
Information Security Awareness And Training Business Case For Web Based Solution (Template)


This is a presentation template for anyone interested in making a case for a web-based security awareness and training program within their company. It is free for all to use and adapt as needed.


Information Security Awareness and Training Business Case for a Web-Based Solution

[PRESENTATION TEMPLATE] You are free to use this presentation for your own company if you wish to make a business case for implementing a web-based security awareness program at your company.

Michael Kaishar, CISSP, Senior Information Security Consultant


- Executive Summary
- Business Problem and Opportunity
- Proposed Project Objectives/Performance Metrics
- Business Risks
- Alternative Solutions
- Recommendation


Executive Summary

Information security deals with people, process, and technology. If people understand and appreciate the dangers and risks associated with mismanaging information, the exposures become measurably reduced. Information security awareness is one of the most critical aspects of an organization’s information security strategy. Viruses, worms, hackers, phishers, and social engineers threaten an organization on all sides. Furthermore, employees sometimes make careless mistakes and accidentally disclose confidential information.

Technical security controls are not sufficient to protect an organization’s assets. Study after study has shown that it is employees who are the most important link in protecting the confidentiality, integrity, and availability of valuable assets.

The best countermeasure to these threats is to raise employee awareness and build a “human firewall” that can thwart and frustrate these kinds of attacks, by educating employees about the threats and how to recognize and respond to them.


Business Problem and Opportunity

Information costs time, money, and effort to create, maintain, and deliver. That is a good investment, because it helps employees do their jobs and honor commitments to the organization as well as to the organization’s members.

When computer assets must be repaired or replaced because of poor security practices, productivity suffers and valuable assets, including labor, materials, and money, must be diverted from other uses.

There are also legal obligations to protect the confidentiality and integrity of the organization’s information assets. [COMPANY NAME]’s relationship with its clients and members is based on trust and integrity. [COMPANY NAME] has an opportunity to maintain that trust every day by exercising reasonable information security practices.


Proposed Project Objectives/Performance Metrics

Deliver a web-based security awareness solution for sustaining awareness through the ongoing training of existing and new [COMPANY NAME] employees. Update the Information Security Policy to reflect the addition of the security awareness program, and track metrics.

The Security Awareness project will focus on the following main objectives:

- Build information security awareness into the [COMPANY NAME] culture.
- Create the concept of the “human firewall” to protect [COMPANY NAME] assets.
- Address internal exposures to social engineering attacks by implementing a security awareness campaign and training initiative aimed at [COMPANY NAME] employees.

The following components will comprise the Security Awareness initiative:

- Information Security Basics
  - Course Introduction
  - Real World Issues
  - What is Information Security?
- Online Security Threats and How to Counter Them
  - Password Management
  - Avoiding Viruses and Worms
  - Protecting Mobile Data
- Offline Security Issues and How to Counter Them
  - Thwart the Malicious Insider
  - Physical Security
  - Outwitting Social Engineers and Phishers
- Acceptable Use Policies and Ethics
- Incident Response
- Security Policy Acceptance
- Comprehensive test on the above security initiatives
- Tracking, auditing, and reporting of the security awareness program


Business Risks

Zero risk is impossible; however, it is possible to minimize the risks. In order to minimize risks, it is necessary to put controls in place. Currently we have reasonable technical controls such as firewalls, IDS/IPS, anti-virus, and so forth. These technical controls are effective at detecting and stopping threats that come from the outside, but what about inside the perimeter?

We have limited security controls, such as anti-virus, on the inside. Anti-virus is not enough. The creation of a ‘Human Firewall’ is the answer to providing these necessary controls. By educating our employees on information security, we create a culture that is aware of the evolving threats.

The success of the program depends on its acceptance by all respective participants. Everyone is responsible and accountable for ensuring best practices and performing due diligence.


Alternative Solutions

The following solutions are alternatives to the web-based delivery of security awareness:

- Delivery of security awareness through a classroom setting. This is not a feasible alternative, as the time constraints of employees make it very time-consuming and not cost-effective.
- Implementation of our own Learning Management System and courseware. This is not a feasible solution at the moment because of our resource constraints in software, hardware, labor, and necessary staff.
- Dissemination of brochures, posters, screen savers, logon announcements, and so forth. This alternative might be cost-effective, but it lacks the ability for us to track and acquire metrics. It is a good complementary solution to the web-based delivery of the security awareness program.


Recommendation

In order to provide a comprehensive security awareness program, we propose a web-based delivery method. The web-based delivery method allows all employees to participate in the initiative, and it allows for the measurement and auditing of the program. The courseware is beneficial, valuable, and interactive, and would fit the needs and requirements of [COMPANY NAME]. [VENDOR NAME] is the vendor of choice for providing Security Awareness and Training for [COMPANY NAME].
