Sections Flashcards
What are the steps in Section 1, “Define Organization’s Security Awareness Strategy” (the long versions)?
1) Review Organization’s Mission and Goals
2) Review Risk Assessment Reports
3) Review Risk Management Reports
4) Document and Validate Compliance Objectives
5) Review Previous Threats and Incidents
6) Identify and Communicate with Stakeholders
7) Assess Threat Landscape
8) Establish Business Needs and Benefits
9) Build Business Case for Security Awareness Strategy
10) Obtain Authorizations for Program (e.g., Legal, HR, Executives)
11) Establish the Security Awareness Program Charter
12) Evaluate Organizational Security Culture to Identify Areas of Alignment or Possible Disconnect
13) Participate in Developing Policies Pertaining to Non-compliance
Section 1 Strategy (short versions)
Learn - understand the org: what it does overall, its pain points and threats, which legal/contractual obligations apply, and who the key stakeholders are
1) Org Mission and Goals
2) Risk Assessment Reports
3) Risk Mgmt Reports
4) Compliance Objectives
5) Prev Incidents
6) Stakeholders
7) Threat Landscape
Make your case for program:
8) Business Needs
9) Business Case
Prep to build program:
10) Authorizations
11) Charter
12) Disconnects
13) Policies for non-compliance
Section 2: Provide Security Awareness Training and Education to End Users (the long versions)
1) Establish Target Audience
2) Determine Key Learning Objectives
3) Determine the Delivery Method
4) Define Content Based on Audience (e.g., Social, Environmental, Regional)
5) Determine Schedule and Cadence for Training
6) Create and Curate Content
7) Conduct Training
8) Track Training Compliance Against Target(s)
9) Measure Learning Outcomes
10) Implement Improvements Based on Feedback and Previous Run Cycles
Section 2 Training (the short version)
Plan out the training - who, what, how, when
1) Audience
2) Objectives
3) Delivery Method
4) Content by audience
5) Schedule and Cadence
6) Content
Give training, assess how it went, and improve going forward
7) Conduct
8) Track against targets
9) Measure Outcomes
10) Improvements
Section 3: Reinforce Security Awareness with Communications (long version)
1) Identify Key Content/Messaging
2) Adapt Communication to Target Audience
3) Align Communication with Brand/Company Culture
4) Determine Modality and Channel of Communication
5) Coordinate Scheduling of Communications with Stakeholders
6) Research and Deliver Applicable Security Awareness Subject Matter (e.g., incidents, solutions, preventions, statistics, reinforcement)
7) Identify Potential Cultural/Organizational Misalignment
8) Draft Communications for Stakeholder Review and Approval
9) Finalize Communications
10) Distribute Communications
11) Validate and Report Efficacy (e.g., Reach, Engagement, Behavior Change, Culture)
Section 3: Comms (short version)
1) Content
2) Target Audience
3) Brand
4) Modality and Channel
5) Scheduling
6) Research and Deliver
7) Org Misalignment
8) Draft Comms
9) Finalize Comms
10) Distribute Comms
11) Report Efficacy
Section 4: Assess User Behavior (long versions)
1) Define Learning Objectives
2) Determine and Validate Baseline Level of Awareness
3) Select Appropriate Behavioral Interventions Based on Contextualized Factors (e.g., Environmental, Social Factors)
4) Select and Implement the Most Effective Testing Tool(s) for the Environment
5) Determine Schedule and Cadence for Testing
6) Design an Assessment to Measure User Behavior
7) Run the Assessment(s)
8) Provide Feedback to Users
9) Report Results to Stakeholders (e.g., track, disclose)
10) Monitor Behavioral Risks (e.g., secure shredding, password practices, badging, reporting)
Section 5: Define and Validate Awareness Metrics (long versions)
1) Define Participation Metrics
2) Compare Pre and Post Behaviors
3) Align Awareness Methods with Risks
4) Define Compliance Metrics (e.g., policies, procedures, laws/regulations, contractual)
5) Manage Program Budget (e.g., budgeting, program, administration)
Section 6: Monitor Effectiveness of Security Awareness Program (long versions)
1) Collect Results of Awareness Initiatives (e.g., training completion, simulation results)
2) Compare Awareness Initiative Results with Goals
3) Identify Gaps Between Results and Program Goals
4) Identify and Implement Activities for Continuous Improvement to Close Gaps
5) Evaluate Returns on Investment (e.g., Financial, Behavioral, Time, Level of Effort, Risk Reduction)
Section 7: Report Status of Compliance and Outcomes (long versions)
1) Identify Impact of and Remediation for Non-compliance
2) Identify Categories of Reporting (e.g., individual, department, entity)
3) Identify and Report Data Needs by Stakeholder (e.g., customization of reports, formatting)
4) Report User Activity to Stakeholders (e.g., upper management, auditors)
5) Provide Evidence to Support Compliance Metrics (e.g., policies, procedures, laws/regulations, contractual)
Section 4: User Behaviors (short versions)
1) Objectives
2) Baseline Awareness
3) Behavioral Interventions
4) Tool
5) Schedule
6) Assessment to Measure Behavior
7) Run Assessments
8) Feedback to Users
9) Report to Stakeholders
10) Monitor Behavioral Risks
Section 5: Metrics (short versions)
1) Participation Metrics
2) Compare Pre and Post Behaviors
3) Align with Risks
4) Compliance Metrics
5) Budget
Section 6: Effectiveness (short versions)
1) Results - collect
2) Results - compare with goals
3) Gaps - identify
4) Gaps - close
5) ROI - Returns on Investment
Section 7: Status (short versions)
1) Noncompliance impact and remediation
2) Reporting categories
3) Reporting data needs by stakeholder
4) Report to stakeholders
5) Compliance evidence