Local information security - STEP 2
The activities in STEP 2 focus on increasing insight and knowledge about information security through awareness, following up on implemented initiatives, and on identifying areas for improvement.
Activities
The activities listed under STEP 2 are minimum requirements. If the risk assessment requires further measures, these will be carried out locally.
- Increase employee knowledge about information security so they understand their roles and responsibilities.
- Follow up on initiatives launched - what is their status and what can we do better.
- Select what we want to measure and how, in order to ensure that developments are monitored.
- Review vulnerabilities and threats – are they still relevant and/or have new ones emerged?
- Prepare/document processes for any planned changes.
Awareness initiatives can be performed in many ways (e-learning, quizzes, lessons, posters, videos, leaflets, etc.), and they are an important part of creating a good security culture locally.
Risk management and consequences of any possible incidents should be balanced against the unit management’s risk tolerance.
Information and information assets must be secured using appropriate measures based on a risk assessment and in accordance with data classification.
