
a) be updated regularly with information security messages using a broad range of communication methods (eg email, instant messaging, smartphones (texts), e-book readers, media players and intranets)

b) confirm their compliance with the information security policy (and other related policies) on a regular basis (eg by selecting a confirmation dialogue box as part of the login process for their computer, when starting business applications or upon accessing the organisation’s intranet)

c) be tested on their knowledge of information security throughout the year (eg using questionnaires, computer-based training (CBT) and interviews).

CF2.2.6

The effectiveness of the security awareness programme should be monitored by:

a) measuring the level of information security awareness of staff

b) reviewing the level of information security awareness regularly

c) measuring the benefits of security awareness activities (eg by measuring the amount of confidential waste produced, comparing the number of security-related calls to the information security helpdesk or equivalent, testing the strength of passwords or monitoring the frequency and magnitude of information security incidents experienced)

d) obtaining feedback from users (ie what worked well and what needs to be improved).

Related areas / topics

CF1.1 Information Security Policy

CF2.3 Security Awareness Messages

ISF resources

Effective Security Awareness: Workshop Report

The Evolution of Security Awareness: Overview

Protecting Information in the End User Environment

Beyond the clear desk policy: Releasing untapped potential in your staff

CONTROL FRAMEWORK

www.securityforum.org

CF

FUNDAMENTAL

CF2.3 2011 Standard of Good Practice • Copyright © 2011 Information Security Forum

CF2.3

Security Awareness Messages

Principle

Individuals who have access to the information and systems of the organisation should have tailored and appropriate security messages communicated to them on a regular basis.

Objective

To ensure individuals remain aware of the importance and need for information security on an ongoing basis, and maintain a security-positive culture throughout the organisation.

CF2.3.1

Individuals who have access to information and systems should be made aware of:

a) the meaning of information security (ie the protection of the confidentiality, integrity and availability of information)

b) why information security is needed to protect information and systems

c) the common types of threat the organisation faces (eg identity theft, mobile malware, hacking, information leakage and insider threat)

d) the importance of complying with information security policies and applying associated standards / procedures

e) their personal responsibilities for information security (eg protecting privacy-related information and reporting actual and suspected information security incidents).

CF2.3.2

Security awareness communications should incorporate key messages, including the:

a) definition of the information lifecycle (ie creation, processing, storage, transmission and destruction) and the risks of handling the different formats of information at different stages of its lifecycle (eg electronic files, emails and paper-based documents)

b) difference between critical information, which needs to be available and have integrity (eg prices / exchange rates, manufacturing information and medical records) and confi dential information, which can only be disclosed to authorised individuals (eg product designs, merger and acquisition plans, medical records and business strategy information)

c) threats associated with users, the technology they use and the physical location(s) of the local environment, such as information leakage as a result of blogging, social engineering attacks and corruption of information in desktop applications

d) actions and behaviour required of users to help address these threats (including rules on the use of blogging and social networking websites and being aware of social engineering attacks)

e) control areas that have been assessed as weak

f) security arrangements requiring proactive steps by the user, for example when handling information beyond the control of the organisation (eg when working at home or travelling)

g) need to comply with policies such as those for ‘clear desk’ initiatives and logging off or locking systems when leaving a mobile device unattended.

CF2.3.3

Individuals who have access to and use electronic communication technologies (eg email messages, instant messages, social network blogs (web logs) and messages posted on collaboration websites) should be made aware:

a) of appropriate behaviour (eg only attaching files to emails when necessary and avoiding the sharing of email threads)

b) of the security features provided with electronic communications (eg digitally signing emails and encrypting instant messages)

c) that the content of messages may be legally and contractually binding

d) that electronic communication may be monitored.


CF2.3.4

Individuals who use computer systems to communicate should be made aware that they are prohibited from:

a) making sexual, racist or other statements that may be offensive (eg when using email, instant messaging, collaboration software, the Internet, or the telephone)

b) making obscene, discriminatory or harassing statements, which may be illegal (eg when using email, instant messaging, collaboration software, the Internet, or the telephone)

c) downloading illegal material (eg with obscene or discriminatory content or which breaches copyright)

d) opening attachments from unknown or untrusted sources

e) sending messages to unknown recipients.

CF2.3.5

Individuals who have access to information and systems should be made aware that they are prohibited from:

a) unauthorised use of the organisation’s information or systems

b) using information and systems for purposes that are not work-related

c) using unauthorised information facilities or equipment (eg unauthorised external party software, USB sticks or modems)

d) unauthorised copying of information or software

e) disclosing confidential information (eg customer records, product designs and pricing policies) to unauthorised individuals

f) compromising passwords (eg by writing them down or disclosing them to others)

g) using personally identifiable information (ie information that can be used to identify an individual person) unless explicitly authorised

h) moving information or equipment off-site without authorisation (or when unencrypted)

i) failing to protect computer equipment when using it in remote environments (eg when travelling or working from home).

CF2.3.6

Individuals who have access to information / systems should be made aware of the dangers of being overheard when discussing business information over the telephone or in public places (eg train carriages, airport lounges or bars).

Related areas / topics

CF1.1 Information Security Policy

CF2.2 Security Awareness Programme

ISF resources

Effective Security Awareness: Workshop Report

The Evolution of Security Awareness: Overview

Protecting Information in the End User Environment


CF2.4

Security Education / Training

Principle

Staff should be educated / trained in how to run systems correctly and how to develop and apply information security controls.

Objective

To provide staff with the skills required to protect systems and fulfil their information security
