A well-trained workforce is a valuable asset in any access control system, especially when it comes to defeating social engineering. Employees cannot be expected to respond appropriately to a security situation if they have never been shown how to handle it, and social engineers count on exactly that gap.
Simply handing a new hire the employee handbook and expecting him or her to read the sections on security policy is not enough. A good security awareness program should:
What should employees learn about security? Two policies found in most organizations, the acceptable use policy and the security awareness policy, cover the security information most employees need. Neither policy is a one-size-fits-all solution; each organization will have its own version.
An acceptable use policy (AUP) defines how employees may use the IT infrastructure the organization supplies. In general, an acceptable use policy specifies whether employees may use organization resources such as networks, Internet connections, and email accounts for personal purposes. It may also define whether employees may download files from the Internet, forward joke emails or chain letters, or send spam. An acceptable use policy generally forbids any activity that is prohibited by federal, state, or local law or that would put the organization out of regulatory compliance. Common elements in an acceptable use policy are:
Most acceptable use policies go into more depth than this, but these items appear in nearly every one.
A security awareness policy specifies what individual employees are responsible for in terms of information security. It also defines the responsibilities of managers and information owners. Because threats and countermeasures change constantly, many security awareness policies do not lay out specific procedures; instead they refer employees to a resource that is kept current, such as a page on the organization's intranet, so the policy itself does not have to be reissued every time a procedure changes.
In general, employees must agree to read and follow security procedures. Managers are responsible for providing training and security resources for those under their supervision, and information owners are responsible for classifying their information and taking appropriate steps to safeguard it. Some common elements in a security awareness policy include:
Many security awareness policies also reference other documents, both internal policies and external resources, that employees can consult if they are unsure whether a given situation constitutes a security threat or whom to report it to.