Once your organization has developed and documented its ICS security policies, standards and procedures, it is critical to make sure that personnel are aware of the existence and importance of these materials. There are two parts to such a program.
The first is to conduct an awareness program. An awareness program focuses on ensuring that personnel throughout your organization are aware of company policies, standards and best practices. To be successful, the awareness program should be communicated by senior management to all applicable employees. It should then be followed up with regular communications to continually remind people of the program.
The second is a training program that provides personnel with job-relevant information on how to apply security and what to do if they suspect there is a security breach. This training cannot be a “one size fits all” program. Different personnel have different responsibilities, and this will need to be reflected in the training program. We highly recommend developing a role-based training program for control system security.
Designing a role-based training program starts with identifying the major job roles in your company. Next, the training needs are identified for each role. For example, you may identify the following main roles in your organization: visitors, contractors, operations, maintenance, engineering, management, executives, etc.
Visitor training might focus on defining allowed and prohibited activities while on site, while engineering training might focus on the secure configuration and use of key network assets. Management training might focus on how to respond when an employee reports a possible security breach. To help sort this out, we recommend developing a training matrix which lists the training topics on one axis and the roles on the other.
Once the matrix has been developed, the training content can be designed. We find a modular approach to developing the course materials is ideal; it allows materials to be easily combined and customized for particular roles. Many organizations are using computer-based training very effectively, particularly for high-level training. Regardless of your approach, it is important to keep records of who has attended the training and to include knowledge assessments in order to ensure the information was properly understood.