Information Security Awareness Guidelines
Document Number: OIL-IS-GUD-ISA

Document Details
Title: Information Security Awareness Guidelines (Guideline)
Description: This document provides guidelines for setting up information security awareness across the organization.
Version: 2.0
Author: Information Security Manager
Classification: Internal
Review Date: 31.03.2017
Reviewer & Custodian / Approved By: CISO
Release Date: 03.04.2017
Owner: Information Security Council (ISC), CISO
Distribution List: Internal Distribution Only

Version History
Version Number / Version Date
1.0 / 04/03/2015
2.0 / 03.04.2017

Internal Page 2 of 6
Table of Contents
1. Purpose ... 4
2. Guidelines ... 4
2.1. Information Security Awareness Program (ISAP) ... 4
2.1.1. Goals and Principles ... 4
2.1.2. Assumptions ... 5
2.2. Information Security Awareness Campaign (ISAC) ... 5
2.2.1. Programs within the ISAC ... 5
2.2.2. Project Development ... 6
2.3. Information Security Training Program (ISTP) ... 6
2.3.1. ISTP Topics ... 6
1. Purpose

The purpose of this document is to provide guidelines for setting up an information security awareness program at the Company. This guideline for the Information Security Awareness Program (ISAP) supports the high-level policy statements defined in the Company's Information Security Policy.

The purpose of the ISAP is to assist all users in becoming more knowledgeable and conscious of their responsibilities in securely generating, using, and maintaining the information assets of the Company. It is the responsibility of the Information Security Manager (ISM) to initiate steps to make all employees aware of those practices which promote secure and sensible information management. The ISAP will provide all employees with the basic knowledge needed to handle data in a secure manner.

The ISAP will consist of the following initiatives:
- Information Security Awareness Campaign (ISAC); and
- Information Security Training Program (ISTP).

Intended Audience

All OIL and contract employees will participate in the awareness campaigns and training programs organized by the Information Security Council (ISC).

2. Guidelines

2.1. Information Security Awareness Program (ISAP)

2.1.1. Goals and Principles

The goal of this program is to change behavior by changing attitudes. This is a program of education and awareness. The program will develop users' knowledge, skills and abilities so that they can perform their jobs more securely. The ultimate goal is to ensure that all of the Company's employees appropriately handle and protect all Information Assets. In many cases this means changing the information handling behavior of the employees. The ISAP aims to do this through a systematic program of awareness enhancement and education in secure computing and information handling practices. This program is designed to make users aware of their own attitudes about such practices, as well as to communicate the most appropriate attitudes.

2.1.2. Assumptions

A key consideration for the creation and planning of an ISAP is the time and resources that will be committed to such a program. In formulating this program, the following assumptions are made regarding the availability of the Company's employees and the resources needed to execute the program:
- Resources will be made available as required for the development of Company-approved information security training material and training programs;
- The Company's executive leadership will review and support the ISAP.

2.2. Information Security Awareness Campaign (ISAC)

In support of the Company's ISAP, an ISAC will be organized and executed through the office of the Information Security Manager. The content and scope of these programs will be developed by the IT Department and then reviewed and approved by the Information Security Manager.

2.2.1. Programs within the ISAC

Some of the programs that may be implemented by the ISC for instilling security awareness are:

Security Awareness Week: A week designated as Security Awareness Week may be announced and observed with every security awareness project possible. Such a week will act as a focal point to initiate or enhance other projects and to raise employee awareness of the importance of information security.

Electronic Mail: Bulletins addressing information security topics may be developed and may include descriptions of security incidents, the possible impact of security breaches, and how an effective security posture can act as an enabler for business operations.

Posters: Posters may be created with information security themes and posted at common meeting locations to heighten user awareness of security issues.
Screensavers: The security awareness project team could develop screensavers to provide and improve information security awareness.
2.2.2. Project Development

The security awareness program team will staff each of these programs, as well as any others recommended by the ISM or the Company's management. Each project may be presented to the relevant authorities for all required approvals. It is assumed that resources may need to be designated to facilitate implementation and to offset the cost of any of the projects listed above.

2.3. Information Security Training Program (ISTP)

In addition to the ISAC, the Company needs more formalized and structured training for users to ensure that they have the knowledge necessary to securely perform their duties. In order to provide an effective and efficient ISAP, the Company may institute an ISTP in components targeted at end users:
- Classroom training sessions on information security (IS) are conducted for all new inductees. These sessions are part of the Management Development Program.
- Periodic IS awareness sessions are held targeting different groups of employees of the organization.
- Dos & Don'ts regarding IS are provided as part of the instruction package for every new employee.

2.3.1. ISTP Topics

Topics that may be considered for inclusion in the ISTP include:
- Acceptable policies/guidelines for information technology resources;
- Electronic mail policies/guidelines;
- Internet security issues; and
- Security incident reporting and handling requirements.