Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:
Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:
The Data Protection Officer (or other responsible person) has drawn up operating instructions for personnel handling personal data. In addition, the Data Protection Officer is ready to advise the controller, personal data processing partners or their own staff on compliance with GDPR or other data protection requirements.
Remote workers have their own operating guidelines, which are monitored. In addition, regular training is provided to staff to identify threats to information security arising from the use of mobile devices and remote work, and to review the guidelines.
Especially when local or unstructured data needs to be handled a lot due to the nature of the activity, it may be necessary to develop training that describes the risks involved for staff.
Common problems with local and unstructured data include e.g.:
For data you do not want to lose, that you want to control, or that is important to find in the future, staff should use data systems designed for it.
Personnel under the direction of the entire organization must be aware:
In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.
The security guidelines are specified in connection with the employee's job role. The organization has identified units and roles that require separate guidance and develops its own detailed security guidelines for these.
Examples of units that may require their own guidelines are e.g. customer service, IT and HR. Examples of work roles that require their own instructions are the system administrators and the remote workers.
The organization's top management must demonstrate a commitment to cyber security work and the management system. Management commits to:
Top management also decides the scope of the information security management system and records the decision in the description of the system. This means, for example, whether some parts of the organisation's activities or information are excluded from the scope of the management system, or whether it applies to all information / activities of the organization.
A log is kept of the cyber security training events provided by the organization to its staff. The log can be used to show what kind of specific investments the organization has made towards staff's cyber security expertise.
For each training the documentation should include:
The organization regularly trains staff on the use of utilized malware protection, reporting malware attacks, and recovering from malware attacks.
Ensuring staff security awareness is an important part of protection against malware. Because of this, staff are regularly informed of new types of malware that may threaten them.
The necessary personnel are regularly trained in the use of selected security systems.
The effectiveness of cyber security training is regularly evaluated. The evaluation may include e.g. the following perspectives:
By informing the units on the most important cyber security issues for them and in the language they understand, great strides can be made at the level of cyber security as staff have a better understanding of why different policies and rules apply. Informing can include distributing cyber guidelines in small chunks, various campaigns (e.g. “Security Day”), leaflets, newsletters, competitions or other similar elements.
Security informing may also be referred to as an "awareness program".
Our organization has defined procedures and responsibilities for protecting systems from malware and trains staff to use the protections and to report and recover from malware attacks.