Educate and Train Staff

Security training is crucial to ensuring that all related parties understand the security risks, and accept and adopt good security practices. No protection procedure is effective without proper execution by well-trained staff. You must ensure that your staff possess the necessary skill sets.

Planning

• Get a good trainer. You may consider to find an appropriate training institute or train one of your staff to become the trainer.
• Different people, roles and posts require different scopes, types and levels of training. Plan for the different training needs of staff.
• Consider periodically using posters or issuing reminders to your staff about the importance of information security.
• Consider providing training under the following scenarios:
  • When a new employee joins your team, he/she is informed about the security policies of your company by briefing or orientation.
  • Work to improve the security knowledge of all staff.
  • Refreshment training should be conducted at least once a year.

Fundamental Information Security Training

The following topics are proposed:

• Company information security policies
• Fundamental training in protecting your information assets e.g.
  • when and how to login and logout of your system
    
  • when and how to change your password
    
  • how to call for technical support
  • how and when to report suspicious activities
• Basic security threats such as viruses and malicious code, phishing, technology crime etc.
• Protect your computer
  • getting the latest system and application updates
  • how to install and enable a firewall
  • how to prevent virus and malicious code infections
  • how to physically dispose an old computer securely
• How to recognise fraud
• How to handle user accounts and passwords
• Related ordinances