The Need for Security Awareness Programs. Agenda 1)The Need for Security Awareness Programs...
Transcript of The Need for Security Awareness Programs. Agenda 1)The Need for Security Awareness Programs...
Agenda
1) The Need for Security Awareness Programs
2) Security Awareness as a Product
3) Phase 1 – Identify Target Audiences and Product
4) Phase 2 – Identify Product Distribution Methods
5) Phase 3 – Obtain Management Support
6) Phase 4 – Product Launch
7) Phase 5 – Effectiveness Assessment
8) Ongoing Enhancements
9) Ideas for Customized Campaigns
10) Conclusion
The Need for Security Awareness Programs
Implementing a strong information security awareness program (ISAP) can be a very cost-effective methods of protecting critical information assets. An effective ISAP is needed to help all employees understand:
Why they need to take information security seriously
What they gain from active participation and support
How a secure environment helps them complete their
assigned tasks
The Need for Security Awareness Programs
Like any other marketing or sales organization, the CISO (Corporate Security Officer/Organization/Office) needs to develop, market, support, and improve a product – in this case, the product is awareness:
Disseminated in several formats
Structured by specific campaigns
Provided by diverse delivery techniques.
To bring this product to the customer –employees and management – several phases must occur.
Phase 1 – Identify Target Audiences and Product
The awareness program’s messages (product) must be prioritized and segmented by target audience (general, management, technical, etc.). During this phase:
Campaign themes will be established
Customer audiences will be defined and targeted
The product will be defined (email, mascots,
desktop systems, posters, gadgets, others)
Delivery schedules will be defined
Specification for ongoing support will be defined
Phase 1 – Identify Target Audiences and Product (cont)
Also during this phase:
Benchmark statistics will be captured (help desk calls,
trouble tickets, logs, system level availability, system
service calls, incident post-mortem reports)
Success criteria will be defined
Roles and responsibilities for ownership and
stewardship will be defined
A pilot group will be selected and informed of their role
Phase 1 – Identify Target Audiences and Product (cont)
Budgets must be discussed in this phase!!!!!!
Budgets must be discussed in this phase!!!!!!
Phase 2 – Identify Product Distribution Methods
In order to bring the product to the target customer in a cost-effective and timely manner, proper distribution channels must be established and schedules developed.
The product must be culturally acceptable to the organization, and may be distributed formally or informally. Some distribution will be mandated by management (new-hire orientations, quarterly meetings, or management review processes). In other cases, the product distribution may depend on the target audience (surveys, or drawings). Product may also be distributed by “drop” mechanisms.
Phase 2 – Identify Product Distribution Methods (cont)
Potential channels for distribution include:
Audio (voice mail, help center recordings)
Video (kiosks, CCTV, customized or purchased)
Formal Training (scheduled or one-time)
Orientations (new hire, mergers and acquisitions)
Posters (humorous or serious)
“Lunch & Learn” (full cafeteria or special sessions)
Desktop Systems (calendars, Web-based reminders)
Phase 3 – Obtain Management Support
The most successful ISAPs have full management endorsement and enthusiastic support from the highest levels of the company. During this phase: You will need to be motivator, cheerleader, and
politician
Management will receive progress reports and
product samples
Schedules for product launch will be formalized
Messages from management announcing the ISAP
will be issued
Phase 3 – Obtain Management Support (cont)
Also during this phase, certain I/T traditional functions should be noted and executed:
Take the traditional “test” to ”quality assurance (QA)”
to ”production” stance
Ensure that activities are listed as formal projects on
change control proceedings and/or production
schedules
Obtain support and authorization from Legal, Public
Relations, or Corporate Security departments
Phase 4 – Product Launch
The ISAP has (hopefully) already been publicized in Phase 3. When the launch date is selected, activities in this phase include:
Distribution channels will be established as identified
in Phase 2
Support processes will be enabled
Distribution schedules will be finalized
The project moves from “test” status to “QA” status
Phase 4 – Product Launch (continued)
Several points to consider during the product launch: Follow-up meetings may be scheduled (“test panels”)
Survey forms and evaluations should be provided
“Thank-you” tokens for pilot participants may be in
order
Feedback to pilot participants is important!!!!
Phase 5 – Effectiveness Assessment
The implementation should now be considered in “production” status at this time, based on the following results:
The ISAP should show results in tangible measurements based on Phase 1 benchmarking: Fewer help center calls
Closer adherence to standards
Fewer incidents requiring response
Improved SLA metrics
Phase 5 – Effectiveness Assessment
The ISAP should also show results in intangible measurements based on Phase 4 follow-up: Increased employee enablement
Employee pride in ownership
Increased understanding of organizational goals
Increased productivity
Improved performance
Ongoing Enhancements
The ISAP should be evaluated at the end of every campaign (or at least quarterly) to assess impact and benefit to the organization.
Ideas for Customized Campaigns
AntiVirus
Data Classification
Business Cycle (sales, R&D)
Laptop Safety
Physical Security
Privacy
Regulatory (HIPAA, GLB, 21CFR11)