18 Best Practices in Security Awareness Training
In 2006, the State of Oregon commissioned a study to determine the best way to deliver security awareness training to state employees, and to develop a plan for its implementation. As part of that study, a list of security awareness best practices was developed based on a definition given by Dr. John Nugent of the University of Dallas Center of Information Assurance:

Best Practices are those documented, accessible, effective, appropriate, and widely accepted strategies, plans, tactics, processes, methodologies, activities, and approaches developed by knowledgeable bodies and carried out by adequately trained personnel which are in compliance with existing laws and regulations and that have been shown over time through research, evaluation, and practice to be effective at providing reasonable assurance of desired outcomes, and which are continually reviewed and improved upon as circumstances dictate.
The study therefore looked for established training practices that met all of the following criteria:
  1. Documented.
  2. Widely accepted.
  3. Developed by knowledgeable bodies.
  4. In compliance with existing laws and regulations.
  5. Effective at providing reasonable assurance of desired outcomes.
  6. Continually reviewed and improved upon.
with particular emphasis on IT and business standards, laws and regulations, and official guidance documents such as:
  • ISO 17799
  • COBIT 4.0
  • HIPAA (Privacy & Security Rules)
  • GLB-A
  • PCI Data Security Standard
  • NIST SP 800-16
  • NIST SP 800-50
  • Section 508 of the Rehabilitation Act
  • Oregon Accessibility Policy
Here are the 18 best practices that were identified in the study.

Strategy & Planning
1. Mandatory Security Awareness: Security awareness training is mandatory for all staff (including management).
2. Training for Third Parties: All third parties with access to an organization's information receive the same security awareness training, or training to an equivalent level.
3. Training is Required Before Access is Granted: Security awareness training commences with a formal induction process designed to introduce the organization's security policies and expectations before access to information or services is granted.
4. Staff Must Acknowledge Policy: Staff are required to acknowledge that they have read and understood the organization's information security policy.
5. Training at Least Annually: All staff (and third parties) are exposed to security awareness training at least once per year.
6. Periodic Security Reminders: All staff are provided with periodic reminders about information security.
7. Management Support: Management supports and (where appropriate) attends security awareness sessions.
Program Design & Development
8. Common Level of Security Literacy: A "Common Level" of security training applicable to all staff in this and other organizations has been identified.
9. Role-Based Training: In addition to the "Common Level", training for staff is segmented based on roles and tailored accordingly.
10. Training Content: Security awareness training includes:
  • Information on known threats.
  • Security requirements.
  • Legal responsibilities.
  • Business controls.
  • Information on the disciplinary process.
  • Who to contact for further security advice or to report incidents.
Specific content has been determined based on a needs assessment including consideration of regulatory requirements.
11. References to Security Outside Work: Training includes the importance of security to the individual's life outside of work.
12. External References: External training experts are leveraged, and benchmarks are used for guidance in developing the program.
13. Multiple Delivery Modes: Where possible, multiple delivery modes are used to suit different learning styles.
14. Accessibility for Staff with Disabilities: Where practical, all training materials should be made accessible to staff with disabilities. Where this is not possible, alternative forms of training are provided.
Delivery & Administration
15. Multiple Points of Contact: Where possible, multiple points of contact (e.g. IT, HR) are used to stress the importance of the program.
16. IT is Leveraged to Provide Training: Information technology is used in an optimized manner to automate training, and to provide tools for the training and education program.
17. Record Keeping: Records of staff training are kept in personnel records, or in a compliance-tracking tool/database.
18. Metrics: Both qualitative and quantitative metrics are used to obtain feedback, and to measure the effectiveness of the training program.