User Awareness Training

Hi all, we have just revised our security awareness training programme. In our organisation (small setup), for new starters we give them basic IT security awareness training, i.e. password good practice, awareness of social engineering, shoulder surfing etc.

We have got a 3rd party external audit coming in soon and I wonder what sort of things they will pick us up on. Have you had similar audits, i.e. them auditing you that you are training your staff properly? What sort of things did they ask, recommend, highlight in their testing and findings?

In terms of documentation our training programme is documented, we record users' attendance etc, we don't allow exceptions, i.e. a corporate director still has to have it etc. Anything we are likely to have to do in addition to satisfy the external auditors?
pma111Asked:

kjanickeCommented:
Documentation, awareness, and auditing were key elements in our inspection which was held just a few weeks ago.

If you have a policy of not allowing wireless devices or cell phones in the building, do you actively seek those devices?  If company policy doesn't allow you to surf ebay at work, can you tell who is surfing ebay?  

What types of things do you audit, and do people actually look at the audits?

Proper markings (to the letter) of any regulation you have.  Are portable hard drives encrypted or allowed?

Do you have documented procedures for minor incidents and major disasters?  If you found somebody stealing computer hardware, do the other employees know what to do and who to contact?  Do your employees know where that documentation is?
0
pma111Author Commented:
Thanks kjanicke, what documentation did they ask you specific to training, was it training records or lots more? Regards
0
kjanickeCommented:
They did ask for signed copies of our authorized user policy.  It was some of the basic rules such as sharing passwords, surfing unprofessional web sites, using the computer for personal entertainment or profit, etc.

But they also asked how we were preventing or auditing the policy.

Having a central location for all documentation helped, but quite a few folks didn't know where it was, and there was almost too much stuff there.  Some documentation wasn't updated in years.
0
pma111Author Commented:
Thanks ever so much, some good advice. Cheers
0
kjanickeCommented:
Thanks
0