We recently completed a security training needs assessment for one of the states here on the West Coast. Part of the study was to identify a list of accepted “best practices” in security awareness training.
To do this, we started from a definition given by Dr. John Nugent of the University of Dallas Center of Information Assurance:
Best Practices are those documented, accessible, effective, appropriate, and widely accepted strategies, plans, tactics, processes, methodologies, activities, and approaches developed by knowledgeable bodies and carried out by adequately trained personnel which are in compliance with existing laws and regulations and that have been shown over time through research, evaluation, and practice to be effective at providing reasonable assurance of desired outcomes, and which are continually reviewed and improved upon as circumstances dictate.
Then, we looked for established training practices that met the following criteria:
- Documented.
- Widely accepted.
- Developed by knowledgeable bodies.
- In compliance with existing laws and regulations.
- Effective at providing reasonable assurance of desired outcomes.
- Continually reviewed and improved upon.
We looked closely at IT and business standards, laws and regulations, and official guidance documents such as:
- ISO 17799
- COBIT 4.0
- HIPAA (Privacy & Security Rules)
- GLB-A
- PCI Data Security Standard
- OMB Circular A-130
- FISMA
- NIST SP 800-16
- NIST SP 800-50
- Section 508 of the Rehabilitation Act
Here are 17 of the best practices identified by the study, cross-referenced against the sources that support each one.
STRATEGY & PLANNING

| # | Best practice | Description | Sources |
|---|---|---|---|
| 1 | Mandatory Security Awareness | Security awareness training is mandatory for all staff (including management). | ISO 17799, COBIT 4.0, HIPAA Security Rule, BITS FISAP, FISMA |
| 2 | Training for Third Parties | All third parties with access to an organization’s information receive the same security awareness training, or training to an equivalent level. | ISO 17799, PCI Data Security Std., FISMA, OMB Circular A-130 |
| 3 | Training is Required Before Access is Granted | Security awareness training commences with a formal induction process designed to introduce the organization’s security policies and expectations before access to information or services is granted. | ISO 17799, OMB Circular A-130 |
| 4 | Staff Must Acknowledge Policy | Staff are required to acknowledge that they have read and understood the organization’s information security policy. | PCI Data Security Std., GLB-A |
| 5 | Training at Least Annually | All staff (and third parties) are exposed to security awareness training at least once per year. | NIST SP 800-50 |
| 6 | Periodic Security Reminders | All staff are provided with periodic reminders about information security. | HIPAA Security Rule, NIST SP 800-50, GLB-A, OMB Circular A-130 |
| 7 | Management Support | Management supports and (where appropriate) attends security awareness sessions. | COBIT 4.0, BITS Critical Success Factors |
| 8 | Multiple Points of Contact | Where possible, multiple points of contact (e.g. IT, HR) are used to stress the importance of the program. | BITS Critical Success Factors |

PROGRAM DESIGN & DEVELOPMENT

| # | Best practice | Description | Sources |
|---|---|---|---|
| 9 | Common Level of Security Literacy | A “Common Level” of security training applicable to all staff in this and other organizations has been identified. | NIST SP 800-16, NIST SP 800-50 |
| 10 | Role-Based Training | In addition to the “Common Level”, training for staff is segmented based on roles and tailored accordingly. | NIST SP 800-16, BITS Critical Success Factors |
| 11 | Training Content | Security awareness training includes: Specific content has been determined based on a needs assessment including consideration of regulatory requirements. | NIST SP 800-50, ISO 17799, PCI Data Security Std., HIPAA Security Rule, GLB-A |
| 12 | References to Security Outside Work | Training includes the importance of security to the individual’s life outside of work. | NIST SP 800-50, BITS Critical Success Factors |

DELIVERY & ADMINISTRATION

| # | Best practice | Description | Sources |
|---|---|---|---|
| 13 | Multiple Delivery Modes | Where possible, multiple delivery modes are used to suit different learning modes. | NIST SP 800-50, BITS Critical Success Factors |
| 14 | IT is Leveraged to Provide Training | Information technology is used in an optimized manner to automate training, and to provide tools for the training and education program. | COBIT 4.0 |
| 15 | Accessibility for Staff with Disabilities | Where practical, all training materials should be made accessible to staff with disabilities. Where this is not possible, alternative forms of training are provided. | Section 508 |
| 16 | Record Keeping | Records of staff training are kept in personnel records, or in a compliance-tracking tool/database. | NIST SP 800-50, BITS FISAP, HIPAA Security Rule |
| 17 | Metrics | Both qualitative and quantitative metrics are used to obtain feedback, and to measure the effectiveness of the training program. | NIST SP 800-50, BITS Critical Success Factors |