Last month we discussed the first step in planning your awareness program: building your security awareness Steering Committee (SC). This will be the foundation for your program and help ensure long-term success. This is where every new program should start. However, one of the common questions I'm asked is: what next? What do you and your committee actually do? Simple, you need a plan. Draft a plan together, have management review that plan, and once you get approval, execute it. However, before you can start putting that plan together, you and the steering committee need to first decide the scope of your program. Specifically:
  1. Determine your program goals.
  2. Determine your awareness policy.
  3. Time limitations.
  4. Enforcement.
I'll discuss goals today and the other points in following posts. By goals I mean: what do you hope to achieve? Often the first one is compliance. Do you have any specific standards or regulations you have to adhere to, such as PCI DSS, GLBA or HIPAA? For your reference, download a complete listing of all regulations that require security awareness training. Keep in mind you may have more than one standard or regulation you have to adhere to. A second goal is securing the end user and reducing risk. If this is a goal, you will need metrics to measure it. This goal can have a far greater impact for your organization, but it can also be more challenging to implement. Finally, while your organization itself may not require an awareness program, perhaps your partners or customers do (for example, if you are a law firm). Whatever your goals are, make sure you and your SC document them. Then, when you put your plan together, the plan should be designed to achieve those goals.