3.1.6 Cyber Security Awareness

No: 381000091275 Date(g): 24/5/2017 | Date(h): 28/8/1438

Effective from May 24 2017 - May 23 2017

Principle

A cyber security awareness program should be defined and conducted for staff, third parties and customers of the Member Organization.

Objective

To create a cyber security risk-aware culture where the Member Organization's staff, third parties and customers make effective risk-based decisions which protect the Member Organization's information.

Control considerations

1. The cyber security awareness programs should be defined, approved and conducted to promote cyber security awareness and to create a positive cyber security culture.

2. A cyber security awareness program should be defined and conducted for:

   a. staff of the Member Organization;

   b. third parties of the Member Organization;

   c. customers of the Member Organization.

3. The cyber security awareness program should target cyber security behaviors by tailoring the program to address the different target groups through multiple channels.

4. The activities of the cyber security awareness program should be conducted periodically and throughout the year.

5. The cyber security awareness program should at a minimum include:

   a. an explanation of the cyber security measures provided;

   b. the roles and responsibilities regarding cyber security;

   c. information on relevant emerging cyber security events and cyber threats (e.g., spear-phishing, whaling).

6. The cyber security awareness program should be evaluated to:

   a. measure the effectiveness of the awareness activities;

   b. formulate recommendations to improve the cyber security awareness program.
 
7. Customer awareness should address both retail and commercial customers and, at a minimum, include a listing of suggested cyber security mechanisms which customers may consider implementing to mitigate their own risk(s).