A Security Awareness and Training Policy Checklist
Learn the best practices for developing a security awareness training program that is engaging. Engaging awareness programs have been shown to change more users’ behavior and are seen as an asset for your organization instead of annoyance.
Your organization may already have security training and awareness (STA) program, or (this is less likely nowadays) you may have to build one from scratch.
This is a checklist of the policies that should underpin a successful STA program. When building up a team (or virtual team) to meet requirements, it can be useful to identify the types of skills needed to help meet objectives. So where possible, I have identified the professions I believe would be most useful to help with each step.
Check legislation, check regulation
Unless you work for a rare (or a government) organization that simply sees security awareness and training as a must-have, the most likely a reason for having an STA is because legislation requires it. Depending on your business, these might typically be HIPAA, FISMA, SOX and GLBA. If your organization is under any of these compulsions, then congratulations: complying with legal requirements is usually a more persuasive argument than having to beg security compliance for its own sake.
Your organization may be committed to other security-based regulations (not necessarily laws) that require STA compliance, e.g. ISO 27001 and PCI DSS (if you have business in the states of Minnesota, Nevada and Washington, then PCI DSS will also be referenced in the applicable State law). If this is the case, the chances are your organization is already committed to the wider security framework that your STA program will support.
Last – but not to be overlooked – your organization may have special policies of its own that might not be required by legislation or external regulation. For example, it may be seeking a competitive advantage by seeking out customer confidence in its security approach, perhaps by a public pledge upon the use and disposal of data that is over and above legal or regulatory requirements. Such organizational security policies are rarer, but should not be overlooked when producing a STA policy and supporting materials.
The skilled individual who could be the best advisor for this aspect is: the legal officer
Threat assessment check
Any corporate STA policy must relate to the organization’s security threats and be able to respond promptly to any changes in them. This can be hard to co-ordinate. Inevitably, there is a certain amount of automation with STA processes that can make them slow and complex to update key messages for everyone. However, the importance of new threats can normally be assessed on a risk-managed basis and, where necessary, new guidance can be showcased before being subsumed in regular STA materials. For example, if a new threat emerges from a hacker group that has direct access to the company’s private database through a software exploit, then special effort may have to be made for all affected staff to be told immediately. If I were a security auditor, this would be the basis of some questions were I presented with otherwise flawless-looking awareness and training policy – how effective is it in responding to sudden changes of threat?
Corporate policy check
As security experts, we are often asked to illuminate the dark paths of cyber and information security for others who are less knowledgeable. Occasionally this leads to security being highlighted as a special feature and although this can help our brand recognition, it makes it harder to incorporate security into the everyday training and awareness. This is why it is important wherever possible to embed security inside of mainstream corporate policies. Ideally, there would be no security policies that could not be subsumed under the headings of human resources management (e.g. personal conduct), systems operations (e.g. media handling) and occupational safety & health (e.g. business continuity). In any case, it is worth ensuring that your STA is not headed for conflict with any other corporate policies and (ideally) can be subsumed into a range of other awareness and training issues.
The skilled individual who could be the best advisor for this aspect is a corporate compliance officer/internal auditor.
Not all members of an organization have to know all the same things to do their jobs securely. There is a risk that employees delivering services might get overloaded with too much security detail that is not really intended for them, and which they could likely do without with no adverse effect. For example, an associate who checks forms for accuracy and completeness probably won’t need to know the full details of any security breach handling process, but just know what to do in the event of a security incident. Similarly, managers with specific security responsibilities need to focus upon them. Depending on the size of an organization, it is useful to check whether security instructions can be broken down effectively into specific areas of responsibility. This can also help with delivery: for larger organizations, there are tie-in opportunities here with the RACI-type models used to identify roles and responsibilities.
The skilled individual who could be the best advisor for this aspect is an HRM professional
Check the medium
Nowadays there are many options for presenting awareness and training beyond old-fashioned sets of instructions or auditorium presentations. Some awareness lends itself to presentation (and increasingly effective productions can be cheaply made, even by small organizations, on a variety of platforms). Given these new flexibilities, it can be useful to apply some sort of cost/benefits analysis whenever large amounts of dollars have been proposed to deliver security messages and programs. There are a number of companies who specialize in producing security materials, but these can come at costs that might be a challenge to have approved. For more formal requirements, such as the need to obtain formal sign-off from associates, reading materials may be the right medium. The larger an organization is, the more messages and rules it will need to present and the wider variety of delivery mediums there should be. This is a rich mix that needs to be responsive to any change of employee expectations on how they get instructions or are made aware of important messages.
The skilled individual who could be the best advisor for this aspect is a classroom teacher
Information security can be complex. It is a challenging subject to get across to a general audience who are not specialists and can prove quick to dismiss complex messages as too technical. This can mean a lot of effort is lost whenever security is put in terms of complex-sounding ideas that audiences cannot easily retain. For this reason it is worth spending more time checking the impact of the policy presentations on an audience before going live, and ensuring that someone who has the magical, sought-after touch of rendering complex ideas simple to proof-read (if not write) the material.
Identifying the right person for this can be difficult, but of the many cyber-voices on the internet there are some great examples, usually writers for popular newspapers, who can be used as models for the ‘right’ type of language in security.
Check out the head of the organization
It might be that an organization chief is not used to getting personally involved in endorsing policy for employees. But for security, given its linkage to both legal and safety issues, a personal endorsement from the head will encourage participation. It might also provide the necessary assurance that security requirements are firmly set within corporate policy. This is important with frameworks like ISO 27001, where top management endorsement of security is a requirement of compliance. Another useful side effect will be in strengthening the organization’s hand when any legal issues arise, i.e. by being able to demonstrate good corporate governance.
Check out measurability
Metrics are a requirement of security delivery, too. It is not satisfactory to say that, for instance, the absence of any security events proves how good the organization’s security training and awareness policy is! It might be that the absence of metrics could open the future of such a program to challenges.