Your organization should develop, document, and maintain a comprehensive Security Awareness Training Program.

If security awareness training is not provided to all personnel on a regular basis, all of the hard work, time, and resources that go into developing, implementing, and managing a security program for an organization is not likely to produce the desired results. Personnel cannot be expected to comply with security program controls of which they have never been made aware. Security awareness training is paramount to improving the security of daily operations of any organization and it happens to be the focus of pitfall #21 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.

Your organization should develop, document, and maintain a comprehensive Security Awareness Training Program. All personnel should receive appropriate awareness training. This needs to include security control updates made to your organization’s security policies, plans, and procedures that are relevant to their job function. Training should also include information on security best practices. At a minimum, security awareness training should be completed as part of initial training for newly hired personnel and annually thereafter for all personnel. Training should also be provided whenever required by system, security control, or operational changes.

The Security Awareness Training Program should identify and document all personnel that will receive security awareness training, the types of training that are appropriate, and how frequently training is provided. The Security Awareness Training Program should receive frequent updates, at least annually. These updates should address the latest attacks, best practices, and phishing techniques. Training materials should also be provided for all personnel to ensure that protected or sensitive information is safeguarded. Additionally, this mandatory training should include information on recognizing and reporting potential indicators of insider threats, actual instances of social engineering, or social data mining.

Awareness training should begin with a formal process designed to introduce the policies, controls, and expectations of the organization before access to information is granted, or within thirty days of being hired. Training should include information on the correct use of information assets and facilities. Training should include details on how your organization addresses each area of incident response.

To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.