Planning
By Patrick Paradis, Information Security Advisor
Cloud computing offers undeniable benefits to businesses, such as cost optimization, improved service levels and the use of on-demand services. However, cloud computing also entails significant security issues, such as the confidentiality of information. According to the National Institute of Standards and Technology (NIST), cloud computing is defined as “a model for enabling convenient, on-demand network access to a shared pool of configurable...
By Philip Veilleux, Information Security Advisor
Nowadays, information security is a very common term used in the business world. Previously, security was simply a matter of installing a firewall to protect a corporate network by adding barriers to prevent intruders from accessing it. In the last few years, information has become electronic, or should I say virtual, in its primary form. What used to be on hard copy or paper form is now stored, processed and transferred electronically, which makes...
By Patrick Paradis, Information Security Advisor
Technical vulnerabilities are weaknesses in operating systems or software. Exploiting a vulnerability can allow an attacker (e.g. a hacker) or malicious code to increase their access privileges in order to perform malevolent acts. It is therefore important to install security patches (software updates) as soon as possible to eliminate existing vulnerabilities. For individuals, it is recommended to enable security patches to be installed...
Problem:
One of the recurrent questions asked is: How to ramp-up an information security campaign? Sometimes, getting the participation of people just feels like a walk in the desert… Where is everybody!?
The question is complex as there are many...
I believe all security awareness trainers understand that most end users can’t really be “trained” in how to protect their systems and their corporate networks. However, if all systems are security protected and configured, security awareness training can assist in helping end users understand the security risks and know what mistakes to avoid making.
PCI DSS is primarily focused on technological solutions and most organizations have implemented anti-virus, firewalls, IPS, monitoring and...
Arguably, the most important part of your business case is being able to clearly communicate the costs and benefits of a program. Below is a suggestion for this final part of your business case.
Cost Benefit Analysis
Costs:
To fulfill the required mandate for a security awareness training program, we will need to allocate resources and purchase materials for this purpose. To ensure the program’s success on a long-term basis, we are requesting that a Security Awareness Training Manager be...
This blog entry provides you with a possibility for Section 5 of your business case in which you should discuss how the program will be managed and measured.
Security Awareness Program Management
An information security awareness steering committee will govern the program and will be ultimately responsible for ensuring the program’s success. Yearly, the business case will be reviewed and updates made by the committee. The committee will be responsible for appointing the manager of the...
Further building of the business case should include a review of how you will deliver the awareness program. This blog could be included as Section 4 of your business case.
Delivery Methods
The method of delivery will be dependent upon the overall goals and expectations of the program. Delivering content monthly would be ideal. However, more realistically, content will be delivered on a quarterly basis. An approach that combines communication of the upcoming training topic (via posters,...
As a follow-up to the last post, we are now working on Section 3 of the business case. In this section we review and detail the awareness program content. Here is the suggested sample content for this section:
Awareness Program Content
A robust content list fed to the end user on a monthly or quarterly basis will avoid information overload and will allow flexibility in the program so immediate response to current information security risks can be dealt with. A monthly or quarterly...
As discussed in the previous blog, building a business case for security awareness can be a daunting task. So, we are helping you by providing a section a week with content for your plan.
Following is a sample Introduction section for the security awareness business plan:
2. Introduction
2.1 Background/Business Need
Security of data has become critically important to all organizations regardless of their location. Our increasing dependence on information, digital or...