Published in The CISO Den

Security Awareness Curriculum


If you run a security awareness program you will probably want your users to be trained on the right actions they can take to improve information security. I don’t believe in expecting users to learn about information security, just as I am not particularly keen to learn how the finance people do their job; nevertheless, I do take actions, like “keeping receipts”, that make their job easier. Focus on actions, not on making your users knowledgeable about information security, and your users will thank you.

Nevertheless, there are some subjects that are unavoidable due to compliance requirements.

What are the subjects that every security awareness training should cover? The list below is a start. Some items are a bit lame and are only necessary if you are planning to become ISO27701 compliant:

Security Awareness Curriculum:

  • where to find security policies, and advice to read them, even if no one will
  • how to report incidents, vulnerabilities and suspicious events
  • what the acceptable use policy is and the consequences of non-compliance
  • media encryption
  • transfer of physical media
  • how to use VPN
  • screen positioning
  • unattended user equipment
  • clear desk and clear screen policy
  • tailgating
  • paper-free office
  • removable media ban and exceptions
  • GDPR & Personal Information
  • exporting data in bulk
  • passwords & password management
  • phishing
  • how to contribute and support information security

Again, tell your users what they can do to improve security: simple and positive actions only, whenever possible!