Security Awareness Policy (SAP)

Security awareness training is often the first view a typical user has into information security. It’s often required for all new hires. Think of it as the first impression of management’s view of information security. This is management’s opportunity to set the tone. Most individuals want to do a good job, but they need to know what the rules and expected behavior are. A good security awareness policy has many benefits, including informing workers of the following:

• Basic principles of information security
• Awareness of risk and threats
• How to deal with unexpected risk
• How to report suspicious activity, incidents, and breaches
• How to help build a culture that is security and risk aware

Security policy is not just a good idea—it’s the law! There are many regulations that require security policies and a security awareness program. Many state laws also require security awareness. In most industries, having a security awareness program is considered a best practice. The following list highlights a number of federal mandates that require an organization to have a security awareness program:

• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act
• Sarbanes-Oxley Act
• Federal Information Security Management Act (FISMA)
• National Institute of Standards and Technology (NIST) Special Publications 800-53, “Recommended Security Controls for Federal Information Systems”
• 5 Code of Federal Regulations (C.F.R.)
• The NIST Guide for Developing Security Plans for Information Technology Systems
• Office of Management and Budget (OMB) Circular A-130, Appendix III
• The NIST Computer Security Handbook

Laws can outline the frequency and target audience of awareness training. For example, 5 C.F.R. requires security awareness training before an individual can access information. A refresher course must also be taken annually. The following outlines the 5 C.F.R. requirements:

• All users—Security basics
• Executives—Policy level and governance
• Program and functional managers—Security management, planning, and implementation; also risk management and contingency planning
• Chief information officers (CIOs)—Broad training in security planning, system and application security management, risk management, and contingency planning
• IT security program managers—Broad training in security planning, system and application security management, risk management, and contingency planning
• Auditors—Broad training in security planning, system and application security management, risk management, and contingency planning
• IT function management and operations personnel—Broad training in security planning and system/application security management, system/application life cycle management, risk management, and contingency planning

For information security policies to deliver value, they must explain how to manage risk and proactively address threats. A well-planned security awareness program can be a cornerstone to accomplish this objective.

Communication of security policy through a security awareness program is vital. Even the best policy is of little use if no one is aware of it. Security awareness changes behavior. Security awareness consists of a series of campaigns aimed at improving understanding of security policies and risks. Security awareness is not a one-time event. It’s a campaign that strives to keep reinforcing the message in different ways.