B6.a Culture
Key Point:
Your organisation must develop and maintain a positive culture around information assurance.
Overview:
This outcome requires your organisation to foster an environment where cyber security and information governance (IG) are valued. Staff must feel comfortable raising concerns and reporting issues, and must understand the importance of information assurance in their roles. A negative culture, where staff feel discouraged from reporting incidents, can lead to severe vulnerabilities going unnoticed.
How to Meet the Requirement:
- Establish a just culture, where staff are encouraged to report incidents, breaches, and near misses without fear of reprimand.
- Ensure executive management plays a visible role in supporting cyber security and IG, discussing these topics at board meetings, sponsoring initiatives, and leading by example.
- Educate all staff on their personal responsibility in maintaining information security and the correct procedures for handling data securely.
- Empower staff to report irregular behaviour or potential issues, ensuring the reporting process is clear and free from conflicts of interest.
Evidence to Provide:
To demonstrate compliance, you could submit:
- Documentation on policies and procedures for reporting concerns.
- Records of staff reporting phishing emails, breaches, or other security issues.
- Minutes and terms of reference from meetings where security culture was discussed.
- Training materials used to promote a positive information assurance culture.
Indicators of Good Practice:
- Executive management communicates the importance of a positive information assurance culture, with clear attitudes and behaviours reflected across the organisation.
- All staff understand their role in protecting information and can articulate how they contribute to the security of the organisation’s systems and data.
- Staff routinely report concerns about information security and are recognised for their contributions.
B6.b Training
Key Point:
All staff supporting your essential functions must receive appropriate information assurance training tailored to their roles.
Overview:
This outcome requires your organisation to implement comprehensive and role-specific training for all staff. Each staff group should understand the level of information assurance necessary for their duties, and training should cover cyber security, confidentiality, and information governance.
How to Meet the Requirement:
- Conduct a Training Needs Analysis (TNA) to assess the level of training needed for different staff roles, from senior leaders to frontline staff. The TNA should be a living document that evolves with your organisation’s needs.
- Implement role-specific training, ensuring that employees with higher levels of access or responsibility receive additional, specialised training.
- Ensure training is continuous and regularly updated based on new risks, changes in legislation, and staff feedback. Use tools like the DSPT’s TNA template to track and refresh your training programmes.
- Consider using national resources such as NHS England’s IG portal and the NCSC for up-to-date guidance and training materials.
Evidence to Provide:
To support this outcome, examples of evidence include:
- Training policies and procedures that outline your organisation’s approach to information assurance training.
- A Training Needs Analysis or equivalent document that assesses the appropriate training paths for different roles.
- Training materials, such as presentations, e-learning modules, or videos used for information assurance training.
- Minutes and terms of reference from relevant meetings discussing training needs and improvements.
Indicators of Good Practice:
- Training paths are followed by all staff, from the most junior to the most senior, with role-appropriate information assurance education.
- Staff members can articulate the importance of training in their role and demonstrate awareness of key security principles.
- The TNA is regularly updated to reflect organisational changes and new security challenges.
At Periculo, we help you build a culture where security and governance are second nature. From designing engaging staff training programmes to cultivating a reporting environment that encourages transparency, we ensure your team is prepared to protect your critical functions. Contact us today to elevate your staff awareness and training initiatives!