Information Security 101 - security orientation/awareness program launch module

Executive summary

Information Security 101 is a starter-pack of high quality, professionally-designed information security awareness materials, intended for use both in new employee security orientation sessions, and to launch a new security awareness program. Right from day one, employees will know that you take information security seriously, and that they have an important part to play.

Our design philosophy

Information security should be an integral part of every employee’s time with the organization, from their first day to their last. Most organizations put newcomers through some sort of ‘welcome aboard’ rite-of-passage not long after they join. The fundamental purpose of orientation training is to bring new employees quickly up to a basic level of understanding regarding their new work environment. With respect to information security, the accepted wisdom is that new recruits must be informed in particular about their information security obligations laid out in various laws, regulations and policies. These are of course Very Important Things, therefore the information should be put across in a very formal and stilted manner, apparently, complete with the rigmarole of our intrepid newcomers signing numerous pieces of paper to acknowledge receipt of said obligations, despite everyone knowing it is just a rubber-stamping exercise.

Broadening the scope, most traditional security awareness and training programs are designed around circulating or broadcasting security messages throughout the organization. That is their primary purpose, focusing very much on the outbound communication of ‘guidance’ (in practice: explicit directions, constraints and dire warnings) from IT Security to End Users. There is an implicit assumption that IT Security knows what’s best for the organization, and that end users simply need to be told. It’s all very them-and-us. This becomes even more obvious in compliance-driven organizations, where cynical managers don’t honestly care whether anyone actually understands their security and privacy obligations, just so long as there is a paper trail showing that they have been duly informed, hence management is off the hook. The supreme arrogance and myopia of the traditional approach to awareness is, to a large extent, why it doesn’t work well, if at all.

Given NoticeBored’s unique approach to awareness, you won’t be surprised to discover that we take a markedly different line. A NoticeBored awareness program exploits the socialization of information security as a primary driver and vehicle of cultural change. Our foundation is a corporate social network throughout the enterprise - the web of social links, mutual respect and trust that, in turn, will be used for bidirectional communications between Information Security and The Business. The social network is just as much a vehicle for the Information Security function to find out about business objectives and needs, as it is a way to promulgate security policies and awareness messages.

[Image: quote on orientation training from Jack Loo]

We see a newcomer’s first days on site as a clean-slate opportunity for us (meaning Information Security) to outline what makes us tick, and to find out just a bit about them (our new colleagues). Most of all, we want to initiate a productive, mutually beneficial relationship, a partnership-of-equals that will last indefinitely, way beyond the orientation session.

Given the overall aim to establish a corporate security culture, we know there is more to this than forcing newcomers to sign a few forms and heed the warnings about keeping in line. The orientation sessions are our first chance to start explaining to newcomers what information security is about, why it is necessary and valuable, what it involves, and how everyone plays a part ... and at the same time an opportunity to discover their preconceptions, their needs, even their hopes and dreams. It cuts both ways.

At the root of it all, we see our fellow employees not as ‘our biggest security challenge’ (as Jack Loo put it) but as our partners and allies who are, on the whole, side-by-side with us fighting on the same side. Opening the dialog, exploring common ground and building a trusted relationship will, we believe, make a huge difference in the long run - and it starts right there and then on day one.

Content of the module

Information Security 101 is supplied as a ZIP containing 68 mostly MS Office files. Here’s a full listing in the form of a checklist we suggest you use when you first receive and look through the module, marking the items that you intend to use in your awareness and training program (we don’t anticipate you using all 68 - at least not at first!).

The materials are divided into three parallel streams:

  1. The staff/all employee stream has general-interest awareness materials concerning basic security controls such as choosing strong passwords. This stream gives a gentle introduction to information security, acting as a solid foundation for the security awareness program that follows.
  2. The management stream emphasizes broad governance, risk management and compliance aspects of information security, taking a relatively high-level strategic view. Our emphasis here is that information security supports and enables the business - it is business-driven, not an end in itself.
  3. The professionals’ stream goes into slightly more depth on the technical aspects of information security, although this is not detailed technical training.

The materials themselves comprise a wide range of types and formats, ranging from graphics and diagrams to seminar slides to briefing papers. There are relatively formal items such as policies, mid-range items such as the extensive hyperlinked glossary, and light-hearted fun items such as the quiz and crossword. This gives you a lot of flexibility in how you choose to deliver Information Security 101 in your organization, and lets you respond to evolving needs (for instance, you might make almost all the materials available on your intranet site, but present only a small selection in the orientation classes).

As with all our awareness materials, they are fully customer-editable, protected only by the license agreement and copyright law. You are free to customize and adapt the content, change the format and style, swap the logo, provide appropriate contact details, cut-n-paste our stuff into other places (e.g. new starter goody-packs and Learning Management Systems) and blend in additional content (e.g. notes about specific legal and regulatory obligations). [If you would prefer a pre-customized pack with your corporate logo, colors etc., contact us for pricing. We’re happy to deliver the unlocked Office files in any case, so you are not beholden to us for subsequent updates and tweaks.]

By the way, talking of intranet sites, we’ve included a generic design specification for an intranet site to promote information security. Even if you already have such a site up and running, we hope you’ll find some worthwhile new ideas in the spec.

Contact us to buy the module. The price? Oh that’s US$645 ... unless you subscribe to the NoticeBored security awareness service in which case we’ll throw it in for free!


Copyright © 2017 IsecT Ltd.