NoticeBored information security awareness Security awareness & training policy

Information security policy
Information security awareness and training
Policy summary
This policy specifies an information security awareness and training program to inform and
motivate all workers on their obligations towards information security.
This policy applies throughout the organization as part of the corporate governance framework. It
is relevant to all employees and applies also to third parties acting in a similar capacity to our
employees whether they are e!plicitly bound "e.g. by contractual terms and conditions# or implicitly
bound "e.g. by generally held standards of ethics and acceptable behavior# to comply with our
information security policies "collectively $workers%#. It applies regardless of whether or not
workers use the computer systems and networks since workers are e!pected to protect all forms
of information asset including computer data written materials&paperwork and intangible forms of
knowledge and e!perience.
Policy detail
Technical $IT security% controls are a vital part of our information security framework but are not in
themselves sufficient to secure all our information assets. 'ffective information security also
re(uires the awareness and proactive support of all workers supplementing and making full use of
the technical security controls. This is obvious in the case of social engineering attacks for
e!ample which specifically target vulnerable humans rather than IT and network systems.
)acking an ade(uate level of awareness concerning information security workers are less likely to
recognize or react appropriately to information security threats attacks and incidents and are
more likely to place valuable information assets in danger through ignorance and carelessness.
*hereas +awareness, implies a basic level of understanding about a broad range of information
security matters +training, generally implies more narrowly focused and detailed attention to one or
more specific topics. Training tends to be delivered through classroom or online courses while
awareness tends to be delivered by multiple communications methods such as seminars case
studies written briefing and reference materials posters and conversations. -wareness typically
provides the foundation level of knowledge for training. In other words awareness and training are
complementary approaches.
Policy axiom (guiding principle)
In order to protect information assets all workers must be informed about relevant and topical
information security matters and motivated to fulfill their information security obligations.
.opyright / 0122 IsecT )td. 3age 2 of 4
NoticeBored information security awareness Security awareness & training policy
Detailed policy requirements
2. The information security awareness program should ensure that all workers achieve and
maintain a basic level of understanding on a broad range of information security matters
including their obligations under various information security policies standards procedures
guidelines laws regulations contractual terms and plus generally held standards of ethics
and acceptable behavior.
0. -dditional training is appropriate for workers with specific obligations towards information
security that are not satisfied by basic security awareness for e!ample Information Security
5anagement Security -dministration Site Security and IT&Network 6perations personnel.
Such training re(uirements must be identified in workers, personal training plans and funded
accordingly. The particular training re(uirements will reflect workers, relevant prior
e!perience training and&or professional (ualifications as well as anticipated 7ob needs.
4. Security awareness and training activities should commence as soon as practicable after
workers 7oin the organization ideally starting with an information security induction&orientation
session. The awareness activities should continue on a continuous&rolling basis thereafter in
order to maintain a reasonably consistent level of awareness.
8. *here necessary and practicable security awareness and training materials should suit their
intended audiences in terms of their styles formats comple!ity technical content etc. 9or
e!ample some people prefer to read written descriptions and instructions while others prefer
to be shown things or have them demonstrated. Some like to read words others prefer
diagrams and pictures. Non:technical workers are unlikely to understand or appreciate highly
technical awareness content while their technical colleagues may well need the full details in
order to understand e!actly what they are being asked to do. 'veryone needs to know why
information security is so important but the motivators may be different for workers
concerned only about their own personal situations or managers with broader responsibilities
to the organization and their staff.
;. Information Security,s intranet $Security <one% is the focal point for security awareness
materials and is intended to provide information and guidance on a wide variety of
information security matters. It is the definitive source of current information security policies
standards procedures and guidelines. =owever workers with limited or no intranet access
must also be kept informed by other means such as seminars posters newsletters briefings
and courses.
>. Suitable compliance measures must be undertaken to achieve widespread compliance with
the information security obligations. *hile the details vary according to the specific nature of
those obligations and the risks associated with non:compliance it involves a combination of
routine periodic and ad hoc compliance activities in addition to the use of suitable metrics for
e!ample measuring the effectiveness of the security awareness and training activities.
Responsibilities and accountabilities
• The !ief Information "ecurity #fficer$Information "ecurity %anager is accountable for
the information security awareness and training program that informs and motivates workers
on information security matters.
• Information "ecurity is responsible for developing and maintaining a comprehensive suite
of information security policies "including this one# standards procedures and guidelines that
are to be mandated and&or endorsed by management where applicable. *orking in
con7unction with other corporate functions it is also responsible for running suitable
awareness training and educational activities to raise awareness and aide understanding of
workers, responsibilities identified in applicable policies laws regulations contracts etc.
.opyright / 0122 IsecT )td. 3age 0 of 4
NoticeBored information security awareness Security awareness & training policy
• I& 'elp$"er(ice Desk is responsible for helping workers on basic information security
matters liaising with e!perts from functions such as Information Security 5anagement Site
Security =uman ?esources ?isk 5anagement )egal and .ompliance where necessary.
• %anagers are responsible for ensuring that their staff and other workers within their remit
participate in the information security awareness training and educational activities where
• )orkers are personally accountable for complying with mandatory information security
obligations under all applicable corporate policies standards procedures and guidelines plus
all applicable laws regulations contractual and ethical obligations at all times. *orkers are
responsible for maintaining an ade(uate level of information security for all information in their
care and should participate in information security awareness and training activities in order
to keep abreast of the field.
• Internal Audit is authorized to assess compliance with this and other corporate policies at
any time.
Related policies* standards* procedures and guidelines
Item Rele(ance
Information security
policy manual
@efines the overarching set of information security controls reflecting
IS6&I'. 0A110 the international standard code of practice for information
security management
Information security
procedures and
These amplify and e!plain the information security policies providing
greater detail on particular topics and&or pragmatic advice for particular
audiences. *hile the word $guideline% might be taken to imply that they
merely provide optional guidance in fact many of the matters discussed in
these materials relate to mandatory obligations and responsibilities.
6ther information
security awareness
and training
- broad range of information security awareness and training materials is
available from Information Security covering both general security matters
and more specific security topics. The materials are proactively
maintained to maintain relevant to the ever:changing information security
risk and control landscape.
9or further information about this policy or general advice on information security contact the IT
=elp&Service @esk. Security standards procedures guidelines and other materials are available
from the Security <one. The Information Security 5anager can advise on more specific issues.
.opyright / 0122 IsecT )td. 3age 4 of 4
Important note from Isec& +td,
&!is policy is unlikely to be entirely sufficient or suitable for you wit!out customi-ation.
This is a generic model or template policy incorporating a selection of common controls in this
area derived from our knowledge of good security practices and international standards. It does
not necessarily reflect your organization,s specific re(uirements. *e are not familiar with your
particular circumstances and cannot offer tailored guidance. It is not legal advice. It is meant to
be considered by management as part of the security awareness program ideally as part of the
regular review and update of your information security policies.