Cyber Security Awareness Program (CSAP) for Organizations



CSAP: An inevitable task for an every organization

How much employees in your organization are aware of cyber security. The big question is threatening every organization in this age is security of their cerebral property. On one side, cyber crime is stepping quickly in our daily life. Organization and web users are still not aware about this rising risk of the Cyber Crime. How organizations can fight against rising cyber crime? The simple answer is bringing security awareness in every department of organizations. Conduct a security awareness program for the entire organization and provide security training for selected employees according to business requirements.

When employees fall into a cyber culprit?

Employees innocently access to malicious websites or download software that contains malware or virus. They click on spam emails or phishing emails, which can redirect them to a phishing site to steal their information or money. Sometime employees share their password to an unknown person or transfer data with plugging infected USB drives, which can lead them into trouble.

What should include Cyber security Awareness Program?

CSAP – Cyber Security Awareness Program is essential part of organization. Oregon Government has approved a plan in 2006 to implement security awareness training. The security awareness should obey the following IT standards, laws and regulations, and official guidance documents as:
  • ISO 17799
  • COBIT 4.0
  • HIPAA (Privacy & Security Rules)
  • GLB-A
  • PCI Data Security Standard
  • FISMA
  • NIST SP 800-16
  • NIST SP 800-50
  • Section 508 of the Rehabilitation Act
  • Oregon Accessibility Policy

Best Practices for Security Awareness Program:

The Best Practices identified by the Oregon Government for security program are as follows:
  • Security awareness program is compulsory for the entire staff.
  • All third parties who have access to the organization's information should participate in the security program.
  • The program should start with the introduction of an organization's security policy and expectations.
  • The entire staff must recognize about the organization's information security policy.
  • At least once per year, the entire staff should have security training.
  • Periodic reminder should be sent to all the employees.
  • Management leaders must attend a security program.
  • Security awareness must be given according to the base of roles and responsibility of employees.
  • Common level of security training should be given to all staff.
  • Security awareness program should comprise information of known threats, security needs, legal liabilities, business controls, contact person for incident reporting.
  • Employees should be advised about the importance of security in their personal life.
  • Take a help of external training experts and benchmark for further guidance.
  • IT tools should be used to automate training session.
  • Records of staff training should be kept in staff records.
  • Use qualitative and quantitative metrics for getting feedback and check the effectiveness of the program.
It is clear that a proper strategy and planning is required to implement effective security awareness programs. However, before building a security training program, there are a few recommendations on which I would like to focus.

Few DON'Ts:

  • Do not ignore Training content Update:
  • Do not stick with old training program and keep it updated. It should be relevant, precise, and interesting for the employees.
  • Do not rely on only White paper Training:
  • Make some interesting video and PowerPoint for training program purpose instead of printed white paper. Run a training video contest for the user that fills employees with excitement and energy.
  • Do not puzzle between cyber security awareness and security training:
  • Cyber security awareness changes the behavior of individuals that strengthens security culture while security training provides knowledge about different security aspects.
  • Do not ignore anyone:
  • Set a security awareness program for every employee of the organization. This is the best way to mitigate security risk in an organization.
  • Do not focus only on security compliances:
  • Security awareness is a continuous process therefore, cover every topic, and keep updating it according to business and technology changes.

Few DOs:

  • Take Support of top Management Executives:
  • Compel top executives and middle managers to attend the security awareness program to make other employees aware about their experience.
  • Conduct Program in an interesting way:
  • Add competition or learning techniques in security program to make the entire program effective and interactive.
  • Use different sources of information:
  • Always use images, newsletters, and blogs to provide refreshing security information to keep trainees updated.
  • Focus on awareness material:
  • Make a useful and flexible awareness material that employees can use it outside the work premise and can share with family / friends to spread security awareness.
  • Get feedback and measure success:
  • Get the feedback of employee's like and dislike, effectiveness of the program, and take suggestions to make a better awareness program.
In Addition, employees should be permitted to read security material periodically. Few online materials should be provided by organization, for example; ClickSSL regularly publishes Weekly Infosec Snipper on their blog. Therefore, Employees should be permitted to read such security updates on first day of every week.


 
Return to top of page ClickSSL - Start your E-Business with SSL Certificates