Disseminating Policies

Question 1

Disseminating Policies

Answer 1

• Policies should be promoted/supported by a security
  education, training, and awareness (SETA) programme that
  helps employees do their jobs securely

Question 2

Education:

Answer 2

• Not everyone needs formal degree or certificate in info security
• But some roles may require certain employees to hold/attain
  info security academic qualifications or industry certification

Question 3

Training

Answer 3

• EVERYONE in an organisation needs to be trained and aware
  of information security
• Provides employees with hands-on instruction and detailed
  info designed to prepare them to perform duties securely
• Management of info security can develop customised in-house
  training or outsource training

Question 4

Awareness

Answer 4

• keeps info security at forefront of the user’s mind
• can be as simple as security posters, newsletters, flyers, etc
• may include printed mouse-pads or company mugs

Question 5

NCSC Guidance:
Good security governance should:

Answer 5

Link security activities to your organisation’s goals
and priorities identify the individuals, at all levels, who are
responsible for making security decisions and empower them
to do so

• Ensure accountability for decisions
• Ensure that feedback is provided to decision-makers on the
  impact of their choices
• Fit into an organisation’s wider approach to governance.
  Security needs to be considered alongside other business
  priorities, such as health and safety, or financial governance.

Question 6

Incidents happen

Answer 6

Preventive activities based on the results of risk assessments
can lower the number of incidents.

• but not all incidents can be prevented

An incident response capability is therefore necessary for:
* rapidly detecting incidents,
* minimising loss and destruction,
* mitigating the weaknesses that were exploited,
* and restoring IT services.