All individuals working at the data center should attend a security awareness training/orientation at a level appropriate for their function within the organization. There should be regular refresher courses and updates relevant to the job role. Appropriate records of such training, including details of attendees, instructors and signed attendance records need to be maintained.
The security awareness program should include, but not be limited to:
- Overall security policies of the organization.
- Specific security requirements of the department/function of the individual.
- Behavioural considerations (e.g. no company or customer information to be posted on social media).
- Security incident reporting structure including relevant details (e.g. contact numbers).
The organization should define a policy to determine who should attend which type of security awareness training/orientation. The type of training/orientation for individuals external to the organization should be defined based on the level of on-site presence and interaction within the data center facility.
The organization should continuously re-affirm its security policies by creating additional security awareness programs (e.g. posters, email campaigns).