Friday, March 30, 2012
Delivery method
There are three principal methods of delivery for the security awareness message: Web-based, offline, and instructor-led. Web-based delivery is the best way for most distributed organizations to reach all employees. Multi-purpose authoring tools enable customized messages, delivered by PowerPoint and enhanced with audio. They also allow integration of quizzes and tracking of participation. Placing an awareness presentation on the company Intranet, with participation tracking enabled, is a good way to reach everyone. It’s also a good way of demonstrating awareness efforts to auditors.
Offline awareness presentations are provided for those employees without high-speed access to the Intranet. However, special delivery packages are not usually needed if multi-purpose tools are used. For example, the training modules on my site are available for either online viewing or for download. I could also choose to distribute them via CD-ROM.
Instructor-led training is typically not necessary for initial awareness delivery. The content should be high-level, easy to understand, and applicable to every participant. It’s usually appropriate to reserve classroom training for in-depth training of targeted audiences.
Regardless of the delivery method, it’s important to validate that everyone participates. Leaving pockets of employees unaware of the importance of security and how their actions affect system assurance is like leaving one or more windows open on a locked house.
Wednesday, March 14, 2012
Raising Employee Awareness
Building employee awareness begins with the new hire orientation process. Make sure this is included in your ISATP. On their first day, employees should understand what is and is not considered safe behavior. This initial exposure to company expectations might consist of requiring each person to sit through a short awareness presentation, followed by their reading and signing the acceptable use and password management policies.
Break training into three different content groups, based on whether the target audience is management, IT staff, or business users. This is fine for training, but the awareness message is the same for all employees, regardless of role. Organizations that are just now implementing an ISATP should follow up with existing employees to ensure the awareness message is consistently distributed throughout the entire workforce.