Employees shall be trained as appropriate.
Guidance
- Employees include all users and managers of the ICT/OT systems, and they should be trained
immediately when hired and regularly thereafter about the company’s information security policies
and what they will be expected to do to protect company’s business information and technology.
- Training should be continually updated and reinforced by awareness campaigns.
The organization shall incorporate insider threat recognition and reporting into security
awareness training.
Guidance
Consider to:
- Communicate and discuss regularly to ensure that everyone is aware of their responsibilities.
- Develop an outreach program by gathering in a document the messages you want to convey to your
staff (topics, audiences, objectives, etc.) and your communication rhythm on a calendar (weekly,
monthly, one-time, etc.). Communicate continuously and in an engaging way, involving management,
IT colleagues, the ICT service provider and HR and Communication managers.
- Cover topics such as: recognition of fraud attempts, phishing, management of sensitive information,
incidents, etc. The goal is for all employees to understand ways to protect company information.
- Discuss with your management, your ICT colleagues, or your ICT service provider some practice
scenarios (e.g. what to do if a virus alert is triggered, if a storm cuts off the power, if data is blocked,
if an account is hacked, etc.), determine what behaviours to adopt, document and communicate
them to all your staff. The central point of contact in the event of an incident should be known to all.
- Organize a simulation of a scenario to test your knowledge. Consider performing the exercise for
example at least once a year.
The organization shall implement an evaluation method to measure the effectiveness of the
awareness trainings.
Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:
Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:
The organization has developed guidelines for staff that define the acceptable use of various communication services and aim to prevent the disclosure of confidential information to, for example, a phisher or other third parties.
Personnel under the direction of the entire organization must be aware:
In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.
A log is kept of the cyber security training events provided by the organization to its staff. The log can be used to show what kind of specific investments the organization has made towards staff's cyber security expertise.
For each training the documentation should include:
Before granting access rights to data systems with confidential information employees have:
By informing the units on the most important cyber security issues for them and in the language they understand, great strides can be made at the level of cyber security as staff have a better understanding of why different policies and rules apply. Informing can include distributing cyber guidelines in small chunks, various campaigns (e.g. “Security Day”), leaflets, newsletters, competitions or other similar elements.
Security informing may also be referred to as an "awareness program".
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.
.png)
Elevate Your Knowledge with Exclusive Access to Weekly Webinars, Video Courses, Help Articles, and Blogs.
