Security Awareness Policy (statement 1)
The Information Security (IS) team is responsible for promoting ongoing security awareness to all information system users. A Security Awareness program must exist to establish formal methods by which secure practices are communicated throughout the corporation. Security guidance must exist in the form of formal written policies and procedures that define the principles of secure information system use and the responsibility of users to follow them. Security awareness articles, posters, and bulletins should be periodically created and distributed throughout the corporation to educate employees about new and existing threats to security and how to cope with them. All employees are responsible for promptly reporting to their management and Information Systems (IS) management any suspected insecure conditions or security violations they encounter. All employees must be made aware of their security responsibilities on their first day of employment as part of the new-hire orientation program. All employees must comply with IS security policies by signing a compliance agreement that is retained in their personnel file. IS security policies and procedures must remain current and readily available (e.g., via the intranet site) so that information system users can review and understand them. Information Systems (IS) management must ensure that the terms and conditions of authorized system access are clearly communicated to potential users of those systems before access is granted. A formal process must exist to document that appropriate management was aware of and approved all access and privileges granted to corporate system users.
Justification:
Organizational security awareness is an essential part of the corporate security posture. Information is one of the most valuable assets owned by