security education training and awareness (SETA)
1) Explain what a functional information security program should look like. What internal and external factors need to be considered when planning and staffing an information security program? Define the different roles associated with members of the information security program. How does project management come into play with an information security program?
Easy to read. A layperson should be able to walk away from the security policy with the gist of what it is attempting to convey. As nearly all users operate technology on a regular basis, the abstract of the policy should appear on one of the first few pages and should be relatable to the entire organization. Naturally, other parts of the policy should be more detail-oriented, but not all of the policy needs to be technically dense. For this reason, one should assemble a well-rounded staff while planning an information security program.
Naturally, one would want to procure the most technically skilled workers and decision makers of the organization to develop the security policy, but most of the time those upper-echelon employees are occupied with mission-critical tasks.
I believe the best way to optimize efficiency and get the best value from your team is to place a potential protégé, an associate or subordinate of your hotshot employee who stands to learn from him or her, and have them design the information security program, meanwhile encouraging the policy designer to bounce questions off the expert, strengthening their rapport, and hopefully paving a path for a beneficial mentorship.
2) Explain how you would address the issue of security education, training, and awareness to ensure the program is dynamic and adaptive.
I believe that for any security education, training, and awareness (SETA) program to be considered dynamic and adaptive, it has to be done in a workplace environment. No slideshow, lecture, or presentation is ever going to be considered dynamic, and unless it was designed by someone in (and about) that particular office, it can’t truly be considered adaptive.
The only way for any SETA course to be dynamic and adaptive is for it to be performed with everyone at their desks. A “how to hack” presentation in which employees, sitting at their desks, are shown how easy it is to access certain drives or files that are mission-critical is an easy way to present security awareness training without coming across as dry or boring. Giving employees a hands-on lesson in how easy it is for someone to break into their system would certainly sharpen their awareness and put them on guard against actual avenues of attack, which might be more effective than a giant poster over the copy machine telling you to tape over your webcam.