With no budget, our manager has to devise a security awareness and training program on his own
This month, I've been putting together a security awareness and training program. It's been an opportunity to exercise my creative side (which admittedly is pretty weak). The challenge, of course, is the same as always (you're probably way ahead of me) -- I have no budget.
So like many other things that I've done in this job, I'm doing it myself. The difference this time is that I'm not building technology systems, which I'm comfortable with -- I'm putting together communications and training materials. That requires a different set of skills. Fortunately, I'm already comfortable with writing; these columns have given me a great opportunity to practice my written communication skills. But writing is only part of a comprehensive awareness and training strategy. Just sending out emails and posting information on a website isn't going to be enough to reach everybody.
The National Institute of Standards and Technology (NIST) has published a document, numbered SP800-50, that specifies some best practices for security awareness and training. Though it's oriented toward U.S. government agencies, it's a good starting point for determining what should go into a >security training and awareness program for any organization. It has some good guidance for people like me who aren't training professionals but need to teach people good security practices and show them how to follow security policies.
You can download SP800-50 for free, so I won't go into detail about what's in it. I'll just say that the focus is on reinforcing desired security behaviors and teaching security skills to the users. The NIST recommends various techniques to get the message across, most of which you've probably seen before. I'm putting together a Web-based training program to get across my key messages and show people how to properly apply our security policies. Putting up posters and sending out email newsletters are things I've already done, because they're free. These will supplement and reinforce the messages in my training. Giveaways and fancy video presentations are out of my range, since I don't have any budget. I'm also considering in-person meetings, such as joining department staff meetings to give a quick security presentation and dropping in on new-hire orientations. I'd rather have some slick materials to give out, but I'm making do with what I can produce myself. It seems there's a lot I can do to improve security awareness without spending money.
Document classification (Public, Internal or Confidential) is one of the core concepts I'm communicating with the training and awareness materials. Last month, I wrote about my new document protection technology project. It's going well so far. I found a consulting firm that can do the work and talked to some other companies that have implemented the technology. Now the key is to get my company's users to properly classify their documents. The technology will take care of the protection if the documents are classified according to their confidentiality.
Getting users to think about confidentiality and become aware of document classifications is my goal. The document authors and the departments that own the documents are in the best position to determine their confidentiality, so I'm relying on them. And the security training and awareness materials are my first step toward ingraining that thinking into the corporate culture. I don't expect change to happen overnight, but I am optimistic that I can dial up our security with the right messaging and reinforcement.