Friday, December 16, 2022

What is Security Awareness Training?

 

Every employee and stakeholder of an organization is a potential target, and every online activity they perform carries a degree of risk. A strong cybersecurity program is a blend of people, processes, and technology. Within that blend, people are the soft target and the ones most frequently exposed to security threats. That is why information security awareness and training should be an organization's top priority.

A cyber security awareness and training program should never be underestimated. It is a process that focuses on educating employees and stakeholders about the security threats prevalent in the industry and the ways to deal with them. The program demonstrates the security best practices to adopt for safeguarding the organization's sensitive data and assets.

The program involves educating employees about the tactics hackers use to compromise the security of a company's client data. Beyond that, the program should cover the organization's security policies and procedures that every employee is expected to follow.

The program should also educate employees about the controls in place to safeguard sensitive data. Security awareness training should cover techniques for securing email, how to avoid falling prey to phishing and fake messages, insider threats, securing mobile devices, physical security, malware, social engineering, Wi-Fi security, reporting incidents, whistleblowing, etc.


What does AICPA say about SOC2 Security Awareness Training?

For organizations to be compliant and achieve SOC2 attestation, the AICPA has clearly outlined criteria for conducting awareness programs for employees. Common Criteria 2.2 requires organizations to "communicate information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program." Numerous other controls, such as CC 1.1, 1.2, 1.3, 2.3, 5.3 and 6.6, require that security awareness training be provided not just to internal personnel but also to contracted employees, outsourced personnel and even senior management.

HR is tasked with setting up the process and scheduling the training sessions, not just at induction but throughout the personnel's lifecycle in the company. Senior management is where the buck stops: they are required to monitor the program and ensure there are enough resources for effective awareness training across the organization at all levels. In short, conducting regular security awareness and training programs is essential for SOC2.
