Security awareness and training are perhaps the most overlooked parts of your security management program. Why is security awareness and training so important, and what constitutes a security awareness and training program?

Your Best Security Stewards

Security awareness and training should be an integral part of your corporate security program. Though many businesses overlook the opportunity to tell their employees how to help protect the corporate infrastructure, security awareness and training is really the first line of defense your company has for protecting its valuable corporate assets. Your employees are the stewards of your critical data and information assets, and with the proper training, corporations can enlist the assistance of their employees to mitigate risks.

While most employees are likely conscientious and do their best to perform their duties as expected, your typical information technology employee is a busy person. There are often far more tasks to get through than there is time in a typical day. If the executive management team doesn't make it a priority to emphasize security awareness and training, it's likely employees won't pay it much attention.

However, if your organization institutes even a simple program on a consistent (say, quarterly) basis, the heightened security awareness may save your valuable assets from an expensive and high-impact disaster.

If you are a U.S. federal agency, instituting a security awareness and training program is required by the Federal Information Security Management Act (FISMA) of 2002. While many U.S. federal agencies continue to receive denigrating press about the state of their information security abilities, when it comes to security awareness and training, most U.S. federal agencies are ahead of their U.S. corporate counterparts.

Phases of Awareness & Training

The National Institute of Standards and Technology (NIST) has defined four critical steps that a security awareness and training program should include:

  • Design and planning of the awareness and training program;
  • Development of your awareness and training materials;
  • Implementation of your awareness and training program;
  • Measuring effectiveness and updating your program.

Someone in the corporation, most likely the CIO, should be held accountable for ensuring that all four of these phases occur according to a well-thought-out schedule. Security awareness and training involves assigning security responsibilities to the information stewards of your corporation, and the CIO, or a comparable manager, needs to be accountable for making sure this happens.

This article was first published on IntranetJournal.com.