization's information from unauthorized disclosure.

Guidelines
A Security Awareness program should start with published policies that employees, contractors and third parties must follow to meet the organization's business objectives and information protection requirements. Awareness Training should then be made available to personnel, performed annually, and recorded to provide a historical audit trail and accountability.

The training can be conducted in a variety of ways, including online web format, in-person training, e-mail newsletters, or communication of new policies, to name a few. The most cost-effective would be web-based training that includes content from each of the organization's policy areas (e.g. Data Classification and Protection, Acceptable Use, etc.). Each section should also have at least one or two questions that pertain to the policy or subject. Each employee would need to answer the questions to test their understanding of the material, and final results would be graded and recorded for audit purposes. Some organizations may wish to have employees re-take the training if a minimum test score is not achieved, to ensure understanding of the organization's policies and procedures.

Live training may be most effective for new hires or for more specialized security or technical training. Awareness training can be incorporated into broader new-hire training alongside HR, Compliance or other rules new hires should be aware of when first joining the organization.

More technical training is recommended for technical personnel or security professionals who manage information systems. Examples include Windows/UNIX system security training/certifications, Identity and Access Management, Secure Application Development, or CISSP/GIAC. Organizations such as SANS can be leveraged for training courses that range from a single day to a full week of instructor-led training.

The Security Awareness program should also include periodic e-mail communication to personnel about new policies, standards or procedures so they are aware of changes to security requirements and objectives. Newsletters or announcements of new threats that may impact the organization can also be effective and timely, so that employees are better prepared (e.g. an announcement from the CISO or CIO of a new phishing threat targeting employees to download malware).

Topic Category
Compliance
 
News Articles
London Police Launch New Cybersecurity Initiative for Local Businesses (www.tripwire.com, 5/1/2018)
New awareness study reveals what you need for the best security programs (www.zdnet.com, 5/30/2017)
Gov-funded boot camp for cyber-security entrepreneurs graduates first intake (www.scmagazine.com, 9/19/2016)
Facebook Now Warns Users of State-Sponsored Attacks (www.wired.com, 10/19/2015)
Over 90 percent of data breaches in first half of 2014 were preventable (www.zdnet.com, 1/21/2015)
DIY Training on Phishing Detection Backfires for Army (www.securitywatch.pcmag.com, 3/18/2014)
How SMB employees feel about their tech resources (www.zdnet.com, 12/20/2013)
What To Expect After the Target Card Data Breach (securitywatch.pcmag.com, 12/19/2013)
The top ten scams to watch out for this Christmas (www.zdnet.com, 11/15/2013)
Spread the Word! October Is Cyber Security Awareness Month (securitywatch.pcmag.com, 9/27/2013)
UK's Get Safe Online? 'No one cares' - run the blockbuster ads instead (www.theregister.co.uk, 9/25/2013)
Announcing the IBM X-Force 2013 Mid-Year Trend and Risk Report (securityintelligence.com, 9/24/2013)
People the weakest link in security: Aussie IT professionals (www.zdnet.com, 9/10/2013)
Not so Hack-tastic: Cyber Scams Cost Banks, and You, Millions (blogs.mcafee.com, 8/2/2013)
A new place to chat about security threats (nakedsecurity.sophos.com, 7/25/2013)
Penetration testing employees' social media to improve policy (www.zdnet.com, 6/25/2013)
How to keep your business safe – the one checklist all SMBs should have (blogs.mcafee.com, 6/24/2013)
Home Office launches £4m cyber security awareness scheme (www.theregister.co.uk, 6/24/2013)
Symantec report: Mistakes cause most security breaches -- not hackers (www.zdnet.com, 6/5/2013)
‘Value of a Hacked PC’ Graphic Goes Global (krebsonsecurity.com, 1/8/2013)
The greatest violators of IT cloud security policies: top executives (www.zdnet.com, 1/3/2013)
Israel launches cyber warfare training program (www.zdnet.com, 1/2/2013)
Changes to Mozilla Security Program Foster Open Source Security Tool Development (threatpost.com, 12/28/2012)
Specialization in non-security fields key to fighting cyberthreats (www.zdnet.com, 12/21/2012)
Internships alone insufficient for cybersecurity education (www.zdnet.com, 12/19/2012)
All Banks Should Display A Warning Like This (krebsonsecurity.com, 11/27/2012)
Monitoring To Detect The Persistent Enemies (www.darkreading.com, 10/26/2012)
The snapshot of rising cybercrime (www.zdnet.com, 10/24/2012)
The Scrap Value of a Hacked PC, Revisited (krebsonsecurity.com, 10/15/2012)
Secretary Napolitano Participates in Meeting with Members of the HSAC Cyberskills Task Force (www.dhs.gov, 10/2/2012)
Social engineering threat affects all (www.zdnet.com, 8/14/2012)
Skype: Nearly half of adults don't install software updates (www.theregister.co.uk, 7/23/2012)
Alaska agency must pay $1.7m after 500-person breach (www.scmagazine.com, 6/29/2012)
Feds recommend jail, fines for Scarlett Johansson hacker (www.scmagazine.com, 6/27/2012)
Feds Arrest 24 in Global Carding Ring Bust (www.wired.com, 6/26/2012)
Advanced persistent threats can be beaten, says expert (www.csoonline.com, 6/25/2012)
How to Break Into Security, Ptacek Edition (krebsonsecurity.com, 6/25/2012)
Google to Warn Possible Victims of State-Sponsored Spying (www.wired.com, 6/5/2012)
Wikipedia: If you see ads on our site, you have malware (www.zdnet.com, 5/15/2012)
The new wave: Modern security education (www.scmagazine.com, 1/3/2012)
Cyber Threat to Power Grid Puts Utility Investors at Risk (www.forbes.com, 12/27/2011)
Cyber training no longer basic (fcw.com, 11/18/2011)
10 Massive Security Breaches (www.informationweek.com, 3/12/2011)
White Papers
Cyberskills Task Force Report Fall 2012 (www.dhs.gov, 10/2/2012)
Policies
Information Security Training Policy
Standards
NIST DRAFT Information Security Training Requirements: A Role and Performance-Based Model (NIST, 3/14/2014)
NIST Building an Information Technology Security Awareness and Training Program (NIST, 10/1/2003)