Security Awareness and Training: SANS Guidelines

The SANS Institute, which describes itself as a “cooperative research and education organization”[1], is a leading resource for information security training, certification, and research.

In one of its white papers, “Security Awareness Training and Privacy”[2], it outlines the following guidelines for conducting employee Security Awareness and Training:

  • educating on password health
    • creating a strong password
    • changing the password periodically
    • not using the same password for multiple sites and logins
    • not sharing/revealing passwords
    • not writing passwords down
  • do’s and don’ts for maintaining workstations
    • keeping workstations locked when not in use
    • logging in as “Admin” only when needed
    • regularly applying anti-virus and OS updates
    • backing up work regularly to designated file servers
  • informing users of email and Internet access policies
    • no personal email on the official email-id
    • no clicking on unknown links
    • verifying that the sender’s email-id is genuine, and reporting to the supervisor/security team when in doubt
  • establishing clear employee responsibility for computer security
  • reporting procedures – whom to report to and how
  • emergency procedures (in case of a ransomware lock-down, virus attack, data breach, etc.)
  • how to identify social engineering tactics
    • email spoofing
    • telephone spoofing
    • social media contacts
  • awareness on importance and need for security – and how establishing and enforcing security policies can impact the “bottom line” (limiting system downtime, protecting business-critical information, etc.)

1. About. (n.d.). Retrieved from

2. Johnston, M. (n.d.). Security Awareness Training and Privacy. Retrieved from