Security Awareness and Training: SANS Guidelines

The SANS Institute, which describes itself as a “cooperative research and education organization”[1], is a leading resource for information security training, certification, and research.

In one of its white papers, “Security Awareness Training and Privacy”[2], it outlines the following guidelines for conducting employee Security Awareness and Training:

  • educating on password health
    • creating a strong password
    • changing the password periodically
    • not using the same password for multiple sites and logins
    • not sharing or revealing passwords
    • not writing passwords down
  • do’s and don’ts for maintaining workstations
    • keeping workstations locked when not in use
    • logging in as “Admin” only when needed
    • regularly applying anti-virus updates and OS upgrades
    • backing up work regularly to designated file servers
  • informing users of email and Internet access policies
    • no personal email on the official email-id
    • no clicking on unknown links
    • verifying that the sender’s email-id is genuine, and reporting to a supervisor or the security team when in doubt
  • establishing clear employee responsibility for computer security
  • reporting procedures – whom to report to and how
  • emergency procedures – in case of ransomware lock-down, virus attack, data breach, etc.
  • how to identify social engineering tactics
    • email spoofing
    • telephone spoofing
    • social media contacts
  • awareness of the importance of and need for security – and how establishing and enforcing security policies can affect the “bottom line” (limiting system downtime, protecting business-critical information, etc.)


1. About. (n.d.). Retrieved from
2. Johnston, M. (n.d.). Security Awareness Training and Privacy. Retrieved from