Security awareness program
I'm a project manager for implementing information security in my company. I would like to put together an awareness program. Do you have any examples in the form of a framework or approach, with specific steps and areas to cover that I can follow?
There's no short answer to building an effective awareness program, but when I build them I start by addressing the following ten challenges:

- A genuine belief in the importance of employee awareness:
  - To keep management happy
  - To avoid legal risks
  - To meet regulatory requirements
  - To strengthen security defenses
  - To reinforce policy awareness
  - To target and change specific behavior

- Needs the complete support of management.
- Needs the necessary budget.
- Must include management-backed consequences for failure.

- You must understand how much they know and how well they can learn.
- They must be convinced and committed.

- How will the audience access the program: how many countries/languages; access to a PC, a high-speed connection, video?
- What is their attention span/time availability?
- Will there be any follow-up?

- Paper -- manuals, newsletters
- E-mail -- daily, weekly or monthly reminders
- Web is best, but do they have easy access?

- Focus on changing attitudes and behavior before demanding compliance.
- Choose the most important messages.
- Divide them into short lessons, typically 10-16 in total.
- Deliver the lessons in short bursts: 20 minutes max for effective retention.
- Use a variety of formats: text, Flash, video, audio, PowerPoint.

- Use testing to measure retention and effectiveness.
- Use testing to measure compliance and participation.
- Use testing to identify knowledge gaps and security weaknesses.
- Use testing to sell to management.

- There must be some...
  - For failing to participate.
  - For failing to complete.
  - For failing to comply.
- That's why management support is essential.

- All employees and managers must participate.
- Participation should be rewarded -- certification and prizes.

- Response must be encouraged and measured.
- Feedback must be encouraged and simple.
- Feedback must be fed back, to fix gaps and improve the impact.
This was first published in January 2002