Skip to main content

This section of the ISM provides guidance on cyber security awareness training.

Providing cyber security awareness training

Organisations should ensure that ongoing cyber security awareness training is provided to all personnel in order to assist them in understanding their security responsibilities. The content of cyber security awareness training will depend on the objectives of the organisation; however, personnel with responsibilities beyond that of a standard user will require tailored content to meet their needs.

Security Control: 0252; Revision: 6; Updated: Jun-20; Applicability: O, P, S, TS
Cyber security awareness training is undertaken annually by all personnel and covers:

  • the purpose of the cyber security awareness training
  • security appointments and contacts within the organisation
  • authorised use of systems and their resources
  • protection of systems and their resources
  • reporting of cyber security incidents and suspected compromises of systems and their resources.

Security Control: 1565; Revision: 0; Updated: Jun-20; Applicability: O, P, S, TS
Tailored privileged user training is undertaken annually by all privileged users.

Reporting suspicious contact via online services

Online services such as email, internet forums, instant messaging apps and direct messaging on social media can all be used by an adversary in an attempt to elicit information from personnel. As such, personnel should be advised of what constitutes suspicious contact via online services and how to report it.

Security Control: 0817; Revision: 4; Updated: Jan-20; Applicability: O, P, S, TS
Personnel are advised of what suspicious contact via online services is and how to report it.

Posting work information to online services

Personnel should be advised to take special care not to post work information to online services unless authorised to do so, especially in internet forums and on social media. Even information that appears to be benign in isolation could, along with other information, have a considerable security impact. In addition, to ensure that personal opinions of individuals are not interpreted as official policy, personnel should be advised to maintain separate work and personal accounts for online services, especially when using social media.

Security Control: 0820; Revision: 5; Updated: Jan-20; Applicability: O, P, S, TS
Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted.

Security Control: 1146; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Personnel are advised to maintain separate work and personal accounts for online services.

Posting personal information to online services

Personnel should be advised that any personal information they post to online services, such as social media, could be used by an adversary to develop a detailed profile of their lifestyle in order to build a relationship with them. This relationship could then be used to attempt to elicit information or influence them to undertake specific actions, such as opening malicious emails or visiting malicious websites. Furthermore, encouraging personnel to use the privacy settings of online services can minimise who can view their information and interactions on such services.

Security Control: 0821; Revision: 3; Updated: Oct-19; Applicability: O, P, S, TS
Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information.

Sending and receiving files via online services

When personnel send and receive files via online services, such as instant messaging apps and social media, they often bypass security controls put in place to detect and quarantine malicious code. Advising personnel to only send and receive files via authorised online services will ensure files are appropriately protected and scanned for malicious code.

Security Control: 0824; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Personnel are advised not to send or receive files via unauthorised online services.

Further information

Further information on email usage policy can be found in the email usage section of the Guidelines for Email.

Further information on web usage policies can be found in the web proxies section of the Guidelines for Gateways.

Further information on detecting socially engineered messages be found in the Australian Cyber Security Centre (ACSC)’s Detecting Socially Engineered Messages publication at https://www.cyber.gov.au/acsc/view-all-content/publications/detecting-socially-engineered-messages.

Further information on the use of social media can be found in the ACSC’s Security Tips for Social Media and Social Networking Apps publication at https://www.cyber.gov.au/acsc/view-all-content/publications/security-tips-social-media-and-social-networking-apps.

Further information on the sanitisation of documents before posting them to authorised online services can be found in the ACSC’s An Examination of the Redaction Functionality of Adobe Acrobat Pro DC 2017 publication at https://www.cyber.gov.au/acsc/view-all-content/publications/examination-redaction-functionality-adobe-acrobat-pro-dc-2017.