ORP.3 Information Security Awareness and Training

Description

Introduction

Employees are an important success factor for a high level of information security in an institution. It is therefore important that they know the security objectives, that the security measures are comprehensible, and that each individual employee is willing to implement them. This requires both security awareness and a security culture within the institution, and that culture has to be established and brought to life in everyday work rather than merely documented.

Employees must be made aware of relevant threats and know how these can affect their institution. They must know what is expected of them with regard to information security and how they should react in security-critical situations.

Objective

This building block describes how an effective information security awareness and training programme can be established and maintained. The aim of the programme is to sharpen employees’ awareness of security risks and to provide them with the knowledge and competencies needed for security-conscious behaviour.

Scope and Modeling

The building block ORP.3 Information Security Awareness and Training MUST be applied once to the information network.

This building block formulates requirements for information security awareness and training that concern the working environment within the institution, the teleworkplace, and mobile working.

The building block ORP.3 Information Security Awareness and Training describes the procedural, technical, methodological, and organisational requirements for information security awareness and training. Further training topics are planned, designed, and delivered by the HR Department or the continuing education management function.

In many of the other IT-Grundschutz building blocks, specific training content on the topics covered therein is described. This building block addresses how a planned approach in the areas of information security awareness and training can be efficiently designed.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information networks, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance to the building block ORP.3 Information Security Awareness and Training.

Insufficient Knowledge of Regulations

Merely establishing information security regulations does not guarantee that they will be observed. All employees, and in particular those in designated roles, must also be aware of the applicable regulations. In many security incidents, non-compliance with regulations is not the sole cause of the incident, but it is one contributing factor. Security gaps resulting from insufficient knowledge of regulations can jeopardise the confidentiality, integrity, and availability of the information being processed. This can impair the fulfilment of tasks and the execution of business processes and specialist tasks.

Insufficient Awareness of Information Security

Experience shows that it is not sufficient merely to mandate security measures. Employees should understand the significance and purpose of the measures, as otherwise they may be ignored in day-to-day work. If employees receive insufficient awareness training on information security topics, the security culture, security objectives, and security strategy of the institution may be at risk.

Ineffective Awareness and Training Activities

The activities carried out for awareness and training purposes are not always as successful as desired. Causes of this may include:

  • a lack of management support,
  • unclear objectives,
  • poor planning,
  • insufficient monitoring of success,
  • a lack of continuity, and
  • insufficient financial or human resources.

If appropriate measures are not taken to ensure the success of the activities carried out, the objective of the respective training activity often cannot be achieved. If the institution carries out inadequate awareness and training activities for employees, aspects of information security may be at risk, which directly restricts the fulfilment of tasks.

Insufficient Training of Employees on Security Functions

Employees frequently do not use newly introduced security programmes and functions because they do not know how to operate them and regard it as too time-consuming to learn how to use them independently during their day-to-day work. Moreover, a lack of training after the introduction of new software can lead employees to operate or configure it incorrectly, causing unnecessary delays in workflows. Procuring and installing (security) software is therefore not enough. Particularly in the case of critical IT systems and applications, operating errors can have existential consequences.

Undetected Security Incidents

In the day-to-day operation of IT and ICS components, many disruptions and errors can occur. Security incidents may not be identified as such by staff, and cyberattacks or attempted attacks may go undetected. Security incidents and technical errors are sometimes not easy to distinguish from one another. If users and administrators are not specifically trained and made aware of how to recognise security incidents and respond to them appropriately, security gaps may remain undetected and be exploited. If security incidents are detected too late or not at all, effective countermeasures cannot be taken in time. Minor security gaps within the institution can develop into critical threats to integrity, confidentiality, and availability. This can impede business processes, cause financial damage, or result in regulatory and legal sanctions.

Non-Observance of Security Measures

Various reasons, such as inattentiveness or hectic conditions, can lead to situations such as confidential documents being left openly on workstations or emails not being encrypted. Such seemingly minor lapses can cause damage that well-trained employees would not normally incur.

Carelessness in Handling Information

It is frequently observed that, although institutions define a large number of organisational and technical security procedures, these are circumvented by the careless behaviour of employees. A typical example is the almost legendary sticky note on the monitor on which an access password is written. Similarly, hard disk encryption protects data at rest on a laptop, but it does not stop the person in the next seat on the train from reading confidential information straight off the screen. The best technical security solutions are of no avail if printouts containing confidential information are left at the printer or end up in freely accessible waste paper containers.

If employees are careless in their handling of information, the established information security processes become ineffective. Unauthorised persons could, for example, exploit negligence in the handling of information in order to deliberately engage in industrial espionage.

Lack of Acceptance of Information Security Requirements

There can be various reasons why employees do not implement information security requirements. These include, for example, a missing security culture within the institution or a lack of role-model behaviour by top management. Exaggerated security requirements can also lead employees to reject security measures. Problems can also arise from the fact that certain authorisations or the provision of specific hardware or software are seen as status symbols. Restrictions in these areas can meet with strong resistance.

Social Engineering

Social engineering is a method used to gain unauthorised access to information or IT systems by manipulating employees into disclosing information or taking actions. In social engineering, the attacker usually establishes direct contact with a victim, for example by telephone, email, or via social networks. Social engineering attacks are often multi-stage: by feigning inside knowledge while appealing to the target's willingness to help, the attacker uses each piece of information obtained to make the next step more credible. If employees are not sufficiently aware of this type of attack, they can be manipulated through skilful communication into acting improperly. This can lead to them disclosing internal information, their IT systems becoming infected with malware, or even transferring money to supposed business partners.

In so-called “CEO fraud”, for example, employees who are authorised to transfer funds on behalf of the institution are led to believe that they have received a fictitious instruction from management. They are supposed to carry out transactions for an allegedly urgent and confidential business matter that is described as vital to the institution’s continued existence.

Requirements

The following are the specific requirements of the building block ORP.3 Information Security Awareness and Training. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and reviewed in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. These SHOULD be filled insofar as this is sensible and appropriate.

Responsibilities              Roles
Primary responsibility        Information Security Officer (ISO)
Additional responsibilities   IT Operations, Supervisors, HR Department, Top Management

Exactly one role SHOULD hold Primary responsibility. There may also be Additional responsibilities. If one of these additional roles holds primary responsibility for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not indicate how many people are intended to fill these roles.

Basic Requirements

The following requirements MUST be fulfilled with priority for this building block.

ORP.3.A1 Raising Top Management Awareness of Information Security (B) [Supervisors, Top Management]

Top management MUST be sufficiently made aware of security issues. Security campaigns and training measures MUST be supported by top management. Before an information security awareness and training programme begins, the support of top management MUST be obtained.

All line managers MUST support information security by setting a good example. Managers MUST implement the security requirements. Beyond this, they MUST instruct their employees to comply with them.

ORP.3.A2 DISCONTINUED (B)

This requirement has been discontinued.

ORP.3.A3 Briefing of Personnel on the Secure Use of IT (B) [Supervisors, HR Department, IT Operations]

All employees and external users MUST be briefed on and made aware of the secure use of IT, ICS, and IoT components, insofar as this is relevant to their work contexts. Binding, comprehensible, and up-to-date policies for the use of the respective components MUST be available. If IT, ICS, or IoT systems or services are used in a manner that conflicts with the interests of the institution, this MUST be communicated.

Standard Requirements

Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be fulfilled.

ORP.3.A4 Design and Planning of an Information Security Awareness and Training Programme (S)

Information security awareness and training programmes SHOULD be oriented towards the respective target groups. To this end, a target group analysis SHOULD be carried out. It SHOULD be possible to tailor training measures to the specific requirements and differing prior knowledge of participants.

A target-group-oriented information security awareness and training programme SHOULD be created. This training programme SHOULD provide employees with all the information and skills required to be able to implement the security regulations and measures applicable within the institution. It SHOULD be reviewed and updated on a regular basis.

ORP.3.A5 DISCONTINUED (S)

This requirement has been discontinued.

ORP.3.A6 Conducting Information Security Awareness and Training Sessions (S)

All employees SHOULD receive training on information security topics in accordance with their tasks and responsibilities.

ORP.3.A7 Training on the IT-Grundschutz Methodology (S)

Information Security Officers SHOULD be familiar with IT-Grundschutz. If a training need is identified, appropriate IT-Grundschutz training SHOULD be planned. When planning training, the BSI’s online course on IT-Grundschutz SHOULD be taken into account. The methodology SHOULD be practised using practical examples during the training. It SHOULD be examined whether the Information Security Officer should obtain qualification as a BSI IT-Grundschutz Practitioner.

ORP.3.A8 Measurement and Evaluation of Learning Outcomes (S) [HR Department]

Learning outcomes in the area of information security SHOULD be measured and evaluated on a target-group-specific basis in order to determine the extent to which the objectives described in the information security awareness and training programmes have been achieved. The measurements SHOULD take into account both quantitative and qualitative aspects of the information security awareness and training programmes. The results SHOULD be incorporated in an appropriate manner into the improvement of the information security awareness and training offerings.

The Information Security Officer SHOULD regularly exchange information with the HR Department and the other points of contact relevant to security (data protection, occupational health and safety, fire protection, etc.) on the effectiveness of training and further education.

Requirements for High Protection Needs

The following are exemplary proposed requirements for this building block that go beyond the level of protection that represents the state of the art. The proposals SHOULD be considered in the case of high protection needs. The specific determination is made within the framework of an individual risk analysis.

ORP.3.A9 Specialised Training for Exposed Individuals and Institutions (H)

Particularly exposed individuals SHOULD receive in-depth training with regard to possible threats as well as appropriate behaviours and precautionary measures.

Additional Information

Good to Know

The International Organization for Standardization (ISO) provides requirements for the awareness and training of employees in the standard ISO/IEC 27001:2013 in chapter 7.2.

The Information Security Forum (ISF) defines various requirements for awareness and training of employees under PM2 in its standard “The Standard of Good Practice for Information Security”.

The BSI offers an online course on IT-Grundschutz at https://www.bsi.bund.de/grundschutzkurs that presents the IT-Grundschutz methodology.

The BSI offers a two-stage training concept on the topic of IT-Grundschutz. Through the training concept, participants can obtain evidence of being an IT-Grundschutz Practitioner and can go on to be certified by the BSI as an IT-Grundschutz Consultant.

A list of training providers that offer BSI training for IT-Grundschutz Practitioner and IT-Grundschutz Consultant can be found at https://www.bsi.bund.de/dok/128348.