Add to collection(s) Add to saved
  1. Business
  2. Management
  3. Project Management

– Security Awareness Program Execution Plan

advertisement 
Security Awareness Program –
Execution Plan
Last Updated: August 2, 2013
Table of Contents
1. Executive Summary ...................................................................................................................... 3
2. Steering Committee ...................................................................................................................... 3
3. Who .................................................................................................................................................... 3
4. What ................................................................................................................................................... 4
5. How .................................................................................................................................................... 5
5.1 New Hires ..................................................................................................................................................... 5
5.2 Training......................................................................................................................................................... 5
5.3 Closing Accounts ........................................................................................................................................ 6
6. Feedback and Improve ................................................................................................................ 6
7. Testing & Metrics .......................................................................................................................... 6
8. Key Dates and Milestones........................................................................................................... 7
Security Awareness Program – Execution Plan
1. Executive Summary
Our organization has an impressive track record preventing and responding to security
threats.
A large portion of the credit for that success comes from employees and how they
have adapted their behavior over time, in part, due to previous security awareness efforts.
To continue that success, we need to evolve the current ad hoc program into a formal effort
that ensures all users of the system are covered—not just those willing to show up for a free
lunch.
A more mature awareness program organized by the training group, enforced as a business
process by HR, and overseen by IT security will promote better decision making and serve as
a vehicle for compliance training in other areas, such as the FCPA and SBU project data
protection.
Sessions will be available live, in recorded format and, in some cases, using
professionally designed videos. This will allow flexibility, the opportunity to ask questions and
improved engagement with the content.
2. Steering Committee
Our organization has formed a Security Awareness Steering Committee (SC) made up of
various members from the organization. The role of the SC is to assist the Security Awareness
Officer, with planning, executing and maintaining a successful and engaging program.
Current committee members are:
M. P.
J. J.
A. W.
C. M.
M. A.
The committee will also include 2 rotating members from among the learning coordinators in
each office.
3. Who
All employees, contractors, interns and joint-venture employees (RME) will be required to
participate in the training program and assessments. This is the same target population as
the current program, but with a formal tracking mechanism for completion.
Security Awareness Program – Execution Plan
4. What
The following is the training content that we recommend for the initial year of the newly
formalized program. This training was selected by completing a risk analysis of all humanbased risks to our organization, including those risks based on the top human attack vectors.
We then prioritized the topics and selected those topics that reduce the greatest amount of
risk to our organization. New topics may be introduced and others retired in subsequent
years.
Training Modules
Description
The goal of this module is to teach employees how to
Think Before You Click
Sensitive But Unclassified (SBU)
recognize common attack techniques delivered online and
how to evaluate them in context of an email, webpage,
instant message or other electronic format.
The employee should be able to demonstrate knowledge of
PBS order 3490.1A and its requirements, as well as the
precautions for working on need-to-know projects.
Financial Frauds
Foreign Corrupt Practices Act
The employee should be aware of common financial frauds
including phishing sites, ATM/Gas pump Skimmers and
malicious software that
legitimate financial sites.
hijacks communications
with
Understand the legal requirements of the Foreign Corrupt
Practices Act (FCPA).
Hacked - Recognizing Signs of
Infection
Have employees identify and report suspicious behavior on
their systems.
Safe Browsing
Employees will learn safe web browsing habits for home and
office use.
Employees will understand how to use passphrases, the
Picking a Better Password
importance of not reusing passwords across sites and what
two-factor authentication is.
Employees will understand the immense amount of data
Mobile Devices
Security Awareness Program – Execution Plan
available from their mobile devices and how to report their
loss in a timely fashion.
Protecting Your Home Computer
Employees will learn good security practices for their home
computers.
Employees will learn techniques to allow their children to
Protecting Your Kids Online
learn from the Internet while limiting exposure to
inappropriate content and people they should not interact
with.
5. How
Our focus will be on how the training not only protects people at work, but protects them at
home. This engages more interest in the program than merely focusing on behaviors in the
workplace, and helps reinforce good security habits when using any computer.
5.1 New Hires
All new employees and contractors are required to complete the online version of the security
awareness training course within 15 days following their start date.
This process will be
monitored by HR as part of the standard onboarding process. Exceptions will be referred to
the person’s manager and IT. Accounts in violation may be placed in a security group with
extremely restricted access to the Internet.
5.2 Training
Annual Training: The primary method we will use to communicate our program is annual
in person or online video training through our internal Learning Management System. For inperson training, attendees can take an assessment and turn it in with their course evaluations.
During online training, all users will take an online quiz to test comprehension of each module.
This annual training will take place in the office during the scheduled hardware refresh and
anyone unable to attend will be required to make up the course using the online version. The
learning manager will schedule the in person classes and notify anyone who does not sign-in
about their requirement to attend the online version within 30 days.
The Learning
Management System can track both types of courses as required continuing education and
provide warnings if training is not completed.
Reinforcement Training: Throughout the rest of the year we will provide infrequent updates
to staff on novel threats.
Since many staff will ignore an email newsletter, we will provide
more frequent updates on the IT security page that employees may choose to follow if they
wish.
Security Awareness Program – Execution Plan
5.3 Closing Accounts
All access to our Learning Management System requires a valid corporate account. Once an
account is disabled it can no longer be used for federated access.
6. Feedback and Improvement
Our security awareness and education program is a long term project. As such we need a
process to continuously update and improve our program.
Feedback Evaluations: Every in-person training session provides an evaluation form for
providing feedback on both the content and presenter. For users of the online version, the
Learning Management System can collect feedback as part of the end of module quiz.
Steering Committee Meetings: The steering committee will meet twice a year to review
the program, including any content updates that are needed. The current modules will be
reviewed for out-of-date content and updates to meet new compliance requirements. New
modules may be introduced and others retired as needed.
7. Testing & Metrics
As we move to a more mature security awareness program we are identifying metrics that
will show the progress we are having in improving decision making.
collection will start with the new required assessment.
Our primary data
Previously, no testing has been
required and employees have only been counseled after an incident. These new assessments
may allow us to identify users in advance who do not understand the concepts presented.
As the program continues we would like to test a phishing assessment with a pilot group of
users randomly selected from the user population. This assessment will entice a user to follow
a link to a website and provide their logon credentials and other information. As this is an
experimental portion of the program, the results will remain confidential other than the user
being notified after providing their information. Should this prove to be a valuable technique,
we will recommend expanding it to the entire user base along with recommendations for how
to educate users who disclose this personal information.
Security Awareness Program – Execution Plan
8. Key Dates and Milestones
Below are the timeline and key milestones for the rollout of the new awareness program.
1. August:
a. Project Approval
b. Initial steering committee meeting for implementation
2. August-October:
a. Development of custom curriculum and assessments
b. Acquisition of licenses for appropriate online modules
3. November 1 – Initial email from CEO to all staff officially announcing updated security
awareness program and new mandatory assessments. New hires starting after this date
will need to fulfill the requirements.
4. November – First delivery of in-person training during a scheduled hardware refresh trip.
All employees in that office will start their 30 day timer for completing the assessment in
person or online. The steering committee will reconvene to review the effectiveness of all
processes.
5. December – The program should be fully up and running with each office being visited at
least once during every calendar year.
Security Awareness Program – Execution Plan
Related documents
It is with great sadness that I announce the tragic... sudden passing of our colleague, John Wattam-Bell from a heart...
It is with great sadness that I announce the tragic... sudden passing of our colleague, John Wattam-Bell from a heart...
Steering Committee Meeting Agenda - Office of the Chief Information
Steering Committee Meeting Agenda - Office of the Chief Information
Initial Tasks for the Steering Committee Meeting with Rapid Assessment and Steering
Initial Tasks for the Steering Committee Meeting with Rapid Assessment and Steering
Agenda for the November 2, 2004 Meeting
Agenda for the November 2, 2004 Meeting
Download
advertisement