CAF - B6.a Culture

This article provides additional information on how you can meet the requirement for the CAF control B6.a Culture.

Promoting a Positive Cyber Security Culture

A strong cyber security culture helps ensure staff understand their responsibilities and feel confident raising concerns that could impact the services delivered to clients.

Leadership Commitment

  • Executive management should communicate the organisation’s security priorities and objectives.

  • Leaders should be visibly involved in cyber security activities.

  • Management system objectives should be maintained and shared through Adoptech so staff understand the focus areas.

Open Reporting

  • Staff should be encouraged to report security concerns or incidents without fear of blame.

  • Reports can be submitted via the organisation’s incident response email.

  • All concerns should be taken seriously and handled promptly.

Shared Responsibility

  • Teams should work together on security improvements.

  • Individuals who support strong security practices can be recognised for their contributions.

  • The Incident Management Plan should ensure everyone understands how to respond to issues.

Continuous Improvement

  • Organisations should regularly review how effectively security is communicated and understood.

  • Security objectives, messaging and processes should be updated where needed to keep the culture strong and aligned with evolving risks.