Managing an Information Security and Privacy Awareness and Training Program, Second Edition

Starting with the inception of an education program and progressing through its development, implementation, delivery, and evaluation, Managing an Information Security and Privacy Awareness and Training Program, Second Edition provides authoritative coverage of nearly everything needed to create an effective training program that is compliant with applicable laws, regulations, and policies. Written by Rebecca Herold, a well-respected information security and privacy expert named one of the "Best Privacy Advisers in the World" multiple times by Computerworld magazine as well as a "Top 13 Influencer in IT Security" by IT Security Magazine, the text supplies a proven framework for creating an awareness and training program. It also: Lists the laws and associated excerpts of the specific passages that require training and awareness Contains a plethora of forms, examples, and samples in the book’s 22 appendices Highlights common mistakes that many organizations make Directs readers to additional resources for more specialized information Includes 250 awareness activities ideas and 42 helpful tips for trainers Complete with case studies and examples from a range of businesses and industries, this all-in-one resource provides the holistic and practical understanding needed to identify and implement the training and awareness methods best suited to, and most effective for, your organization. Praise for: The first edition was outstanding. The new second edition is even better ... the definitive and indispensable guide for information security and privacy awareness and training professionals, worth every cent. As with the first edition, we recommend it unreservedly..—NoticeBored.com

Brief History of Corporate Information Security and Privacy Awareness and TrainingOnce Upon a Time Welcome to the Information AgeInformation Security and Privacy EducationCurrent Challenges Bring Changes in Professional Education Why Training and Awareness Are ImportantRegulatory Requirements ComplianceCustomer Trust and SatisfactionCompliance with Published PoliciesDue DiligenceCorporate ReputationAccountability Legal and Regulatory Requirements for Training and AwarenessAwareness and Training NeedsLegal ConsiderationsCopyright ConsiderationsSpecific Regulatory Education Requirements Incorporating Training and Awareness into Job Responsibilities and AppraisalsMotivational FactorsMethods of Security and Privacy Objectives AssessmentsPerformance against Specific Privacy and Security ObjectivesUsing Appraisal ResultsConsidering Security and Privacy within Job Performance as a WholePaying for PerformanceAdditional Percentage Element Added to PayChallengesCommon Corporate Education MistakesThrowing Education Together Too QuicklyNot Fitting the EnvironmentNot Addressing Applicable Legal and Regulatory RequirementsNo Leadership SupportBudget Mismanagement or No BudgetUsing Unmodified Education MaterialsInformation OverloadNo Consideration for the LearnerPoor TrainersInformation DumpingNo Motivation for EducationInadequate PlanningNot Evaluating the Effectiveness of EducationUsing Inappropriate or Politically Incorrect Language Getting StartedDetermine Your Organization’s Environment, Goals, and MissionIdentify Key ContactsReview Current Training ActivitiesReview Current Awareness ActivitiesConduct a Needs AssessmentCreate Your Road MapElements of an Effective Education Program Establish a BaselineHard DataSoft Data Get Executive Support and SponsorshipExecutive Security and Privacy Training and Awareness Strategy BriefingProvide Examples of Security- and Privacy-Impacting EventsCase StudiesKey Business Leader Information Protection Responsibilities Identify Training and Awareness MethodsAdult LearningTraining Delivery MethodsAuditorium Presentations to Large GroupsRemote Access LabsSatellite or Fiber-Optic Long-Distance LearningWeb-Based Interactive Training (such as Webinars)Audio InstructionVideo and DVDWorkbooks On-the-Job (OTJ)Conference CallsOutsourced Training and Awareness with ProfessionalEducational ServicesEducation Provided by Professional SocietiesGovernment-Sponsored TrainingAwareness Methods Awareness and Training Topics and AudiencesTarget GroupsMapping Topics to Roles and Target GroupsStandards and Principles Define Your MessageCustomer PrivacyLaws and RegulationsAccess ControlsRisk Management Prepare Budget and Obtain FundingObtain Traditional Funding if You CanObtain Nontraditional Funding When NecessaryFinal Budget and Funding Thoughts Training Design and DevelopmentTraining MethodsDesign and DevelopmentChoosing ContentJob-Specific Content and Topics for Targeted GroupsLearning ActivitiesTraining Design Objectives Awareness Materials Design and DevelopmentContrasting Awareness and TrainingMake Awareness InterestingAwareness MethodsAwareness Is OngoingDeveloping Awareness Activities and MessagesMonthly Information Security and Privacy Newsletters CommunicationsStep 1: Identify Where You Need to Improve, Update, or Create Information Security and Privacy Training and AwarenessStep 2: Obtain Executive SponsorshipStep 3: Communicate Information Security and Privacy Program OverviewStep 4: Send Target Groups Communications Outlining the Information Security and Privacy Training and Awareness Schedules and Their Participation Expectations Deliver In-Person TrainingWhat to Avoid in TrainingMultinational Training ConsiderationsDelivering Classroom TrainingTips for TrainersVisual AidsTraining in Group SettingsCase Studies Launch Awareness ActivitiesStep 1: Identify Areas in Which You Need to Improve, Update, or Create AwarenessStep 2: Obtain Executive SponsorshipStep 3: Communicate the Information Security and Privacy Program OverviewStep 4: Identify Trigger EventsStep 5: Identify Target GroupsStep 6: Identify Your Awareness Methods and MessagesStep 7: Evaluate Changed BehaviorStep 8: Update and Perform Ongoing Awareness Plan for Specific Events Evaluate Education EffectivenessEvaluation AreasEvaluation MethodsEvaluating the Effectiveness of Specific Awareness and Training MethodsEducation Effectiveness Evaluation Framework Activities Checklist Leading PracticesSetting the Standard for Data Privacy and AwarenessEstablishing a Security Culture Through Security AwarenessEmpirical Evaluations of Embedded Training for Antiphishing User EducationWe Are Now the Targets of Thieves!Risks from Advanced Malware and Blended ThreatsCase Study: 1200 Users, 11 Cities in 7 Weeks … and They Wanted to Come to Security Awareness TrainingObtaining Executive Sponsorship for Awareness and TrainingEducation and Awareness for Security PersonnelAetna’s Award-Winning Security Awareness ProgramSecurity Awareness Case Study APPENDICES: Sample Executive Education Sponsorship MemoTraining Contact Training Data Collection FormEffectiveness Evaluation FrameworkSample Privacy Roles DefinitionsSuggested Privacy Awareness and Training Strategy Announcement as Voice Mail MessagePrivacy Icon or MascotSample Privacy Training SurveyPrivacy Sample Training PlansAdvocate and SME Interview Questions to Assist with Privacy Training DevelopmentTraining and Awareness InventoryIncorporating Training and Awareness into the Job Appraisal Process Interview/QuestionnaireSample Customer Privacy Awareness and Training Presentation Designated Security and Privacy–Related DaysEducation Costs WorksheetSample Pre-training/Awareness QuestionnaireSecurity Awareness Quiz QuestionsSocial Engineering Quiz

Herold, Rebecca