
Managing an Information Security and Privacy Awareness and Training Program
Rebecca Herold(Author)
Auerbach (Publisher)
1st Edition
Published on 26 April 2005
Book
Hardback
552 pages
978-0-8493-2963-0 (ISBN)
Description
Managing an Information Security and Privacy Awareness and Training Program provides a starting point and an all-in-one resource for infosec and privacy education practitioners who are building programs for their organizations. The author applies knowledge obtained through her work in education, creating a comprehensive resource of nearly everything involved with managing an infosec and privacy training course. This book includes examples and tools from a wide range of businesses, enabling readers to select effective components that will be beneficial to their enterprises. The text progresses from the inception of an education program through development, implementation, delivery, and evaluation.
Language
English
Place of publication
London
United Kingdom
Publishing group
Taylor & Francis Ltd
Target group
College/higher education
Professional and scholarly
Information security officers and managers, privacy officers and managers, compliance officers and managers, organizational training and learning officers, managers for GLB, HIPAA, and Sarbanes-Oxley compliance
Illustrations
43 Tables, black and white; 27 Illustrations, black and white
Dimensions
Height: 235 mm
Width: 156 mm
Weight
885 gr
ISBN-13
978-0-8493-2963-0 (9780849329630)
Other editions
New editions
Book
08/2010
2nd Edition
CRC Press
Content
Brief History of Corporate Information Security and Privacy Awareness and Training
Once Upon a Time
Welcome to the Information Age
Information Security and Privacy Education
Current Challenges Bring Changes in Professional Education
Notes
Why Training and Awareness Are Important
Regulatory Requirements Compliance
Customer Trust and Satisfaction
Compliance with Published Policies
Due Diligence
Corporate Reputation
Accountability
Legal and Regulatory Requirements for Training and Awareness
Awareness and Training Needs
Legal Considerations
Copyright Considerations
Specific Regulatory Education Requirements
Incorporating Training and Awareness into Job Responsibilities and Appraisals
Motivation Factors
Methods of Security and Privacy Objectives Assessments
Performance against Specific Privacy and Security Objectives
Considering Security and Privacy within Job Performance as a Whole
Paying for Performance
Challenges
Common Corporate Education Mistakes
Throwing Education Together Too Quickly
Not Fitting the Environment
Not Addressing Applicable Legal and Regulatory Requirements
No Leadership Support
Budget Mismanagement or No Budget
Using Unmodified Education Materials
Information Overload
No Consideration for the Learner
Poor Trainers
Information Dumping
No Motivation for Education
Inadequate Planning
Not Evaluating the Effectiveness of Education
Using Inappropriate or Politically Incorrect Language
Getting Started
Determine Your Organization's Environment, Goals, and Mission
Identify Key Contacts
Review Current Training Activities
Review Current Awareness Activities
Conduct a Needs Assessment
Create Your Road Map
Elements of an Effective Education Program
Establish a Baseline
Hard Data
Soft Data
Benefits of a Baseline
Get Executive Support and Sponsorship
Executive Security and Privacy Training and Awareness Strategy Briefing
Provide Examples of Security and Privacy Impacting Events
Identify Training and Awareness Methods
Adult Learning
Training Delivery Methods
Auditorium Presentations to Large Groups
Remote Access Labs
Satellite or Fiber Optics Long-Distance Learning
Web-Based Interactive Training (such as Webinars)
Audio Instruction
Video and DVD
Workbooks
On-the-Job (OTJ)
Conference Calls
Outsourced Training and Awareness with Professional Education Services
Education Provided by Professional Societies
Government-Sponsored Training
Awareness Methods
Awareness and Training Topics and Audiences
Target Groups
Topics
Mapping Topics to Roles and Target Groups
Standards and Principles
Define Your Message
Customer Privacy
Laws and Regulations
Access Controls
Risk Management
Prepare Budget and Obtain Funding
Obtain Traditional Funding if You Can
Obtain Nontraditional Funding when Necessary
Final Budget and Funding Thoughts
Training Design and Development
Training Methods
Design and Development
Choosing Content
Core Content
Job-Specific Content and Topics for Targeted Groups
Learning Activities
Training Design Objectives
Awareness Materials Design and Development
Contrasting Awareness and Training
Make Awareness Interesting
Awareness Methods
Awareness Is Ongoing
Developing Awareness Activities and Messages
Bimonthly Customer Privacy Newsletters
Communications
Identify Where You Need to Improve, Update, or Create Information Security and Privacy Training and Awareness
Obtain Executive Sponsorship
Communicate Information Security and Privacy Program Overview
Send Target Groups Communications Outlining the Information Security and Privacy Training and Awareness Schedules and Their Participation Expectations
Deliver In-Person Training
What to Avoid in Training
Multinational Training Considerations
Delivering Classroom Training
Tips for Trainers
Visual Aids
Training in Group Settings
Case Studies
Launch Awareness Activities
Identify Areas in Which You Need to Improve, Update, or Create Awareness
Obtain Executive Sponsorship
Communicate the Information Security and Privacy Program Overview
Identify Trigger Events
Identify Target Groups
Identify Your Awareness Methods and Messages
Evaluate Changed Behavior
Update and Perform Ongoing Awareness
Plan for Specific Events
Evaluate Education Effectiveness
Evaluation Areas
Evaluation Methods
Evaluating Education Effectiveness: Intangible Benefits
Determining Intangible Benefits of Training and Awareness
Evaluating the Effectiveness of Specific Awareness and Training Methods
Evaluating the Effectiveness of Awareness Newsletters
Survey Composition
Survey Questions
Survey Administration
Education Effectiveness Evaluation Framework Activities Checklist
Leading Practices
Consulting for a Federal Organization to Improve Its Training and Awareness Program
Case Study: 1200 Users, 11 Cities, in 7 Weeks ... and They Wanted to Come to Security Awareness Training
Obtaining Executive Sponsorship for Awareness and Training
Information Assurance Awareness Programs in Multinational Manufacturing Organizations
ISO 17799 Awareness for IT Managers Requires Security Mindset Changes: Putting the Cart before the Horse
Education and Awareness for Security Personnel
Security Awareness via E-Learning: A Case Study
What's the Speed of Dark? Enlightenment through Education
Aetna's Award-Winning Security Awareness Program
Closing Comments
Addendum: How to Build a Custom Web-Based InfoSec Exam
Security Awareness Case Study
APPENDICES
A Sample Executive Education Sponsorship Memo
B Training Contact Training Data Collection Form
C Effectiveness Evaluation Framework
D Sample Privacy Roles Definitions
E Suggested Customer Privacy Awareness and Training Strategy Announcement as Voice Mail Message
F Security and Privacy Icon or Mascot
G Sample Privacy Training Survey
H Customer Privacy Sample Training Plans
I Advocate and SME Interview Questions to Assist with Customer Privacy Training Development
J Training and Awareness Inventory
K Incorporating Training and Awareness into the Job Appraisal Process Interview/Questionnaire
L Training Contact Data Collection and Evaluation Form
M Sample Customer Privacy Awareness and Training Presentation
N Designated Security and Privacy-Related Days
O Education Costs Worksheet
P Sample Pretraining/Awareness Questionnaire
Q Security Awareness Quiz Questions
R Consumer Privacy Pop Quiz
S Information Security and Privacy Awareness and Training Checklist
T Awareness and Training Resources
U Awareness and Training Glossary
V Sample Case Studies