cc2-2 Medium priority Security / Communication and Information

Security information is communicated internally

Employees and relevant stakeholders need to receive security information appropriate to their role. Engineers need to know about secure coding standards. All staff need to know how to report a suspected incident. Finance needs to know about phishing risks. Internal security communication is how an organization converts policy documents into actual behaviour at the team level.

Complete first: cc1-1

Implementation steps

  1. Define what security information each audience needs

     Map out the internal audiences (all employees, engineers, IT admins, executives, new hires) and what security information is relevant to each. All staff need: how to report incidents, phishing awareness, acceptable use. Engineers need: secure coding guidelines, vulnerability disclosure process. Executives need: risk posture summaries.

     Tools: Confluence, Notion
  2. Maintain a security knowledge base

     Publish security policies, procedures, and guidelines in a location all employees can find. A dedicated security section in your internal wiki is ideal. Include: how to report an incident, the acceptable use policy, the data classification policy, and contact information for the security team.

     Tools: Confluence, Notion, Google Sites
  3. Establish a security communication channel

     Create a dedicated channel for security announcements. Use it to push timely communications: new phishing campaigns, policy updates, required actions, drill results. Make it easy for employees to ask security questions and get answers. Keep a record of what was sent and when, since this is the evidence an auditor will ask for.

     Tools: Slack, Microsoft Teams, email

Evidence required

Security knowledge base or intranet

Evidence of a published, accessible internal security resource.

  • Confluence or Notion security page with policies and contacts
  • Security section in employee handbook
  • Internal wiki showing security procedures and guidelines

Records of security communications

Evidence that security information is actively communicated to employees.

  • Slack #security-announcements channel history
  • Email records of security policy updates sent to all staff
  • Security training completion notifications

Related controls