CYBR3600 Project 3: Creating a Training plan

Due Date: Thursday 12/6 by Class time (1:30PM)

Overview

In this short project you will create a training plan for employees at the company you selected/created in Project 2. The end result of your efforts will be an employee training manual that covers at least 3 security policy areas (e.g. physical security, password policy, access control, backup, personal resource usage, etc) and includes a 4th section on countering social engineering.

Section Structure

Each section should include information that describes:

• Scope: Who the training program applies to within your company (e.g. managers, basic users, legal, HR, software developers, bank tellers, )
• Policy/Purpose: The purpose of the policy: What bad things can happen if it isn’t followed
• Delivery Method: What mode of communication will you use?
  • E.g. role play, lecture/presentation, real world case study, previous examples from around your company, posters, videos, etc
• Content: What information should be conveyed to the chosen group of people at your company
  • Think about your audience, specifically what is their knowledge level and skillset
  • Try to give them enough information to be aware of the policy without overloading them
• Learning objectives: What skill or skills should individuals walk away with after training
  • What do they do now
  • How can they change their behavior to be more secure and compliant

Example Section

Scope: This training initiative applies to software developers in ’s product development division.

Policy/Purpose: Data protection: Without proper training, developers may inadvertently share important trade secrets regarding the operation or construction of software or construction/interoperation of important systems within . This initiative will help mitigate this problem by training developers to better recognize intellectual property and keep this data confidential.

Delivery Method: This training initiative will be delivered in the form of role play scenarios and presentations of counter examples that demonstrate previously identified data protection policy violations.

Content: Information regarding the exact nature of intellectual property at will be communicated. operates many systems that include our customer facing web services (core fictional point of sale system, customer relations, etc) and our mobile apps. Developers need to be aware which portions of these systems are proprietary. For instance, the algorithms designed into our were designed and developed internally. Since not all are patented – it is critically important that details of our designs not be released to our competitors. Developers need to be aware that they cannot reveal any details about these designs while ‘talking shop’ with other developers in or outside of the company.

Learning objectives: • Understand the difference between intellectual property (trade secrets) and publicly releasable information • Identify situations in which trade secrets can inadvertently be leaked to individuals in the company that do not need to know them or to outside entities • Raise awareness of trade secret data protection policies at

Submission

Prepare a report, of type .md, .pdf, .doc, .docx only, that answers each question above. Clearly follow the format for each training plan section. Submit your report to Canvas by the due date.