Communication and Training
Disseminate security approaches, policies, and other relevant information to develop security awareness and skills.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Communication and Training at each level of maturity.
- 1 Initial
- Practice
- Rely on the best endeavours of staff.
- Outcome
- The organization behaves on an ad hoc basis: with no documented processes or procedures, staff respond differently according to their differing levels of experience and training backgrounds.
- Metric
- # of customer complaints about inconsistent security behaviour and # of customer accolades for consistent security behaviour.
- 2 Basic
- Practice
- Start to establish information security training and awareness in IT and start to communicate to key stakeholders.
- Outcome
- There is increased understanding of the role and value of information security; and increased application of security in IT activities.
- Metric
- # of training activities available; # and % of total IT staff who have attended information security training.
- 3 Intermediate
- Practice
- Develop generic security awareness for IT and some business units and provide on-demand training for security practitioners. Update training to reflect emerging security issues.
- Outcome
- There is an opportunity to supplement scarce security resources and improve security on a more timely basis.
- Metric
- # of training courses available; # and % of total IT staff who have attended information security training; # of issues relating to training and awareness identified in audit reports and post-incident reviews.
- 4 Advanced
- Practice
- Establish dedicated and tailored security training organization wide and test to ensure understanding and effectiveness.
- Outcome
- Security improves as a result of tailored rather than generic security activities.
- Metric
- % of IT budget spent on ISM training; stakeholder feedback on the value of training; # and % of total employees overdue for refresher training; # of training courses available; # and % of total IT staff who have attended information security training; # of issues relating to training and awareness identified in audit reports and post-incident reviews.
- 5 Optimized
- Practice
- Evaluate and optimize security-related training and communication regularly across the business ecosystem.
- Outcome
- There is consistent and up-to-date understanding of security requirements and expectations.
- Metric
- # of audit findings related to non-compliance with security policies and procedures