This section of the exam covers all the aspects of ensuring that everybody in your organization is security conscious and familiar with the organization’s policies and procedures. In general, it is most effective to start with an awareness campaign and then provide detailed training. For example, teaching everybody about malware or phishing campaigns before they understand the bigger picture of risk isn’t very effective.
- Methods and techniques to present awareness and training. While the information security team is typically well-versed in security, the rest of the organization often isn’t. As part of having a well-rounded security program, the organization must provide security education, training and awareness to the entire staff. Employees need to understand what to be aware of (types of threats, such as phishing or free USB sticks), how to perform their jobs securely (encrypt sensitive data, physically protect valuable assets), and how security plays a role in the big picture (company reputation, profits and losses). Training should be mandatory, provided to new employees when they join and repeated at least yearly for existing staff. Routine tests of operational security should be performed (such as tailgating at company doors and social engineering tests like phishing campaigns).
- Periodic content reviews. Threats are complex, and training needs to be relevant and interesting to be effective. This means updating training materials and awareness content, and changing the ways in which security is tested and measured. If you always use the same phishing test campaign, or send it from the same account on the same day of the year, it isn’t effective. The same applies to other material. Instead of relying on long and detailed security documentation for training and awareness, consider using internal social media tools, videos and interactive campaigns.
- Program effectiveness evaluation. Time and money must be allocated for evaluating the company’s security awareness and training. The company should track key metrics, such as the percentage of employees clicking on a link in a test phishing email. Are the awareness and training efforts bringing the total number of clicks down? If so, the program is effective. If not, you need to re-evaluate it.
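As an added example (not part of the original study notes), the following Python script shows how the metric described above can be tracked across several simulated phishing campaigns. It computes the click rate and the report rate for each campaign and compares the first and most recent campaigns to decide whether the program is trending in the right direction. The campaign figures are constructed sample data, and the `CampaignResult` structure and `evaluate_program` function are assumptions for illustration, not a real tool's API.

```python
from dataclasses import dataclass
from typing import List, Dict, Any


@dataclass(frozen=True)
class CampaignResult:
    """Outcome of one simulated phishing campaign (hypothetical structure)."""
    name: str       # campaign label, e.g. quarter or date
    sent: int       # emails delivered to staff
    clicked: int    # recipients who clicked the test link
    reported: int   # recipients who reported the email to security


def click_rate(r: CampaignResult) -> float:
    """Fraction of recipients who clicked; 0.0 if nothing was sent."""
    return r.clicked / r.sent if r.sent else 0.0


def report_rate(r: CampaignResult) -> float:
    """Fraction of recipients who reported the email (a positive behaviour)."""
    return r.reported / r.sent if r.sent else 0.0


def evaluate_program(results: List[CampaignResult], min_campaigns: int = 3) -> Dict[str, Any]:
    """Summarise per-campaign rates and give a verdict on the awareness program.

    The verdict is 'effective' when the click rate has fallen and the report
    rate has risen between the first and the most recent campaign,
    're-evaluate' when it has not, and 'insufficient data' when there are too
    few campaigns to judge a trend.
    """
    if len(results) < min_campaigns:
        return {"verdict": "insufficient data", "campaigns": []}

    per_campaign = [
        {"name": r.name, "click_rate": round(click_rate(r), 4),
         "report_rate": round(report_rate(r), 4)}
        for r in results
    ]
    first, last = per_campaign[0], per_campaign[-1]
    clicks_down = last["click_rate"] < first["click_rate"]
    reports_up = last["report_rate"] > first["report_rate"]

    return {
        "verdict": "effective" if clicks_down and reports_up else "re-evaluate",
        "click_rate_change": round(last["click_rate"] - first["click_rate"], 4),
        "report_rate_change": round(last["report_rate"] - first["report_rate"], 4),
        "campaigns": per_campaign,
    }


# Constructed sample data: one year of quarterly test campaigns.
SAMPLE_CAMPAIGNS = [
    CampaignResult("Q1", sent=500, clicked=120, reported=30),
    CampaignResult("Q2", sent=500, clicked=90, reported=55),
    CampaignResult("Q3", sent=500, clicked=60, reported=110),
    CampaignResult("Q4", sent=500, clicked=45, reported=150),
]

if __name__ == "__main__":
    summary = evaluate_program(SAMPLE_CAMPAIGNS)
    for c in summary["campaigns"]:
        print(f"{c['name']}: click rate {c['click_rate']:.1%}, "
              f"report rate {c['report_rate']:.1%}")
    print("Verdict:", summary["verdict"])
```

Tracking the report rate alongside the click rate matters: a falling click rate can also result from staff simply ignoring email, whereas a rising report rate shows they recognised the threat and knew what to do with it.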