# Awareness & Cyber Hygiene

## Awareness Program

### Ongoing Measures

| Measure | Description | Interval |
|---|---|---|
| Phishing simulation | Realistic phishing emails sent to all employees | Semi-annually |
| Security advisories | Current warnings for relevant threats (e.g., new phishing wave) | Event-driven |
| Onboarding briefing | Security induction for new employees | Upon joining |
| Annual mandatory training | Refresher on all basic topics | Annually |

### Phishing Simulation

| Aspect | Description |
|---|---|
| Frequency | 2x per year |
| Difficulty level | Varies (basic to advanced) |
| Evaluation | Click rate, report rate, department comparison |
| Remedial training | Automatic for employees who clicked |
| Target click rate | < 5% |

## Cyber Hygiene Rules

### Workplace

| Rule | Description |
|---|---|
| Screen lock | Automatic after 5 minutes of inactivity |
| Clean desk | No confidential documents left in the open |
| Removable media | USB drives only with IT approval |
| Personal devices | No access to corporate data from personal devices without MDM |

### Passwords & Authentication

| Rule | Description |
|---|---|
| Password manager | Mandatory for all employees |
| Unique passwords | Each service receives its own password |
| MFA | Enabled for all external services and admin access |
| Password sharing | Prohibited; access only via personalized accounts |

### Communication

| Rule | Description |
|---|---|
| Suspicious emails | Do not open, do not forward, report to ISO |
| Confidential data | Transmit only via encrypted channels |
| Public networks | Use only with VPN |
| Unknown callers | Never disclose credentials or internal information |

## Documentation

| Evidence | Description | Retention |
|---|---|---|
| Training completion | Attendance confirmation per module | Minimum 3 years |
| Phishing results | Aggregated statistics per campaign | 2 years |
| Onboarding confirmation | Signed security policy acknowledgment | Duration of employment |