Category: Periodic, Corporate Security
Responsible: CSR
Effort: 5 hours, 1 hour per employee
Based on: BSI IT Grundschutz M 2.312 / M 2.331 / M 2.332 / M 2.557
Since information security incidents cannot be prevented entirely, it is important that every employee in the company (including founders, freelancers and trainees) knows how to deal with such an event. Therefore it is necessary to raise employee awareness through regular training, well-designed information material, and regular news and warning messages about current threats.
The following approach serves as an example:
1) Create training material and an emergency process
Before employees can be trained, the information security responsible(s) should consider their target audience and what they want to communicate to the staff. Training material should be created based on these considerations and made available to everyone in the company.
Other measures in this guide recommend that you:
- Create a place where all information about security is stored
- Establish information security incident management procedures
Just as it is advisable to store the emergency instructions and checklists in a central IT security directory, training materials should be stored there as well (or at least a link to them, if training is managed globally).
It is necessary to differentiate between the emergency procedures for employees and those for the information security responsibles. While the IT security responsibles may need checklists for documentation, preservation of evidence, restoring servers and databases, etc., employees only need to do the following:
- Document what happened
- Inform the information security responsibles
- Disconnect the computer from the internet/network
More details can be found in measure 15.
2) Perform annual trainings
Each employee needs to know
- what kind of basic threats there are,
- what kind of symptoms they show,
- how they can be recognized and
- what to do in an emergency or in a suspected incident.
Because not everyone in a company has studied computer science or information security, it is necessary to train people on these topics. This should be done at least once for new employees, but it is also good to repeat this kind of information sharing. This could be done periodically in team meetings or in dedicated annual refresher trainings.
3) Establish additional information channels (each month or quarter)
In most cases, one training per year is not enough to sensitize everyone within a company. People need to be reminded of and confronted with the topic of information security, so that everyone stays aware of the threats and how to deal with them.