PPPR-11

Do you have an information security awareness program?

Explanation

This question asks whether your organization has a formal program to educate employees about information security risks, good practices, and their responsibilities for protecting data and systems. An information security awareness program is a structured approach to ensuring that all employees understand security threats, recognize potential risks, and know how to respond appropriately. It typically includes regular training sessions, communications, and activities designed to keep security top of mind.

Why this is asked in security assessments:

1. Human error is one of the leading causes of security breaches; even the best technical controls can be undermined by uninformed users.
2. Regulatory requirements and standards (such as GDPR, HIPAA, and PCI DSS) often mandate security awareness training.
3. Assessors want to know whether your organization has a culture of security that extends beyond technical controls.
4. It demonstrates organizational commitment to security at all levels.

To best answer this question, you should:

- Describe your formal security awareness program
- Mention the frequency of training (initial onboarding and regular refreshers)
- Outline the key topics covered (phishing, password security, data handling, etc.)
- Explain how you measure effectiveness (tests, simulations, metrics)
- Note any specialized training for roles with higher security responsibilities

Example Responses

Example Response 1

Yes, our organization maintains a comprehensive information security awareness program. All employees complete mandatory security training during onboarding and annual refresher courses thereafter. Our program includes monthly phishing simulations with targeted follow-up training for those who fail tests, quarterly security newsletters, and role-based training for employees handling sensitive data. Topics covered include password security, phishing recognition, secure data handling, physical security, incident reporting, and compliance requirements. We track completion rates (currently at 98%) and measure effectiveness through simulated attacks and knowledge assessments. Our security team also conducts quarterly lunch-and-learn sessions on emerging threats.

Example Response 2

Yes, we implement a multi-faceted security awareness program that combines formal training with continuous reinforcement. New hires complete a security fundamentals course during their first week, and all staff participate in mandatory annual security certification. Our program features interactive online modules, in-person workshops for specialized teams, and regular communication through our internal channels. We conduct bi-monthly phishing simulations and provide immediate feedback and additional training to those who fail. Our program covers social engineering, secure remote work practices, data classification, incident reporting procedures, and compliance requirements. Program effectiveness is measured through pre/post assessments, simulation results, and a reduction in security incidents attributed to human error, which has decreased by 47% since program implementation.

Example Response 3

No, we currently do not have a formal information security awareness program. While we do mention basic security practices during employee onboarding and occasionally send emails about specific threats like phishing, we have not established a structured, ongoing program with regular training and assessments. Our IT team handles security incidents as they arise and provides guidance when requested, but we recognize that this reactive approach is insufficient. We are currently developing a formal security awareness program that we plan to implement within the next quarter, which will include regular training sessions, simulated phishing exercises, and effectiveness measurements.

Context

Tab: Organization
Category: Policies, Processes, and Procedures

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub