The information security domain consists of many concepts and definitions. In addition, an organization's information security initiatives involve many policies, procedures, and technology components. For the organization to maintain an effective security posture, its personnel must be aware of the security requirements, of organization-specific security policies and procedures, and, most importantly, of their own role-specific responsibilities pertaining to security.
Security awareness and training is one of the core components of the risk management program in any organization. The objective is to ensure that the personnel are aware of the security requirements and are trained to handle day-to-day security events.
National Institute of Standards and Technology (NIST) publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, recommends seven steps for a security awareness and training program. The publication groups these best practices into three broad areas: the identification, management, and evaluation of training and awareness programs.
The international standard ISO/IEC 27002, Information technology - Security techniques - Code of practice for information security management, is a recognized international standard that provides best practices across the various domains of information security. It defines the following good practices that a security professional should be aware of pertaining to security awareness and training: