NoticeBored information security awareness Security awareness & training policy
Information security policy
Information security awareness and training Policy summary This policy specifies an information security awareness and training program to inform and motivate all workers on their obligations towards information security. Applicability This policy applies throughout the organization as part of the corporate governance framework. It is relevant to all employees and applies also to third parties acting in a similar capacity to our employees whether they are e!plicitly bound "e.g. by contractual terms and conditions# or implicitly bound "e.g. by generally held standards of ethics and acceptable behavior# to comply with our information security policies "collectively $workers%#. It applies regardless of whether or not workers use the computer systems and networks since workers are e!pected to protect all forms of information asset including computer data written materials&paperwork and intangible forms of knowledge and e!perience. Policy detail Background Technical $IT security% controls are a vital part of our information security framework but are not in themselves sufficient to secure all our information assets. 'ffective information security also re(uires the awareness and proactive support of all workers supplementing and making full use of the technical security controls. This is obvious in the case of social engineering attacks for e!ample which specifically target vulnerable humans rather than IT and network systems. )acking an ade(uate level of awareness concerning information security workers are less likely to recognize or react appropriately to information security threats attacks and incidents and are more likely to place valuable information assets in danger through ignorance and carelessness. *hereas +awareness, implies a basic level of understanding about a broad range of information security matters +training, generally implies more narrowly focused and detailed attention to one or more specific topics. Training tends to be delivered through classroom or online courses while awareness tends to be delivered by multiple communications methods such as seminars case studies written briefing and reference materials posters and conversations. -wareness typically provides the foundation level of knowledge for training. In other words awareness and training are complementary approaches. Policy axiom (guiding principle) In order to protect information assets all workers must be informed about relevant and topical information security matters and motivated to fulfill their information security obligations. .opyright / 0122 IsecT )td. 3age 2 of 4 NoticeBored information security awareness Security awareness & training policy Detailed policy requirements 2. The information security awareness program should ensure that all workers achieve and maintain a basic level of understanding on a broad range of information security matters including their obligations under various information security policies standards procedures guidelines laws regulations contractual terms and plus generally held standards of ethics and acceptable behavior. 0. -dditional training is appropriate for workers with specific obligations towards information security that are not satisfied by basic security awareness for e!ample Information Security 5anagement Security -dministration Site Security and IT&Network 6perations personnel. Such training re(uirements must be identified in workers, personal training plans and funded accordingly. The particular training re(uirements will reflect workers, relevant prior e!perience training and&or professional (ualifications as well as anticipated 7ob needs. 4. Security awareness and training activities should commence as soon as practicable after workers 7oin the organization ideally starting with an information security induction&orientation session. The awareness activities should continue on a continuous&rolling basis thereafter in order to maintain a reasonably consistent level of awareness. 8. *here necessary and practicable security awareness and training materials should suit their intended audiences in terms of their styles formats comple!ity technical content etc. 9or e!ample some people prefer to read written descriptions and instructions while others prefer to be shown things or have them demonstrated. Some like to read words others prefer diagrams and pictures. Non:technical workers are unlikely to understand or appreciate highly technical awareness content while their technical colleagues may well need the full details in order to understand e!actly what they are being asked to do. 'veryone needs to know why information security is so important but the motivators may be different for workers concerned only about their own personal situations or managers with broader responsibilities to the organization and their staff. ;. Information Security,s intranet $Security <one% is the focal point for security awareness materials and is intended to provide information and guidance on a wide variety of information security matters. It is the definitive source of current information security policies standards procedures and guidelines. =owever workers with limited or no intranet access must also be kept informed by other means such as seminars posters newsletters briefings and courses. >. Suitable compliance measures must be undertaken to achieve widespread compliance with the information security obligations. *hile the details vary according to the specific nature of those obligations and the risks associated with non:compliance it involves a combination of routine periodic and ad hoc compliance activities in addition to the use of suitable metrics for e!ample measuring the effectiveness of the security awareness and training activities. Responsibilities and accountabilities The !ief Information "ecurity #fficer$Information "ecurity %anager is accountable for the information security awareness and training program that informs and motivates workers on information security matters. Information "ecurity is responsible for developing and maintaining a comprehensive suite of information security policies "including this one# standards procedures and guidelines that are to be mandated and&or endorsed by management where applicable. *orking in con7unction with other corporate functions it is also responsible for running suitable awareness training and educational activities to raise awareness and aide understanding of workers, responsibilities identified in applicable policies laws regulations contracts etc. .opyright / 0122 IsecT )td. 3age 0 of 4 NoticeBored information security awareness Security awareness & training policy I& 'elp$"er(ice Desk is responsible for helping workers on basic information security matters liaising with e!perts from functions such as Information Security 5anagement Site Security =uman ?esources ?isk 5anagement )egal and .ompliance where necessary. %anagers are responsible for ensuring that their staff and other workers within their remit participate in the information security awareness training and educational activities where appropriate. )orkers are personally accountable for complying with mandatory information security obligations under all applicable corporate policies standards procedures and guidelines plus all applicable laws regulations contractual and ethical obligations at all times. *orkers are responsible for maintaining an ade(uate level of information security for all information in their care and should participate in information security awareness and training activities in order to keep abreast of the field. Internal Audit is authorized to assess compliance with this and other corporate policies at any time. Related policies* standards* procedures and guidelines Item Rele(ance Information security policy manual @efines the overarching set of information security controls reflecting IS6&I'. 0A110 the international standard code of practice for information security management Information security standards procedures and guidelines These amplify and e!plain the information security policies providing greater detail on particular topics and&or pragmatic advice for particular audiences. *hile the word $guideline% might be taken to imply that they merely provide optional guidance in fact many of the matters discussed in these materials relate to mandatory obligations and responsibilities. 6ther information security awareness and training materials - broad range of information security awareness and training materials is available from Information Security covering both general security matters and more specific security topics. The materials are proactively maintained to maintain relevant to the ever:changing information security risk and control landscape. ontacts 9or further information about this policy or general advice on information security contact the IT =elp&Service @esk. Security standards procedures guidelines and other materials are available from the Security <one. The Information Security 5anager can advise on more specific issues. .opyright / 0122 IsecT )td. 3age 4 of 4 Important note from Isec& +td, &!is policy is unlikely to be entirely sufficient or suitable for you wit!out customi-ation. This is a generic model or template policy incorporating a selection of common controls in this area derived from our knowledge of good security practices and international standards. It does not necessarily reflect your organization,s specific re(uirements. *e are not familiar with your particular circumstances and cannot offer tailored guidance. It is not legal advice. It is meant to be considered by management as part of the security awareness program ideally as part of the regular review and update of your information security policies.
Hacking With Kali Linux : A Comprehensive, Step-By-Step Beginner's Guide to Learn Ethical Hacking With Practical Examples to Computer Hacking, Wireless Network, Cybersecurity and Penetration Testing