Example Proposal for Information Security …

1 Example Security awareness programme \\FBTRAINING\DATA\DATA\FIRSTB\S ample-Quotes\ Base Training The Old Courthouse, 38 High Street, Steyning, West Sussex, BN44 3YE, UKTel: (01903) 879 879 Fax: (01903) 879 274 Email: Web: ProposalforInformation SecurityAwareness programme (Discussion Draft) Example Security awareness programme \\FBTRAINING\DATA\DATA\FIRSTB\S ample-Quotes\ Base Training The Old Courthouse, 38 High Street, Steyning, West Sussex, BN44 3YE, UKTel: (01903) 879 879 Fax: (01903) 879 274 Email: Web: 3 SUMMARY OF TRAINING 3 TARGET 3 THE awareness CYCLE .. 4 GENERIC awareness 5 BENCHMARKING AND OBJECTIVES & BENEFITS 6 CULTURE & METHODOLOGY 6 programme STRUCTURE 7 MATERIALS 7 TRAINING REQUIREMENTS PLANNING & 7 LAUNCH 8 LAUNCH FOLLOW-UP 8 SELF STUDY & REINFORCEMENT / 8 COSTS .. 9 PROJECT 9 BENCHMARKING, OBJECTIVES & BENEFITS ANALYSIS.

2 9 AND CULTURE & METHODOLOGY 9 programme STRUCTURE 9 MATERIALS 9 LAUNCH 9 SELF STUDY & REINFORCEMENT / 10 ORDER 10 TERMS & CONDITIONS .. 11 Example Security awareness programme \\FBTRAINING\DATA\DATA\FIRSTB\S ample-Quotes\ Base Training The Old Courthouse, 38 High Street, Steyning, West Sussex, BN44 3YE, UKTel: (01903) 879 879 Fax: (01903) 879 274 Email: Web: complexity of an awareness programme makes it impossible to provide costs withoutconsultation although the Mission Possible demonstration disk contains a spreasheet thatenables a guide price to be generated by filling in a number of Proposal is based on x staff within {Company Name} offices in {Location 1} and afurther x in {Location 2}.Summary of Training ObjectivesWhilst Compliance with the Security Code Of Practice is the broad objective of anyawareness campaign, the sessions and materials are to be designed to address the keyelements of Information Security , explaining why it is needed and how it relates to thedelegates personal objectives.

3 To raise the general level of awareness The allocation of Information Security responsibility To gain, and maintain, commitment to good Information Security To re-enforce the Code Of Practice To have a positive impact on the organisational culture To achieve continuing improvement in Information securitySpecial attention will also be paid to ensure that the target audience understand thatsecurity is not just about addressing viruses and hacking as presented by the media, butcovers all aspects of the Confidentiality, Integrity and Availability of {Company Name s} Audience Management Teams General User Population New Starters IT FunctionsExample Security awareness programme \\FBTRAINING\DATA\DATA\FIRSTB\S ample-Quotes\ Base Training The Old Courthouse, 38 High Street, Steyning, West Sussex, BN44 3YE, UKTel: (01903) 879 879 Fax: (01903) 879 274 Email: Web: awareness CycleThe objective of any awareness programme is to assist people to move around theawareness cycle in a planned and controlled manner.

4 Not everybody in an organisationneeds to progress the whole way around the cycle. As a rule of thumb, everyone shouldreach the commitment stage. Those with a leadership role or one that has direct relevanceto the subject matter should complete the cycle and then continue to revisit it as thesubject matter awareness programme will address portions of the cycle separately as it is impossibleto progress until an element has been achieved. For Example , an individual cannot knowthe value of a subject unless they understand the subject and commitment will not beachieved without ownership, and so will almost certainly require different approaches to each of the elements. Some can beaddressed en-mass with poster or newsletter campaigns whilst others will require moretraditional training or even something a bit different!

5 awareness (I know it exists)Understanding(I know what it is)Value(I know why it sworthwhile)Ownership(I agree with it)Commitment(I ll do it)Communication(I ll promote it)Development(I ll help enhance it) Example Security awareness programme \\FBTRAINING\DATA\DATA\FIRSTB\S ample-Quotes\ Base Training The Old Courthouse, 38 High Street, Steyning, West Sussex, BN44 3YE, UKTel: (01903) 879 879 Fax: (01903) 879 274 Email: Web: awareness ProcessCulture &MethodologyAn aly s isProgrammeStructureTime- tablingLaunch Follow-upSessionsSelf-studyReviewLaunch EventMaterialsProductionAdministrationTr ainingRequirementsPlanningT r adit ionalTrainingReinforcementSessionsPromot ionalThe DeliveryObjectives &Be n e f it sExample Security awareness programme \\FBTRAINING\DATA\DATA\FIRSTB\S ample-Quotes\ Base Training The Old Courthouse, 38 High Street, Steyning, West Sussex, BN44 3YE, UKTel: (01903) 879 879 Fax: (01903) 879 274 Email: Web.

6 And Objectives & Benefits AnalysisPurposeTo enable us to understand the business objectives and benefits of the awarenesscampaign and to ensure that they are addressed measure the degree of success of the documentation provided by {Contact Name} states the overall programme objectivesbut there is a need to ascertain specific objectives of any particular location, division,department or job definition of specific objectives may be combined with a benchmarking exercise tohighlight any areas in need of particular attention. This is done via interview and the useof a targeted multiple choice questionnaire with key personnel and a sample of staffacross the business. The questionnaire addresses both understanding and commitment toinformation Security and needs to be led by an interviewer as the answers includeweighting for suggested sample size would be n% of the user base (x for {Location 1} and x for{Location 2} ).

7 The benchmark interviews will be re-run after the principle portion of the awarenessprogramme is completed to measure movement towards defined targets and to refinemethods and messages for the on-going & Methodology AnalysisPurposeTo enable us to understand the culture of the organisation, existing trainingmethodologies and any resistance to change. We are then able to propose appropriatetraining sites are visited to get a feel for the style of the workplace and to see which methodscan be used, are there training rooms with multimedia, can posters be put up, are thereany common areas such as a staff restaurant, and so personnel from each site are interviewed on three basic questions: What training methods are currently used in {Company Name} that work What training methods are currently used in {Company Name} that do not work What other training methods could be successfully used in {Company Name}These activities can be combined with the benchmarking Security awareness programme \\FBTRAINING\DATA\DATA\FIRSTB\S ample-Quotes\ Base Training The Old Courthouse, 38 High Street, Steyning, West Sussex, BN44 3YE, UKTel: (01903) 879 879 Fax: (01903) 879 274 Email.

8 Web: Structure DesignPurposeTo ensure that the programme content is appropriate for the {Company Name} cultureand the physical attributes of the offices. To structure the training programme to make themost efficient use of time and meeting with {Contact Name} to discuss the results of the benchmarking and culturalanalysis to define the course structure and create a matrix of more specific ProductionPurposeTo act as the basis for self-study, traditional training or promotional activities, to reinforcethe programme content and act as reference on the earlier analysis, the materials may comprise some or all of thefollowing: PowerPoint presentations Scripts Quizzes Videos Handouts Posters Self-study materials (books/CDs/disks) Reference books/guides E-mails Mouse mats, mugs, Requirements Planning & Time-tablingPurposeTo ensure that staff receive the most suitable portions of the method depends on the level of granularity required in the training.

9 It can range froma single method aimed at all staff, to different methods for each job function ordepartment. This will not be known until the programme structure has been defined. It isusual for the client to allocate the staff to the appropriate training and to book them forpresentations etc. First Base are able to assist if Security awareness programme \\FBTRAINING\DATA\DATA\FIRSTB\S ample-Quotes\ Base Training The Old Courthouse, 38 High Street, Steyning, West Sussex, BN44 3YE, UKTel: (01903) 879 879 Fax: (01903) 879 274 Email: Web: EventsPurposeThese are key to the success of the awareness programme . The launch events are used toachieve fast buy-in to the programme by staff, focusing on the key issues and to set thebackdrop for the rest of the will be tailored to suit the message, culture and physical environmentLaunch Follow-up SessionsPurposeTo give the delegates an opportunity to enhance any of the elements of the launch and toreinforce the messages.

10 To provide specific additional messages to key areas such as IT will be tailored to suit the message, culture and physical Study & Reinforcement / PromotionalPurposeTo drive home messages on key Security issues, such as password management, visitorcontrol or will be tailored to suit the message, culture and physical topics are focussed on and may be addressed in a wide variety of ways. The methodsfrequently follow the simple marketing model. This is because the issue is rarely one ofunderstanding but one of commitment. If a message is reinforced regularly in the sameway as adverts are repeated, often in a variety of formats, attitudes and the organisation sculture tend to be gradually meetings provide an opportunity to consolidate feedback from delegates, managersand presenters to evaluate the programme on an on-going basis.