One of the most critical components of any information security program is the people. Humans are what make or break security, so an effective awareness program is essential. Like every other control, it is something that needs to be assessed.
The following are a few questions that may be asked in order to assess an awareness program.
- Is a current information security awareness program in place to ensure all individuals who use information technology resources or have access to these resources are aware of their security responsibilities and how to fulfill them?
- Is the program approved by senior management?
- Does the process specify timeframes and re-training requirements?
- Is it fully documented?
- Are new employees trained within 30 days of being hired?
- Do all employees sign that they have understood and accept the training and organizational policies?
- How often is refresher training provided?
- Do your staff know what is expected of them in their role regarding security, both for the organization and for your division?
- When did you last attend a security workshop for staff provided by the Security Division?
- Are our contract staff included in security awareness sessions?
- What areas does the awareness training cover (e.g. password practices, use of anti-malware)?