Sector 2 – Security Awareness

Security awareness focuses on educating employees about security best practices, such as recognising phishing attacks, handling sensitive data, and understanding organisational security policies. The aim is to build a culture of security within the workplace, ensuring that employees are knowledgeable and vigilant in protecting the organisation’s systems and data. By promoting security awareness, organisations can reduce the risk of security breaches caused by human error and improve their overall security posture. This also helps employees understand their role in maintaining the security of the organisation’s assets and responding to potential threats.

———————————————————————————————————

Level 1 Certification

———————————————————————————————————

Measure 2.1: Conduct Basic Security Awareness Training for All Employees

Does your enterprise provide basic security awareness training to all employees to educate them on recognising common threats, such as phishing, malware, and social engineering?
Example: Conduct a simple training session or provide an online course that covers the basics of security, such as recognising phishing emails, using strong passwords, and following organisational security policies.

Measure 2.2: Establish Clear Security Policies for Employees

Does your enterprise have simple and clear security policies that all employees must follow, such as password management, data handling, and acceptable use policies?
Example: Create a short, easy-to-understand document that outlines the dos and don’ts of data security, such as not sharing passwords, securing devices, and reporting suspicious activities.

Measure 2.3: Regularly Reinforce Security Practices Through Communication

Does your enterprise regularly remind employees of key security practices through internal communication?
Example: Send monthly email reminders or post security tips on the company intranet to keep security practices fresh in employees’ minds.

Measure 2.4: Educate Employees About Social Engineering Threats

Does your enterprise educate employees about common social engineering tactics, such as pretexting and baiting, to help them avoid falling victim to such scams?
Example: Provide examples of social engineering attacks and discuss the warning signs during staff meetings or training sessions to ensure employees can identify and report suspicious behaviour.

———————————————————————————————————

Level 2 Certification

To achieve Level 2: Level 1 must also be achieved.

———————————————————————————————————

Measure 2.5: Provide Role-Specific Security Training

Does your enterprise offer role-specific security training based on the access and responsibilities of each employee?
Example: Offer additional training for employees with access to sensitive data or critical systems, such as data encryption, secure file sharing, and handling confidential information.

Measure 2.6: Conduct Regular Phishing Simulations

Does your enterprise conduct regular phishing simulations to test employees’ ability to identify phishing attempts and provide feedback?
Example: Run quarterly simulated phishing attacks and assess the responses of employees, followed by a debrief session to explain the tactics used and reinforce correct behaviours.

Measure 2.7: Promote Secure Data Handling Practices

Does your enterprise actively promote and enforce secure data handling practices among employees?
Example: Provide training on how to store, share, and dispose of sensitive data securely, such as using encryption for email attachments and locking computers when unattended.

Measure 2.8: Establish a Reporting Mechanism for Security Concerns

Does your enterprise have a clear, easy-to-use system for employees to report security concerns or suspicious activity?
Example: Create a dedicated email address, phone line, or digital reporting tool where employees can quickly report phishing attempts, security incidents, or other concerns.

———————————————————————————————————

Level 3 Certification

To achieve Level 3: Level 2 and Level 1 must also be achieved.

———————————————————————————————————

Measure 2.9: Provide Advanced Security Awareness Training for Key Staff

Does your enterprise provide advanced security training for key employees, such as IT staff, system administrators, or senior management, covering advanced threats and secure system administration practices?
Example: Offer in-depth training on topics such as secure network configuration, advanced malware detection, and incident response protocols for employees who are responsible for managing enterprise security systems.

Measure 2.10: Implement Continuous Security Education Programs

Does your enterprise provide ongoing security education and training opportunities, including updates on new security trends, tools, and threats?
Example: Offer annual or semi-annual security training sessions, workshops, or certifications on topics such as cloud security, secure coding, or privacy regulations, ensuring employees stay current on best practices.

Measure 2.11: Measure Employee Security Awareness and Performance

Does your enterprise regularly measure employees’ security awareness and performance to ensure they retain key information and act on it appropriately?
Example: Use surveys or quizzes to gauge employees’ understanding of security policies and practices, and monitor how effectively they follow security protocols in their day-to-day activities.

Measure 2.12: Integrate Security Awareness into Corporate Culture

Does your enterprise embed security awareness into the organisation’s culture, ensuring it is a continuous and natural part of everyday activities?
Example: Incorporate security best practices into performance reviews, make security a regular topic in team meetings, and reward employees for reporting security incidents or implementing strong security measures.

———————————————————————————————————