Effective Security Awareness. Workshop Report
Effective Security Awareness Workshop Report, April 2002
1. Set objective for security awareness
   1.1 Identify security awareness problems
   1.2 Set high-level programme objective
   1.3 Set specific campaign goals
   1.4 Define & establish campaign metrics
2. Scope and design security awareness programme
   2.1 Perform stakeholder analysis
   2.2 Identify driving and resisting forces
   2.3 Identify appropriate action steps
3. Develop and deliver security awareness campaigns
   3.1 Define security awareness messages
   3.2 Unfreeze existing behaviour
   3.3 Deliver messages
   3.4 Refreeze new behaviour
4. Evaluate effectiveness of campaigns
   4.1 Evaluate campaign effectiveness
   4.2 Revise campaign / programme
   4.3 Run further campaigns

Figure 1: Process for effective security awareness
Executive Summary

Data from the Forum's Information Security Status Survey indicates that most Members believe that the effectiveness of their security awareness initiatives does not rate especially highly, and that more than four out of five feel they do not commit sufficient time and resources to their awareness activities. These concerns, combined with comments from many Member organisations that security awareness activities often fail to deliver a lasting behaviour change, were addressed during a series of eight workshops run by the Forum on the topic of Effective Security Awareness.

At the workshops, Members agreed that awareness initiatives often fail because they:
- are not managed as a formal programme of work, and lack formal objectives, a business sponsor or the necessary resources for their successful completion
- are not aimed at specific business problems, but instead stem from a belief that awareness needs to be raised
- do not use specialised awareness materials
- do not incorporate a mechanism for assessing security behaviour, instead looking at security knowledge.

In order to address these issues, the workshops examined a process developed by the Forum to deliver lasting behavioural change, based on the concept of effective security awareness. The process shown in Figure 1 opposite is derived from a proven approach that facilitates a positive change in behaviour by examining the forces driving and resisting that change. The key stages of the process are to:
- set a clear, measurable objective for security awareness activities
- create a structured programme of awareness work that includes one or more campaigns, where each campaign has a goal to change an aspect of security behaviour
- develop and deliver the awareness messages, and ensure that the desired security-positive behaviour is maintained
- measure the effectiveness of the awareness campaigns to confirm the change to security-positive behaviour, and revise and repeat the awareness campaigns if necessary.
The key findings of this project are important for anyone planning or managing information security awareness activities. They provide a unique insight into a new process for planning and implementing security-positive behaviour change.
WARNING

This document is confidential and purely for the attention of and use by organisations that are Members of the Information Security Forum (ISF). If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on info@securityforum.org or on +44 (0). Any storage or use of this document by organisations which are not Members of the ISF is not permitted and strictly prohibited. This document has been produced with care and to the best of our ability. However, the Information Security Forum accepts no responsibility for any problems or incidents arising from its use.
Table of contents

Part 1 Introduction
  This report
    Purpose of this report
    Who should read it
Part 2 Basis for this report
  Background
  Validity of the effective security awareness process
Part 3 Security awareness
  What is security awareness?
  The importance of security awareness
  A traditional model for security awareness
  Key issues
    Extent of awareness activities
    Drivers for security awareness
    Objective of awareness activities
    Sponsorship of awareness activities
    Awareness topics
    Effectiveness of the traditional model
    Commitment to delivering awareness
Part 4 From awareness to behaviour change
  The need for a new awareness model
  Influencing risk perception
  The impact of organisation culture
  Reluctance to change
  Creating security-positive behaviour
  The importance of equilibrium
  Maintaining security-positive behaviour
Part 5 Effective security awareness
  What is effective security awareness?
  A new approach to security awareness
  Stage One: Set objective for security awareness
  Stage Two: Scope and design security awareness programme
  Stage Three: Develop and deliver security awareness campaigns
  Stage Four: Evaluate effectiveness of campaigns
  Summary
Part 6 Conclusions and next steps
  Conclusions
  How the process addresses the key issues
  Next steps: Recommendations for further work
Figure 2: Definition of effective security awareness

Effective security awareness is achieved through an ongoing process of learning that is meaningful to recipients, and delivers measurable benefits to the organisation from lasting behavioural change.

- Ongoing process: security awareness must be delivered through an ongoing, continuous programme of work, as opposed to a finite set of activities that stop and are not continued.
- Meaningful to recipients: the key messages, tone and approach of the programme must be relevant to the audience and consistent with their values and goals. If security is perceived as a hindrance to their own personal activities, then the message will carry little meaning.
- Measurable benefits: the benefits of awareness activities must be quantifiable in order to determine value for money and whether the programme itself is successful in achieving its objectives.
- Lasting behavioural change: the awareness programme should not only result in a security-positive change in behaviour, but that change should last longer than the programme itself.
Part 1 Introduction

This report

Purpose of this report

Many organisations run security awareness programmes in order to encourage security-positive behaviour in their employees, but these programmes often fail to deliver any lasting benefit. This leads many organisations to query:
- whether it is possible to create a change in staff attitude to security that has sustainable, quantifiable benefits for the organisation
- what the success factors are that make for an effective security awareness programme.

In order to provide Members with a fresh perspective on this topic, the Forum ran a series of workshops on Effective Security Awareness. The definition for effective security awareness shown in Figure 2 opposite was validated by Members at all of the workshops. This concept of effective security awareness is explored throughout this report, and the definition is described in greater detail in Part 5, Effective security awareness.

The purpose of this report is to assist Members in their goal of making effective, positive and lasting change in security behaviour through awareness. The report does this by:
- documenting Members' experiences of security awareness and the lessons they have learnt, both from material collected from Members before the workshops and from know-how shared at the events themselves
- setting out the principles of an effective security awareness campaign, in particular by examining closely the issues associated with getting people to change their behaviour
- providing a process for awareness that Members may wish to consider in order to become agents of positive change within their organisations.

Who should read it

This report is aimed primarily at information security professionals, but is also intended for any individual within a Member organisation with an interest in or responsibility for the development or delivery of security awareness programmes or materials. The reader should have some familiarity with security awareness techniques prior to reading this report.

WARNING: This report is not intended to be a full Forum report and has not involved the detailed level of analysis that would be normal for such a document.
Part 2 Basis for this report

Background

Previous Forum reports

In 1993, the Forum published an Implementation Guide on How to make your organisation aware of IT security. The Implementation Guide provides a comprehensive framework for the planning and implementation of an IT security awareness programme. Since the publication of the Implementation Guide, both security technology and the management approach to security have changed significantly; for example, the Internet has become an important enterprise resource, and security standards have been developed to manage its threat to enterprise security. These new controls require end users to adopt new security behaviours, which in turn require new security awareness initiatives.

The Forum therefore decided to run a series of workshops to explore how Members are addressing the subject of security awareness now, and what the critical success factors are for an effective security awareness programme. To prepare for the workshops, the Forum drew upon a range of information sources, including:
- previous Forum reports, including Information Security Culture: A preliminary investigation and Driving Information Risk Out of the Business
- results from the Information Security Status Survey
- research by the project team
- results from a questionnaire of participating Members
- presentations by Members at the workshops
- case studies of Members' security awareness experiences.

These information sources were used to define and develop the workshop contents, and are described in greater detail below and on the following pages. The Forum has already produced several reports that are relevant to an information security awareness programme. The current workshop report complements the existing materials, details of which are shown in Table 1 opposite.

Table 1: Previous security awareness reports

Document: It Could Happen to You: A Profile of Major Incidents (2000)
Summary: This report contains details of 13 information incidents that had a major impact on Member organisations. The incidents provide valuable examples for use within a security awareness programme by providing:
- a realistic view of the range of events that can compromise business information
- insights into their causes and their business impact
- practical suggestions for action to prevent recurrence of the incidents.

Document: Information Security Culture: A preliminary investigation (2000)
Summary: This report presents the results of a preliminary investigation into the nature of an organisation's culture and its importance in determining the level of information security in that organisation.

Document: Driving Information Risk Out of the Business (1999)
Summary: This report presents quantified information about the business risks of breakdowns in information security. It is based on the results of the Information Security Status Survey and other quantitative research. It also presents a framework for action, designed to help Members strengthen their information security arrangements and bring risks down to an acceptable level.

Document: The Impact of Security Management (1999)
Summary: This is one of a series of publications arising from the results of the Forum's 1998/99 Information Security Status Survey. The report focuses on the arrangements made to promote good information security practices (eg security organisation, programmes and resources). It identifies what organisational arrangements and resources are required, measures the impact of individual programmes and outlines what individual Members can do to strengthen their existing arrangements, thereby maximising the contribution they make to business success.

Document: How to make your organisation aware of IT security (1993)
Summary: This report is aimed at all organisations that wish to start or improve their security awareness programmes. It sets out a method for developing and delivering security awareness campaigns, and provides tips on how to ensure the success of those campaigns.

This list does not cover all of the Forum's awareness documentation; in particular, valuable material is available in The Forum's Standard of Good Practice.

The Forum's Information Security Status Survey

The Forum's Information Security Status Survey ("the Survey") allows Members to complete a detailed questionnaire at intervals of their choosing and obtain a thorough analysis of their information security status, giving a clear picture of performance across all aspects of information security. Security awareness is one of the sets of controls probed by the Survey. The Forum drew upon the Survey results database to determine the impact of security awareness on the overall level of security. These results are presented at relevant points within Part 5, Effective security awareness.
Research

The project team called upon the resources of vendors, service providers and media reports in order to research the workshop contents. To ensure that this research was valid and provided a fresh perspective on the subject, the team was joined by Dr John Maule, Director of the Centre of Decision Research and Senior Lecturer in Management Decision Making at Leeds University Business School. Dr Maule has an international reputation in research on human decision making and risk taking, focusing in particular on the mental models that underlie strategic choice, the effects of time pressure and stress, and various aspects of human risk taking, including how to communicate risk. Dr Maule contributed to the research, and presented at five of the eight workshops.

The questionnaire

Prior to the workshops, participants were asked to complete a questionnaire about their opinions of security awareness and the effectiveness of awareness in their organisations. A total of 80 individuals from 72 Member organisations completed the questionnaire, the results of which are presented at relevant points within this report. The questionnaire, and its consolidated results, are available on the Forum's Member Exchange (MX) System, as are copies of the presentations, workshop packs and workbooks.

Member presentations

Eight Effective Security Awareness workshops were held. Participants had the opportunity to share experiences, issues and ideas for effective security awareness. They also worked through the Effective Security Awareness process described later in this report using examples from their own organisations. Each workshop included presentations from Members, as detailed in Table 2 opposite.

Table 2: Workshop presentations

Venue / Date / Presenters
- Copenhagen, 5 September 2001: Per Verdelin, TDC Services; Melle Beverwijk, Infosecure
- Dublin, 6 September 2001: Martina Costelloe, AIB; Jim Sheridan, British Airways
- London, 10 September 2001: Steve Pomfret, Nationwide Building Society; Amanda Finch, Marks & Spencer
- Cheshire, 25 September 2001: John Wall, Clerical Medical; Martin Whitehead, The Co-operative Bank
- London, 26 September 2001: Mark Goddard, Friends Provident; Adrian Wright, Reuters
- Amsterdam, 28 September 2001: Saïda Wulteputte, Procter & Gamble; Melle Beverwijk, Infosecure / Klaas Bruin, KLM
- Johannesburg, 6 November 2001: Geoff Tumber, SCMB (Security Awareness)
- Chicago, 5 December 2001: Dan Landess, State Farm Insurance (Information Security Awareness)

Presentation topics for the European workshops, in the order they appear in the table: The Elements of an Awareness Project; Awareness Programme for Information Security; Security Awareness; The Chameleon Programme; Security Awareness; Development of an Awareness CBT Campaign at M&SFS; Changing Staff Attitudes; Staff Awareness Experiences From The Front Line; A CBT System for Security Awareness; How We Failed and How We Plan to do Better in the Future; Awareness Programme for Information Security.

Case studies

During the research and delivery of the workshops, the project team met with Members to discuss their experiences of Information Security Awareness. Since the topic is subjective, and experiences vary greatly between organisations, the objective was not to provide comparisons between Members, but instead to gather useful information about their awareness activities. This report therefore contains anecdotal case studies that describe the experiences of individual Member organisations and the lessons that they have learnt through their awareness programmes.

Validity of the effective security awareness process

The effective security awareness process described in this report was revised after each workshop to ensure that it provides a practical, usable method to develop an effective security awareness programme. When the workshops were complete, the project team spent two days with the information security team from a Member organisation working through the process to test its validity in a real environment.
Part 3 Security awareness

What is security awareness?

In 1993, the Forum published an Implementation Guide on How to make your organisation aware of IT security. The Guide includes a framework for the planning and implementation of an IT security awareness programme, and provides a definition of security awareness as follows:

Information security awareness is the degree or extent to which every member of staff understands:
- the importance of information security
- the levels of information security appropriate to the organisation
- their individual security responsibilities
and acts accordingly.

The definition was validated by Members at all of the workshops, who agreed that it is still relevant. The key element of this definition is the final line, since awareness is itself of no value unless it results in a desired change in behaviour.

The importance of security awareness

The effective management of information security requires a combination of technical and procedural controls to protect information assets. However, these controls can be circumvented or abused by employees who disregard their organisation's policies for security behaviour. Therefore the implementation of effective security controls is dependent upon creating a security-positive environment where employees understand and engage in the behaviour that is expected of them. The use of security awareness to create and maintain security-positive behaviour is a critical element in an effective information security environment.

The Information Security Status Survey provides data on the value of promoting information security activities. The results of question SM2401: Is awareness of information security promoted across the enterprise? are shown in Figure 3 opposite.

[Figure 3: SM2401: Is awareness of information security promoted across the enterprise? Bar chart (0% to 100%) of Yes and No responses, split between organisations that did not experience a major incident and those that experienced a major incident.]

The results suggest that organisations that do not promote information security awareness are more likely to experience a major security incident than those that do promote awareness.

Awareness and other security initiatives

A security-positive environment is a pre-requisite for certain other security initiatives. For example, a scheme of information classification, whereby staff can assign a label to information that will determine the security controls to be applied to it, is dependent upon all staff understanding and respecting the classification mechanism, which in turn requires staff to understand and respect information security.

A traditional model for security awareness

The Implementation Guide How to make your organisation aware of IT security proposes a four-step model for delivering a security awareness programme. The model allows for multiple awareness campaigns, where:
- a security awareness programme is a continuous undertaking aimed at building and sustaining a security-positive environment
- a security awareness campaign is one of a number of defined activities aimed at a special audience and/or at a specific security problem: for example, informing users about the threat from viruses, and teaching them how to control that risk.

The security awareness programme is used to determine the scope of work and to define the multiple security awareness campaigns, as shown at a high level in Figure 4 overleaf.

[Figure 4: Traditional model for security awareness. Programme: determine programme scope. Campaigns 1, 2 and 3: each passes through design, develop and deliver phases.]

The model comprises multiple campaigns forming an overall programme of work. The programme commences with a scope phase, which defines the security awareness campaigns, each of which will then have separate design, development and delivery phases. These may run sequentially or in parallel (as shown in Figure 4).

Key issues

The traditional model for security awareness described in How to make your organisation aware of IT security is widely used by Members. However, organisations represented at the workshops complained that security awareness activities fail to deliver a lasting behaviour change: that is, staff adopt the desired security-positive behaviour for a short period of time, but often revert to their previous behaviour when the awareness activities have finished.

To better understand the effectiveness of the traditional approach to security awareness, 80 participants from 72 Member organisations completed a questionnaire about their activities. The following sections explore the key issues associated with the traditional approach to security awareness. These are derived from statistical evidence from the questionnaire and the Information Security Status Survey, and anecdotal feedback from workshop attendees. The key issues, and their consequences for security awareness, are listed in Table 3 opposite.
Table 3: Key issues for security awareness

Key Issue 1: The majority of security awareness activities are not managed as a formal programme of work.
Consequences:
- Awareness programmes may not be correctly prioritised against other security activities
- The pace of delivery is not maintained due to a lack of formal deadlines and commitments

Key Issue 2: The belief that awareness needs to be raised is the most common reason for commencing a security awareness programme.
Consequences:
- The business case for security awareness is hard to justify because the need has not been clearly identified
- Value from an awareness activity cannot easily be quantified when the problem it is intended to address is not defined

Key Issue 3: Very few awareness programmes have a formal, documented objective.
Consequences:
- The purpose of the awareness programme may be unclear
- It may be hard to evaluate success since the desired outcome is unknown
- It may be difficult to determine the financial value of security awareness to the organisation
- The relationship between various security campaigns is uncertain, and their relationship with other security activities is unknown. This may cause conflict or confusion between security activities

Key Issue 4: The security management team sponsors the majority of awareness programmes.
Consequences:
- Business management are reluctant to release staff for awareness training because they have not committed to the activities
- Recipients of awareness training do not appreciate the importance of security or its relevance to their roles since their line managers have not communicated the need
- The programme fails to achieve a culture change because staff do not see senior management (who may themselves have security-negative attitudes) leading that change

Key Issue 5: Many security awareness campaigns do not use specialised awareness materials.
Consequences:
- Staff do not understand what is expected of them since the awareness message does not specify who should do what, and are therefore less likely to adopt the desired behaviour
- Campaigns fail because staff have heard similar messages before and are no longer interested

Key Issue 6: The majority of awareness campaigns do not incorporate a mechanism for assessing their own effectiveness, but instead measure the level of security knowledge of staff.
Consequences:
- Measurement of awareness proves little except that the individual has received the awareness messages; measurement of effectiveness proves whether the message has actually changed behaviour
- Without firm evidence of effectiveness, it is difficult to justify or measure the success of awareness, and hence this can become a major obstacle to commencing an awareness programme

Key Issue 7: Most organisations fail to commit sufficient resources to their awareness programme.
Consequences:
- A security function which does not receive adequate resources for security awareness is likely to focus instead on other activities that are perceived to be more important
Extent of awareness activities

Members were asked to describe their current security awareness activities in order to understand whether they are formal campaigns or intermittent activities. The results are shown in Figure 5 below.

[Figure 5: Please describe your organisation's security awareness activities. Bar chart of percentage of responses (0% to 50%) for: A formal programme of work; Unstructured, intermittent activities; A single campaign; No security awareness activities.]

Findings

Whilst half of the respondents describe their awareness activities as a formal programme of work, it is clear that the remainder have less or no structure for security awareness, as:
- over a third of awareness projects are run as unstructured, intermittent activities
- one in six organisations have only a single campaign or no awareness activities at all.

Thus in the absence of a formal programme of work, it is likely that most security awareness activities will suffer from a lack of formal deadlines and commitments. These findings are reinforced by data taken from the Information Security Status Survey. Figure 6 opposite shows the result of question SM2403a: Is awareness promoted using a formal awareness programme?
[Figure 6: SM2403a: Is awareness promoted using a formal awareness programme? Pie chart: In all cases 14%; In most cases 26%; In about half the cases 8%; In a few cases 14%; In no case 37%; Exception 1%.]

Consequences

Adding together the cases where all, most or about half of awareness activities are managed using a formal awareness programme, 48% of all Survey-participating organisations promote security awareness through the use of formal awareness programmes. Over one half of Survey participants have little or no formal structure for their awareness activities. If security awareness activities are not managed as a formal programme of work, then:
- awareness programmes may not be correctly prioritised against other security activities
- the pace of delivery is not maintained due to a lack of formal deadlines and commitments.

Key Issue: The majority of security awareness activities are not managed as a formal programme of work.
Drivers for security awareness

Members were asked to comment on what they saw as the drivers for commencing their security awareness activities. The results are shown in Figure 7 below.

[Figure 7: To what extent did the following events prompt the initiation of your security awareness activities? Each driver rated on a scale from Very Low to Very High: Knowledge that security awareness can contribute to overall level of security; Compliance with external standards/best practice; Compliance with regulatory requirements; Management concern about overall levels of information security; Audit or security review; Result of risk analysis; Many minor incidents in this organisation; Major incident in this organisation; Major incident in another organisation.]

Findings

The results suggest that Members' security awareness activities are most commonly influenced by soft drivers, eg knowledge that awareness needs to be raised, either to comply with a standard or because awareness is known to be a good thing. The hard drivers, eg risk assessments or incidents, appear to have less influence on the need to run security awareness campaigns.

Consequences

Commencing a security awareness campaign because of a belief that awareness needs to be raised means that:
- the business case for security awareness is hard to justify because the need has not been clearly identified
- value from an awareness activity cannot easily be quantified when the problem it is intended to address is not defined.

Key Issue: The belief that awareness needs to be raised is the most common reason for commencing a security awareness programme.
Objective of awareness activities

Members were asked to comment on the importance of their objective for security awareness activities. The results are shown in Figure 8 below.

[Figure 8: In your opinion, how important are the following objectives of your security awareness activities? Each objective rated on a scale from Very Low to Very High: To reduce the number of security incidents; To comply with external standards/best practice; To address management concern about overall levels of information security; To comply with regulatory requirements; To satisfy the recommendations of a review; Other.]

Findings

The results show a broad spread of objectives, with many Members reporting several different objectives for security awareness. The objectives appear to be more tangible than the drivers for commencing awareness activities described in the previous section. However, in the workshop sessions Members were asked whether they have a formal written objective for their awareness activities. The response suggests that only a small proportion, typically fewer than 10%, have a documented objective for their security awareness activities.

Consequences

In those cases where security awareness activities do not have a formal, documented objective:
- the purpose of the awareness programme may be unclear
- it may be hard to evaluate success since the desired outcome is unknown
- it may be difficult to determine the financial value of security awareness to the organisation
- the relationship between various security campaigns is uncertain, and their relationship with other security activities is unknown. This may cause conflict or confusion between security activities.

Key Issue: Very few awareness programmes have a formal, documented objective.
Sponsorship of awareness activities

In order to understand where the responsibility for awareness is perceived to rest, Members were asked who sponsors their awareness activities. The results are shown in Figure 9 below.

[Figure 9: Who sponsors your awareness activities? Pie chart: Information security management 40%; Senior business management 33%; No sponsor 16%; Other 9%; Human resources department 2%.]

Findings

The results show that:
- only one third of awareness activities are sponsored by the business management
- one project in six had no sponsor at all.

Consequences

SM24: Security Awareness of The Forum's Standard of Good Practice ("The Standard") states that "Formal awareness programmes should be supported by top management." Anecdotal evidence from workshop attendees suggests that successful awareness programmes often have a business sponsor or significant involvement from senior business management, and that nearly all successful programmes have some sponsor. Without a sponsor, awareness activities are likely to suffer problems that include:
- business management are reluctant to release staff for awareness training because they have not committed to the activities
- recipients of awareness training do not appreciate the importance of security or its relevance to their roles since their line managers have not communicated the need
- the programme fails to achieve a culture change because staff do not see senior management (who may themselves have security-negative attitudes) leading that change.

Key Issue: The security management team sponsors the majority of awareness programmes.
More informationBeyond Security Awareness Achieving culture and avoiding fatigue
Beyond Security Awareness Achieving culture and avoiding fatigue Prof. Steven Furnell Centre for Security, Communications & Network Research University of Plymouth United Kingdom Session Content Introduction
More informationProcurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment
Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Project Management Self-Assessment Contents Introduction 3 User Guidance 4 P3M3 Self-Assessment Questionnaire
More informationProcuring Penetration Testing Services
Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat
More informationINFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER
INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE
More informationComparison of Change Theories
VOLUME 8 NUMBER 1 2004-2005 Comparison of Change Theories Alicia Kritsonis MBA Graduate Student California State University, Dominquez Hills ABSTRACT The purpose of this article is to summarize several
More informationKey Performance Indicator (KPI) Guide
Key Performance Indicator (KPI) Guide Measuring performance against the NSW Disability Services Standards Version 1.0 Key Performance Indicator (KPI) Guide, Measuring performance against the NSW Disability
More informationRiver Clyde Homes: Officer Service Desk Analyst
Job Role: Officer Service Desk Analyst Directorate: Business Support Role reports to: ICT Manager Roles Reporting to this role: N/A Total number of team members within team: 5 Grade: River Clyde Homes
More informationHow To: Implement Change Successfully
How To: Implement Change Successfully INTRODUCTION The most important part of the audit cycle is making change Baker et al (1999) The aim of this How To guide is to provide advice on how to implement change
More informationAfro Ant Conversation. Change Management Return on Investment 3 April 2014
Afro Ant Conversation Change Management Return on Investment 3 April 2014 Overview This report documents the information gathered at the Afro Ant Conversation held on the 3 rd of April 2014 on the topic
More informationHow to Deploy the Survey Below are some ideas and elements to consider when deploying this survey.
SECURITY AWARENESS SURVEY Is a survey necessary A survey will give you insight into information security awareness within your company. The industry has increasingly realized that people are at least as
More informationAchieve. Performance objectives
Achieve Performance objectives Performance objectives are benchmarks of effective performance that describe the types of work activities students and affiliates will be involved in as trainee accountants.
More informationData Quality Assurance: Quality Gates Framework for Statistical Risk Management
Data Quality Assurance: Quality Gates Framework for Statistical Risk Management Narrisa Gilbert Australian Bureau of Statistics, 45 Benjamin Way, Belconnen, ACT, Australia 2615 Abstract Statistical collections
More informationPerformance Management Is performance management really necessary? What techniques are best to use?
Performance Management Is performance management really necessary? What techniques are best to use? This e-book is a guide for employers to help them discover tips and methods of performance management,
More informationJOB DESCRIPTION. Contract Management and Business Intelligence
JOB DESCRIPTION DIRECTORATE: DEPARTMENT: JOB TITLE: Contract Management and Business Intelligence Business Intelligence Business Insight Manager BAND: 7 BASE: REPORTS TO: Various Business Intelligence
More informationApplies from 1 April 2007 Revised April 2008. Core Competence Framework Guidance booklet
Applies from 1 April 2007 Revised April 2008 Core Competence Framework Guidance booklet - Core Competence Framework - Core Competence Framework Core Competence Framework Foreword Introduction to competences
More informationDocument management concerns the whole board. Implementing document management - recommended practices and lessons learned
Document management concerns the whole board Implementing document management - recommended practices and lessons learned Contents Introduction 03 Introducing a document management solution 04 where one
More informationCHANGE MANAGEMENT PLAN WORKBOOK AND TEMPLATE
CHANGE MANAGEMENT PLAN WORKBOOK AND TEMPLATE TABLE OF CONTENTS STEP 1 IDENTIFY THE CHANGE... 5 1.1 TYPE OF CHANGE... 5 1.2 REASON FOR THE CHANGE... 5 1.3 SCOPE THE CHANGE... 6 1.4 WHERE ARE YOU NOW?...
More informationA Risk Management Standard
A Risk Management Standard Introduction This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk management
More informationWHO GLOBAL COMPETENCY MODEL
1. Core Competencies WHO GLOBAL COMPETENCY MODEL 1) COMMUNICATING IN A CREDIBLE AND EFFECTIVE WAY Definition: Expresses oneself clearly in conversations and interactions with others; listens actively.
More informationWHITE PAPER. PCI Compliance: Are UK Businesses Ready?
WHITE PAPER PCI Compliance: Are UK Businesses Ready? Executive Summary The Payment Card Industry Data Security Standard (PCI DSS), one of the most prescriptive data protection standards ever developed,
More informationMiddlesbrough Manager Competency Framework. Behaviours Business Skills Middlesbrough Manager
Middlesbrough Manager Competency Framework + = Behaviours Business Skills Middlesbrough Manager Middlesbrough Manager Competency Framework Background Middlesbrough Council is going through significant
More informationAre waterfall and agile project management techniques mutually exclusive? by Eve Mitchell, PwC. 22 MARCH 2012 www.pmtoday.co.uk
Are waterfall and agile project management techniques mutually exclusive? by Eve Mitchell, PwC 22 MARCH 2012 www.pmtoday.co.uk Projects need to be managed to be successful Change is a ubiquitous feature
More informationCPD an emotional rollercoaster
CPD an emotional rollercoaster Aims: To raise awareness of the emotional aspects of change management (which are often ignored) and to introduce Fisher s transition curve to describe how mandatory CPD
More informationHow to gather and evaluate information
09 May 2016 How to gather and evaluate information Chartered Institute of Internal Auditors Information is central to the role of an internal auditor. Gathering and evaluating information is the basic
More informationDBC 999 Incident Reporting Procedure
DBC 999 Incident Reporting Procedure Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible
More informationNational Occupational Standards. Compliance
National Occupational Standards Compliance NOTES ABOUT NATIONAL OCCUPATIONAL STANDARDS What are National Occupational Standards, and why should you use them? National Occupational Standards (NOS) are statements
More informationWhat to look for when recruiting a good project manager
What to look for when recruiting a good project manager Although it isn t possible to provide one single definition of what a good project manager is, certain traits, skills and attributes seem to be advantageous
More informationGuide to Penetration Testing
What to consider when testing your network HALKYN CONSULTING 06 May 11 T Wake CEH CISSP CISM CEH CISSP CISM Introduction Security breaches are frequently in the news. Rarely does a week go by without a
More informationBenefits realisation. Gate
Benefits realisation Gate 5 The State of Queensland (Queensland Treasury and Trade) 2013. First published by the Queensland Government, Department of Infrastructure and Planning, January 2010. The Queensland
More informationCompetency Frameworks as a foundation for successful Talent Management. part of our We think series
Competency Frameworks as a foundation for successful part of our We think series Contents Contents 2 Introduction 3 If only they solved all of our problems 3 What tools and techniques can we use to help
More informationGuide to to good handling of complaints for CCGs. CCGs. May 2013. April 2013 1
Guide to to good handling of complaints for CCGs CCGs May 2013 April 2013 1 NHS England INFORMATION READER BOX Directorate Commissioning Development Publications Gateway Reference: 00087 Document Purpose
More informationTHE DESIGN AND EVALUATION OF ROAD SAFETY PUBLICITY CAMPAIGNS
THE DESIGN AND EVALUATION OF ROAD SAFETY PUBLICITY CAMPAIGNS INTRODUCTION This note discusses some basic principals of the data-led design of publicity campaigns, the main issues that need to be considered
More informationRisk Factors in Retail Buyer's Success
Negotiation skills First Friday is a leading provider of training & development and change management services with a portfolio of 100+ clients across the UK, Europe and South Africa. Our team is unique;
More informationCOLUMN. Metrics for knowledge management and content management. How can you know if your project has succeeded without using metrics?
KM COLUMN FEBRUARY 2003 Metrics for knowledge management and content management Metrics are a concrete way of defining what a knowledge management or content management project will achieve, and whether
More informationMaking a positive difference for energy consumers. Competency Framework Band C
Making a positive difference for energy consumers Competency Framework 2 Competency framework Indicators of behaviours Strategic Cluster Setting Direction 1. Seeing the Big Picture Seeing the big picture
More information1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.
Employee Security Awareness Survey Trenton Bond trent.bond@gmail.com Admin - Version 1.3 Security Awareness One of the most significant security risks that organizations and corporations face today is
More informationAssessing your management system and the approach that you take
Management system management by matrix Assessing your management system and the approach that you take raising standards worldwide About the author John Osborne is Product Manager for BSI Training. The
More informationEffective from 1 January 2009. Code of Ethics for insolvency practitioners.
INSOLVENCY PRACTITIONERS (PART D) Effective from 1 January 2009. Code of Ethics for insolvency practitioners. On 1 January 2014 a minor change was made to paragraph 400.3 of the code. The change clarifies
More informationFactsheet: Market research
Factsheet: Market research A close understanding of the local childcare market and your customers needs is essential in order for your childcare business to succeed. Performing market research on potential
More informationRole Activity Grade 5 PAS Professional Officer
Role Activity Grade 5 PAS Generic Post Job Title: Market Insight Officer Title: Reporting to: Head of Market Insight School/ External & Community Relations Department: Job Family: Professional and Administrative
More informationAPES 320 Quality Control for Firms
APES 320 Quality Control for Firms APES 320 Quality Control for Firms is based on International Standard on Quality Control (ISQC 1) (as published in the Handbook of International Auditing, Assurance,
More informationExperience Report: Using Internal CMMI Appraisals to Institutionalize Software Development Performance Improvement
Experience Report: Using Internal MMI Appraisals to Institutionalize Software Development Performance Improvement Dr. Fredrik Ekdahl A, orporate Research, Västerås, Sweden fredrik.p.ekdahl@se.abb.com Stig
More informationPerformance Measurement
Brief 21 August 2011 Public Procurement Performance Measurement C O N T E N T S What is the rationale for measuring performance in public procurement? What are the benefits of effective performance management?
More informationResearch report. Understanding small businesses experience of the tax system
Research report Understanding small businesses experience of the tax system February 2012 This research was commissioned by the HM Revenue & Customs (HMRC) Behavioural Evidence and Insight Team and Business
More informationCorporate Staff Survey Action Plan 2008. DRAFT v2.0
Corporate Staff Survey Action Plan 2008 1 DRAFT v2.0 1 1. Working Conditions 1.1 Issue Possible Impacts Actions Owners Timescale Success Measures Identify key areas where dissatisfaction is dissatisfaction
More informationBT Contact Centre Efficiency Quick Start Service
BT Contact Centre Efficiency Quick Start Service The BT Contact Centre Efficiency (CCE) Quick Start service enables organisations to understand how efficiently their contact centres are performing. It
More informationChange Management in Project Work Survey Results
Change Management in Project Work Survey Results Contents 1. Introduction 1 2. Survey and Participants 2 3. Change Management 6 4. Impact of Change Management on Project Effectiveness 12 5. Communications
More informationINSOLVENCY CODE OF ETHICS
LIST OF CONTENTS INSOLVENCY CODE OF ETHICS Paragraphs Page No. Definitions 2 PART 1 GENERAL APPLICATION OF THE CODE 1-3 Introduction 3 4 Fundamental Principles 3 5-6 Framework Approach 3 7-16 Identification
More informationMODULE 10 CHANGE MANAGEMENT AND COMMUNICATION
MODULE 10 CHANGE MANAGEMENT AND COMMUNICATION PART OF A MODULAR TRAINING RESOURCE Commonwealth of Australia 2015. With the exception of the Commonwealth Coat of Arms and where otherwise noted all material
More informationPrinciples of Good Complaint Handling
Principles of Good Complaint Handling Principles of Good Complaint Handling Good complaint handling means: 1 Getting it right 2 Being customer focused 3 Being open and accountable 4 Acting fairly and proportionately
More informationHealth & Safety for Businesses and the Voluntary Sector. Key Principles
Health & Safety for Businesses and the Voluntary Sector Key Principles KEY PRINCIPLES 1 Key Principles Introduction The importance of managing health and safety effectively cannot be over-emphasised. Ensuring
More informationThe Business Benefits of Logging
WHITEPAPER The Business Benefits of Logging Copyright 2000-2011 BalaBit IT Security All rights reserved. www.balabit.com 1 Table of Content Introduction 3 The Business Benefits of Logging 4 Security as
More informationArticle on Change Management vs. Behavioural Change Management By Jonathan Gardner. Where change management fails and what to do about it?
Article on Change Management vs. Behavioural Change Management By Jonathan Gardner Where change management fails and what to do about it? Change Management : one of the buzzwords of our time. But what
More informationLevel: 3 Credit value: 5 GLH: 28 Relationship to NOS:
Unit 341 Implement UAN: Level: 3 Credit value: 5 GLH: 28 Relationship to NOS: Assessment requirements specified by a sector or regulatory body: Aim: T/506/1929 Management & Leadership (2012) National Occupational
More informationDual Diagnosis Dr. Ian Paylor Senior Lecturer in Applied Social Science Lancaster University
Dual Diagnosis Dr. Ian Paylor Senior Lecturer in Applied Social Science Lancaster University Dual diagnosis has become a critical issue for both drug and mental health services. The complexity of problems
More informationComplying with the Records Management Code: Evaluation Workbook and Methodology. Module 8: Performance measurement
Complying with the Records Management Code: Evaluation Workbook and Methodology Module 8: Performance measurement Module 8: Performance measurement General 10.1 Many of the questions in the earlier modules
More informationBudget 300-360 per day negotiable for the right candidate 6 month contract 5 days per week for 1 st month - negotiable 3 days per week for 5 months
Job Title Pay Band Hours Contract Type Base Employing organisation Directorate Responsible to Accountable to Benefits Manager Budget 300-360 per day negotiable for the right candidate 6 month contract
More informationGuide to marketing. www.glasgow.ac.uk/corporatecommunications. University of Glasgow Corporate Communications 3 The Square Glasgow G12 8QQ
Guide to marketing www.glasgow.ac.uk/corporatecommunications University of Glasgow Corporate Communications 3 The Square Glasgow G12 8QQ 0141 330 4919 2 Introduction One of the easiest mistakes to make
More informationInformation Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project
Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Introduction This Advice provides an overview of the steps agencies need to take
More informationPolicy document Date. YourPlace Property Management www.your-place.net. Debt Recovery Policy. Part of the GHA family. Page 0. Debt Recovery Policy
YourPlace Property Management www.your-place.net Policy document Date Debt Recovery Policy Page 0 Part of the GHA family Name of Policy Responsible Officer Executive Finance Manager Date approved by YourPlace
More information4 Keys to Driving Results from Project Governance
THOUGHT LEADERSHIP WHITE PAPER In partnership with Agile or Waterfall? 4 Keys to Driving Results from Project Governance You can t swing a project manager these days without hitting the debate of Agile
More informationRonan Emmett Global Human Resources Learning Solutions
A Business Impact Study detailing the Return on Investment (ROI) gained from a Negotiation Skills training programme in Ireland delivered by the EMEAS Learning Solutions Team. There is a definite trend
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationService Children s Education
Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and
More informationSelling Telematics Motor Insurance Policies. A Good Practice Guide
Selling Telematics Motor Insurance Policies A Good Practice Guide April 2013 1 INTRODUCTION 1.1 The purpose of the guidance This guidance sets out high-level actions that insurers should seek to achieve
More information2015 Information Security Awareness Catalogue
Contents 2015 Catalogue Wolfpack Engagement Model 4 Campaign Drivers 6 Offerings 8 Approach 9 Engaging Content 10 Stakeholder Change Management 12 Bundles 13 Content 14 Grey Wolf -Track compliance with
More informationAPPENDIX ONE: SUMMARY TABLE OF SURVEY FINDINGS AND ACTIONS TAKEN ANNUAL PATIENT AND PUBLIC SURVEY 2013: SUMMARY OF KEY FINDINGS
APPENDIX ONE: SUMMARY TABLE OF SURVEY FINDINGS AND ACTIONS TAKEN ANNUAL PATIENT AND PUBLIC SURVEY 2013: SUMMARY OF KEY FINDINGS Topic Finding Action taken/planned Awareness of the GDC Unprompted awareness
More informationCommercial Buildings Special Working Group Change Management Report 2010
1 Contents 1. Introduction... 3 2. Findings from member interviews... 4 Review of Current Change Management Practices... 6 3. Methodology... 7 Structured Approach... 7 Improving your context... 8 Getting
More informationMaking information security awareness and training more effective
Making information security awareness and training more effective Mark Thomson Port Elizabeth Technikon, South Africa Key words: Abstract: Information security, awareness, education, training This paper
More informationAttribute 1: COMMUNICATION
The positive are intended for use as a guide only and are not exhaustive. Not ALL will be applicable to ALL roles within a grade and in some cases may be appropriate to a Attribute 1: COMMUNICATION Level
More informationModule 1 Study Guide
Module 1 Study Guide Introduction to OSA Welcome to your Study Guide. This document is supplementary to the information available to you online, and should be used in conjunction with the videos, quizzes
More informationHow to Write a Marketing Plan
How to Write a Marketing Plan This article highlights what we believe to be many of the key points that we need to consider when developing a marketing plan. It combines marketing theory, practical tools
More informationThe Six Deadly ERP Sins
The Six Deadly ERP Sins Summary: This white paper is a collection of observations by Manoeuvre based on our experience in the field of Enterprise Resource Planning (ERP) system implementations. The target
More informationThe Healthcare Leadership Model Appraisal Hub. 360 Assessment User Guide
The Healthcare Leadership Model Appraisal Hub 360 Assessment User Guide 360 Assessment User Guide Contents 03 Introduction 04 Accessing the Healthcare Leadership Model Appraisal Hub 08 Creating a 360 assessment
More informationIt will help you to think about how best to approach change, the key considerations and managing potential barriers to successful change.
CHANGE MANAGEMENT This tool kit has been designed to help you plan and implement change. It will help you to think about how best to approach change, the key considerations and managing potential barriers
More information4374 The Mauritius Government Gazette
4374 The Mauritius Government Gazette General Notice No. 2260 of 2012 THE INSOLVENCY ACT Notice is hereby given that the following Rules governing the performance and conduct of Insolvency Practitioners
More informationThe following criteria have been used to assess each of the options to ensure consistency and clarity:
4 Options appraisal 4.1 Overview We have appraised each of the options identified in section 3: Maintain the status quo Implement organisational change and service improvement Partner / collaborate with
More informationDevelopment of a retention schedule for research data at the London School of Hygiene & Tropical Medicine JISC final report
1. Introduction Development of a retention schedule for research data at the London School of Hygiene & Tropical Medicine JISC final report 1.1 The London School of Hygiene & Tropical Medicine is a postgraduate
More informationManaging IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
More informationOrganisational Change Management
Organisational Change Management The only thing that is constant is change in your business, your market, your competitors, and your technology. Remaining competitive and responsive to your customers and
More informationHow the Internet has Impacted Marketing?
Online Marketing and Social Media ( Module 1 ) How the Internet has Impacted Marketing? The internet has developed very rapidly as a major force in the marketing equation for many consumer products. Not
More informationPROGRESS THROUGH PARTNERSHIP MAKING A DIFFERENCE GUIDANCE PERFORMANCE MANAGEMENT FRAMEWORK AND CONTINUOUS IMPROVEMENT
PROGRESS THROUGH PARTNERSHIP MAKING A DIFFERENCE GUIDANCE PERFORMANCE MANAGEMENT FRAMEWORK AND CONTINUOUS IMPROVEMENT July 2014 Contents Page Introduction 3 What is continuous improvement? 4 Why do we
More information4. The creation of a Teaching Excellence Framework will not be straightforward and requires an iterative process of development.
Business, Innovation and Skills Committee Inquiry: Assessing quality in Higher Education Written evidence submitted by the Office of the Independent Adjudicator for Higher Education (OIA). Summary 1. The
More informationSeven Principles of Change:
Managing Change, LLC Identifying Intangible Assets to Produce Tangible Results Toll Free: 877-880-0217 Seven Principles of Change: Excerpt from the new book, Change Management: the people side of change
More informationQueensland Government Human Services Quality Framework. Quality Pathway Kit for Service Providers
Queensland Government Human Services Quality Framework Quality Pathway Kit for Service Providers July 2015 Introduction The Human Services Quality Framework (HSQF) The Human Services Quality Framework
More informationThird Party Litigation Funding
OVERVIEW Third party litigation funding (TPLF) is the practice where an outside party, with no direct interest in the claim, pays for the cost of a lawsuit in exchange for a portion or percentage of any
More informationFINANCIAL MANAGEMENT MATURITY MODEL
Definition: Financial management is the system by which the resources of an organisation s business are planned, directed, monitored and controlled to enable the organisation s goals to be achieved. Guidance
More informationInformation Governance in Dental Practices. Summary of findings from ICO reviews. September 2015
Information Governance in Dental Practices Summary of findings from ICO reviews September 2015 Executive summary The Information Commissioner s Office (ICO) is the regulator responsible for ensuring that
More informationThe Cambridge Executive MBA - Seeking Employer Support
- Seeking Employer Support An Executive MBA is a programme designed for people who have excelled in their career to date and have proved their ambition and drive to succeed and wish to invest in their
More informationThe PMO as a Project Management Integrator, Innovator and Interventionist
Article by Peter Mihailidis, Rad Miletich and Adel Khreich: Peter Mihailidis is an Associate Director with bluevisions, a project and program management consultancy based in Milsons Point in Sydney. Peter
More informationWaveney Lower Yare & Lothingland Internal Drainage Board Risk Management Strategy and Policy
Waveney Lower Yare & Lothingland Internal Drainage Board Risk Management Strategy and Policy Page: 1 Contents 1. Purpose, Aims & Objectives 2. Accountabilities, Roles & Reporting Lines 3. Skills & Expertise
More informationStandards of conduct, ethics and performance. July 2012
Standards of conduct, ethics and performance July 2012 Reprinted July 2012. The content of this booklet remains the same as the previous September 2010 edition. The General Pharmaceutical Council is the
More information