Agency Security Education & Training
All the firewalls, operating system patches, and defenses are for naught if your agency staff is not properly trained on security protocol. One errant click or one opened file can leave your data vulnerable. Find out the clear steps to train agency staff.

I. New Employees

Make sure all new employees have signed an ISP (information security policy) and ensure that electronic safety is part of the onboarding training.

1. Start with basic computer dos and don'ts. Some existing resources are:
   InformationShield Employee Information Security Policy
   ACT/IIABA 'Written Information Security Policy' (WISP) (Note: access requires a Big 'I' ID and password)
   Downloadable free ISP template from InstantSecurity

II. Current Employees (each department)

1. Provide at least an annual IT update on current risks (preferably quarterly).
2. Have an emergency response plan that is reviewed on a regular basis.
3. Perform quarterly testing (at a minimum) to see how employees respond.
   a. Perform random, consistent phishing testing. Known resources are PhishMe and KnowBe4. These send out a customized bogus email that looks authentic and generate reports for leadership analysis and follow-up. The key is to train employee behavior to carefully review every email before opening it, thereby reducing risk.
   b. Monitor website activity from IT reporting, and limit access wherever applicable.
   c. Discuss what to look for in emails, websites, social posts, and all electronic interactions.
4. Daily: If a specific risk is identified, each department should be notified, and employees should be guided on what happened, what steps are being taken to fix the incident, and what actions

III. Departing Employees

1. Walk departing employee(s) to the door and check any boxes, etc., even if they are leaving on good terms.

Authors: Mary Hauri (Insurance Concepts In Motion, Inc.), Ron Berg (ACT)