The human factor is classically the most important one in information security. An awareness-raising process reduces the impact of the risks associated with this factor. Below I have collected the best-known standards and recommendations for building a security awareness process.
So, a non-exhaustive list:
- PCI Council, Best Practices for Implementing a Security Awareness Program (October 2014)
- NIST Special Publication 800-50 (October 2003); a short overview of the document can be found in Andrey Prozorov's post.
- ENISA, The new users' guide: How to raise information security awareness (November 2010)
- ISO GOST R ISO/IEC TO 13335-3-2007, Methods and Means of Ensuring Security (ISO/IEC TR 13335-3:1998), Section 10.3, Training personnel in information security (1998/2007)
- ISO 27001
- COBIT 5
Incidentally, the PCI Council document is fairly recent and contains useful information. Below, for example, are the key audience types:
In the end, the document itself refers back to NIST, COBIT and ISO 27001.
It also offers the following checklist (quoted here without translation):
Creating the Security Awareness Program
- Identify compliance or audit standards that your organization must adhere to.
- Identify security awareness requirements for those standards.
- Identify organizational goals, risks, and security policy.
- Identify stakeholders and get their support.
- Create a baseline of the organization’s security awareness.
- Create project charter to establish scope for the security awareness training program.
- Create steering committee to assist in planning, executing and maintaining the awareness program.
- Identify who you will be targeting—different roles may require different/additional training (employees, IT personnel, developers, senior leadership).
- Identify what you will communicate to the different groups (goal is shortest training possible that has the greatest impact).
- Identify how you will communicate the content—three categories of training: new, annual, and ongoing.
Implementing Security Awareness
- Develop and/or purchase training materials and content to meet requirements identified during program creation.
- Document how and when you intend to measure the success of the program.
- Identify who to communicate results to, when, and how.
- Deploy security awareness training utilizing different communication methods identified during program creation.
- Implement tracking mechanisms to record who completes the training and when.
Sustaining Security Awareness
- Identify when to review your security awareness program each year.
- Identify new or changing threats or compliance standards and updates needed; include in annual update.
- Conduct periodic assessments of organization security awareness and compare to baseline.
- Survey staff for feedback (usefulness, effectiveness, ease of understanding, ease of implementation, recommended changes, accessibility).
- Maintain management commitment to supporting, endorsing and promoting the program.
- Document security awareness program including all previously listed steps within “Creating the Security Awareness Program,” “Implementing Security Awareness,” and “Sustaining Security Awareness.”
Secure your life!