IT Baseline Protection Manual
S 3.5 Education on IT security measures
Initiation responsibility: Superiors, IT Security Management
Implementation responsibility: Superiors, IT Security Management
In the majority of cases, damage in the IT field is caused by negligence. In order to prevent this, everybody must be motivated to exercise care in the use of information technology. In addition, rules of conduct must be provided which help the individuals concerned to better understand IT safeguards. In particular, the following subjects are to be included in training on IT safeguards:
Building IT Security Awareness
Every staff member must be made aware of the need for IT security. A suitable first step to initiate the staff into the subject-matter is to make them aware of the dependence of the agency/company, and thus of their jobs, on the smooth functioning of IT systems. In addition, the value of information should be highlighted, especially with regard to confidentiality, integrity and availability. These awareness-building activities should be periodically repeated, possibly also by providing practical information, e.g. through in-house circulars.
Staff-Related IT Safeguards
Under this heading, information should be provided on all safeguards which have been developed within the framework of an IT security policy and which are to be implemented by the various staff members. This part of the training effort is very important since many IT safeguards can be applied effectively only after adequate education and motivation.
Product-Related IT Safeguards
Under this heading, information is provided on IT safeguards inherent in a particular product and already present when the product is supplied. These can, for example, be logon passwords, screensavers, or encryption features for documents or data fields. Recommendations regarding the structure and organisation of files containing transaction data can facilitate the granting of access rights and considerably reduce the work involved in data protection.
Conduct in Case of a Computer Virus Infection of a PC
Here, staff members should be instructed on how to handle computer viruses. Such training might cover the following (cf. S 6.23 Procedure in case of computer virus infestation):
- detection of a computer virus infection;
- mode of action and types of computer viruses;
- immediate response when virus infection is suspected;
- measures to eradicate the computer virus;
- preventive measures.
Proper Use of Passwords
In this context, the importance of passwords for IT security and the overall prerequisites for ensuring effective use of passwords should be explained (cf. also S 2.11 Provisions governing the use of passwords).
The Importance of Data Backup and Its Implementation
Regular data backup is one of the most important IT safeguards in any IT system. Trainees must be instructed in the data backup policy (cf. Chapter 3.4 Data Backup Policy) of the agency/company and in the data backup tasks to be carried out by each individual. This is of particular significance for PC users, where data backup is incumbent on each user individually.
Handling of Person-Related Data
Person-related data require particularly careful handling. Staff members who have to deal with person-related data (both in IT systems and in written records) must be trained in the legally stipulated safeguards required. Subjects to be covered are: handling of information requests, modification and rectification requested by the data subjects, legally stipulated deletion deadlines, protection of privacy, and communication of data.
Briefing on Emergency Measures
All staff members (including persons not directly concerned with IT, e.g. entrance control staff or guards) must be briefed on the established emergency measures. This includes information on emergency exits/escape routes, rules of conduct in case of fire, handling of fire extinguishers, the emergency reporting system (who must be notified first by what means) and use of the Emergency Procedure Manual.
Protection Against Social Engineering
Staff should be informed of the dangers of social engineering. Typical examples of attempts to obtain confidential information by sounding out certain persons should be explained, as well as the relevant methods of protection. As social engineering often involves the pretence of a false identity, staff should be regularly instructed to check the identity of communication partners and, in particular, not to provide confidential information by telephone.
Additional controls:
- Which subjects regarding IT safeguards have already been covered by training activities?
- Are new staff members adequately briefed on the respective IT safeguards?
- What training is offered at what intervals?
- Does the subject-matter of the training activities cover all required areas?