Wednesday, April 27, 2016

Effective Security Awareness Program


HIPAA and PCI DSS both require a Security Awareness Program for organizations that must comply with them. You can find it in section 12.6 (page 104) of PCI DSS v3.1 and under the Security Awareness and Training section of the HIPAA Security Standards: Administrative Safeguards (page 14).

ISO 27001:2013 also mentions the Security Awareness Program (item A.7.2.2, page 11) as a control for all employees and, where relevant, contractors.

An effective Security Awareness Program trains and helps all employees to recognize IS security issues and to see IS security as a beneficial habit that builds a more secure environment. Most importantly, an effective program should make staff feel comfortable reporting a (potential) security threat. Senior Management should receive additional training so they understand and support the organization's security policy and its requirements. In addition, team managers and department directors who hold privileged access need a better understanding of the InfoSec requirements for their staff, especially for employees with special access to sensitive or classified data.

I found NIST 800-50 to be a very good resource for implementing such a program. NIST 800-50 describes the program in the following steps:
  1. Select awareness and training topics
  2. Find sources of awareness and training material
  3. Implement awareness and training material, using a variety of methods
  4. Evaluate the effectiveness of the program
  5. Update and improve the focus as technology and organizational priorities change

I would add one more step as step 0: Assemble the Security Awareness Team. Choose these personnel from different areas/departments of your organization in order to maximize their commitment and contribution.

Although NIST 800-50 is a well-defined document on this topic, there are other materials you can use as references to develop and implement a successful Security Awareness Program:



One of the challenges in implementing a Security Awareness Program is finding and selecting appropriate training materials. The material selection process depends on your organization and the nature of its business. You can develop these materials in-house, adapt them from a professional organization, or purchase them from a vendor. Vendors deliver their materials in different formats such as newsletters, CBT (Computer Based Training), posters, and so on. Almost all of these materials are very general and cover topics like how to avoid social engineering attacks or how to avoid malicious downloads.

This is an example of the contents in a very general security awareness program:

  1. Security awareness policy of the organization
  2. A place/person to get additional information on protecting security (e.g. security officers, internal security portal, internal security mailing list, etc.)
  3. Impact of the risk of unauthorized access to the information systems
  4. How to report a (potential) security incident and whom to report it to
  5. How to protect against different types of attacks such as social engineering attacks
  6. Secure password practices and the importance of choosing strong passwords
  7. Secure email practices as well as browsing practices
  8. Secure practices for working remotely
  9. Avoiding malicious software, e.g. viruses, spyware, adware, ransomware, ...
  10. Secure use of social media and mobile devices
  11. Caller ID spoofing, email phishing and web spoofing
  12. Physical security, including shoulder surfing

Such a Security Awareness Program will help you prevent or mitigate many risks, including Data Loss (DL), phishing, privileged access hacks, social engineering attacks and ransomware.

PCI DSS also requires that security awareness be communicated as part of the new-hire process (item 12.6.1 on page 104 of version 3.1). Security Awareness Training can be combined with other organizational training, such as confidentiality or ethics training, which is mostly run by the HR department. It is also a good idea to treat any role change for an existing employee as a kind of new hire, so that anybody who changes roles within the organization receives the security training related to the new role. In order to design and develop security training for every role in the company, each position should be classified by its level of access to sensitive or classified information and by other security factors.

In order to ensure a successful implementation of a security awareness program, InfoSec experts suggest the following:
  • Make sure that you obtain senior management support, and obtain it before implementing the program. This support is key to guaranteeing enough budget for a proper implementation and to getting support from other departments. Do not forget that implementing an effective program, like any other project, needs time, budget, and other resources. You should convince management that awareness efforts provide an ROI that will save the company money in the long term.
  • Make sure that you are partnering with other departments. Without the support of all departments within your organization, the security awareness program would be useless.
  • Make sure that you have metrics in place to prove that your effort in developing and implementing the program is successful. Surveys are the easiest metric, while other tools can be more effective, such as phishing simulation tools that show how people respond to a fake incident/attack. Examining the number of InfoSec incidents before and after training can be another useful metric.
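As an added example (not from the original post), the script below turns phishing-simulation results into the before/after metrics suggested above: per-department click rate and report rate, with a flag for departments whose post-training click rate is still above a chosen threshold. The campaign rows are constructed sample data and the field names are assumptions, not any vendor's export format.

```python
"""Before/after awareness-training metrics from phishing-simulation results.

Added example, not code from the original post. CAMPAIGN_RESULTS is constructed
sample data; its field names (phase, dept, clicked, reported) are assumptions.
"""
from collections import defaultdict

# One row per simulated phishing email. phase marks whether the campaign ran
# "before" or "after" the awareness-training rollout.
CAMPAIGN_RESULTS = [
    {"phase": "before", "dept": "finance", "clicked": True,  "reported": False},
    {"phase": "before", "dept": "finance", "clicked": True,  "reported": False},
    {"phase": "before", "dept": "finance", "clicked": False, "reported": True},
    {"phase": "before", "dept": "finance", "clicked": False, "reported": False},
    {"phase": "before", "dept": "it",      "clicked": True,  "reported": False},
    {"phase": "before", "dept": "it",      "clicked": False, "reported": True},
    {"phase": "after",  "dept": "finance", "clicked": False, "reported": True},
    {"phase": "after",  "dept": "finance", "clicked": True,  "reported": False},
    {"phase": "after",  "dept": "finance", "clicked": False, "reported": True},
    {"phase": "after",  "dept": "finance", "clicked": False, "reported": False},
    {"phase": "after",  "dept": "it",      "clicked": False, "reported": True},
    {"phase": "after",  "dept": "it",      "clicked": False, "reported": True},
]

def rates_by_dept(results, phase):
    """Return {dept: (click_rate, report_rate)} for the given phase."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    reported = defaultdict(int)
    for r in results:
        if r["phase"] != phase:
            continue
        sent[r["dept"]] += 1
        clicked[r["dept"]] += int(r["clicked"])
        reported[r["dept"]] += int(r["reported"])
    return {d: (clicked[d] / sent[d], reported[d] / sent[d]) for d in sent}

def training_effect(results, max_click_rate=0.10):
    """Per department: change in click/report rate after training, plus a
    needs_followup flag when the post-training click rate exceeds the threshold."""
    before = rates_by_dept(results, "before")
    after = rates_by_dept(results, "after")
    report = {}
    for dept in sorted(set(before) | set(after)):
        b_click, b_rep = before.get(dept, (0.0, 0.0))
        a_click, a_rep = after.get(dept, (0.0, 0.0))
        report[dept] = {
            "click_rate_change": round(a_click - b_click, 3),
            "report_rate_change": round(a_rep - b_rep, 3),
            "needs_followup": a_click > max_click_rate,
        }
    return report

if __name__ == "__main__":
    for dept, metrics in training_effect(CAMPAIGN_RESULTS).items():
        print(dept, metrics)
```

A department flagged with needs_followup is where the program's focus should be updated (step 5 of NIST 800-50) rather than assumed complete.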
