Re: Information Security Awareness Day, Week

[Melissa Guenther <mguenther () COX NET>]

Thank you so much Davina - I like the tip a day on your calendar - what a
wonderful tool!!
  I still belive that in times of change you can never over-communicate
Below are Lessons Learned from various assignments regarding communication
and security awareness campaigns - some lessons were from an assignment with
a university.(I used the word organization - academia is a business, right?)

I also included what that leaders can provide VISIBLE support for the
campaign. usually I just asked for visible support - I found I need to
describe what that can look like.

A big part of any culture change effort, like security awareness, involves
communication "You can never communicate during times of change"
 
Organizational Communication is a management process with a specific
business purpose and disciplined methods of development, implementation, and
measurements. It is accomplished through a strategic communication plan
reviewed and approved by senior management.
 Organizational Communication is a change agent. Its purpose is not just to
convey information, but to change behavior. It changes behavior by
persuading people to take action toward the organization’s objectives. 
 
The primary responsibility for organizational communication lies with all
managers and supervisors. The Organizational Communication Unit is
responsible for designing and delivering the system and tools that enable
managers to play their role as communicators. Face to face communication
with the immediate manager is the most effective form of communication, and
is the way employees prefer to receive information.
 
Communication is a two way process. Listening and encouragement of feedback
must be as emphasized and practiced as speaking and providing information
and directions. Two-way is the only way for communication to actually exist
in the organization.
 
To be effective, communication must be grounded in the interests and
language of the receiver. While it seeks to achieve the organization’s
strategic objectives, it cannot do so effectively unless it uses a
receiver-focused approach in both content and context. 
 
To be noticed, communication must be compelling. As it must compete for the
receiver’s attention, communication must use highly compelling and creative
ways to deliver its message.
 
To be influential, communication must be credible. Without a high degree of
credibility, the integrity and believability of the message will be lost,
and the whole communication process will be a waste of resources.
 
To be remembered and internalized, communication needs to be continuous and
consistent. We can not afford not to communicate .
 
Executives’ Roles and Benefits:
 
Roles: The organizations executives have several key roles to play : 
 
They review, give input to, and approve the Plan, including the strategic
objectives to be achieved. 
 
They articulate the organizations strategy, interests, and actions in a
variety of communication opportunities and media, including town meetings,
department meetings, speeches, presentations, memos, and interpersonal
interactions with stake-holders. 
 
 
They create and welcome opportunities for them to listen to the ideas,
feedback, and issues raised by stakeholders. 
 
They act as role – models for the essence of the messages conveyed by the
process, to enforce the vital credibility aspect of the required behavior
change.
 
 
Benefits: The organizations top leadership will gain the following benefits
from the implementation of the Plan:
 
Will enable top management to explain their business strategy and goals to
the stake-holders, helping gain their support and alignment.
 
Uncovers hot issues and concerns on the minds of key stakeholders, making it
possible to address these issues in timely manner to maintain good
relationships with critical constituencies, including customers, investors,
employees and the community.
 
 
Explaining the reasons behind certain executive actions and changes helps
gain employee understanding and support for these actions.
 
Effective, open, and credible communication creates a culture of trust,
shared values, and accessible knowledge throughout the organization. This
facilitates faster action and higher performance.  
 
 Managers / Supervisors’ Roles and Benefits:
 
Roles: Employee surveys have shown that people want to get the important
information affecting the organization and their jobs from their immediate
supervisor. This means that managers and supervisors must fulfill this
expectation by acting as the primary communicators of strategy and actions
for their direct reports. Managers and supervisors need to support the Plan
and its messages, own it as their own plan, and be prepared to explain it
and answer staff questions about it.
 
To do this effectively, they need to work closely with the us, including
attending meetings or training for this purpose. Ultimately, the managers
and supervisors are accountable for the two-way communication process within
their areas. 
 
 
Benefits: Managers and supervisors gain the following benefits from the
process and plan:
 
They become better able to answer questions from their own staff about
business and actions, enhancing their status in the process.
 
Managers and supervisors will build better relationships with their staff by
practicing open two-way communication, including raising the issues voiced
by their staff to upper management.
 
 
Armed with the critical information about company strategy and goals,
managers and their staff will be better able to contribute effectively to
achieving these goals, enhancing their own value to the organization.
 
 


 
 
-------Original Message-------
 
From: The EDUCAUSE Security Discussion Group Listserv
Date: 04/22/04 05:28:03
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Awareness Day , Week
 
Melissa--to make things more confusing in the educational community
(Maryland and  expanding to other locations) we are using April and October
(kick off April and finish the month--start in October and finish on the Oct
31st) as Cyberawareness months.  See: http://www.edtechoutreach.umd
edu/cyberawareness.html  for the April activities.

Davina

Melissa Guenther wrote:

Ken
Thanks for the clear delineation between all the days.  It's the best
explanation I've heard to date. I especially like that there is no mention
of which date or week is correct.  It's not a dichotomy in this situation -
the more the better!
Any chance privacy will be integrated with the awareness efforts?  They seem
to be intrinsically connected. 
 
Melissa
 
-------Original Message-------
 
From: The EDUCAUSE Security Discussion Group Listserv
Date: 04/21/04 07:24:29
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Awareness Day , Week
 
 
At the "federal" or US National level it is intended that 9/10 be a day not
just for Information Security Awareness, but security and safety awareness
overall.  We already have "CyberSecurity" Days in the spring and fall with
daylight savings time, there is also Computer Security Day from the ACM on
November 30.  There was a firewall security day earlier this year.
 
The intention is to create a day of observance that is not specific to cyber
 physical, a vendor or a technology.  Just good old fashioned "Be Aware or
BeWARE". 
 
Add September 10, 2004 to your calendars and lets all increase our awareness
every day leading up to it and every day after it.
 
Melissa great work on the materials and sharing.
 
Ken 
------ 
Ken M. Shaurette, CISSP, CISA, CISM 
MPC Solutions - Security 
(262) 523-3300 x60486 
------ 
National Security Awareness Day - September 10, 2004 - Are you aware? 
------ 
-----Original Message-----
From: Melissa Guenther [mailto:mguenther () COX NET] 
Sent: Tuesday, April 20, 2004 9:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Informnation Security Awarenes Day , Week


Please take time to consider sending a note to your Governor to ask for a
proclamation for Security Awareness Day or Week,
Governor Napalitano just dedicated the fourth week in April as Information
Security Awareness Day - many initiative can be done and I have alot of
material I would be willing to donate.
 
Please let me know if you need any additional information Or material
 
Currently - information Security Awareness day on the Federal  level is 9/10
- the Week is designated as the fourth week in April - I realize not much
time but I have material all ready to use.  You just need to let me know if
you are interested.
 
Thanks - " you can force them to change their password, but how to you have
them change their behaviors?"
It takes knowledge (what to do), skill (how to do) and attitude (want to or
shy to do)
 
Melissa
 
 





********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at http://www.educause.edu/cg/

 





********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at http://www.educause.edu/cg/
 


-- 

Davina Pruitt-Mentle
Director
Educational Technology Outreach
College of Education
University of Maryland College Park
http://www.edtechoutreach.umd.edu/
(301) 405-8202
 
The sender believes that this email and any attachments were free of any
virus, worm, Trojan horse, and/or malicious code when sent.  This message
and its attachments could have been infected during transmission.  By
reading the message and opening any attachments, the recipient accepts full
responsibility for taking protective and remedial action about viruses and
other defects.  The sender’s employer is not liable for any loss or damage
arising in any way from this email or its attachments.
 

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.