These security awareness and training materials concern conceptual or architectural frameworks, standards, methods and good practices in the area of information risk and security – ‘security frameworks’ or ‘frameworks’ for short.
Both the organization and individual workers are obliged to comply with various rules concerning information security. Some rules are imposed on us by external authorities in the form of laws and regulations, others we impose on ourselves through corporate policies and procedures, contracts etc. There are numerous laws and regulations relating to information security, far too many for us to cover in detail. We can only talk in general terms.
We face a similar practical constraint with corporate security policies, procedures etc.: we are not familiar with your policies, or with your current internal compliance challenges.
Nevertheless, we sincerely hope that this awareness module provides a sound platform or starting point. While you may use the generic content ‘straight out of the box’, you will get more traction on security compliance if you customize it to reflect your specific situation.
The module is intended to:
- Introduce the topic, explaining what security frameworks are and why they are both relevant and valuable to the organization;
- Outline legal and regulatory compliance obligations relevant to information security;
- Outline a variety of public security frameworks such as the ISO27k and NIST SP800 series standards, ITIL, OWASP, CSA, CSF and others;
- Promote the adoption of good security practices from a variety of sources;
- Promote the use of structured and systematic methods and approaches to information risk and security management, secure systems development, business process engineering etc. in general, blending corporate with public frameworks where appropriate;
- Stimulate people to think - and most of all act - more securely.
Consider your learning objectives in relation to this topic. Given your organizational context and business situation, how is your approach to information security best structured?
Awareness and training materials promoting the use of published security standards, methods and approaches, coupled with the organization's policies and procedures - a powerful combination.