Recently, I was asked to complete a security awareness training at Check Point. It is considered a mandatory exercise for all employees. It consists of watching a brief presentation, taking a short multiple-choice test, virtually signing the security policy document, and providing a user validation question and answer.
The entire process took no more than 20 minutes. After having watched the presentation, I can tell you, with a fair degree of certainty what the different levels of classification are, what generally falls into each level of classification, and what my responsibilities are with respect to handling data in that classification. It was all done with clear language using examples I feel most people could relate to.
It is exactly the kind of policy presentation that any serious company should have. The reason: employees are often the weakest link in security. Educating employees on what the policy is vital to ensure corporate assets are protected.
Oh wait, you don't have a security policy? Well now, that is a problem.