Information, Security & Privacy Matters Training (ISPM): eLearning Context and Design
Presentation for STEP, May 2007
Information, Security & Privacy Matters: The Challenge

The Problem
• The number of reported privacy incidents is increasing
• It is estimated that one million dollars of sensitive information is compromised every 90 seconds
• Policies and controls alone cannot deliver sufficient compliance in practice; effectiveness depends on the actions of people within the organization
• Increased electronic interactivity between banks and their customers has placed public focus on how banks manage information risk

The Situation
• Risk emerges from someone who is trusted and who interacts with sensitive corporate information as part of their everyday job
• There is no integrated, standardized, enterprise-wide training program to ensure employees are aware of their responsibility for security in the use of BMO FG computer assets and networks

Legislative and Bank Requirements
• The Personal Information Protection and Electronic Documents Act (PIPEDA) states: “Organizations shall implement policies and practices to give effect to the principles, including … training staff and communicating to staff information about the organization’s policies and practices”
• Governments and regulators have addressed information management threats through the implementation of 18 other North American acts, policies and programs
• In the 2005 Annual State of Privacy Report to the Conduct and Review Committee, the Privacy Office identified one gap in controls related to employee training and committed to developing a comprehensive, measurable, mandatory training program across Operating Groups to support privacy requirements in concert with Information Management and Information Security
Integrating Multiple Initiatives

The Request
• Privacy and compliance training delivered to the entire organization
• 3 other groups requesting regulatory and policy training: Information Security, Information Management, Desktop Security

The Opportunity
• Leverage the Privacy request as a catalyst to drive the integration of all 4 groups (Privacy, Information Management, Information Security, Desktop Security)

The Benefits
• Single deployment to users across the organization (instead of 4)
• Reduction in development and deployment costs
• Time savings: the 4 initiatives were each expected to take 2 hours; a single program eliminates administration and content duplication
Build vs. Buy Decision

Vendor Analysis
• No vendor could supply 100% of the currently defined content (IM, IS, Privacy)
• One vendor satisfied 50% of the content
• One vendor had applicable eLearning content readily available in both English and French
• Analyzed vendor integration options based on costs, risks and benefits
• Selected a vendor to provide content

External Experiences
• Meetings with TD, Scotia and Deloitte all indicated the number of modifications to range between 40 and 60%
• Implementation of vendor solutions typically requires a 9-14 month investment
• Experience from previous projects dealing with licensing: ownership disputes over who owns the customization of content and version control

Options
• Identified four vendor integration options:
  • Option 1: Vendor to develop, host, and license the total solution
  • Option 2: License content only from the vendor and customize
  • Option 3: Buy content from the vendor and customize
  • Option 4: BMO to develop, host and build the total solution
• Applied a cost and risk analysis that favored buying content (Option 3)

Decision
• Recommendation: buy existing content from the vendor and build the remaining content in house
• Purchase the specialized vendor content
• Customize the content locally and avoid ownership disputes
• Explore offshore development capabilities
The Solution

Project objectives:
• Increase awareness of the importance of managing and protecting information across the Bank
• Help mitigate the exposure of privacy, information, reputation, legal and regulatory risk to the Bank
• Comply with IM, IS, and Privacy regulatory requirements

Audience:
• 40,000 full-time and contract employees
• 6 business groups
• Primarily North America, and also Asia, Europe and the Caribbean
ISPM Learning Design

1. Learner Questionnaire: defines the Learning Path (LP)
• LP1: No PC, Internet or email
• LP2: LP1 + People Manager
• LP3: PC + Internet / email
• LP4: LP3 + People Manager
• LP5: LP3 + works at home / remote
• LP6: LP5 + People Manager
Average 2-3 hours depending on Learning Path (from 2 hrs for the shortest path to 3 hrs for the longest)

2. Introduction (Information Management): BMO Information Challenge

3. Privacy Topics*
• Privacy at BMO
• The Legislation
• The Key Principles
• Rules of Disclosure

4. Information Security Topics*
• What is Information Security?
• Entry Control
• Classifying Information
• Clear Desk Policy
• Secure Disposal
• Password Control
• Systems Integrity
• Virus Control
• Electronic Communication
• Email: Open with Care
• Internet Security
• Securing Your Home PC
• Remote Access
• Security Out of the Office
• Social Engineering
• Incident Reporting
• Management and IT Responsibilities

5. Awareness Assessment

*Avg. topic length = 7 min.
Reporting and Tracking

Legislative and Bank Requirement
• Organizational and Managerial Reporting:
  • Summary reports to meet legal requirements
  • Managers can view their entire managerial hierarchy
  • Managers can change only direct reports

The Problem
• Existing User Database:
  • World-wide employee feeds, with multiple inputs into HR databases
  • Anomalies include the frequency of updates, resulting in accuracy issues
  • Sufficient for internal reporting of employee training records
  • Insufficient for the rigor of compliance

The Solution
• Reengineered Database:
  • Collectively leveraged best practices from previous deployments and addressed each anomaly to maximize accuracy
  • Reduced administration service calls by giving managers local access and quality controls
  • Direct linkage to the HR system to correct anomalies (e.g. leaves of absence, seasonal employees)
  • Solution can be used for other deployments
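The two reporting rules above (a manager may view every record in their hierarchy but change only direct reports) are an access-control design worth pinning down precisely, because the same HR feed that scopes the report also drives the authorization decision. The following Python is an added example written for this page, not BMO's reporting system: it builds the management chain from a constructed HR feed, refuses to make a decision on an anomalous chain (dangling manager reference or cycle) instead of silently truncating it, and scopes the compliance summary to what the actor may see. The employee ids, record fields and sample scores are constructed; the 80% pass mark is the one stated in the program overview.

```python
"""Hierarchy-scoped training-record reporting (added example, not BMO code).

Models the two rules the slide states for managerial reporting: a manager may
VIEW every record below them in the management chain, but may CHANGE only
direct reports. Everything else is denied by default. The HR feed, the record
store and the field names are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed HR feed: employee id -> manager id (None marks the top of the tree).
MANAGER_OF: Dict[str, Optional[str]] = {
    "e1": None,   # top of the hierarchy
    "e2": "e1",
    "e3": "e1",
    "e4": "e2",
    "e5": "e4",
    "e6": "e3",
}

PASS_MARK = 80  # assessment pass mark stated in the program overview


@dataclass
class TrainingRecord:
    employee: str
    learning_path: str
    score: Optional[int] = None   # None: assessment not yet attempted


# Constructed training records, keyed by employee id.
RECORDS: Dict[str, TrainingRecord] = {
    "e4": TrainingRecord("e4", "LP3", 85),
    "e5": TrainingRecord("e5", "LP1", 70),
    "e6": TrainingRecord("e6", "LP5", None),
}


def chain_of_command(employee: str, manager_of=MANAGER_OF) -> List[str]:
    """Managers above `employee`, nearest first.

    A dangling manager reference or a cycle is an HR-feed anomaly. It is
    raised rather than silently truncated, because an incomplete chain would
    grant or deny access on the basis of bad data.
    """
    if employee not in manager_of:
        raise KeyError(f"unknown employee {employee!r}")
    chain: List[str] = []
    seen = {employee}
    cur = manager_of[employee]
    while cur is not None:
        if cur in seen:
            raise ValueError(f"cycle in management chain at {cur!r}")
        if cur not in manager_of:
            raise KeyError(f"manager {cur!r} missing from feed")
        seen.add(cur)
        chain.append(cur)
        cur = manager_of[cur]
    return chain


def feed_anomalies(manager_of) -> Dict[str, str]:
    """Run the chain check over every employee; map employee -> problem found."""
    problems: Dict[str, str] = {}
    for emp in manager_of:
        try:
            chain_of_command(emp, manager_of)
        except (KeyError, ValueError) as exc:
            problems[emp] = str(exc)
    return problems


def can_view(actor: str, target: str, manager_of=MANAGER_OF) -> bool:
    """Own record, or any record anywhere below the actor in the hierarchy."""
    return actor == target or actor in chain_of_command(target, manager_of)


def can_change(actor: str, target: str, manager_of=MANAGER_OF) -> bool:
    """Direct reports only; .get() keeps unknown targets on the deny side."""
    return manager_of.get(target) == actor


def view_report(actor: str, records=RECORDS, manager_of=MANAGER_OF):
    """Records the actor is allowed to see (the scoped managerial report)."""
    return {e: r for e, r in records.items() if can_view(actor, e, manager_of)}


def completion_summary(actor: str, records=RECORDS, manager_of=MANAGER_OF):
    """Counts for a compliance summary, computed only over visible records."""
    summary = {"passed": 0, "failed": 0, "not_attempted": 0}
    for rec in view_report(actor, records, manager_of).values():
        if rec.score is None:
            summary["not_attempted"] += 1
        elif rec.score >= PASS_MARK:
            summary["passed"] += 1
        else:
            summary["failed"] += 1
    return summary


def update_learning_path(actor, target, new_path, records=RECORDS, manager_of=MANAGER_OF):
    """Change a record; the authorization check sits inside the write path."""
    if not can_change(actor, target, manager_of):
        raise PermissionError(f"{actor!r} may not change {target!r}")
    records[target].learning_path = new_path
    return records[target]


if __name__ == "__main__":
    print(completion_summary("e2"))   # e2 sees e4 and e5 only
```

The design choice worth noting is that `can_change` does not reuse `can_view`: the two are separate predicates with separate data paths, so a future widening of the view rule cannot accidentally widen the write rule, and a feed anomaly fails closed for both.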
Questions
Appendix
Content Comparison
Breakdown of the content purchased vs. built, including DSP overlap:
• Buy (vendor content): 50% (IS/DSP + Privacy), with BMO modifications required
• Build (BMO): IM 20%, IS 26%, Privacy 4%
• DSP: new content build
Preliminary analysis shows significant overlap between the content in the DSP awareness project and the IM awareness project.
ISPM Learning Program Overview

There are five sections to the Information, Security and Privacy Matters learning program. The completion time is estimated at 2 to 3 hours in total, dependent on the learner’s familiarity with the content, speed and number of required modules. The learning can be completed over several sessions.

1. Learner Questionnaire: Initially users complete a brief learner questionnaire about their role, their location, and the technology they use. This determines which learning topics are applicable.

2. Information Management Scenarios (BMO Information Challenge): Next, users work through a series of 13 situations, providing advice on managing information appropriately. Their responses to these situations give a measure of their information awareness and feedback on specific issues.

3. Privacy Topics: The third section of the training focuses on privacy legislation and appropriate privacy practices. If users work in the US, their four privacy topics reflect US privacy legislation. If they work in Canada or any location other than the US, their four privacy topics reflect Canadian privacy legislation.

4. Information Security Topics: In the fourth section, users work through a variety of topics focused on aspects of information security. The number of topics required depends on each user’s role and technology environment, but they always have access to both applicable and optional topics.

5. Awareness Assessment: Finally, users complete an awareness assessment covering content from the information management, privacy, and information security sections of the program. To successfully complete this training users must achieve a score of 80% on this assessment. If they do not reach the 80% mark, they can review the topics and then try the assessment again until they achieve a score of 80%. There is no limit to the number of assessment attempts.