Saturday, September 18, 2010

The Project Plan

Creating a project includes defining business objectives and scope (what’s included and what’s not) in a project plan document. Before diving into the planning process for a security awareness training project, it’s important to assign a project manager and appoint a communications champion as part of the project. 

Ideally, the project objectives will closely mirror those described in the business case that was either verbally provided or put into an actual written document to obtain the approvals needed to ensure program success. If you haven't completed the business case yet, then it is imperative you do this first. Ensure you have complete management buy-in before proceeding to the planning stages. To ensure you are working toward the right goals, you should start by answering the following questions:

• How sensitive is the information stored, processed, and exchanged with outside entities?

• What regulatory constraints apply (e.g., HIPAA and SOX)?

• What is the company’s security strategy?

• What are the company’s security policies? How do they translate to practical, day-to-day activities?

• What are the company’s critical business processes?

• How does security affect employees’ day-to-day activities?

• How would a major security incident affect the health of the business?

Answering these questions helps focus the training on the ISATP message: a message unique to the combination of company culture, the industry in which the company operates, the regulatory climate, and the kinds of sensitive information processed or stored. Communicating this message, and choosing the method of communicating it, are the responsibility of the communication champion.

Although the project manager is responsible for coordinating project activities, it’s the communication champion who provides vision and works with management to gain and maintain support for security awareness.