Security Awareness is a key challenge in Implementing information security. Many organizations find it difficult to provide the right information security awareness to its staff and thus have less support from its staff in implementing the information security measures.
It is important to tailor the security awareness program to cover the potential threats and risks of the organization.
The first item in the security awareness should be about the password security. The password security awareness should cover topics such as:
- What is the password policy of the organization
- How to build secure but easy to passwords in compliance with the password policy
- Possible tools for password storage and how to use them securely
- Now writing down of passwords in excel or paper or sickies
- How the Password sharing is dangerous to the staff in specific and the organization in general
- Importance of having a clean workplace from a security perspective
- Potential confidentiality issues when the critical documents are in the eyes of those who are not supposed to have access
- Importance of shredding of documents when they are no more required
- Keeping the printer and fax trays empty all the time
Information Handling and Classification
Classification guidelines and information on how to handle the information should be part of this discussion. this should cover topics such as:
- Classification labels and when and how to use them
- Precautions to take when sending or receiving such information
Visitor Control is another area, which can be part of information security awareness. Checkout this cartoon on Physical & Information Security Awareness, it can be part of the security awareness materials.
Key things include (1) questioning the visitors without a badge or who looks suspicious (2) accompanying the visitors to confidential areas such as datacentre (3) about piggybacking etc…
Another Physical Security control is about the protection of laptops and other mobile computing devices. It is often the laptops, smart phones, or removable devices which are getting lost. Protection of these devices are critical in information security. Many times we have heard about data leakage through lost or stolen devices
Another key area to include is Incident Reporting and Management. This should cover the types of incidents to be reported, whom to be reported, means of reporting etc…
Phishing & Social Engineering is another key topic which can be included. This will help the staff not to become a victim of such attacks by malicious internal or external entities. Cover the possibility of email and phone channels for social engineering.
Social Networking and its threats are another set of topic which can be covered within the security awareness session. Topics like what to post in the social media and what not, who represents the company in social media and things like that.
Bring Your Own Device or BYOD and use of the personal device usage within the organization. What are the restriction related to BYOD including the removable media
Acceptable use of the IT environment such as Internet and Email, Desktop systems etc…
Desktop security including the use of antivirus, locking or logging of the system when not in use.
Importance of data backups. Corporate process on backups. Is it allowed to backup only to the file servers? Or can the user backup to a USB or CD.
Critical Success Factors of an Information Security Awareness session
- Engaging with the staff interactively
- Quoting real life examples. It would be helpful to include News items on related contents
- Having good humour included in the topics
- References to the corporate security policies is a key item to be included in the related topics
- Choose the right topics for the right group of audience. Social engineering, desktop security etc might be a topic for all groups.
Your board members or senior management may not want to undergo one hour awareness sessions and thus, the topics should be carefully opted when designing the materials for them - Have a test or a quiz at the end of the session. It will give an opportunity to understand the effectiveness of the awareness sessions
The above list gives a number of topics useful for a typical information security awareness session.