Sample Security Awareness Policy

From HORSE - Holistic Operational Readiness Security Evaluation.


As stated in the Company Sample Information Security Program Charter, the Company will follow a risk management approach to develop and implement Information Security policies, standards, guidelines, and procedures. The Information Security Program will ensure that the Sample Information Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated and understood by establishing a Security Awareness Program to facilitate awareness.

This Security Awareness Policy defines Company objectives for establishing a formal Security Awareness Program, and specific standards for the education and communication of the Sample Information Security Program Charter and associated policies, standards, guidelines, and procedures.

I. Scope


All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, or who have been granted access to Company information or systems, are covered by this policy and must comply with associated standards and guidelines.

II. Objectives


The Company Sample Information Security Program Charter and relevant policies, standards and guidelines must be properly communicated to Company corporate and business unit management. Specific instructions and requirements for providing security awareness education and training for Company management are provided in the Sample Management Awareness Standard.

The Company Sample Information Security Program Charter and relevant policies, standards, and guidelines must be properly communicated to and understood by all newly hired Company employees. Newly hired Company employees must be provided with the appropriate security awareness education and training. Specific instructions and requirements for providing security awareness education and training for new Company employees are provided in the Sample New Hire Security Awareness Standard.

The Company Sample Information Security Program Charter and relevant policies, standards, and guidelines must be properly communicated to and understood by all contractors, partners and consultants. Specific instructions and requirements for providing security awareness education and training for contractors, partners, and consultants are provided in the Sample Third Party Security Awareness Standard.

All Company employees will be provided with recurring and ongoing education and training to ensure continued awareness, and address emerging risks or topics of interest. Specific instructions and requirements for providing security awareness education and training for Company employees are provided in the Sample Ongoing Security Awareness Standard.

All Company employees will be provided appropriate access to the Sample Information Security Program Charter and relevant policies, standards, and guidelines. Specific instructions are provided in the Security Awareness Standard.

III. Responsibilities


The Chief Information Officer (CIO) is the approval authority for the Security Awareness Policy.

The Chief Information Security Officer (CISO) is responsible for the development, implementation, and maintenance of the Security Awareness Policy and the associated standards and guidelines.

Company management is responsible for ensuring that the Security Awareness Policy and associated standards and guidelines are properly communicated and understood within their respective organizational units.

All individuals, groups or organizations identified in the scope of this policy are responsible for familiarizing themselves with and complying with the Security Awareness Policy and associated standards, guidelines, and procedures.

IV. Policy Enforcement and Exception Handling


Failure to comply with the Security Awareness Policy and associated standards, guidelines and procedures can result in disciplinary action up to and including termination of employment for employees, or termination of contracts for contractors, partners, consultants, and other entities. Legal action may also be taken for violations of applicable regulations and laws.

Requests for exceptions to the Security Awareness Policy should be submitted to <Title>. Exceptions shall be permitted only on receipt of written approval from <Title>.

V. Review and Revision


The Security Awareness Policy will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature


<Insert Name>


Chief Information Officer