Monday, March 2, 2009

Security Awareness and Training

Adequate training of all personnel is critical to the effective implementation of information security. Security awareness and training activities should be ongoing to further demonstrate management’s commitment to information security.

Information security policies and procedures are of little use unless they are understood and observed by the personnel who are affected by them. The agency must be proactive in communicating its expectations and requirements to its personnel, as well as in prescribing disciplinary action for non-compliance. It is not sufficient to publish policies and assume that personnel are aware of them, will read them and will adhere to them.

The agency must foster the development of a pervasive information security culture and personalize the issue so that all personnel are aware of their own responsibilities.

Personnel should be made aware of the importance of the information and processes they handle, of the associated threats, vulnerabilities and risks, and should understand why controls are needed.

Personnel should be appropriately trained to perform their tasks, prior to access to systems and information being granted. Different levels of training may be required to match the requirements of their jobs. Security officers may require specialized security training or education.

Disciplinary measures that may be invoked for deliberate breaches of security should be publicized.

Periodic information security awareness seminars for all personnel should be conducted to advise of industry developments in information security and of new security initiatives within the agency, to present case studies, and to reinforce the need for security and for complying with the policies and procedures.
