The Need for Security Awareness Programs

bbenoit

Presentation Transcript


  1. The Need for Security Awareness Programs

  2. Agenda • The Need for Security Awareness Programs • Security Awareness as a Product • Phase 1 – Identify Target Audiences and Product • Phase 2 – Identify Product Distribution Methods • Phase 3 – Obtain Management Support • Phase 4 – Product Launch • Phase 5 – Effectiveness Assessment • Ongoing Enhancements • Ideas for Customized Campaigns • Conclusion

  3. The Need for Security Awareness Programs Implementing a strong information security awareness program (ISAP) can be a very cost-effective method of protecting critical information assets. An effective ISAP is needed to help all employees understand: • Why they need to take information security seriously • What they gain from active participation and support • How a secure environment helps them complete their assigned tasks

  4. The Need for Security Awareness Programs Like any other marketing or sales organization, the CISO (Corporate Security Officer/Organization/Office) needs to develop, market, support, and improve a product – in this case, the product is awareness: • Disseminated in several formats • Structured by specific campaigns • Provided by diverse delivery techniques. To bring this product to the customer – employees and management – several phases must occur.

  5. Phase 1 – Identify Target Audiences and Product

  6. Phase 1 – Identify Target Audiences and Product The awareness program’s messages (product) must be prioritized and segmented by target audience (general, management, technical, etc.). During this phase: • Campaign themes will be established • Customer audiences will be defined and targeted • The product will be defined (email, mascots, desktop systems, posters, gadgets, others) • Delivery schedules will be defined • Specification for ongoing support will be defined

  7. Phase 1 – Identify Target Audiences and Product (cont) Also during this phase: • Benchmark statistics will be captured (help desk calls, trouble tickets, logs, system level availability, system service calls, incident post-mortem reports) • Success criteria will be defined • Roles and responsibilities for ownership and stewardship will be defined • A pilot group will be selected and informed of their role

  8. Phase 1 – Identify Target Audiences and Product (cont) Budgets must be discussed in this phase!!!!!!

  9. Phase 2 – Identify Product Distribution Methods

  10. Phase 2 – Identify Product Distribution Methods In order to bring the product to the target customer in a cost-effective and timely manner, proper distribution channels must be established and schedules developed. The product must be culturally acceptable to the organization, and may be distributed formally or informally. Some distribution will be mandated by management (new-hire orientations, quarterly meetings, or management review processes). In other cases, the product distribution may depend on the target audience (surveys or drawings). Product may also be distributed by “drop” mechanisms.

  11. Phase 2 – Identify Product Distribution Methods (cont) Potential channels for distribution include: • Audio (voice mail, help center recordings) • Video (kiosks, CCTV, customized or purchased) • Formal Training (scheduled or one-time) • Orientations (new hire, mergers and acquisitions) • Posters (humorous or serious) • “Lunch & Learn” (full cafeteria or special sessions) • Desktop Systems (calendars, Web-based reminders)

  12. Phase 3 – Obtain Management Support

  13. Phase 3 – Obtain Management Support The most successful ISAPs have full management endorsement and enthusiastic support from the highest levels of the company. During this phase: • You will need to be motivator, cheerleader, and politician • Management will receive progress reports and product samples • Schedules for product launch will be formalized • Messages from management announcing the ISAP will be issued

  14. Phase 3 – Obtain Management Support (cont) Also during this phase, certain traditional I/T functions should be noted and executed: • Take the traditional “test” to “quality assurance (QA)” to “production” stance • Ensure that activities are listed as formal projects on change control proceedings and/or production schedules • Obtain support and authorization from Legal, Public Relations, or Corporate Security departments

  15. Phase 4 – Product Launch

  16. Phase 4 – Product Launch The ISAP has (hopefully) already been publicized in Phase 3. When the launch date is selected, activities in this phase include: • Distribution channels will be established as identified in Phase 2 • Support processes will be enabled • Distribution schedules will be finalized • The project moves from “test” status to “QA” status

  17. Phase 4 – Product Launch (continued) Several points to consider during the product launch: • Follow-up meetings may be scheduled (“test panels”) • Survey forms and evaluations should be provided • “Thank-you” tokens for pilot participants may be in order • Feedback to pilot participants is important!!!!

  18. Phase 5 – Effectiveness Assessment

  19. Phase 5 – Effectiveness Assessment The implementation should now be considered in “production” status, based on the following results. The ISAP should show results in tangible measurements based on Phase 1 benchmarking: • Fewer help center calls • Closer adherence to standards • Fewer incidents requiring response • Improved SLA metrics

  20. Phase 5 – Effectiveness Assessment The ISAP should also show results in intangible measurements based on Phase 4 follow-up: • Increased employee enablement • Employee pride in ownership • Increased understanding of organizational goals • Increased productivity • Improved performance

  21. Ongoing Enhancements

  22. Ongoing Enhancements The ISAP should be evaluated at the end of every campaign (or at least quarterly) to assess impact and benefit to the organization.

  23. Ideas for Customized Programs

  24. Ideas for Customized Campaigns • AntiVirus • Data Classification • Business Cycle (sales, R&D) • Laptop Safety • Physical Security • Privacy • Regulatory (HIPAA, GLB, 21CFR11)

  25. Conclusion Hopefully, you now have a fresh approach to building a security program that delivers meaning and value to the entire organization. Questions and comments are welcome at this point!
