18 Best Practices in Security Awareness Training
In 2006, the State of Oregon commissioned a study to determine the best way to deliver security awareness training to state employees, and to develop a plan for its implementation. As part of that study, a list of security awareness best practices was developed based on a definition given by Dr. John Nugent of the University of Dallas Center of Information Assurance:

Best Practices are those documented, accessible, effective, appropriate, and widely accepted strategies, plans, tactics, processes, methodologies, activities, and approaches developed by knowledgeable bodies and carried out by adequately trained personnel which are in compliance with existing laws and regulations and that have been shown over time through research, evaluation, and practice to be effective at providing reasonable assurance of desired outcomes, and which are continually reviewed and improved upon as circumstances dictate.
The study therefore looked for established training practices that met all of the following criteria:
  1. Documented.
  2. Widely accepted.
  3. Developed by knowledgeable bodies.
  4. In compliance with existing laws and regulations.
  5. Effective at providing reasonable assurance of desired outcomes.
  6. Continually reviewed and improved upon.
with particular emphasis on IT and business standards, laws and regulations, and official guidance documents such as:
  • ISO 17799
  • COBIT 4.0
  • HIPAA (Privacy & Security Rules)
  • GLBA (Gramm-Leach-Bliley Act)
  • PCI Data Security Standard
  • FISMA
  • NIST SP 800-16
  • NIST SP 800-50
  • Section 508 of the Rehabilitation Act
  • Oregon Accessibility Policy
Here are the 18 best practices that were identified in the study.

Strategy & Planning
1. Mandatory Security Awareness: Security awareness training is mandatory for all staff (including management).
2. Training for Third Parties: All third parties with access to an organization's information receive the same security awareness training, or training to an equivalent level.
3. Training is Required Before Access is Granted: Security awareness training commences with a formal induction process designed to introduce the organization's security policies and expectations before access to information or services is granted.
4. Staff Must Acknowledge Policy: Staff are required to acknowledge that they have read and understood the organization's information security policy.
5. Training at Least Annually: All staff (and third parties) are exposed to security awareness training at least once per year.
6. Periodic Security Reminders: All staff are provided with periodic reminders about information security.
7. Management Support: Management supports and (where appropriate) attends security awareness sessions.
Program Design & Development
8. Common Level of Security Literacy: A "Common Level" of security training, applicable to all staff in this and other organizations, has been identified.
9. Role-Based Training: In addition to the "Common Level", training for staff is segmented based on roles and tailored accordingly.
10. Training Content: Security awareness training includes:
  • Information on known threats.
  • Security requirements.
  • Legal responsibilities.
  • Business controls.
  • Information on the disciplinary process.
  • Who to contact for further security advice or to report incidents.
Specific content has been determined based on a needs assessment including consideration of regulatory requirements.
11. References to Security Outside Work: Training includes the importance of security to the individual's life outside of work.
12. External References: External training experts are leveraged, and benchmarks are used for guidance in developing the program.
13. Multiple Delivery Modes: Where possible, multiple delivery modes are used to suit different learning styles.
14. Accessibility for Staff with Disabilities: Where practical, all training materials are made accessible to staff with disabilities. Where this is not possible, alternative forms of training are provided.
Delivery & Administration
15. Multiple Points of Contact: Where possible, multiple points of contact (e.g. IT, HR) are used to stress the importance of the program.
16. IT is Leveraged to Provide Training: Information technology is used to automate training delivery and to provide tools that support the training and education program.
17. Record Keeping: Records of staff training are kept in personnel records, or in a compliance-tracking tool/database.
18. Metrics: Both qualitative and quantitative metrics are used to obtain feedback, and to measure the effectiveness of the training program.

Page updated: September 24, 2007