A well-structured content list delivered to end users monthly or quarterly avoids information overload and keeps the program flexible, so that a current information security risk can be addressed in the next cycle rather than waiting for an annual refresh. Delivery in small, manageable chunks also prevents the repetition and boredom that often accompany long, infrequent learning sessions.
Topics can be sequenced according to a baseline examination, which is recommended for identifying the gaps in the existing end-user knowledge base so that the program can immediately target the areas the organization considers most important. A baseline examination can be derived from existing organizational materials or resources, or purchased from a security awareness vendor, and delivered through a learning management system, either one already in place within the organization or a purchased or hosted option.
Suggested topics for end user awareness training:
Information Security
• Introduction to Information Security
• Information Classification
• Information Management
• Managing Sensitive Information
• Marking and Labeling
• Intellectual Property
• Physical Security
Information Protection
• Electronic Mail Message (Email)
• Unsolicited Mail Message (SPAM)
• Confidentiality on the Web
• External Communications
• Clean Desk Policy
• Privacy
• Using Passwords
IT Security
• Main Concepts of IT Security
• Threat and Risk Management
• Internet Usage
• Mobile Devices and Removable Media
• Secure Mobile Workplace - Mobile Users
Physical Security
• Access Control
• Transport and Transmittal of Sensitive Information
• Destruction of Sensitive Information or Assets
• Storage
Awareness of External Threats
• Malicious code – Myths and Reality
• Malicious code – Protection Measures
• Spyware
• Identity Theft
• Social Engineering
Communicating the Message
Delivering key messages that relate to the organization's policies or rules, tied to the monthly or quarterly learning topics, helps to solidify and reinforce those policies. Any regulations, fundamental security issues or concepts that need to be communicated should be planned together with the delivery of the online training component, so that the message and the training reinforce each other.
Sources of Information
Relevant materials can be found within the organization: previously taught security awareness courses, security standards, directives and policies. External sources are abundant; SANS has an extensive library of awareness materials, as does Microsoft, and both are free to use. Awareness communication messages can be derived from these sources and delivered via posters, newsletters, reminder stickers, games, and so on. Alternatively, many security awareness vendors offer these types of resources either free or for a small fee. Where no suitable material exists, new materials may need to be created internally.
Saturday, October 16, 2010