Control of the Week #12
This week’s control involves Security Awareness Training. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), Jitendra Juithani (Senior Manager, IS Risk & Compliance), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why regularly training your employees on your policies and security practices can be vital to your audit.
Why this control is important
AT2 – Information Security Awareness Training – Employees are required to complete an information security and awareness training annually.
“Employees are both an organization’s biggest asset, and its weakest link when it comes to security,” says Jose Costa as he and the Tugboat Labs team walked us through this week’s control. People are the most unpredictable pieces of your security puzzle. Mistakes, negligence, an eagerness to help (exactly what social engineering exploits) or simply a lack of training can all become risks for your organization if employees do not know what they are expected to detect, or fail to follow the procedures they are given. Security awareness is all-encompassing for your organization, and it is key to maintaining the policies that keep your information and assets safe.
Creating a plan for Security Awareness Training is only half the battle. The control is satisfied by carrying out that plan and ensuring that every employee actually completes the training on schedule. Investing in training and awareness programs is also vital for sustainable business growth and success.
This control ensures that employees who are not yet aware of your security practices are informed of them, and that employees who already are have the policies, and the consequences of breaching them, spelled out and acknowledged. Overall, you want to eliminate ignorance as an excuse for failing to follow your organization’s security policies. If an incident happens, you will at least have records showing that training was given to your employees, when it was given, and that they acknowledged it.
How to implement this control for your audits
Plenty of strategies for training and awareness are available to you! These programs can be as simple as posting flyers in a break room (a little less common in the Covid Age; I know!) or as elaborate as a multi-day program that brings your employees up to date on your organization’s policies and best practices. Smaller organizations may take a more casual approach while larger ones will have much more formal programs. Much of what is done will depend on your Training Plan (which was discussed in Control of the Week 11).
This control must be fulfilled at least annually, and again whenever there are significant changes to the organization’s policies. Some organizations choose to run training quarterly, depending on their specific needs. There are many ways to deliver the training, but as with many other controls, the key is to do it, and to do it regularly. It is up to your organization to keep proof of completion and to make sure the training covers all of the security policies and procedures in place.
Some low-budget strategies for improving security awareness training can be found in another one of our blogs!
Overall, auditors will be looking for:
- A training plan (see CoW 11) that identifies the relevant training needs for employees and departments.
- Records proving that training has been carried out at least annually.
- Evidence that all employees have completed the training and acknowledged it (e.g. with a signed statement).
- Records of onboarding training for new hires.
- Last but not least, your company’s compliance with its defined training plan.
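Before an audit, it helps to run the same checks an auditor will run over your training records. The script below is an added example, not code from the original post or from Tugboat Logic: it takes a constructed employee roster and training log and flags every employee who is missing onboarding training, has no completion in the last 365 days, was last trained before the most recent significant policy change, or never acknowledged the training. The 30-day onboarding window, the data layout and the sample names are assumptions made for the example; the annual and policy-change requirements come from the control as described above.

```python
from datetime import date, timedelta

ANNUAL_WINDOW_DAYS = 365       # control AT2: training at least annually
ONBOARDING_WINDOW_DAYS = 30    # assumption for this example: new hires trained within 30 days of hire

# Constructed sample roster (not real records).
EMPLOYEES = [
    {"id": "e1", "name": "Alice", "hired": date(2020, 3, 2)},
    {"id": "e2", "name": "Bob", "hired": date(2021, 1, 11)},
    {"id": "e3", "name": "Carol", "hired": date(2021, 4, 1)},
    {"id": "e4", "name": "Dan", "hired": date(2019, 6, 15)},
]

# Constructed training log. Each record: employee id, kind ("onboarding" or
# "annual"), completion date, and whether the employee acknowledged the policies
# (the signature or statement an auditor asks for).
TRAINING_RECORDS = [
    {"emp": "e1", "kind": "onboarding", "completed": date(2020, 3, 10), "acknowledged": True},
    {"emp": "e1", "kind": "annual", "completed": date(2021, 2, 20), "acknowledged": True},
    {"emp": "e2", "kind": "onboarding", "completed": date(2021, 1, 20), "acknowledged": False},
    {"emp": "e3", "kind": "annual", "completed": date(2021, 4, 5), "acknowledged": True},
    {"emp": "e4", "kind": "onboarding", "completed": date(2019, 6, 20), "acknowledged": True},
    {"emp": "e4", "kind": "annual", "completed": date(2020, 1, 15), "acknowledged": True},
]

# Date of the last significant policy change (assumed for the example). Training
# completed before this date does not count, because the control requires
# retraining when policies change significantly.
LAST_POLICY_CHANGE = date(2021, 1, 1)


def evaluate(employees, records, last_policy_change, today):
    """Return {employee_id: [findings]} for each employee with a gap.

    An empty dict means every employee satisfies the control as of `today`.
    """
    by_emp = {}
    for rec in records:
        by_emp.setdefault(rec["emp"], []).append(rec)

    findings = {}
    for emp in employees:
        recs = by_emp.get(emp["id"], [])
        issues = []

        # 1. Onboarding training must exist and fall within the onboarding window.
        onboarding = [r for r in recs if r["kind"] == "onboarding"]
        if not onboarding:
            issues.append("no onboarding training record")
        else:
            first = min(r["completed"] for r in onboarding)
            if first > emp["hired"] + timedelta(days=ONBOARDING_WINDOW_DAYS):
                issues.append("onboarding training completed late")

        # 2. The most recent training of any kind must be within the annual window...
        latest = max(recs, key=lambda r: r["completed"], default=None)
        if latest is None or today - latest["completed"] > timedelta(days=ANNUAL_WINDOW_DAYS):
            issues.append(f"no training completed in the last {ANNUAL_WINDOW_DAYS} days")

        # 3. ...and must postdate the last significant policy change.
        if latest is not None and latest["completed"] < last_policy_change:
            issues.append(f"no training since policy change on {last_policy_change}")

        # 4. The most recent training must carry the employee's acknowledgement.
        if latest is not None and not latest["acknowledged"]:
            issues.append("latest training not acknowledged")

        if issues:
            findings[emp["id"]] = issues
    return findings


def control_satisfied(employees, records, last_policy_change, today):
    """True only when no employee has any finding."""
    return not evaluate(employees, records, last_policy_change, today)


if __name__ == "__main__":
    as_of = date(2021, 6, 1)
    for emp_id, issues in evaluate(EMPLOYEES, TRAINING_RECORDS, LAST_POLICY_CHANGE, as_of).items():
        print(emp_id, "->", "; ".join(issues))
    print("control satisfied:", control_satisfied(EMPLOYEES, TRAINING_RECORDS, LAST_POLICY_CHANGE, as_of))
```

Run against the sample data as of 2021-06-01, Alice is clean, Bob is flagged for a missing acknowledgement, Carol for a missing onboarding record, and Dan for both a stale completion and training that predates the policy change. Note that a script like this only checks that the records are internally consistent; the auditor will still want the records themselves (the plan, the completion log, the signed acknowledgements) as evidence.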