Information security awareness, education and training

Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:

• staff receive instructions describing the general guidelines of digital security related to their job role
• staff receive training to maintain the appropriate digital and cyber security skills and knowledge required for the job role
• staff demonstrate through tests that they have the security skills and knowledge required for the job role

Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:

• employee's personal security responsibilities (e.g. for devices and processed data)
• policies relevant for everyone (e.g. security incident reporting)
• guidelines relevant for everyone (e.g. clean desk)
• organization's security roles (who to contact with problems)

Especially when local or unstructured data needs to be handled a lot due to the nature of the activity, it may be necessary to develop training that describes the risks involved for staff.

Common problems with local and unstructured data include e.g.:

• no backups
• no access management
• hard to locate

For data you do not want to lose, that you want to control, or that is important to find in the future, staff should use data systems designed for it.

Remote workers have their own operating guidelines, which are monitored. In addition, regular training is provided to staff to identify threats to information security arising from the use of mobile devices and remote work, and to review the guidelines.

The Data Protection Officer (or other responsible person) has drawn up operating instructions for personnel handling personal data. In addition, the Data Protection Officer is ready to advise the controller, personal data processing partners or their own staff on compliance with GDPR or other data protection requirements.

A log is kept of the cyber security training events provided by the organization to its staff. The log can be used to show what kind of specific investments the organization has made towards staff's cyber security expertise.

For each training the documentation should include:

• Time
• Topics and duration of the training
• Training method and trainer
• Staff involved in the training

The organization's top management must demonstrate a commitment to cyber security work and the management system. Management commits to:

• defining the frameworks or other requirements that form the basis for work (e.g. customer promises, regulations or certificates)
• determining the resources needed to manage security
• communicating the importance of cyber security
• ensuring that the work achieves the desired results
• promoting the continuous improvement of cyber security

Top management also decides the scope of the information security management system and records the decision in the description of the system. This means, for example, whether some parts of the organisation's activities or information are excluded from the scope of the management system, or whether it applies to all information / activities of the organization.

The security guidelines are specified in connection with the employee's job role. The organization has identified units and roles that require separate guidance and develops its own detailed security guidelines for these.

Examples of units that may require their own guidelines are e.g. customer service, IT and HR. Examples of work roles that require their own instructions are the system administrators and the remote workers.

Personnel under the direction of the entire organization must be aware:

• how they can contribute to the effectiveness of the information security management system and the benefits of improving the level of information security
• the consequences of non-compliance with the requirements of the information security management systemwhich roles in the personnel have effects to the level of security

In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.

The employees of our organization accept the general information security policy formed by the management with their signatures. The policy may refer to a number of more specific security guidelines.

Our organization has defined procedures and responsibilities for protecting systems from malware and trains staff to use the protections and to report and recover from malware attacks.

By informing the units on the most important cyber security issues for them and in the language they understand, great strides can be made at the level of cyber security as staff have a better understanding of why different policies and rules apply. Informing can include distributing cyber guidelines in small chunks, various campaigns (e.g. “Security Day”), leaflets, newsletters, competitions or other similar elements.

Security informing may also be referred to as an "awareness program".

The effectiveness of cyber security training is regularly evaluated. The evaluation may include e.g. the following perspectives:

• Is the competence of the staff deep enough?
• Are the training methods and amounts correct?
• Are different units trained in the right things?
• Is the staff motivated to learn?
• Does the staff understand the reasons for the training (e.g. what kind of negative effects can a cyber security breach have?

The necessary personnel are regularly trained in the use of selected security systems.

Ensuring staff security awareness is an important part of protection against malware. Because of this, staff are regularly informed of new types of malware that may threaten them.

The organization regularly trains staff on the use of utilized malware protection, reporting malware attacks, and recovering from malware attacks.