For those of you putting together an information security awareness, training and education plan in the new year, I provide this to help you define and plan a successful implementation and operation to work towards the ultimate goal of a successful information security plan.
VISION - The ultimate goal of our information security awareness program is to incorporate security as a regular part of what we do, and to give our employees an understanding that security is not something you can add at the end and is not something that technology or someone else can always do for you.
MISSION - The goal of the Security Awareness Program is the preservation of the confidentiality, integrity and availability of sensitive information, and of the integrity and availability of the systems that process and store that information. Information security is a triad of People, Process and Technology. Process and technology are driven by people and people are driven by their job responsibilities, their knowledge and experience. Security awareness is what we use to define these parameters.
STRATEGY - Security awareness, training and education will be based upon IT security roles and access rights to sensitive data. End users with minimal access to IT resources and/or sensitive data will require less security training than a data owner for administrative systems would. Awareness will be broadly available through a variety of methods and media throughout the year for administration, faculty, staff and students. Specific training will be created and delivered through a combination of on-line delivery, classroom-style instruction, special meeting topics, and one-on-one instruction.
PURPOSE - Security policies should be viewed as key enablers for the organization, not as a series of rules restricting the efficient conduct of business. The Security Awareness Program is a factor in the successful implementation of an organizational security policy. Ensuring that our organization's intellectual property, customer and patient data, and assets are protected from inadvertent disclosures or malicious Internet threats is the responsibility of every employee and contractor. This is done by defining and outlining the specific role of each employee in the effort to secure critical organization assets, as well as covering in detail the core elements of the security policy. Security Awareness achieves a long-term shift in the attitude of employees towards security, while promoting a cultural and behavioral change within the organization.
SECURITY AWARENESS - People, information, operations, and systems are critical assets. Protecting the safety, confidentiality, integrity, and availability of these assets is essential to maintaining compliance, public image, and regulatory and legal obligations. Organizations face threats to their employees, systems, operations, and information every day. These threats include information technology and information security threats, as well as physical and other emergencies. Organizations implement tools and procedures to protect against these threats. Unfortunately, even the best technology and procedures can be defeated by a user who is unaware of how to use them, or of how important security is.
Thursday, December 31, 2009