Planning

Efficient follow-ups to ramp up your awareness campaign

Published on 10 June, 2011 - 15:23 by annieboulanger. Tags: Marketing and Communications, Planning
Problem: One of the recurrent questions asked is: How to ramp up an information security campaign? Sometimes, getting the participation of people just feels like a walk in the desert… Where is everybody!? The question is complex as there are many factors to consider: if the course is not mandatory, if high management is not involved, if, if, if… Instead of getting to the root of the problem, let’s talk about a proven “quick fix”: efficient follow-ups. Solution: All the people who...

End users can't be TRAINED

Published on 31 January, 2011 - 00:35 by Terranova. Tags: Courses, PCI DSS, Section 12.6, Planning
I believe all security awareness trainers understand that most end users can’t really be “trained” in how to protect their systems and their corporate networks. However, if all systems are security protected and configured, security awareness training can assist in helping end users understand the security risks and know what mistakes to avoid making. PCI DSS is primarily focused on technological solutions and most organizations have implemented anti-virus, firewalls, IPS, monitoring and...

Building the business case #6

Published on 20 December, 2010 - 10:56 by Terranova. Tags: business case, costs vs benefits, measurement, Planning
Arguably, the most important part of your business case is being able to clearly communicate the costs and benefits of a program. Below is a suggestion for this final part of your business case. Cost Benefit Analysis Costs: To fulfill the required mandate for a security awareness training program, we will need to allocate resources and purchase materials for this purpose. To ensure the program’s success on a long-term basis, we are requesting that a Security Awareness Training Manager be...

Building the business case #5

Published on 15 November, 2010 - 23:26 by Terranova. Tags: business case, measurement, metrics, program delivery, program plan, Planning
This blog entry provides you with a possibility for Section 5 of your business case, in which you should discuss how the program will be managed and measured. Security Awareness Program Management An information security awareness steering committee will govern the program and will be ultimately responsible for ensuring the program’s success. Yearly, the business case will be reviewed and updates made by the committee. The committee will be responsible for appointing the manager of the...

Building the business case #4

Published on 2 November, 2010 - 22:37 by Terranova. Tags: business case, communication plan, online training, reinforcement tools, Planning
Further building of the business case should include a review of how you will deliver the awareness program. This blog could be included as Section 4 of your business case. Delivery Methods The method of delivery will be dependent upon the overall goals and expectations of the program. Delivering content monthly would be ideal. However, more realistically, content will be delivered on a quarterly basis. An approach that combines communication of the upcoming training topic (via posters,...

Building the business case #3

Published on 13 October, 2010 - 22:36 by Terranova. Tags: awareness content, business case, communication, Planning
As a follow-up to the last post, we are now working on Section 3 of the business case. In this section we review and detail the awareness program content. Here is the suggested sample content for this section: Awareness Program Content A robust content list fed to the end user on a monthly or quarterly basis will avoid information overload and will allow flexibility in the program so that immediate response to current information security risks can be dealt with. A monthly or quarterly...

Building the Business Case #2

Published on 5 October, 2010 - 17:11 by Terranova. Tags: business case, security awareness initiative, Planning
As discussed in the previous blog, building a business case for security awareness can be a daunting task. So, we are helping you by providing you with a section a week to provide content for your plan. Following is a sample Introduction section for the security awareness business plan: 2. Introduction 2.1 Background/Business Need Security of data has become critically important to all organizations regardless of their location. Our increasing dependence on information, digital or...

Building the business case

Published on 29 September, 2010 - 15:33 by Terranova. Tags: business case, security awareness training, Planning
Many of our clients need to prepare a business case for security awareness training to present to management. So, we thought it might be helpful if we provide some of the content that you can use for this purpose. A section of the business case will be provided per week. For this entry, we will start with what a typical table of contents would look like for this exercise and I will also provide some sample content for the executive summary section. A typical business case table of contents...

Be afraid…be very afraid of the human factor

Published on 13 September, 2010 - 22:19 by Terranova. Tags: email attack, human factor, phishing, Marketing and Communications, News, Planning
The hacking attack on Google earlier this year is an excellent example of how an unsuspecting employee can undermine all the security controls that might be in place in an organization. The primary reason the attack was successful was due to an employee clicking on a link in a phishing email directing them to a website set up by the attackers, which then downloaded malware onto the employee’s computer. Once through, the attackers were able to infiltrate Google’s internal systems. (reference -...

The failure of security awareness programs

Published on 1 September, 2010 - 11:16 by Terranova. Tags: security awareness training, security policy, News, Planning
In many cases, security awareness programs fail because they are not tied to the overall company-wide security policies. In some cases, security policies and therefore security awareness training are not given the proper attention and buy-in required by key stakeholders within the company. According to www.windowssecurity.com, “The Security Awareness Program can be defined as one of THE key factors for the successful implementation of a company-wide security policy.” Clearly, the goals for any...