Information security briefing log
The sphere of activity of almost any company is inextricably linked with the processing of personal data of employees and presupposes the presence of a document management system.
Ensuring the safety of data constituting a commercial, state, professional or other secret is one of the main tasks facing the owner or manager.
Let's talk about checking knowledge on information security issues, learning accounting.
Purpose and focus of classes
To protect sensitive data and preserve their integrity, local legal regulations approve the procedure for training employees in security rules.
In order to form and maintain the required level of personnel qualifications, instructions on safety rules are developed taking into account:
- requirements of the law;
- information security standards;
- applied technologies;
- the degree of secrecy of data; and employee access to documents of strategic importance.
Regular training and testing of knowledge about data protection affects:
- the effectiveness of the methods used to ensure information security in the organization;
- speed of data processing and transmission, which may affect the effectiveness of production activities;
- prevention and reduction of the risk of information leakage, access to documents by strangers;
- reduction of potential deficiencies in information processing.
How often do specialists need to be trained?
There are several stages of training on the safety of use and data processing, the frequency of which is regulated. Be sure to conduct introductory, primary, repeated training in methods of protection using information technology. The rest - targeted and unscheduled - are carried out regardless of how much time has passed since the initial or re-examination of knowledge.
After signing an employment contract with new employees, students undergoing industrial practice, citizens sent by the employment center to perform public works, they conduct an introductory lesson. In fact, it is for informational purposes only.
The instructed person gets a general idea:
- on the rules of work organization, internal regulations, legal acts regulating activities and data protection;
- on measures taken to ensure the security of information, methods of work;
- on the procedure for action in the event of risks of leakage or violation of the integrity of the database, failure of the automated security system;
- on the procedure for notifying management in case of emergencies that threaten the life and health of people, destruction or distortion of data;
- about other nuances associated with the activities of the organization.
An entry is made in the journal under the personal signature of the newly hired employee, followed by a serial number, where the following should be recorded:
- date of reading the instructions;
- personal data of the instructed person - surname, name, patronymic in full;
- position, name of the structural unit that is the employee's permanent workplace under the terms of the employment contract;
- information about the official of the organization who conducted the training and knowledge testing.
Initial familiarization with the rules and responsibilities
It is conducted by an employee who is competent in information security issues on the written order of the manager before the admission of a new specialist to perform professional duties at the workplace.
The instruction includes a detailed description of the rules of employee behavior, taking into account the specifics of his activities, access to confidential and other data.
Initial training may include:
- instructing on the use of a personal computer;
- the procedure for processing personal data of other employees or clients available to a specialist to perform his job duties;
- ways of transmitting messages;
- rules for the storage of documents of particular importance;
- familiarity with the warning signals used in the workplace.
Familiarization with the rules regarding the protection of information is mandatory if increased requirements are imposed on the security of documents available to an employee by type of activity.
In the journal, a note is made on the passage of training for the newly hired employee, the date of his admission to the performance of professional duties is indicated.
Re-examination of knowledge
Every three years, personnel who have access to data, the loss or distribution of which could harm the organization, its employees and customers, is retrained. Knowledge is checked individually or with an entire group of specialists performing similar duties.
If it is necessary for an employee to perform work that is not part of his daily work duties, they are required to conduct a targeted lesson with him, focusing on the necessary data protection measures.
Unscheduled knowledge test
In the course of activities, additional measures may be required to ensure the proper level of knowledge and skills of employees working with information systems, the organization's software, having access to databases, and classified documents.
Unscheduled classes, regardless of the qualifications and work experience of the employee, are carried out:
- in the event of the introduction of new instructions regarding the protection of information, amendments to the existing legal acts;
- when changing the used media;
- with a long break in work (for example, in the case of a prolonged illness of a specialist);
- when modernizing technological processes and introducing new automated systems to ensure safety;
- after revealed violations of the rules for the use and transfer of data, other legal requirements.
Requirements for documentary registration of classes and knowledge testing
There are no unified forms of record keeping of training. Guided by the general rules of office work, pages are numbered in a specially kept journal. The document is stitched, the ends are fastened, certified by the signature of the responsible person, the head of the organization, with a seal (if any).
In the graded form, in order of priority, entries are made, for which they indicate:
- date and type of training;
- data on the instructed person;
- name of the instruction;
- information about the person who instructed.
Be sure to leave the columns for the signatures of the responsible person and the trained person.
The effectiveness of the information security policy adopted in the company largely depends on the attitude of the employees. In order to legally prosecute employees responsible for information leaks in the future, it is important to timely teach them the rules and check their knowledge.