Security awareness training is an important practice to strengthen your organisational security posture. Information security is only as strong as the weakest link!
The Consumer Data Right gives Australians control of their data. That enables innovation in new products and services for those consumers. To participate as a data recipient, there are five governance requirements and 24 information security requirements. These are independently audited by a qualified firm like AssuranceLab, and included in an assurance report for accreditation.
Security and privacy awareness training is one of the 24 specific information security requirements to be completed by all personnel supporting the CDR environment.
Most security breaches have a human element from your own employees, whether deliberate or accidental. Security for your organisation is like a chain that’s only as effective as the weakest link, which is often employees. The objective of this training is most closely linked with the Acceptable Use Policy; they often go hand in hand.
Outsourcing security awareness training is often a good approach as you can leverage security experts and specialists in the latest threats and best practices. The downside of this approach is it’s generally less directly aligned to your specific security requirements and environment. In-house training is often developed by your security lead or CTO and goes hand in hand with your own Acceptable Use Policy to educate on the threats facing your organisation, security and privacy commitments and requirements, and the associated security practices required of all of your employees.
The purpose of security awareness training is to create a secure culture and behaviours in your employees. In order to really meet that purpose, it’s helpful to support this training with leadership, buy-in from senior management, and the mandate and tracking of completion. Typically making the training more interactive and experiential will also benefit the outcomes in contrast to online modules that tend to encourage completion without much engagement or attentive focus.
If you're wondering what this looks like "on paper" - get in touch with our team <firstname.lastname@example.org>. We're happy to share examples, connect you to partners that provide these services, and guide you through how this may look for your business.
The CDR Perspective
Security and privacy training should include at a minimum:
- personnel's responsibilities towards securing data and meeting their privacy obligations;
- the organisation's expectations of personnel in interacting with systems and data within the CDR data environment and what is acceptable usage;
- common security threats (e.g. email scams, malware, phishing, social engineering) and how to identify and address them;
- physical security and clean desk requirements.
AssuranceLab is a modern cybersecurity audit firm. We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.