In the world of Info Sec we sometimes ask ourselves ‘why do people do such dumb things?’ Well, let me tell you: if they don’t know what is right, they don’t know it is wrong. For example, when I was about four my Dad had to smack dirt out of my hands before I ate it and say ‘don’t eat that, yuk! Look at what that dog is doing on it over there.’ That was a good lesson for me.
Now please don’t get all hippy on me about ‘eating germs is good for the immune system’, whatever! My point is, I had to learn and/or experience that just because it’s brown, doesn’t mean it’s chocolate. I have not researched this, but I am pretty sure some kid out there has got sick eating dirt with dog sprinkles on it … anyway, back to the point.
If the people in your business aren’t aware of, or trained in, the Information Security practices specifically related to their role, well… you can be sure they are eating dirt daily, and it’s only a matter of time before your business is dealing with an incident.
Any Information Security management function must have a robust Awareness and Training program. Personally, I think a well-defined and well-implemented program is the cheapest, most effective control for minimising risk and improving the maturity of Information Security.
There are a lot of different approaches, and what works best depends on the business; what I am attempting to do with this article is give readers a foundation for a simple Information Security Awareness and Training program.
Note: My definition of awareness and training is as follows:
The purpose of awareness is simply to focus attention on general or specific Information Security topics. Awareness presentations or any other associated material are intended to help staff become familiar with Information Security topics and respond accordingly when presented with certain situations.
The purpose of training is to develop a specific Information Security competency to minimise risk and protect information related to a role or function.
The significant difference between the two is that awareness seeks to focus an individual’s attention on an issue or set of issues, while training seeks to teach skills, apply knowledge in practice, and enable a specific function to be performed in a predictable and security-aware manner.
The Program Structure
The program comprises three main elements:
- An initial awareness campaign;
- An ongoing awareness campaign, and;
- A training schedule.
Note: For the awareness and training program to remain effective, I recommend applying the tried-and-tested continual improvement approach used in ISO 27001, i.e. the Plan, Do, Check, Act (PDCA) model. This ensures the activities are continually improved rather than left to go stale.
- Initial Awareness Campaign
The first stage of the program is to kick off with an initial campaign and set a baseline of knowledge. As part of the initial campaign you will need to gather stakeholder requirements and objectives, then develop a general Information Security awareness session that is applicable to all staff.
This campaign should be measured by collecting metrics from the participants and stakeholders (e.g. attendance, pre- and post-session questionnaire scores, and stakeholder feedback). Any lessons learnt, gaps or deficiencies should be analysed and, where required, serve as an input to the ongoing campaign and/or the training schedule.
- Ongoing Awareness Campaign
The ongoing campaign continually clarifies and refines stakeholder requirements and objectives regarding Information Security. Key audience groups should be identified and key messages defined for each of them. Tip: use the information in your risk register, e.g. information assets and their inherent risk profiles, so that there is a direct correlation between each key message and a recorded information risk. Get creative with the delivery methods and tailor your approach to ensure the best possible delivery of the key messages, e.g. awareness sessions, email reminders, posters, questionnaires, computer-based training, etc.
- Training Schedule
The training schedule runs in parallel with, and supports, the ongoing campaign. It should be developed on an as-needs basis depending on the requirement or situation. Some examples of relevant training that might be identified to mitigate a specific risk:
- An IT security session (delivered by an Information Security Specialist) for system administrators, which would address in detail the operational and technical controls that must be followed to implement and manage infrastructure.
- A ‘how to’ session on access management requirements (delivered by a Team Leader) for an operational team responsible for provisioning and managing access to a critical system.
- A ‘how to’ session (delivered by a Legal representative) for contract managers on identifying relevant security requirements, constructing clauses for master services agreements, and what to do to enforce them.
- A ‘how to’ session (delivered by a Bank representative) for HR staff who process payroll files through a custom portal, i.e. how to use the application, what to be aware of, etc.
- Continual Improvement of Ongoing Awareness Campaign and Training Schedule
As mentioned above, the Ongoing Awareness Campaign and Training Schedule are continually improved through the application of the Plan, Do, Check, Act (PDCA) model:
- Plan — Establish the Ongoing Campaign and Training Schedule, objectives, materials and timelines relevant to managing risk and improving Information Security.
- Do — Implement the Ongoing Campaign and Training Schedule.
- Check — Assess and, where applicable, measure the performance of the Ongoing Campaign and Training activities against stakeholder objectives and staff experience, and report the results to management for review.
- Act — Take corrective and preventive actions, based on the results of surveys, incidents, internal audits, etc., to continually improve the Ongoing Campaign and Training Schedule.