15.10 USER TRAINING



Security is not a one-time project, but rather an ongoing, cyclical business process that requires continuous consideration from all levels of the organization. Every individual who makes use of information assets, including users, executives, and third parties, must also understand his/her responsibilities for protecting those assets. To achieve this, user responsibilities for protecting information assets and maintaining information confidentiality should be defined by policy and effectively communicated through ongoing security awareness training. This training should reach all levels of the organization. Training should be given before initial information access is granted, and then updated and delivered annually. This training should strive to make security a part of the organization's culture and normal business. Topics to cover in security awareness training include:

  • Updates to the organization's security policies and procedures

  • Incident identification and reporting procedures

  • Individual protection responsibilities

  • Legal requirements

  • Secure use of the organization's information assets

In addition to general security awareness training, the organization should investigate the specific training requirements for individuals who have security responsibilities, a development role, or a high level of privileged access or activities.




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181
