COPYRIGHT © CENTER FOR INFORMATION MANAGEMENT AND ASSURANCE. LLC. ALL RIGHTS RESERVED.

Developing an Awareness & Training Program based on ACADEMICS - PART 1

July 23, 2015


Security of information is a shared responsibility at all levels of an organization and extends to all its stakeholders, as well. The likelihood of major incidents occurring and their consequences affecting an organization is increasing rapidly as our dependence on technology and information grows in all sectors of the global economy.


For the seasoned information assurance professional, technologies such as anti-virus, intrusion detection and firewalls, albeit continually evolving, are well known. The challenge is to somehow provide the rest of an organization's employee base with the requisite level of awareness, training and education. While in the past it was always a good thing to do, in today's world it has become a necessity for a higher degree of assurance that a secure and sustainable foundation for the business' operations is present.


The new critical frontier in the arsenal of defense controls for information assurance professionals is people, and that means every employee in every organization. Although not a new concept, it's fast becoming the new defense to protect valuable information from identity thieves, hackers and industrial espionage experts (corporate spies). As the need grew over the years, a new methodology was developed to help organizations, and it is explained in this article to assist companies in designing, developing, implementing and maintaining an Information Assurance Learning Program (IALP). The acronym for this methodology is, appropriately, ACADEMICS. To help illustrate the methodology, this series of articles takes a dual approach: first by introducing the concept stage by stage, and second by supporting the concept with a case study of a large program developed for a global financial services company based in North America. The program ran for two years from concept to launch, through the accomplishment of the program's initial training objectives, and finally into ongoing maintenance.


It doesn't matter what your area of expertise is within the various information assurance fields (Security, Privacy, Business Continuity, Compliance, Risk Management, etc.), or the topic you are developing a program for: ACADEMICS is a flexible and extensible methodology that works for all needs. The methodology was developed drawing upon over 35 years of experience developing learning programs for the Department of Defense, Big 4 consulting firms, IT service organizations, as well as healthcare and financial services companies in Canada and the United States.


As a fundamental introduction to any topic, it makes sense to level-set our understanding of the definitions of key terms, to ensure everyone is on the same page before moving into a more in-depth conversation. To this end, let's adopt three key words and then put them into context. These key terms are:

  • Awareness

  • Training

  • Education

The definitions of these terms are provided in our illustration, which also helps to put each into context from a learning continuum perspective, as it illustrates a graduated design. The learning continuum concept was adopted from the US National Institute of Standards & Technology (NIST) Special Publication 800-50 (Wilson & Hash, October 2003) and is used as a foundational understanding for building an information assurance learning program, or any other learning program for that matter, using the ACADEMICS methodology.

Inevitably the question arises, why use a methodology?

  • Large-scale IALPs are relatively new to the information assurance industry as a whole, so a methodology helps offset our lack of familiarity with them;

  • Complexity is deceptive and easy to underestimate; a methodology guides us to consider every aspect that falls within the overall scope of the program;

  • A written methodology demonstrates to senior management that you have focus and can offer organizational leadership on this type of initiative; and

  • In the early 2000s, regulations and other legal obligations started to drive IALPs as a business imperative, so your success must be assured. A structured methodology provides the guidance and structure to take you there.


WHAT IS AN IALP?

An IALP is a comprehensive program, with a given theme, developed by an organization based on a defined learning continuum and objectives. For clarity's sake, an IALP does not need to incorporate all levels of the learning continuum, but rather only those that the organization's needs dictate. What's equally important is to understand what an IALP is not, as too many people underestimate the challenges associated with one. It's not:

  • A one-time deal

  • A silver bullet

  • The answer to what keeps you up at night (but it’s a good start)

  • A slam dunk

  • Unimportant

WHY IMPLEMENT AN IALP?

The obvious answer is that 40,000 employees of "Company A" educated by an IALP can protect the information assets of the company better than a single department of 40 information assurance professionals can. In addition, the growing body of standards and regulations that mandate an IALP has made one imperative, not optional. Some examples are:

  • GLBA / FFIEC

  • HIPAA

  • The Computer Security Act of 1987

  • COSO

  • NERC

  • FISMA

  • ISO 27001 (for which CIMA teaches the certified ISO 27001 lead implementer and lead auditor courses)

  • and many more


WHAT WILL ACADEMICS DO FOR ME?

ACADEMICS will guide you through a pragmatic flow from initiation to the roll-out of your program, and finally to a state of ongoing maintenance. It does not prescribe any minimum criteria with respect to size or elements; each program is unique and there really are no boilerplates. This methodology has been developed based on real-life experience, not as an academic exercise. As such, it has been field tested and gives you a structured approach to follow, affording a higher level of assurance for your success. The stages of the ACADEMICS methodology are:

  • Analysis

  • Construct the governance

  • Architect the program

  • Design approach model

  • Enter development

  • Manufacture communications

  • Initiate pilot

  • Correct based on lessons learned

  • Structured roll-out

To understand the output of each phase of the methodology, we offer the following to illustrate each phase with its associated work product:


In Part 2 of this series, I will be breaking down and discussing the activity within Phase I of the methodology, Analysis. This is also when we will begin introducing our case study to help bring the methodology to life for you for in-depth comprehension.
