Information, Security & Privacy Matters Training (ISPM) eLearning Context and Design Presentation for STEP May 2007


Page 1: Information, Security & Privacy Matters Training (ISPM) eLearning Context and Design

Presentation for STEP, May 2007

Page 2: Information, Security & Privacy Matters: The Challenge

The Situation

• The number of reported privacy incidents is increasing

• It is estimated that one million dollars of sensitive information is compromised every 90 seconds

• Policies and controls alone cannot deliver sufficient compliance in practice; effectiveness depends on the actions of people within the organization

• Increased electronic interactivity between banks and their customers has placed public focus on how banks manage information risk

• Risk emerges from someone who is trusted and who interacts with sensitive corporate information as part of their everyday job

The Problem

• No integrated, standardized, enterprise-wide training program exists for employees to ensure they are aware of their responsibility for security in the use of BMO FG computer assets and networks

Legislative and Bank Requirements

• The Personal Information Protection and Electronic Documents Act (PIPEDA) states: “Organizations shall implement policies and practices to give effect to the principles, including … training staff and communicating to staff information about the organization’s policies and practices”

• Governments and regulators have addressed information management threats through the implementation of 18 other North American acts, policies and programs

• During the 2005 Annual State of Privacy Report to the Conduct and Review Committee, the Privacy Office identified one gap in controls related to employee training and committed to developing a comprehensive, measurable, mandatory training program across Operating Groups to support privacy requirements, in concert with Information Management and Information Security.

Page 3: Integrating Multiple Initiatives

The Request

• Privacy and compliance training delivered to the entire organization

• 3 other groups requesting regulatory & policy training: Information Security, Information Management and Desktop Security

The Opportunity

• Leverage the Privacy request as a catalyst to drive the integration of all 4 groups (Privacy, Information Security, Information Management, Desktop Security)

The Benefits

• Single deployment to users across the organization (instead of 4)

• Reduction in development and deployment costs

• Time savings: the 4 initiatives were expected to take 2 hours each; administration and content duplication were eliminated

Page 4: Build vs. Buy Decision

Vendor Analysis

• No vendor could supply 100% of the currently defined content (IM, IS, Privacy); one vendor satisfied 50% of the content

• One vendor had applicable eLearning content readily available in both English and French

• Analyzed vendor integration options based on costs, risks and benefits

• Selected a vendor to provide content

External Experiences

• Meetings with TD, Scotia and Deloitte all indicated the number of modifications to range between 40 and 60%

• Implementation of vendor solutions typically requires a 9-14 month investment

• Experience from previous projects dealing with licensing: results in ownership disputes over who owns the customization of content and version control

Options

Identified four vendor integration options:

1. Vendor to develop, host, and license total solution

2. License content only from vendor and customize

3. Buy content from vendor and customize

4. BMO to develop, host and build total solution

• Applied a cost and risk analysis that favored buying content (Option 3)

• Created a recommendation to buy existing content from the vendor and build the remaining content in house

Decision

• Purchase the specialized vendor content

• Customize the content locally and avoid ownership disputes

• Explore offshore development capabilities

Page 5: The Solution

Challenge / Solution

Challenge: Platform: multiple platforms across various business groups & countries
Solution: Created 3 versions focused on learner experience: Flash, HTML, and Accessibility, in both English & French

Challenge: Customized: role-specific learning required (not all roles have to take all the learning)
Solution: Created filtering questions to customize required learning by access to technology

Challenge: Program length: original request called for 4 programs, at approximately 2 hours each
Solution: Continuously prioritize content to eliminate duplication and decrease impact to Bank employees

Challenge: Learner focus: reduce periods of time away from customers
Solution: 15 minute topics allowed learners to complete the learning according to their schedule

Challenge: Increase awareness: current baseline unknown
Solution: Establish a foundational baseline for future programs

Challenge: Customer focus: accommodate each of the Business Groups' different business cycles
Solution: Deployed over a year, allowing Business Groups the ability to select their start and end dates based on their business demands

Challenge: Branding
Solution: The project became known as Compliance Learning; the CEO endorsed a message supporting the learning initiative as a key component in maintaining “Customer Trust”

Audience

• 40,000 full-time and contract employees

• 6 business groups

• Primarily North America, and also Asia, Europe and the Caribbean

Project objectives

• Increase awareness of the importance of managing and protecting information across the Bank

• Help mitigate the exposure of privacy, information, reputation, legal and regulatory risk to the Bank

• Comply with IM, IS, and Privacy regulatory requirements

Page 6: ISPM Learning Design

Learner Questionnaire: will define the Learning Path (LP)

LP1: No PC, Internet or email

LP2: LP1 + People Manager

LP3: PC + Internet / email

LP4: LP3 + People Manager

LP5: LP3 + works at home / remote

LP6: LP5 + People Manager

Introduction (Information Management): BMO Information Challenge

Privacy Topics*

• Privacy at BMO

• The Legislation

• The Key Principles

• Rules of Disclosure

Information Security Topics*

• What is Information Security?

• Entry Control

• Classifying Information

• Clear Desk Policy

• Secure Disposal

• Password Control

• Systems Integrity

• Virus Control

• Electronic Communication

• Email: Open with Care

• Internet Security

• Securing Your Home PC

• Remote Access

• Security Out of the Office

• Social Engineering

• Incident Reporting

• Management and IT Responsibilities

Awareness Assessment

Avg. 2-3 hours depending on Learning Path (2 hrs to 3 hrs)

*Avg. topic length = 7 min.

Page 7: ISPM Learning

(no transcribed text beyond the slide title)

Page 8: ISPM Learning

(no transcribed text beyond the slide title)

Page 9: Reporting and Tracking

Legislative and Bank Requirement

Organizational and Managerial Reporting:

• Summary reports to meet legal requirements

• Managers can view the entire managerial hierarchy

• Managers can change only direct reports

The Problem

Existing User Database:

• World-wide employee feeds, with multiple inputs into HR databases

• Anomalies include the frequency of updates, resulting in accuracy issues

• Sufficient for internal reporting of employee training records

• Insufficient for the rigor of compliance

The Solution

Reengineered Database:

• Collectively leveraged best practices from previous deployments and addressed each anomaly to maximize accuracy

• Reduced administration service calls by giving managers local access and quality controls

• Direct linkage to the HR system to correct anomalies (i.e. leaves of absence, seasonal employees, etc.)

• Solution can be used for other deployments

Page 10: ISPM Reporting

(no transcribed text beyond the slide title)

Page 11: Off Shoring: Challenges and Solution

Pros, Cons and Learnings by topic

Time Difference

Pros: Full use of 24 hrs during hand-offs improved workflow

Cons: Synchronous communication limited or not possible when required for immediate issue resolution; required additional planning in order to leverage 24 hour efficiencies

Learnings: Adjusted schedules in order to increase available meeting times; “on-call” process established at both ends

Culture & Working Relationship

Pros: “Yes”: willingness to please and offer flexibility in both work effort and expertise

Cons: Reluctance to say “no”, even if the work effort was to impact priorities (eventually impacting timelines)

Learnings: Emphasized that they not only had permission, but were expected to say “no” if for the benefit of the project

Language

Pros: Forced complete and succinct documentation

Cons: Added increased complexity to communication; often caused misunderstandings which required time to resolve

Learnings: Change speech pattern (i.e. talk slower); continuously test for understanding

Holidays

Pros: Worked through most of our holidays (i.e. Christmas, Easter, etc.)

Cons: Required additional planning to leverage holidays efficiently

Distance

Cons: No physical presence: took longer to establish a strong working relationship; missing body language increased communication issues; took longer for them to understand our business culture; impromptu idea collaboration was difficult

Learnings: Key members of each project team should meet at the beginning of the project (and at key points thereafter); exchanged team pictures; increased the frequency of interactions through emails, conference calls and WebEx sessions; create an approach to celebrate success

Page 12: Questions

Page 13: Appendix

Page 14: Breakdown of the content purchased vs. built, including DSP overlap

(Chart; labels as transcribed: Buy / Build; DSP Build; BMO Modifications required; Vendor content 50%; IS/DSP + Privacy; IM 20%; IS 26%; Privacy 4%; DSP new content build)

Content Comparison: Preliminary analysis shows significant overlap between the content in the DSP awareness project and the IM awareness project.

Page 15: ISPM Learning Program Overview

There are five sections to the Information, Security and Privacy Matters learning program. The completion time is estimated at between 2 and 3 hours in total, dependent on the learner’s familiarity with the content, speed and number of required modules. The learning can be completed over several sessions.

1. Learner Questionnaire: Initially, users complete a brief learner questionnaire about their role, their location, and the technology they use. This determines which learning topics are applicable.

2. Information Management Scenarios (BMO Information Challenge): Next, users work through a series of 13 situations, providing advice on managing information appropriately. Their responses to these situations give a measure of their information awareness and feedback on specific issues.

3. Privacy Topics: The third section of the training focuses on privacy legislation and appropriate privacy practices. If users work in the US, their four privacy topics reflect US privacy legislation. If they work in Canada or any location other than the US, their four privacy topics reflect Canadian privacy legislation.

4. Information Security Topics: In the fourth section, users work through a variety of topics focused on aspects of information security. The number of topics required depends on each user’s role and technology environment, but they always have access to both applicable and optional topics.

5. Awareness Assessment: Finally, users complete an awareness assessment covering content from the information management, privacy, and information security sections of the program. To successfully complete this training, users must achieve a score of 80% on this assessment. If they do not reach the 80% mark, they can review the topics and then try the assessment again until they achieve a score of 80%. There is no limit to the number of assessment attempts.

Page 16: ISPM Learning

(no transcribed text beyond the slide title)