Developing an Effective Information Security Awareness Training Program - Getting the Word Out
BankInfoSecurity.com - Banking Information Security News, Regulations, & Education


The Interagency Guidelines Establishing Information Security Standards under the Gramm-Leach-Bliley Act (GLBA) of 2001 require each bank to have a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. This program shall include security awareness training to inform personnel of the information security risks associated with their activities and of their responsibilities in complying with the bank policies and procedures designed to reduce those risks.

Security awareness and training should be focused on the organization’s entire user population.

An awareness program should begin with an effort that can be deployed and implemented in various ways and that is aimed at all levels of the organization, including senior and executive managers.

A review of an organization’s Information Security Awareness Program is part of ongoing regulatory examinations by the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Federal Reserve, the Office of Thrift Supervision (OTS) and the National Credit Union Administration (NCUA).

Customer Education: In October 2005 the Federal Financial Institutions Examination Council (FFIEC) issued guidance stating that organizations must address education and awareness as part of the overall risk management strategy for multi-factor authentication, and should cover topics such as phishing, account hijacking, safe Internet use practices and spyware.

Security has never been a technology problem - it has always been a “people problem.”

Next to employees, a company’s greatest asset is its information, and it is the responsibility of every staff member to ensure that its confidentiality, integrity, and availability remain intact. You may have performed a risk assessment to learn what assets your company needs to protect, their value to the company, and the vulnerabilities that face them. You may have written security policies, but does everyone know where they are? Are they current? Has anyone read them? Does your staff understand their content?

Communicating the content of the information security policies, explaining which vulnerabilities they address, and showing employees what they can do to prevent a security breach is the role of security awareness. Employees want to do the right thing, but often they do not know or understand what makes up “the right thing.” In many cases, they may be doing “the wrong thing” for all of the right reasons. In this class, you will learn how to develop and implement a security awareness program. You will learn how to get your audience’s attention, and keep it. We will also discuss how to keep awareness fresh long after the initial classes have been taken.

In this class, we will discuss:

• Why security awareness is a critical element in your overall security program
• The importance of knowing your business culture(s)
• Where is your security awareness culture now compared to where you want it to be?
• The three key elements for program success – Educate, Motivate, and Cultivate
• Baseline and targeted audience content
• Incorporating regulatory, federal, state, and country specific requirements in content development
• Explaining the “why” behind security policies and best practices
• The “What’s in it for Me” principle
• Methods to deliver the content
• Will training a trainer be necessary?
• How to measure the success of the program
• Keeping awareness fresh

Register for this webinar

Copyright © 2007 BankInfoSecurity.com