Comprehensive security training and awareness


Develop a comprehensive Security Training, Awareness, and Education Program, based on the following organization scenario:

“The Business Organisation is an information holdings with about 600 staff. A recent audit of the organisation’s information security management system found it to be deficient in some key areas, notably incident response, disaster recovery and business continuity, social engineering exploitation of personnel, an apparent lack of personnel awareness of the various threats to information, and poor password security. Technical systems were found to be reasonably effective in maintaining database and document management security, and were well serviced by the IT team.”

The proposed plan should include:

1. Objectives
2. Topics to be covered
3. Level of learning (knowledge, skill or competence)
4. Recommended instructional methods and media to use/support
5. Example of learning activities and exercises
6. Evaluation criteria

Some theory sources I found:

https://www.sans.org/reading_room/whitepapers/awareness/developing-integrated-security-training-awareness-education-program_1160

https://www.itl.nist.gov/lab/bulletns/bltnoct03.htm

https://www.wyoming.gov/pdf/Template_AwarenessPlan.pdf

• The plan should be based on real commercial security education techniques, and your best knowledge and expertise in security education.

• Answers should not be theoretical definitions.

• As far as possible, please avoid too much word-for-word quoting from sources. Minor citation is allowed.

• Any citation must be from credible sources.
