28 days of awareness: day 22

While working on next month's module, we're also thinking forward to those that will follow. As soon as the ransomware module is delivered, we'll need to come up with poster ideas for a brand new module on 'innovation and creativity' - an unusual topic for a security awareness program for sure. We've been quietly researching the topic for months, in parallel with the ongoing work. Over the next week or two we need to review the information already gathered and firm-up the scope and purpose of the new module, clarifying the learning objectives and key messages that we'll be putting across. The fundamental premise we originally had in mind was to encourage the legitimate exploitation of the organization's intellectual property and other information assets, while at the same time protecting them from various risks including (in part) theft and exploitation by others. Instead, or perhaps as well, we might delve into the controls and tools supporting information security, another area of innovation and creativity. 

Meanwhile, the ransomware module keeps us busy. Today we prepared an IT audit-style ICQ (Internal Controls Questionnaire) for the professionals' awareness stream, encouraging someone (ideally a competent IT auditor) to review the organization's ransomware risks and controls. As with all the awareness materials, the ICQ is generic, reflecting typical information risks and security controls, identifying issues that would typically be checked and proposing the checks or tests that would typically be performed. In practice, the ICQ is just a starting point that should ideally be customized or adapted for the organization's specific situation e.g. some parts of it may have been covered already by recent audits, and there may be other areas of concern and tests to perform.

We have about 16 types of awareness content done or nearing completion, well on the way to the 26 or so in the finished module.