In our last post we discussed the different strategic issues you need to consider before deploying your awareness program, including setting up your Steering Committee and determining your goals.  One of the next points is your security awareness policy.  Specifically, does your security policy have anything about security awareness and education?  If so, what does it cover, does your awareness policy need to be updated?  If not, do you need to create such a policy to ensure your program has the support you need, or is in compliance with management expectations?  Some key points a security awareness policy may include are:
  • Purpose:  What is the purpose of security awareness and education in your organization?
  • Scope: Who needs to take the training, employees, part time staff, contractors?  Is the training required or optional?  If required, how often do they have to take it (annually, twice  a year, every two years, etc).
  • Training:  What is involved in the training?  Is it just online training, or should users expect other methods, such as phishing assessments and surveys?  If there are assessments, who has access to the results?
  • Enforcement: Who is responsible for enforcing the program?  For example, if an employee fails to take the training, or refuses to take it, who is responsible for enforcing the program and what authority do they have?
If you need such a policy, you may or may not need to cover all the points above.  But at least identify that before you go any further.   To help you with your awareness program, you can download an example security awareness policy, and another awareness planning materials, from our resources page.