security-awareness-training.com

Articles
  - Recent
  - By Date
  - By Category

Related Sites
  - Cosaint External Link
  - LM-Light External Link

More Information
  - About the Author
  - Contact
  - Copyright

Best Practices for Security Awareness Training

Posted: 10 April 2008

I recently completed a security training needs assessment for one of the states here on the West Coast. Part of the study was to identify a list of accepted "best practices" in security awareness training. To do this, I started from a definition given by Dr. John Nugent of the University of Dallas Center of Information Assurance:

Best Practices are those documented, accessible, effective, appropriate, and widely accepted strategies, plans, tactics, processes, methodologies, activities, and approaches developed by knowledgeable bodies and carried out by adequately trained personnel which are in compliance with existing laws and regulations and that have been shown over time through research, evaluation, and practice to be effective at providing reasonable assurance of desired outcomes, and which are continually reviewed and improved upon as circumstances dictate.

Ref: http://gsmweb.udallas.edu/info_assurance/pdf/ABA_Best_Practices.pdf

Then, I looked for established training practices that met the following criteria:

  • Documented.
  • Widely accepted.
  • Developed by knowledgeable bodies.
  • In compliance with existing laws and regulations.
  • Effective at providing reasonable assurance of desired outcomes.
  • Continually reviewed and improved upon.

I looked closely at IT and business standards, laws and regulations, and official guidance documents such as:

  • ISO 17799
  • COBIT 4.0
  • HIPAA (Privacy & Security Rules)
  • GLB-A
  • PCI Data Security Standard
  • OMB Circular A-130
  • FISMA
  • NIST SP 800-16
  • NIST SP 800-50
  • Section 508 of the Rehabilitation Act

Here are 17 of the best practices that were identified as a result of the study cross-referenced against the sources.

STRATEGY & PLANNING
1

Mandatory Security Awareness
Security awareness training is mandatory for all staff (including management). 		ISO 17799
COBIT 4.0
HIPAA Security Rule
BITS FISAP
FISMA

2

Training for Third Parties
All third parties with access to an organization’s information receive the same security awareness training, or training to an equivalent level. 		ISO 17799
PCI Data Security Std.
FISMA
OMB Circular A-130

3

Training is Required Before Access is Granted
Security awareness training commences with a formal induction process designed to introduce the organization’s security policies and expectations before access to information or services is granted. 		ISO 17799
OMB Circular A-130

4

Staff Must Acknowledge Policy
Staff are required to acknowledge that they have read and understood the organization’s information security policy. 		PCI Data Security Std.
GLB-A

5

Training at Least Annually
All staff (and third parties) are exposed to security awareness training at least once per year. 		NIST SP 800-50

6

Periodic Security Reminders
All staff are provided with periodic reminders about information security. 		HIPAA Security Rule
NIST SP 800-50
GLB-A
OMB Circular A-130

7

Management Support
Management supports and (where appropriate) attends security awareness sessions. 		COBIT 4.0
BITS Critical Success Factors

8

Multiple Points of Contact
Where possible, multiple points of contact (e.g. IT, HR) are used to stress the importance of the program. 		BITS Critical Success Factors

 
PROGRAM DESIGN & DEVELOPMENT

9

Common Level of Security Literacy
A "Common Level" of security training applicable to all staff in this and other organizations has been identified. 		NIST SP 800-16
NIST SP 800-50

10

Role-Based Training
In addition to the "Common Level", training for staff is segmented based on roles and tailored accordingly. 		NIST SP 800-16
BITS Critical Success Factors

11

Training Content
Security awareness training includes:

  • Information on known threats, including discussion of malicious software.
  • Security requirements including the good password practice, and the importance of monitoring login failure.
  • Legal responsibilities.
  • Business controls.
  • Information on the disciplinary process.
  • Who to contact for further security advice or to report incidents.

Specific content has been determined based on a needs assessment including consideration of regulatory requirements.

NIST SP 800-50
ISO 17799
PCI Data Security Std.
HIPAA Security Rule
GLB-A

12

References to Security Outside Work
Training includes the importance of security to the individual’s life outside of work. 		NIST SP 800-50
BITS Critical Success Factors

 
DELIVERY & ADMINISTRATION

13

Multiple Delivery Modes
Where possible, multiple delivery modes are used to suit different learning modes. 		NIST SP 800-50
BITS Critical Success Factors

14

IT is Leveraged to Provide Training
Information technology is used in an optimized manner to automate training, and to provide tools for the training and education program. 		COBIT 4.0

15

Accessibility for Staff with Disabilities
Where practical, all training materials should be made accessible to staff with disabilities. Where this is not possible, alternative forms of training are provided. 		Section 508

16

Record Keeping
Records of staff training are kept in personnel records, or in a compliance-tracking tool/database. 		NIST SP 800-50
BITS FISAP
HIPAA Security Rule

17

Metrics
Both qualitative and quantitative metrics are used to obtain feedback, and to measure the effectiveness of the training program. 		NIST SP 800-50
BITS Critical Success Factors

 

 

The copyrights in all materials in this website are owned by the author unless otherwise noted.