S 3.5 Training on security safeguards
Initiation responsibility: IT Security Officer, Supervisor
Implementation responsibility: Supervisor, IT Security Officer
As numerous concrete examples show, for instance the damage statistics compiled by electronics insurers, damage often results simply from ignorance of elementary security safeguards. To prevent such damage, every employee must be trained in the proper handling of the IT systems and of business-related information, and must also be motivated to handle them with care. Employees can only be expected to understand why particular information security safeguards are required if they have been educated accordingly.
The following presents the core topics to be covered in a training programme for security safeguards. Detailed descriptions of the training content for specific target groups can be found in S 3.45 Planning training contents on information security.
- Building IT security awareness
The importance of security issues must be made clear to every employee. A suitable starting point for awareness-raising is to point out how dependent the government agency or company (and therefore the employees' jobs) is on the smooth operation of its business processes. Furthermore, the value of information in terms of its confidentiality, integrity and availability must be made clear. These awareness-raising measures must be repeated at regular intervals.
- Staff-related IT safeguards
This topic should cover the security safeguards in the information security concept that are to be implemented by the individual employees. Depending on the business process or specialised task, there may be further assets that need to be protected or that have a different protection requirement. The employees should be informed how important particular information or other assets are for the organisation and what they need to bear in mind when handling them. This part of the training programme is very important because many security safeguards can only be implemented effectively once the employees have been trained and motivated accordingly.
- Product-related IT safeguards
This topic should cover the security safeguards built into a product such as an IT system, which are often already supplied with the product. These include, for example, login passwords, but also functions for encrypting documents or data fields. Instructions and recommendations for structuring and organising files, for instance, can considerably reduce the time and effort required to back up data.
- Procedures in the event of malware
The employees should be instructed in how to handle computer viruses or other malware. Possible contents of this training topic include (see S 6.23 Procedures in the event of malware):
- Detecting computer virus infections
- Mode of action and types of computer viruses
- Immediate action to be taken when virus infection is suspected
- Action required to eradicate the computer virus
- Preventive measures
- Authentication
Employees should be able to handle the existing authentication mechanisms and the credentials they require (such as passwords or tokens) correctly. For example, the importance of passwords for information security should be explained to them, together with the general prerequisites that must be met for the use of passwords to be effective in the first place (see also S 2.11 Provisions governing the use of passwords).
- Importance of having and generating data backups
Regular data backup is one of the most important security safeguards for any information system. The employees should be informed of the data backup policy (see module M 1.4 Data Backup Policy) of the government agency or company and of the data backup tasks that all users are required to perform. This is especially important in departments where the users themselves are responsible for backing up the data.
- Handling personal data
Special requirements apply to the handling of personal data. Employees who work with personal data must be trained in the security safeguards required by law. This applies, for example, to handling requests for information and requests for correction from the data subjects, legally prescribed deadlines for deleting data, protecting the confidentiality of the data, and transmitting the data.
- Instruction in emergency measures
All employees must be instructed in the existing emergency measures. This includes explaining the escape routes, how to respond in the event of a fire or other emergency, how to use fire extinguishers, and the emergency reporting paths (who must be informed first).
- Prevention of social engineering attacks
The employees should be informed of the danger posed by social engineering. They should be told about the typical patterns such attacks follow in order to elicit confidential information, as well as about the methods used to protect against them. Since social engineering attacks are often conducted under a false identity, employees should be reminded regularly that they need to verify the identity of the person they are talking to, and in particular that they should never pass on confidential information over the telephone.
When training the employees, it must always be borne in mind that it is not enough to train an employee once in the entire course of his or her employment. In almost all forms of training, and especially in lecture-style classroom training, the participants are confronted with large amounts of new information. Only a small proportion of this information is retained in long-term memory; in general, around 80% of what was presented will already have been forgotten by the end of the training programme.
For this reason, employees should receive regular training in information security topics, and awareness-raising measures should also be carried out regularly. Suitable occasions include, for example:
- In brief presentations on recent security issues
- In the framework of regular events such as department meetings
- Through interactive training programmes that are available to all employees
Review questions:
- Do the employees receive training on all topics relating to the information security safeguards?
- Are the employees informed how important certain information or other objects are and what they need to bear in mind when handling this information or these objects?
- Are employees who work with personal data trained in the security safeguards required by law?
- Do the employees receive regular training in the topics relating to information security and are awareness-raising measures performed regularly?