Annex D: Outline of Scottish Government Security Awareness, Training and Education Programme
1. This annex sets out details of the Scottish Government's Security Awareness, Training and Education Programme. Products developed under this programme will be adapted and made available for general use by the wider Scottish public sector.
2. The Scottish Government is in the process of developing a new Corporate Security Awareness, Training and Education programme – "Security Action for Everyone" ( SAFE) – which will improve all aspects of security behaviours by engaging with staff to develop a culture of security awareness which will reduce the likelihood of a successful physical or online attack.
3. The scope of the SAFE programme has evolved from a purely cyber awareness, training and education programme to a broader security behavioural change programme that now includes cyber, IT, physical, personnel and counter terrorism. This change in focus follows conversations with exemplar organisations. As the Centre for the Protection of National Infrastructure states: "Effective protective security requires the integration of physical, personnel and people, and cyber security measures."
4. The main objectives of the SAFE Programme are:
- Compliance with data protection regulations, Code of Conduct, IT Security Policy.
- Ensure employees understand and comply with policies, processes, and procedures.
- Identify top seven human risks to the Scottish Government and reduce those risks.
- Improve incident response by enabling employees to identify and report an incident.
- Implement metrics activities to track and report on the impact of the programme.
5. The SAFE programme will focus on 7 themes, with clearly defined key messages using a range of activities including primary online training and reinforcement activities such as events, webcasts, screensavers, corporate communications and phishing exercises. These themes are:
- Access – Passwords and Passes
- Phishing and Social Engineering
- You're a target!
- Clear workspace
- Remote working
- Report it!
6. The SG Security ATE Programme begins content development in Autumn 2017 and roll-out of the programme in 2018/19.
7. For more information on this project please contact: SG Cyber Resilience Unit: firstname.lastname@example.org