M3.4.1 - AWARENESS CAMPAIGN Implementation Guidance
The entity shall plan and conduct a security awareness campaign.
Back to M3.4.1 - P2 - AWARENESS CAMPAIGN
Through awareness campaigns, the entity promotes a culture of security. Security awareness programs typically focus on broad topics, such as security threats that could be mitigated through good practice, the choice and usage of passwords, good practice for using a personal computer, the sharing of account information, and the reporting of incidents.
Entities determine the appropriate content of security awareness based on the specific organizational requirements and the information systems to which personnel have authorized access. Specific training methods may include:
- A. Mandatory annual awareness training
- B. Targeted, role-based training
- C. Internal security awareness websites
- D. Manuals, guides, and handbooks
- E. Seminars and slide presentations
- F. Events (e.g., security awareness week or month)
- G. Posters and brochures
- H. Email messages to all employees and contractors
Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.