NoticeBored modules/security topics

Creative content for continuous security awareness programs

NoticeBored delivers creative awareness materials through a continuous series of monthly modules on a broad range of topics (more below). This innovative rolling approach means NoticeBored awareness programs are constantly refreshed with less chance of the materials and messages becoming stale and boring. Month-by-month, the NoticeBored modules build into a comprehensive library of creative security awareness materials. If you can’t afford to wait, we can optionally supply the entire back catalog of previously-delivered modules on DVD to get your awareness library and program off to a flying start.

Contrast this with the traditional “sheep dip” approach to security awareness - an annual lecture to the troops by information security, at once both tedious and pointless. We all know that most people don’t respond well to these forced-attendance sessions and that they are often only used to satisfy the auditors. Security awareness can be a much more creative, satisfying and cost-effective continuous process with NoticeBored.

Information security topic coverage

The complete portfolio of NoticeBored awareness modules deliberately covers a wide range of information security topics. The following list shows how we have carved up the subject area to date but we are always open to new combinations and completely new information security topics, including suggestions from our customers:

  1. Accountability and responsibility - examines, explains and contrasts these two commonly misunderstood concepts in the context of information security;
  2. Authentication and identity management - everything from choosing strong passwords to phishing, two factor authentication, biometrics, identity theft and access control;
  3. Bugs! - errors in program specification, design, coding or configuration by software development professionals and end-users can create security vulnerabilities;
  4. Change management - covers information security aspects of IT-related changes including patching, testing, configuration management and implementation of “IT projects”;
  5. Compliance - fulfilling obligations under IT/information security-related laws, regulations, standards, policies, procedures and guidelines including issues such as copyright, privacy, ISO/IEC 27000-series, ITIL etc.;
  6. Computer auditing - understand what makes IT auditors tick, what they do and how to work with them most effectively;
  7. Contingency planning - planning for success by preparing to cope with the worst - includes business continuity, resilience and disaster recovery;
  8. Database security - securing large collections of valuable data against hackers, corruption, loss etc.;
  9. Digital forensics - a completely new awareness module released in July 2009 covering the forensic investigation of information security incidents;
  10. Email security (core topic) - risks relating to the receipt and sending of electronic mail including malware, defamation, phishing etc.;
  11. Ethics - looks at the morality and ethics of appropriate versus inappropriate use of information;
  12. Gizmos - security issues associated with portable IT devices including laptops, USB memory sticks and a million other boys’ toys;
  13. Hacking - tips to counteract hackers, crackers, industrial spies, fraudsters, criminals and other adversaries, being primarily but not exclusively outsiders;
  14. Incident management - the process around reacting to, containing, resolving and learning from information security incidents;
  15. Induction (new employee orientation) module covering the basics of information security - please see below for more on this;
  16. Information security management - roles, structure and reporting lines for the security management function and its relationships with others;
  17. Information security risk management - explains the processes of analyzing and managing risks;
  18. Insider threat - covering the security threats represented by employees and others working in a similar capacity;
  19. Identity theft - based on the authentication and password modules, this one focuses specifically on identity theft risks and controls;
  20. IT and security governance - controlling and minimizing IT risks forms an integral and vital part of corporate governance;
  21. IT-related fraud - phishing, identity theft and other forms of fraud committed using IT systems and networks;
  22. Keeping secrets - all about keeping sensitive corporate and personal information private and confidential;
  23. Malware (core topic) - viruses, worms, Trojans, key loggers, spyware, rootkits and more;
  24. Mobile and home working - information security considerations for road warriors & those working from home;
  25. Network security (core topic) - all manner of information security issues linked with networking in general and the Web and wireless networks in particular;
  26. Network & systems management - processes for securely installing, configuring, monitoring and managing IT;
  27. Office information security - a range of security topics associated with the average office or workplace;
  28. Passwords & biometrics - presents advice to staff on choosing stronger passwords, coupled with advice to managers and IT on choosing better user authentication mechanisms;
  29. Personal data protection and privacy - focuses specifically on protection and privacy issues relating to data about living individuals (Personally Identifiable Information or Personal Data);
  30. Physical security - protecting the facilities against unauthorized access, fires, floods, overheating, power disturbance, lightning ...;
  31. SCADA security - security risks and controls relating to industrial control systems and embedded controllers;
  32. Secure software development - integrating security with the system lifecycle from specification and design through to testing and configuration;
  33. Social engineering (core topic) - the only practical way to tackle this threat is through genuine security awareness;
  34. Third parties - information security issues resulting from the increasing interconnectedness of modern organizations;
  35. Trade secrets - covering a spectrum of activities from competitive intelligence to information warfare.

We put a lot of effort into researching and staying abreast of the very latest information security advances, threats and controls. As security issues, technologies and approaches mature and become mainstream, we either update and reissue or prepare brand new modules. In this way, your awareness program will constantly evolve and adapt to the ever-changing security environment.

Core security awareness topics

The four “core modules” covering malware, social engineering, email security and network security are updated and reissued annually. Along with the induction module, these are topics that practically all security awareness programs need to cover. We refresh them more frequently than the others to remind employees annually of their obligations. If your organization needs a simple security awareness program, consider using just the core modules and skip the rest!

Other modules are delivered in the intervening months to build a broad level of security awareness and maintain interest in this otherwise rather dull subject area (interesting to us!). They are thoroughly updated and reissued every three years or so, keeping them up-to-date with advances in the field. Please check the diary page to see the sequence we have covered so far and our plans for the next three modules.

 


Induction module - a free bonus

The NoticeBored induction module contains basic security awareness materials for use in new employee security induction courses and orientation training. This module is also suitable to launch new security awareness programs so we provide it as a free bonus module to welcome new customers - in other words, you’ll receive the induction module plus your first regular module when you subscribe to NoticeBored.

What is a “module” anyway?

Modules are compressed ZIP files of about 30-60 Mb, containing around 20-30 different types of security awareness item each month. See what’s in this month’s module for a typical example.

The awareness materials themselves are mostly Microsoft Word, PowerPoint and Visio files, plus .JPG poster images. We supply fully-editable unrestricted files so that customers can customize or adapt the content to suit their specific requirements, for example providing contact details for the Information Security Manager or equivalent, referencing corporate policies, adopting a “house style” etc. Customers are welcome to cut-and-paste the supplied content to supplement existing awareness and training materials including Learning Management Systems, and to incorporate existing awareness materials where relevant.

Cross-referencing of related topics and reinforcement of the information security messages brings a coherence and consistency to the NoticeBored awareness materials often lacking in other “awareness solutions”. It helps that all the materials are written to the same high standard of quality by us. It’s what we do!

Keep up with recent information security incidents, emerging risks and new security practices through NoticeBored

All our modules include topical information security news clippings and references, highlighting and expanding upon stories that employees will probably have seen in the general news media. The monthly delivery cycle and flexible delivery schedule give us a significant advantage over more traditional awareness products: we pick up on information security issues as they emerge. Whereas most of our competitors only offer annual updates, NoticeBored keeps you up to date with current trends.

While we can only cover incidents that are in the public domain, we encourage customers to incorporate information about actual incidents within their organizations into their awareness programs. This is one good reason why we provide editable files - what better way to bring the security message home to employees than to make them appreciate that security breaches are happening around them?

Take a good look at the NoticeBored samples to see exactly what you’ll be getting for your money.



Copyright © 2009 IsecT Ltd.