Org XXXX Security Awareness Training Program
By Aron Warren

Introduction

This document is part of the Security Awareness Program for a government laboratory's organization XXXX. This program was conceived out of the need to inform the staff about several key security practices that they will run into in their day-to-day activities. This program focuses on reinforcement of key material contained in the corporate mandated trainings while providing additional material to keep the staff engaged. In addition to reinforcement activities, another key aspect is that the training is to be the most up-to-date material available.

Table of Contents

Introduction
Table of Contents
Key Roles
Module Rankings
Communication Plan
Project Timeline
Metrics
Execution Checklist
Annual Review and Revision

Key Roles

The primary target of the awareness training is the non-management employees of org XXXX. The organization consists entirely of IT Staff, both employees and contractors, full and part time.

The secondary target of the awareness training is the team leads of XXXX. The team leads also need to be knowledgeable of these awareness topics, but they may not benefit as directly as the IT Staff. The team leads have traditionally attended any training directed toward their staff.

Module Rankings

The following table consists of each training module topic as well as the perceived risk (i.e., no formal risk calculations were performed). The Time to Communicate is the estimated time to present the material. It is designed to be very brief and concise but to create an environment of engaging dialog amongst the staff. The Cost to Implement has not been calculated at the time of writing this document.

Following are the reasons topics were given their Risk level. "You are a target" is High due to the recent interest in the government labs from Asia and Middle East countries and the subsequent rise in attacks. Data Protection and Data Destruction are High due to the upcoming declassification of several storage devices as well as the addition of new staff to the group. Social Engineering is High due to the upcoming availability of BYOD to work. The rest of the topics to be covered are marked as Medium because they are predominantly controlled by external agents and do not rely on as much effort on the part of the employee.

| Module Name | Risk Reduction | Time to Communicate | Cost to Implement |
|---|---|---|---|
| You are a target | High | 3 minutes | TBD |
| Data Protection | High | 3 minutes | TBD |
| Encryption | Medium | 3 minutes | TBD |
| Know your SOC | Medium | 2 minutes | TBD |
| Data Destruction | High | 4 minutes | TBD |
| Browsing | Medium | 3 minutes | TBD |
| Social Engineering | High | 3 minutes | TBD |
| Mobile Device Security | Medium | 3 minutes | TBD |
| Protecting your personal computer | Medium | 2 minutes | TBD |
| Hacked | Medium | 2 minutes | TBD |

Communication Plan

The communication plan lays out how the security awareness program will be communicated to the various stakeholders. This may need to be revised if the awareness training grows beyond the immediate primary target audience.

| Content | Stakeholder | Purpose | Frequency | Communicator |
|---|---|---|---|---|
| Awareness Program Status Report | Management | Communicate overall status of awareness program. Helps ensure executive commitment. | Quarterly | Aron Warren |
| Training Metrics & Status | Steering Committee & Management | Discuss status of awareness program, including metric results, and how to improve program. | Quarterly | Aron Warren |
| Security Awareness Reinforcement Training | All company staff & contractors | Updates on awareness topics | Quarterly | Aron Warren |

Delivery Method: In Person, Internal maillist

Project Timeline

This is an updated project timeline showing which steps have been completed up to this point.

| Task | Status | Timeframe | Notes |
|---|---|---|---|
| Project Approval: Create Initial Project Plan | Completed | Q | |
| Receive initial stakeholder buy-in | Completed | Q | Achieve this first then have stakeholders approach mgmt. |
| Receive initial mid-management buy-in | Completed | Q | Already had support from Executive management, just needed push from stakeholders (team leads in this case) |
| Create Revised (Final) Project Plan | Completed | Q | |
| Milestone 1 - project plan approved | Completed | Q | |
| Identification of awareness topics | Completed | Q | What topics are we going to be looking at? This is the identified list. |
| Identification of communication mediums | Completed | Q | |
| Identification of SMEs | | Q | Who is available as resources? How do we get them engaged? |
| Creation of initial survey | | Q | |
| Creation of initial training/awareness module | | Q | |
| Rollout of initial training/awareness module | | Q | To occur in June Meeting |
| Milestone 1 - First module deployed | | Q | |
| Review of initial metrics and lessons learned | | Q | |
| Meet with Stakeholders and report findings to management | | Q | |
| Rollout of second training/awareness module | | Q | To occur in July Meeting |
| Review of 2nd module metrics & lessons learned | | Q | |
| Rollout of third training/awareness module | | Q | To occur in August Meeting |
| Review of 3rd module metrics & lessons learned | | | |
| Milestone 2 - Third module deployed | | | |
| Meet with Stakeholders and report findings to management | | Q | |
| Complete Project Review | | Q | Project redesign if necessary, reevaluation of applicability of topics to be presented in Q4 trainings |
| Rollout of fourth training/awareness module | | Q | To occur in September Meeting |
| Review of 4th module metrics & lessons learned | | Q | |
| Rollout of fifth training/awareness module | | Q | To occur in October Meeting |
| Review of 5th module metrics & lessons learned | | Q | |
| Rollout of sixth training/awareness module | | Q | To occur in December Meeting |
| Review of 6th module metrics & lessons learned | | Q | |
| Rollout of seventh training/awareness module | | Q | To occur in January Meeting |
| Review of 7th module metrics & lessons learned | | Q | |
| Rollout of eighth training/awareness module | | Q | To occur in February Meeting |
| Review of 8th module metrics & lessons learned | | Q | |
| Rollout of ninth training/awareness module | | Q | To occur in March Meeting |
| Review of 9th module metrics & lessons learned | | Q | |
| Meet with Stakeholders and report findings to management | | Q | This is in order to ensure stakeholders have information for their performance reviews |
| Milestone 3 - Yearly Review | | Q | Project redesign if necessary, reevaluation of applicability of topics to be presented in Q2-Q4 of Complete review of metrics from previous modules. |

Metrics

This section gives an overview of how metrics for the program are collected.

| Metric Name | What Is Measured | How It Is Measured | When Is It Measured | Who Measures | Details |
|---|---|---|---|---|---|
| Online Surveys | 1) Existing knowledge of subject material. 2) Knowledge or interest in future materials. | Online Survey via Sharepoint | 1 week before In-Person Short Training | Trainer | This survey will measure the student's knowledge of the subject material before the In-Person Short Training is done. Questions about other topics will be asked in order to judge the need for future trainings. |
| In-Person Short Training | Attendance count | Sign-in sheets | Monthly | Trainer | At selected weekly staff meetings a short 5-10 minute module will be presented. 1 module will be presented per month to keep interest but not to overload staff. |
| Handout Paper Surveys | 1) Usefulness of information just presented. 2) What was learned is applicable is employee | Paper survey | Immediately after In-Person Short Training | Trainer | This survey will measure the effectiveness of the training module that was just presented. The Online Survey will be correlated to this survey in order to create the metrics for the module. |

Execution Checklist

This section lays out each step of the execution of this plan and the current updated status of the program.

| Tasking | Owner | Completion | Comments |
|---|---|---|---|
| Build Steering Committee | Aron Warren | March 2012 | Team will consist of 5 members: one staff member, two team leads, a level 1 manager and a level 2 manager. |
| Identify Targets (WHO) | Aron Warren | March 2012 | The target audience is the employees of org XXXX, consisting of employees, contractors and team leads. |
| Identify Topics (WHAT) | Aron Warren | May 2012 | 10 topics have been identified as having value that goes above and beyond the current corporate required trainings. |
| Identify Primary Training (HOW) | Aron Warren | May 2012 | The primary training delivery method will be short, in-person trainings held at the end of the regular staff meetings. |
| Identify Reinforcement Training (HOW) | Stephanie Romero | May 2012 | Reinforcement trainings will be emails, newsletters, hallway posters, Sharepoint material and surveys. |
| Execution Timeline | Aron Warren | June 2012 | The execution timeline is referenced in the Project Timeline document. |
| Metrics Baseline | Aron Warren | June 2012 | Given the current understaffed and overworked employees, it is viewed that any training offered is better than the little to none that is currently being done beyond the required corporate trainings. Pre and post training surveys will provide metrics for the training module covered as well as provide leads to other topics that are needed. |
| Management Briefing | Stephanie Romero | | Brief management on value of awareness and how you will execute. |
| Test Primary Training Rollout | Aron Warren | | Initial rollout will be to the two team leads, one security professional and one user support employee. |
| Execute Primary Training Rollout | Aron Warren | | Roll out primary training to entire organization. |
| Reinforcement Training Rollout | Aron Warren | | Reinforcement training will be provided after each in-person training. |
| Monthly / Quarterly Metrics | Aron Warren / Stephanie Romero | | Metrics are gathered after each training module and are used to determine changes in previously covered modules as well as a change in the topic covered in the next training module. |
| Feedback / Improve (recommend steering committee meeting twice a year) | Aron Warren / Stephanie Romero | | Steering committee meets every 6 months to review the overall progress of the program. The trainer and team leads meet every month to discuss the previous month's metrics as well as determine module content changes, module delivery changes and revision to which modules are presented next. |

Annual Review and Revision

Every year, according to the project timeline, the program will be evaluated for its effectiveness. As the timeline has built in a continual re-evaluation of the learning module for timeliness and freshness, the content should be continually developed toward the end of the year. Thus, as the year ends, the next year's module should already be in development. Each year the target audience will be re-evaluated and the inclusion of additional audiences will be considered. Any organizational changes amongst the stakeholders or primary target audience are not anticipated to drastically change the program's objectives, and any such changes to the program can be addressed annually.