The SANS Institute, which describes itself as a “cooperative research and education organization”[1], is a leading resource for information security training, certification, and research.
In one of its white papers, “Security Awareness Training and Privacy”[2], it outlines the following guidelines for conducting employee Security Awareness and Training:
- educating on password health
  - creating a strong password
  - changing the password periodically
  - not using the same password for multiple sites and logins
  - not sharing/revealing passwords
  - not writing passwords down
- do’s and don’ts for maintaining workstations
  - keeping workstations locked when not in use
  - logging in as “Admin” only when needed
  - regularly applying anti-virus and OS updates
  - backing up work regularly to designated file servers
- informing users of email and Internet access policies
  - no personal email on the official email-id
  - no clicking on unknown links
  - verifying that the sender’s email-id is genuine, and reporting to the supervisor/security team when in doubt
- establishing clear employee responsibility for computer security
  - reporting procedures: whom to report to and how
  - emergency procedures (in case of ransomware lock-down, virus attack, data breach, etc.)
- how to identify social engineering tactics
  - email spoofing
  - telephone spoofing
  - social media contacts
- awareness of the importance of and need for security, and of how establishing and enforcing security policies can impact the “bottom line” (limiting system downtime, protecting business-critical information, etc.)
References:
1. About. (n.d.). Retrieved from https://www.sans.org/about/
2. Johnston, M. (n.d.). Security Awareness Training and Privacy. Retrieved from https://www.sans.org/reading-room/whitepapers/awareness/security-awareness-training-privacy-394