I'm a project manager for implementing information security in my company. I would like to put together an awareness program. Do you have any examples in the form of a framework or approach, with specific steps and areas to cover that I can follow?
There's no short answer to building an effective awareness program, but when I build them I start by addressing the following ten challenges:
A genuine belief in the importance of employee awareness.
To keep management happy
To avoid legal risks
To meet regulatory requirements Goals
To strengthen security defenses
To reinforce policy awareness
To target and change specific behavior Commitment
Needs the complete support of management
Needs the necessary budget
Must include management-backed consequences for failure Audience
You must understand how much they know and how well they can learn.
They must be convinced and committed.
How will the audience access the program: how many countries/languages; access to PC, high speed connection, video.
What is their attention span/time availability?
Will there be any follow up? Delivery System
Paper -- manuals, newsletters
E-mail -- daily, weekly or monthly reminders
Web is best, but do they have easy access?
Focus on changing attitudes and behavior before demanding compliance.
Choose the most important messages.
Divide them into short lessons, typically 10-16 in total.
Deliver the lessons in short bursts.
20 minutes max for effective retention.
Use a variety of formats: text, Flash, video, audio, PowerPoint. Measurement
Use testing to measure retention and effectiveness.
Use testing to measure compliance and participation.
Use testing to identify knowledge gaps and security weaknesses.
Using testing to sell to management. Consequences
There must be some...
For failing to participate.
For failing to complete.
For failing to comply.
That?s why management support is essential. Participation
All employees and managers must participate.
Participation should be rewarded ? certification and prizes. Response
Response must be encouraged and measured.
Feedback must be encouraged and simple.
Feedback must be fed back, to fix gaps and improve the impact.
For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Security Management
Dig Deeper on Security Awareness Training and Internal Threats-Information
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.