So, a non-exhaustive list:
 
 - PCI Council: Best Practices for Implementing a Security Awareness Program - 10.2014
 
 - NIST: Special Publication 800-50 - 10.2003 - a short overview of the document can be found in Andrey Prozorov's post.
 
 - ENISA: The new users' guide: How to raise information security awareness - 11.2010
 
 - ISO: ГОСТ Р ИСО/МЭК ТО 13335-3—2007 "Methods and means of ensuring security" (ISO/IEC TR 13335-3:1998), Section 10.3 "Information security training for personnel", 1998/2007
 
 - ISO 27001
 
 - COBIT 5
 
 Incidentally, the PCI Council document is fairly recent and contains useful information. Below, for example, are the key audience types it identifies:
 
 
 
 In the end, the document itself refers back to NIST, COBIT and ISO 27001.
 
 It also proposes the following checklist (quoted here in the original English):
 
 Creating the Security Awareness Program

 - Identify compliance or audit standards that your organization must adhere to.
 - Identify security awareness requirements for those standards.
 - Identify organizational goals, risks, and security policy.
 - Identify stakeholders and get their support.
 - Create a baseline of the organization’s security awareness.
 - Create project charter to establish scope for the security awareness training program.
 - Create steering committee to assist in planning, executing and maintaining the awareness program.
 - Identify who you will be targeting—different roles may require different/additional training (employees, IT personnel, developers, senior leadership).
 - Identify what you will communicate to the different groups (goal is shortest training possible that has the greatest impact).
 - Identify how you will communicate the content—three categories of training: new, annual, and ongoing.

 Implementing Security Awareness

 - Develop and/or purchase training materials and content to meet requirements identified during program creation.
 - Document how and when you intend to measure the success of the program.
 - Identify who to communicate results to, when, and how.
 - Deploy security awareness training utilizing different communication methods identified during program creation.
 - Implement tracking mechanisms to record who completes the training and when.

 Sustaining Security Awareness

 - Identify when to review your security awareness program each year.
 - Identify new or changing threats or compliance standards and updates needed; include in annual update.
 - Conduct periodic assessments of organization security awareness and compare to baseline.
 - Survey staff for feedback (usefulness, effectiveness, ease of understanding, ease of implementation, recommended changes, accessibility).
 - Maintain management commitment to supporting, endorsing and promoting the program.
 - Document security awareness program including all previously listed steps within “Creating the Security Awareness Program,” “Implementing Security Awareness,” and “Sustaining Security Awareness.”

Secure your life!