Outline for training and awareness plan
This document describes the security training and awareness activities. The organization recognizes it is essential to have well trained users and support staff in order to achieve safe and secure operations of the infrastructure and the data on the infrastructure.
(maybe something on confidentiality, integrity and availability?).
The aim of security training and security awareness is to make sure that everyone involved with the acquisition, design, development, use and management of the infrastructure has actual and accurate knowledge about security, security techniques, rules, regulations and knows how to apply this in day-to-day operations and in emergency situations. Security training and awareness is crafted for a role or a function and can even be crafted on individual persons when they have specialized tasks.
Security awareness is a recurring effort. After initial training anyone involved with the infrastructure, and the data on it, will have to keep knowledge and experience with security up-to-date. Different subjects apply to different kind of users. This document defines the different training targets groups and what subjects they need to be trained on. It also gives an outline of a training schedule that can be used to adapt for different target groups.
Training Schedule
A typical training schedule has several types of trainings and looks like this:
- Initial security training: getting acquaintanced with rules and regulations. Initital training will be specific for a role or function.
- Repeat security training: on a regular basis repeat parts of the initial training and get more indepth training on specific subjects, related to a specific role or function.
- Regular security awareness training: repeated security awareness activities on several generic and actual subjects, a mix of high- end low-intensity
Most of the trainings will be held according to a pre-determined schedule. However the schedule should not be to tight: As a result of incidents there can be a necessity for ad hoc additional or repeated training.
Initial training
When someone start in a new function, a new role of starts using of managing a new system there should be an initial security training. This initial training gives all security details about the security aspects of the new role or function. It will make the new person acquaintance with rules and regulations, processes and procedures for both day-to-day operations and for emergency situations. This applies for both usage of systems and for acquiring, designing, developing and managing systems.
Security awareness training
<…>
Maintenance of the training plan
Trainings and the training plan need to be maintained on a regular bases. It is a good practice to set up and review the training plan on a yearly basis. Based upon feedback from training activities trainings you can identify if there is any training module that needs to be updates or replaced, or if there are any subjects missing or new subjects have come up. There also might be new trainings available within the communities or commercial that can be a good or better alternative for existing training modules.