Published: January 7, 2017
By: Shawn Barnes, Cal State San Marcos
Hashtags: #Analysis #Audit #Communications #impact #Management #RecommendationReport #Research #ResearchAnalysis #riskmanagement #StrategicThinking
You have been hired as Acme Rocket Company's internal auditor, and you are ready to begin auditing its information security program. Your focus today is the area of Training and Security Awareness, and your scope is the past 3 years. You have the InfoSec Training Standard, which includes the following:
ARC Security Awareness and Training Program
1. The ARC ISO or designee is responsible for overseeing development and coordination of the information security awareness and training program. At a minimum, the program must:
a. Be completed by new employees within 21 days of the start of employment.
b. Include periodic information security awareness refresher training for all employees who access information assets, on a schedule not to exceed three years. Security awareness refresher training may take the form of activities such as brown-bag sessions, information on special topics delivered via email, and other presentations or publications.
c. Maintain a record of the content, distribution and/or attendance, event, and date of each security awareness training or outreach activity.
Your assignment is to come up with a list of questions to ask and also documents or reports you might need in order to complete the audit.