Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:
Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:
The organization has developed guidelines for staff that define the acceptable use of various communication services and aim to prevent the disclosure of confidential information to, for example, a phisher or other third parties.
Personnel under the direction of the entire organization must be aware:
In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.
A log is kept of the cyber security training events provided by the organization to its staff. The log can be used to show what kind of specific investments the organization has made towards staff's cyber security expertise.
For each training the documentation should include:
Before granting access rights to data systems with confidential information employees have:
By informing the units on the most important cyber security issues for them and in the language they understand, great strides can be made at the level of cyber security as staff have a better understanding of why different policies and rules apply. Informing can include distributing cyber guidelines in small chunks, various campaigns (e.g. “Security Day”), leaflets, newsletters, competitions or other similar elements.
Security informing may also be referred to as an "awareness program".