NoticeBored this month

August’s awareness module covers information security governance

Introduction and scope

August’s topic views information security as an essential element of IT and corporate governance. Governance is a concept that is not easy to define precisely: muddled thinking, combined with a divergence of opinions, makes it difficult to grasp. Our intention through the awareness program is to explore the topic from the differing perspectives of staff, managers and technologists, drawing out the essential elements that contribute to commercial success.

Information security governance requires management to make sensible decisions on how best to protect and enhance the value of “information assets” (including intellectual property, data, IT systems and knowledge) from all manner of security risks, in the same way that they protect and enhance the value of other corporate assets (money, plant, people, brands, relationships etc.). There are many decisions to be made, many risks and controls to consider, and many different ways of protecting information assets. Governance provides the conceptual framework, a route map through the muddle to help management make the right decisions.

Content of the module

August’s topic is clearly relevant to managers but, as always, we provide information and advice to employees in general and IT professionals too. The module draws on information security and risk management concepts introduced last month.

The module is delivered as a 37 Mb compressed ZIP file containing the materials described below. Most are standard Microsoft Office files. NoticeBored customers are welcome to add their own security awareness logos, edit the text or images, cut-and-paste content to or from other media (including Learning Management Systems and corporate intranets), alter the formatting to suit their corporate style guides and so forth, and of course to use the materials to raise awareness of information security governance.

Awareness materials for all employees

1. Security awareness seminar: information security governance MS PowerPoint 11 PowerPoint slides

Security awareness seminar slides with accompanying speaker notes explain information security and governance issues that everyone should know something about.

2. Security awareness posters: information security governance Graphic image 12 JPG images

Posters are a valuable part of a security awareness program - not enough in themselves but a means to promote broad awareness of the issues and a lead-in to more explicit guidance. We’re delivering six brand new high-resolution awareness posters (thumbnails below - the original images provided to customers are approximately 3,500 x 5,000 pixels), plus a further six previously delivered, to highlight the main points and interest people in the remaining awareness materials.

08-08-01: Working together to secure information assets

08-08-02: The guvnor leads the charge

08-08-03: Senior management - the power behind infosec

08-08-04: Information security is down to U

08-08-05: Clear accountability promotes security

08-08-06: A governor controls a steam engine

3. Screensavers: information security governance PS screensaver 4 PC screensavers

NoticeBored screensavers bring the graphical content of other awareness materials to employees’ screens:

  1. Slides from the staff seminar (item #1), displayed in sequence
  2. Slides from the management seminar (item #17), in sequence
  3. Slides from the technical seminar (item #28), in sequence
  4. The new poster images (item #2), displayed in random order

Customers, please contact us if you would like to customize the screensavers or create your own. We won’t charge you to do it - we’ll tell you how to do it yourself, simply and for free.

4. Staff guideline: information security governance MS Word document 1 page Word document

A brief overview of information security governance, intended for a general audience and suitable as a handout at awareness seminars and briefings.

5. Staff guideline: accountability MS Word document 2 page Word document

A double-sided informational leaflet on information security accountability.

6. Case studies: information security governance MS Word document 4 x 2 page Word documents

Case studies help liven up seminars, presentations and training courses and make engaging awareness exercises by themselves. They get the audience thinking and talking about the topic. There are four case studies again this month, each comprising a scenario paragraph and a handful of discussion points, followed by a page of ‘model answers’ to get the discussion going. The scenarios are situations relating to information security governance.

7. Top tips: information security governance MS Word document 1 page Word document

A page of tips - simple suggestions for staff on information security governance.

8. Take home messages: information security governance MS Word document 1 page Word document

The entire module condensed and summed up on just one side! A mind map and a few words of explanation do the trick. Even those who are “too busy” to take much notice of information security can hardly claim to be that busy.

9. Crossword puzzle: information security governance MS Word document 2 page Word document

Puzzle on one page. Solution on another. Have some fun over lunch while learning about information security governance.

10. Security awareness survey MS Word document 1 page Word document

A simple form to check the extent to which employees are aware of the information security governance topic, and to gather their feedback and suggestions to improve the awareness program.

11. Security awareness test: information security governance MS Word document 1 page Word document

Check how well employees recall the information security governance awareness messages. Generate useful metrics on your awareness program to help demonstrate progress to management and drive further improvements.

12. Glossary of information security governance MS Word document / HTML 5 page Word document or 1 web page

A hyperlinked glossary of information security governance-related terms, ideal for Information Security’s intranet Security Zone.

13. Links to additional resources on information security governance HTML 1 web page

Explore our managed collection of links to information security governance resources on the Web for still more perspectives on this important topic. We used many of these resources in our research to prepare the module. Customers are very welcome to duplicate and amend our links collection on their corporate intranets.


Awareness materials for managers and executives

14. Mind-maps: information security governance MS Visio file 5 Visio diagrams

Mind-maps help us think through and develop the content whilst researching and preparing the NoticeBored materials. We use them to illustrate the presentations and various other awareness materials in the module, showing the topic in a structured and visually appealing way. Five mind-maps plus several variants are provided, along with a handful of diagrams, in one Visio file allowing customers to make changes and continue the thinking process.

15. Board agenda: information security governance MS Word document 1 page Word document

Although senior management support is an essential prerequisite for a world-class information security program, helping senior managers understand often complex information security issues, quickly, is something of a challenge. The ‘board agenda’ paper aims to get them thinking about the issues and stimulate a Board-level discussion on information security governance, facilitated by the CIO, CISO or Information Security Manager. 

16. Model policies covering (a) information security governance, (b) divisions of responsibility and (c) information asset ownership MS Word document 3 Word documents

Three separate policy documents cover the core topic and two related matters. Adopt these as-is or compare them against and perhaps improve your own information security policies.

17. Management seminar: information security governance MS PowerPoint 10 PowerPoint slides

Ten seminar slides supported by speaker notes encourage management to consider and discuss information security governance. 

18. Executive briefing: information security governance MS Word document 1 page Word document

19. Executive briefing: information asset ownership MS Word document 1 page Word document

20. Executive briefing: accountability for information security MS Word document 1 page Word document

Three short briefings intended for busy senior managers, covering governance issues in the context of information security (and vice versa!).

21. Management briefing: information security governance MS Word document 14 page Word document

For middle managers and interested executives with a bit more time on their hands, this detailed briefing paper supports and extends the management seminar (item #17). It can be printed for use as a handout, desk-drop or internal mailing, or made available to download from Information Security’s intranet Security Zone.

22. Management briefing: accountability for information security MS Word document 3 page Word document

It’s important that managers understand that they will be held to account personally for their actions in relation to information security, even if many of the associated responsibilities are delegated to others.

23. Management procedure: defining information security roles MS Word document 1 page Word document

Documenting information security activities in role or job descriptions goes a long way towards making people aware of their security responsibilities. This simple procedure explains, in general terms, how to do it.

24. Management procedure: cost-justifying information security investments MS Word document 3 page Word document

As with other risk-reduction situations, it’s not always obvious how to prepare business cases to justify investments in information security since they normally reduce costs rather than generate outright profits. The technique described in this paper shows how cost-reduction projects can still be financially sound.

25. Management briefing: information security governance metrics MS Word document 5 page Word document

Assessing and measuring the organization’s information security governance practices is an important part of managing them. This discussion paper suggests a number of relevant targets and metrics.


Awareness materials for IT professionals

26. The NoticeBored newsletter: information security governance MS Word document (available as a free PDF too) 8 page document

The newsletter introduces and sets the scene for the remaining security awareness materials, providing background information on this month’s topic plus an overview of the associated risks. While the editable MS Word version is reserved for paying customers, the free PDF version is emailed to everyone on our newsletter mailing list.

27. Awareness program activities: August module MS Word document 5 page Word document

Information security awareness program managers - start here! Pep up your security awareness program with our creative internal communications ideas and awareness tips. We can’t stand up in front of your employees to deliver the awareness seminars, training courses etc., but we can make your job a bit easier, more productive and hopefully more fun. Spend your time interacting with staff, managers and IT people rather than researching and writing the presentations and other awareness materials.

28. Technical seminar: information security governance MS PowerPoint file 12 PowerPoint slides

The seminar slides with speaker notes present information security governance concepts in terms that IT professionals will understand and appreciate. The suite of technical controls within and surrounding the IT systems and networks is an essential component of the organization’s governance framework (hence the reason that SOX section 404 focuses on them).

29. Technical briefing: information security roles and responsibilities MS Word document 6 page Word document

This technical briefing for IT professionals discusses the definition of information security management roles and responsibilities based on the 39 control objectives identified in ISO/IEC 27002:2005. It includes a generic matrix relating information security activities to the departments, functions or people that normally perform them.

30. Technical briefing: SOX primer MS Word document 3 page Word document

IT people in organizations subject to the Sarbanes-Oxley Act of 2002 should be aware of their obligations under the Act, particularly section 404. This is a succinct primer.

31. Internal Controls Questionnaire: information security governance MS Word document 6 page Word document

An audit-style checklist to guide an evaluation of your organization’s information security governance processes. Check the current status against good practice criteria.

Module #63 contents (file listing)


NoticeBored is for you, yes you!

If this brief outline of our latest awareness module intrigues you, why not contact us to evaluate NoticeBored? We’ll send you a month’s awareness materials, a complete module exactly as it was delivered to our customers, plus an evaluation license for you to try them out. There’s no commitment or charge to evaluate. Find out what makes NoticeBored different and discover what led ENISA to describe us as “best practice experts” in security awareness. We can even help you build a budget proposal for your awareness program.



Copyright © 2008 IsecT Ltd.