Staff training

Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:

• staff receive instructions describing the general guidelines of digital security related to their job role
• staff receive training to maintain the appropriate digital and cyber security skills and knowledge required for the job role
• staff demonstrate through tests that they have the security skills and knowledge required for the job role

Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:

• employee's personal security responsibilities (e.g. for devices and processed data)
• policies relevant for everyone (e.g. security incident reporting)
• guidelines relevant for everyone (e.g. clean desk)
• organization's security roles (who to contact with problems)

Personnel under the direction of the entire organization must be aware:

• how they can contribute to the effectiveness of the information security management system and the benefits of improving the level of information security
• the consequences of non-compliance with the requirements of the information security management systemwhich roles in the personnel have effects to the level of security

In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.

The organization shall have a sufficient number of trained, supervised and, where necessary, properly security cleared personnel who play key roles in information security, performing management tasks related to the information security management system.

The organization has defined:

• what qualifications this staff should have
• how qualifications are acquired and ensured (e.g. through appropriate training and training monitoring)
• how qualifications can be demonstrated through documentation

The owner of the task regularly reviews the number and level of competence of the security personnel.

The organisation should have a procedure for training and guidance of its personnel. These procedures should include and cover at least the following topics:

• Information security policies.
• Reporting of security incidents.
• Response to malware incidents.
• User account and login information policies (e.g., password policies).
• Compliance with information security regulations.
• Use of non-disclosure agreements (NDAs) when sharing sensitive information.
• Use of external IT services.

The training program should identify specific groups of employees who require this training, such as administrators, those with access to customer networks, and manufacturing personnel.

The training concept must be approved by responsible management. Conduct training and awareness programs regularly and in response to specific events. Ensure that employees know who to contact for information security concerns.

The organization needs to remind employees of their roles and security responsibilities. The reminder reinforces staff security awareness, safe practices and compliance with guidelines and legal requirements related to their job role.

Ensuring staff security awareness is an important part of protection against malware. Because of this, staff are regularly informed of new types of malware that may threaten them.

Before granting access rights to data systems with confidential information employees have:

• received appropriate guidance on their security responsibilities (including reporting responsibilities and responsibility for their own devices)
• received appropriate guidance on their security roles related to their own role (including digital security rules related to their role and information systems and their acceptable use)
• received information from cyber security contacts who can be asked for more information