Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:
Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:
A log is kept of the cyber security training events provided by the organization to its staff. The log can be used to show what kind of specific investments the organization has made towards staff's cyber security expertise.
For each training the documentation should include:
The organisation should have a procedure for training and guidance of its personnel. These procedures should include and cover at least the following topics:
The training program should identify specific groups of employees who require this training, such as administrators, those with access to customer networks, and manufacturing personnel.
The training concept must be approved by responsible management. Conduct training and awareness programs regularly and in response to specific events. Ensure that employees know who to contact for information security concerns.
The organization must have a training program defined for personnel regarding data protection. The trainings should take into account the protection need of data when determining the scope, frequency and content of the training.
Personnel who work in critical areas (e.g. IT administrators) must be trained and instructed taking into account their work. They should have specific training courses and instructions.
The top management and the people responsible for the risk management system of the organization must take appropriate cyber security training. The training ensures that their skills and knowledge are sufficient for determining the risks, assessing the cyber security management practices and overall governing and leading the process.
The management body should undergo training at least every two years to keep their knowledge and skills relevant and up-to-date. The training should reflect the organizational needs and be kept in line with the organizational cyber security policies.
The organization needs to remind employees of their roles and security responsibilities. The reminder reinforces staff security awareness, safe practices and compliance with guidelines and legal requirements related to their job role.
Before granting access rights to data systems with confidential information employees have:
The effectiveness of cyber security training is regularly evaluated. The evaluation may include e.g. the following perspectives:
By informing the units on the most important cyber security issues for them and in the language they understand, great strides can be made at the level of cyber security as staff have a better understanding of why different policies and rules apply. Informing can include distributing cyber guidelines in small chunks, various campaigns (e.g. “Security Day”), leaflets, newsletters, competitions or other similar elements.
Security informing may also be referred to as an "awareness program".
Training arranged before granting access rights applies not only to new employees but also to those who move to new tasks or roles, especially when the data systems used by the person and the security requirements related to the job role change significantly with the change of job role. The training is arranged before the new job role becomes active.
Our organization has defined procedures and responsibilities for protecting systems from malware and trains staff to use the protections and to report and recover from malware attacks.
The organization should use real-life scenarios of security incidents in its training materials to train staff and raise awareness. By simulating actual events, employees can better understand potential risks, identify vulnerabilities, and respond more efficiently during real incidents.