An effective security program may involve firewalls, vulnerability reduction, operating system hardening and other technical components. But these elements will remain fragmented without an overall, unifying strategy. A top-level security policy documents and explains security goals for everyone in the organization. As a clear management articulation of security strategy, it helps prevent communication breakdowns among corporate divisions. Aligning the culture and the strategy is crucial to success in any improvement effort.
LogOn Consulting provides assistance to our clients in reaching their goals.
The following is a typical roadmap in the Security Change process:
1. A Self-Audit of Your Awareness Plan
- understanding the existing environment and anticipating change
- what should be included in a security awareness program geared for 2001 and beyond
- conducting a technology inventory
2. Getting Management's Attention...and Commitment
- determining management's needs
- building your case
- "marketing" your program
3. Awareness Program Goals
- developing awareness objectives and criteria
- developing a business case
- developing a charter
- influencing and motivating employees
- communicating your ideas
4. Getting Started
- working with your customers
- staffing for awareness
- who is responsible for what
- identifying your target audience
- developing organization-wide programs
- implementing pilot projects
5. Identifying the Awareness Tools That Work Best for Your Organization
6. Monitoring the Success of Your Program
Evaluating training effectiveness is a vital step to ensure that the training delivered is meaningful. Training is "meaningful" only when it meets the needs of both the participant and the organization. Spending time and resources on training that does not achieve desired effects can reinforce, rather than dispel, the perception of security as an obstacle to productivity.
A robust training evaluation effort may be the second most effective vehicle for garnering management support for security, the first being the occurrence of a serious security incident.
In addition, others within the organization who have traditionally "owned" security need to position themselves as enablers or facilitators of security. The most effective programs begin at new employee orientation and continue annually for all employees at all levels of the organization.