Learn how to provide security awareness training to employees to meet regulatory compliance requirements.
Employees are part of an organization's attack surface, and ensuring they have the know-how to defend themselves and the organization against threats is a critical part of a healthy security program. If an organization needs to comply with government and industry regulations such as FISMA, PCI DSS, HIPAA or Sarbanes-Oxley, it must provide security awareness training to employees to meet regulatory requirements.
Depending on the internal security resources and expertise available at an organization, it might make sense to bring in a third party to assist with security awareness training services. Whether or not outside help is used, an organization's leaders should understand what goes into building a security awareness training program, participate in it, and provide feedback throughout the process.
Every organization will have a style of training that is more compatible with its culture. There are many options, including:
In some cases, a combination of these may be the best option. Security awareness training is not a one-time event. Regular security training delivered through a variety of media is ideal, especially if the organization has high staff turnover.
An organization's unique threat profile should also be factored in when deciding what subjects to cover. Possible topics include, but are not limited to:
Having a process in place to measure training effectiveness is essential. One approach is to use quizzes. Quizzes should be issued before the training is deployed to get a baseline measurement and afterwards to see what has changed. If phishing drills are conducted regularly, organizations should keep track of whether employee response to these drills improves (or worsens!) as they undergo security awareness training.
Although it may be less scientific, organizations can also try to determine the impact of training by looking for trends in the number and type of security incidents occurring over time as they add more employees and assets to the organization. It may also be useful to have an individual walk around the office looking for exposed passwords, unlocked computers, and potential physical security risks a few times before and after training to determine whether behavior has changed.
Security may be the top priority of the security team, but other teams have their own goals. Organizations should do their best to respect that time; ideally, training should be customized based on an employee's role to ensure all of the training content is relevant to the individual and the work they do.
This allows employees to focus on what matters and get back to work as quickly as possible. It also ensures that higher-risk users in the organization, such as domain administrators, receive appropriate training on the vulnerabilities and threats that are more relevant to their work.
When reviewing policies and best practices with employees, it is important to always explain why each one matters. Users will be more likely to abide by policies if they understand the full context behind them and believe it is the right thing to do. For example, the risks of installing random software from the Internet become much more apparent to someone who sees how quickly a well-disguised piece of ransomware can encrypt every file on their workstation.
Finally, organizations should avoid calling out individual employees or appearing condescending if someone struggles with a training exercise. Instead, team leaders should focus on creating an environment where everyone is comfortable asking questions and reporting incidents.
At the end of training, users should leave feeling empowered to help protect the organization and excited to collaborate with other teams to create a more secure environment. Understanding your organization's unique needs and culture will be critical to making this training a success.