S 1.13 Information security awareness and training


Description

In order to effectively implement information security safeguards in a company and/or government agency, the organisation must develop a security culture and an awareness of security issues. The organisation must convince all employees that information security is an essential component of the success of the respective organisation. For this, the organisation must also communicate why certain security safeguards are necessary and useful. Likewise, all employees must know what is expected from them in terms of information security and how they should respond in situations critical to security. This requires long-term changes in the behaviour of the employees in a variety of areas and can only be achieved through a long and continuous process. One-time training or awareness-raising events are not adequate in this case.

Informed and trained employees are a prerequisite for reaching the goals set by the government agency or company. In addition, providing information and training ensures that all employees are able to judge the effects and consequences of their actions in both professional and private environments. The objective of awareness-raising is to sensitise employees to information security problems. Training on information security provides employees with the skills and knowledge they need to perform their specialised tasks securely. It must be ensured that all employees are familiar with the relevant workflows and know who to contact when they have security questions or need to resolve security problems.

To ensure the support of the employees for training and awareness-raising measures over the long term, it is essential that management explains why information security matters. This module is therefore generally recommended to all people responsible for information security in an organisation, regardless of its size.

This module therefore describes how to establish and maintain an effective training and awareness-raising programme for information security.

Threat scenario

The following typical threats to IT-Grundschutz will be examined in this module:

Organisational Shortcomings

T 2.2 Insufficient knowledge of rules and procedures
T 2.7 Unauthorised use of rights
T 2.102 Insufficient awareness of IT security
T 2.103 Insufficient training of employees

Human Error

T 3.1 Loss of data confidentiality or integrity as a result of user error
T 3.3 Non-compliance with IT security measures
T 3.8 Improper use of the IT system
T 3.9 Improper IT system administration
T 3.44 Carelessness in handling information
T 3.77 Insufficient acceptance of information security

Deliberate Acts

T 5.2 Manipulation of information or software
T 5.9 Unauthorised use of IT systems
T 5.19 Abuse of user rights
T 5.20 Misuse of administrator rights
T 5.42 Social Engineering
T 5.104 Espionage

Method recommendation

To secure the information system examined, other modules must be implemented in addition to this module, with these modules being selected based on the results of the IT-Grundschutz modelling process.

To raise awareness of information security throughout an organisation, the organisation should develop a programme for this purpose. The programme could include training measures, training seminars, security campaigns, and other activities. A series of steps must be taken to effectively implement such a programme.

Planning and design

The support of the management is needed for the entire security process. This requires that the management is sufficiently aware of the importance of information security. Safeguard S 3.44 Making management aware of information security issues describes how an organisation can accomplish this.

First, the training and awareness-raising programme must be strategically planned and prepared. The steps necessary for planning and preparation are described in safeguard S 2.312 Design of an information security training and awareness program and explained in more detail in the subsequent safeguards. For this reason, implementation should start with safeguard S 2.312.

The security policies form the foundation of every training programme, and a government agency or company should have general security policies as well as separate security policies for various areas (see S 2.192 Drawing up an information security policy).

Purchasing

Internal or external personnel who are able to prepare and conduct the awareness-raising and training measures will be needed to carry out the training and awareness-raising programme (see S 3.48 Selection of trainers or training providers for more information).

Implementation

Various resources are needed to carry out training and awareness-raising measures, for example personnel for designing and implementing the measures and rooms for training. Special security aspects that need to be taken into account when designing training rooms can be found in module S 2.11 Meeting, event, and training rooms.

The contents of a training programme for information security must be selected appropriately according to the specific target group (see S 3.45 Planning training contents on information security).

Operation, continuous maintenance, and refinement

An essential component of every training programme for information security is training the employees on how to handle IT (see S 3.4 Training before actual use of a program, S 3.11 Training of maintenance and administration staff, S 3.26 Instructing staff members in the secure handling of IT, and other topic-specific safeguards).

When introducing new technologies, the employees should be informed in good time of the changes, made aware of the potential threats of the new technology, and informed of the corresponding security safeguards so that the new technologies are also used properly.

How an organisation can promote the development of information security awareness in the employees is described in S 2.198 Making staff aware of information security issues and S 3.47 Performing simulations on information security.

Suitable contact persons should also be available at all times to answer any security questions (see S 3.46 Contact persons for security questions).

The bundle of safeguards for information security training and awareness-raising is presented below. Safeguards presented in other modules are not repeated here.

Planning and design

S 2.312 (A) Design of an information security training and awareness program
S 3.44 (A) Making management aware of information security issues

Purchasing

S 3.48 (Z) Selection of trainers or training providers

Implementation

S 3.45 (A) Planning training contents on information security
S 3.46 (A) Contact persons for security questions
S 3.49 (B) Training the IT-Grundschutz methodology

Operation

S 2.198 (A) Making staff aware of information security issues
S 3.4 (A) Training before actual use of a program
S 3.5 (A) Training on security safeguards
S 3.11 (A) Training of maintenance and administration staff
S 3.26 (A) Instructing staff members in the secure handling of IT
S 3.47 (Z) Performing simulations on information security