Welcome to the SecAware blog

I spy with my beady eye ...

21 Aug 2009

Cradle-to-grave security awareness

Today's release of Information Security 101 adds another valuable tool to the Information Security Manager's security awareness toolkit from IsecT Ltd.

Information Security 101 was formerly known as the Induction Module, and that remains its primary purpose: facilitating security induction courses for new employee orientation. It provides a coherent and comprehensive set of foundation-level awareness materials covering the basics of information security, the kinds of things that all new employees (and indeed contractors, consultants and even temps) should soon become familiar with when they turn up for work.

All the awareness materials from the original Induction Module have been thoroughly revised, updated and refreshed, with several brand new items being added. Information Security 101 still provides three parallel 'streams' of materials addressing three audience groups with subtly different information needs and perspectives:
  1. General employees or staff have broad responsibilities for information security and need to know the simple things such as choosing good passwords, running antivirus and backing up their data. For them, security is an incidental aspect of their work and home life that most don't really consider without some conscious effort being made to make them aware;
  2. Managers and Directors have specific governance and compliance obligations in respect of information security although they may not at first appreciate this. They are invariably busy people, yet take an interest in high level security strategies, policies and so forth. Getting managers on board with information security significantly improves the chances of the awareness program resonating with staff and ultimately being successful;
  3. IT professionals have an obvious interest in the more technical IT security controls. They are broadly expected to design, implement and operate most of the IT security controls on behalf of general IT users throughout the organization, yet it is not uncommon to find that IT pros have had limited exposure to even fundamental information security principles during their formal education, let alone leading security practices such as federated identity management and multifactor authentication.
As well as its use for induction/orientation purposes, Information Security 101 gives extra value by helping organizations launch (or relaunch!) best-practice security awareness programs. Bringing the whole employee base quickly up to speed on information security ensures that everyone has a firm grasp of the basics, preempting the regular security awareness activities that follow. [For this reason, Information Security 101 is supplied free of charge to customers of our flagship product, NoticeBored - a US$695 value.]

NoticeBored is a security awareness subscription service providing a fresh package of creative awareness materials on a different information security topic each month. This innovative approach is designed to drive "rolling" or continuous-delivery awareness programs, giving year-round coverage to a broad range of information security topics. The NoticeBored materials also have three parallel streams covering the same three target audiences on relevant issues in familiar terms. The materials themselves are delivered as ordinary Microsoft Office files, making it easy for customers to customize or adapt the materials to suit their purposes. Customers can reference their own information security policies and procedures, provide contact details for their Information Security, Physical Security, Legal, HR and Compliance people, and incorporate the NoticeBored materials into intranet websites and Learning Management Systems supporting information security throughout the organization.

Other security awareness materials in the NoticeBored product family include:
  • The Back Catalog, a comprehensive library of awareness materials covering more than 30 information security topics - ideal to get your awareness program off to a flying start without having to wait for the monthly NoticeBored deliveries.
  • A generic information security policy manual based on the good security practices and controls recommended by ISO/IEC 27002. Organizations that are implementing Information Security Management Systems use our manual to develop their own custom set of policy principles, axioms and detailed policy statements reflecting the ISO27k standards.
  • A range of over 200 high-quality security awareness posters, supplied as JPG images for customers to customize and brand, then print as many hardcopies as they actually need at no extra charge.
  • A set of Internal Controls Questionnaires covering some 31 information security topics. These are useful prompts or guides for risk assessments, gap analysis, internal audits or management reviews, helping customers assess the extent to which their security controls actually mitigate the organization's information security risks. The questions posed are deliberately open-ended to encourage intelligent and flexible application, as opposed to the usual brain-dead compliance tick-lists that achieve so little in practice.
Thanks to our low overheads, we are able to offer unbeatable prices across the whole NoticeBored product range. Given that awareness leverages existing investments in technical and other forms of security controls, as well as being the only rational way to address the human elements of social engineering, fraud, phishing and similar security risks, NoticeBored provides outstanding value for money.

Last but not least, NoticeBored embodies our passion for the subject. Few if any information security managers would dispute the importance of security awareness, training and education, yet they seldom have the time or indeed the skills to really do it justice. By providing "camera ready" security awareness materials on topical subjects, we release our customers from the tedious burden of researching, writing and polishing the awareness content, leaving them free to concentrate on the fun part - interacting with employees, promoting good security practices and enthusiastically spreading a little of that passion we mentioned. In some ways, it's a shame we can't walk the last mile with you ... good luck.
