Project 4: Develop the Training and Operations Plan
Employee Training on the Cloud Operations Plan
An awareness and training program must support the business needs of the organization and be
relevant to the organization's culture and information technology architecture. The most successful
programs are those that users feel are relevant to the subject matter and issues.
Once the awareness and training program has been designed, supporting material can be developed.
Material should be developed with the following in mind:
"What behavior do we want to reinforce?"
"What skill or skills do we want the audience to learn and apply?"
In both cases, the focus should be on specific material that the participants should integrate into
their jobs. Attendees will pay attention and incorporate what they see or hear in a session if they
feel that the material was developed specifically for them. If a presentation feels so impersonal and
general that it could be given to any audience, attendees will not take it seriously. An awareness and
training program can be effective, however, if the material is interesting, current, and relevant.
The awareness audience must include all users in an organization. Users may include employees,
contractors, foreign or domestic guest researchers, other personnel, visitors, guests, and other
collaborators or associates requiring access. The awareness message program or campaign should
make all individuals aware of their commonly shared information security responsibilities.
On the other hand, the message in a training class is directed at a specific audience. The message in
training material should include everything related to security that attendees need to know in order
to perform their jobs. Training material is usually far more in-depth than material used in an
awareness session or campaign.
The program's implementation must be fully explained to the organization to achieve support for the
implementation and commitment of resources. This explanation includes expectations of
management and staff support, as well as expected results of the program and benefits to the
organization. Funding issues must also be addressed. For example, in the federal government, agency
managers must know if the cost to implement the awareness and training program will be totally
funded by the chief information officer (CIO) or information security program budget, or if the
agency managers' budgets will be impacted to cover their share of the expense of implementing the
Learning Topic
program. It is essential that everyone involved in the implementation of the program understand
their roles and responsibilities. In addition, schedules and completion requirements must be
communicated.
Once the plan for implementing the awareness and training program has been explained to (and
accepted by) management, the implementation can begin. Since there are several ways to present
and disseminate awareness and training material, organizations should tailor their implementation to
the size, organization, and complexity of their enterprise.
References
Chapter 4: Awareness and Training in NIST Special Publication 800-100, Information Security
Handbook: A Guide for Managers by Pauline Bowen, Joan Hash, and Mark Wilson comprises
public domain material from the National Institute of Standards and Technology, US
Department of Commerce.
© 2021 University of Maryland Global Campus
All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity of information
located at external sites.