Personnel are made aware of their responsibilities for protection and acceptable use of IT, OT, and information assets
Context and Guidance: Employees and other users of the organisation’s IT, OT, and information assets should be informed about their own responsibilities for the protection and acceptable use of those assets. The organisation should define methods for clearly communicating responsibilities, such as periodic security awareness training and policies. An acceptable use policy, for example, can establish the boundaries of acceptable behaviors when using the organisation’s systems and data, such as disallowing password syncing and reuse across systems, or disallowing the use of personal password vaults to commingle management of both personal and organisational passwords. Organisations may consider supplemental training for users who have access to IT, OT, and information assets with greater protection requirements. To reinforce expectations of required protection of more sensitive IT, OT, and information assets, organisations may consider creating goals and objectives for users around protection requirements for these assets.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: WORKFORCE-1e, WORKFORCE-1g.