Security awareness
Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization. Many organizations require formal security awareness training for all workers when they join the organization and periodically thereafter, usually annually.
Topics covered in security awareness training include:
- The nature of sensitive material and physical assets they may come in contact with, such as trade secrets, privacy concerns and government classified information
- Employee and contractor responsibilities in handling sensitive information, including review of employee nondisclosure agreements
- Requirements for proper handling of sensitive material in physical form, including marking, transmission, storage and destruction
- Proper methods for protecting sensitive information on computer systems, including password policy and use of two-factor authentication
- Other computer security concerns, including malware, phishing, social engineering, etc.
- Workplace security, including building access, wearing of security badges, reporting of incidents, forbidden articles, etc.
- Consequences of failure to properly protect information, including potential loss of employment, economic consequences to the firm, damage to individuals whose private records are divulged, and possible civil and criminal penalties
Being security aware means you understand that some people may deliberately or accidentally steal, damage, or misuse the data stored within a company's computer systems and throughout its organization. It is therefore prudent to protect the institution's assets (information, physical, and personal) by taking steps to prevent this from happening.
According to the European Network and Information Security Agency, 'Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks.'
'The focus of Security Awareness consultancy should be to achieve a long term shift in the attitude of employees towards security, whilst promoting a cultural and behavioural change within an organisation. Security policies should be viewed as key enablers for the organisation, not as a series of rules restricting the efficient working of your business.'
See also
- Access control
- Physical Security
- Security
- Security controls
- Security management
- ISO/IEC 27002
- Winn Schwartau
- MindfulSecurity.com: The Free Information Security Awareness Resource
- "Infragard Awareness Security Awareness Training"
- Free Security Awareness Resources
- Security Awareness Training Demos
- The Security Awareness Company: One of the country's leading security awareness training companies. Several free pieces of security art as well as sample newsletters and free articles
- Humanisec: Employee Data Security Awareness, Training and Compliance
- Security Awareness Training Blog
- NIST 800-50: Security Awareness and Training Program
- ENISA: A Users’ Guide: How to Raise Information Security Awareness
- Zero Flaws: articles that promote security awareness and understanding for non-technical people
- Microsoft: Free security awareness materials from Microsoft including templates, posters and presentations
- MSU Information Security Awareness Center: has links to dozens of free resources that might be useful to those creating a security awareness program
- Examples of the latest in online video awareness training
- Why Awareness? (Video short)
- Terranova Information Security Awareness
- Security Awareness Posters